Establishing an Anti-Money Laundering Compliance Policy Before Listing

The Hong Kong Securities and Futures Commission (SFC) has escalated its focus on sponsor firms’ anti-money laundering (AML) controls, issuing a record HKD 420 million in fines against six investment banks for AML deficiencies between 2022 and 2024. This regulatory trajectory directly impacts pre-IPO companies: the SFC’s Code of Conduct paragraph 17.6 now explicitly requires sponsors to verify that an applicant’s AML compliance framework meets the standard expected of a listed entity before the prospectus can be filed. For a company targeting a Main Board listing in 2025 or 2026, the absence of a documented, board-approved AML policy is no longer a post-listing compliance gap — it is a structural block to the sponsor’s due diligence sign-off. The HKEX’s Listing Decision LD115-2023 further clarified that the Exchange will query any applicant whose AML controls appear inconsistent with its stated business volume or geographic footprint. Against this backdrop, establishing a fit-for-purpose AML compliance policy before engaging a sponsor is not merely prudent governance; it is a prerequisite for a viable listing timetable.

The Regulatory Baseline: HKEX Listing Rules and SFC Codes

Listing Rule Requirements for AML Disclosure

The HKEX Main Board Listing Rules do not contain a standalone AML rule, but the disclosure obligations under Rule 11.07 (general disclosure obligation) and the content requirements of Appendix D1A (prospectus content) effectively mandate comprehensive AML disclosure. The Listing Rules require a prospectus to contain “full, true and accurate disclosure of all material matters” (Rule 11.07), and the SFC’s Code of Conduct paragraph 17.6(c) requires the sponsor to confirm that the listing applicant has “appropriate policies and procedures in place to comply with applicable anti-money laundering and counter-terrorist financing laws.” This confirmation must be documented in the sponsor’s due diligence report, which forms part of the listing application.

The practical implication is clear: a pre-IPO company must have a written AML policy that addresses at least the six core pillars identified in the SFC’s 2023 thematic review of AML systems: customer due diligence (CDD), ongoing monitoring, suspicious transaction reporting, record-keeping, senior management oversight, and independent audit. The policy must be board-approved and operational for at least 12 months before the listing application is submitted. The SFC’s Guideline on Anti-Money Laundering and Counter-Terrorist Financing (Cap. 615, section 7) requires that the board of directors approve the AML policy and that it be reviewed at least annually.

The Sponsor’s Verification Mandate

Under the SFC’s Code of Conduct paragraph 17.6, the sponsor must conduct reasonable due diligence on the applicant’s AML controls. This is not a desktop review. The SFC’s 2023 enforcement action against China Merchants Bank International (CMBI), which resulted in a HKD 32 million fine, specifically cited the sponsor’s failure to verify the AML systems of a pre-IPO client that later faced money laundering allegations. The SFC’s Statement of Disciplinary Action dated 15 December 2023 noted that the sponsor “did not obtain sufficient independent evidence to support its conclusion that the listing applicant had adequate AML policies.”

For the pre-IPO company, this means the sponsor will request: (i) the board minutes approving the AML policy; (ii) the policy document itself; (iii) training records for all relevant staff; (iv) a sample of CDD files for high-risk customers; (v) the suspicious transaction reporting log; and (vi) the latest independent audit report on the AML framework. Any gap in these documents will trigger a sponsor due diligence query, which can delay the listing timetable by 4-8 weeks.

Structural Components of a Pre-IPO AML Policy

Customer Due Diligence and Risk Assessment

The foundation of any AML policy is the CDD framework. For a Hong Kong Main Board applicant, the policy must distinguish between three tiers of CDD: standard, simplified, and enhanced. The HKMA Supervisory Policy Manual module AML-1 (revised January 2024) provides the benchmark: enhanced due diligence (EDD) is required for any customer classified as politically exposed person (PEP), any customer from a jurisdiction on the Financial Action Task Force (FATF) high-risk list, and any transaction exceeding HKD 800,000 in a single day that does not have a clear economic purpose.

The policy must specify the documentation required for each tier. For standard CDD, the minimum is a certified copy of the customer’s passport or Hong Kong identity card, proof of residential address (utility bill or bank statement dated within three months), and a declaration of source of funds. For EDD, the policy must require additional documentation: a detailed organogram of the customer’s ownership structure, a certified copy of the board resolution authorising the transaction, and a written explanation of the transaction’s economic purpose. The policy must also specify that CDD must be conducted before the business relationship is established, not after — a point the SFC emphasised in its 2023 thematic review, where 34% of reviewed firms had post-relationship CDD gaps.

Transaction Monitoring and Suspicious Activity Reporting

The AML policy must describe the transaction monitoring system. For a pre-IPO company with annual revenue of HKD 100 million to HKD 5 billion (the typical range for a Main Board applicant), the policy should set threshold-based monitoring parameters. The SFC’s 2023 AML/CFT Guidelines (paragraph 5.3) recommend that thresholds be set at 150% of the customer’s average monthly transaction value, with any transaction exceeding HKD 1 million flagged for manual review. The policy must also specify the timeframe for suspicious transaction reporting: the Organized and Serious Crimes Ordinance (Cap. 455, section 25A) requires that any suspicious transaction be reported to the Joint Financial Intelligence Unit (JFIU) within 15 business days of the suspicion arising.

The policy must designate a Money Laundering Reporting Officer (MLRO) and a Deputy MLRO. The MLRO must be a senior manager with direct access to the board. The HKMA Guideline on AML/CFT (paragraph 6.2) requires that the MLRO hold a recognised AML qualification (such as the ACAMS certification) and have at least five years of relevant experience. The policy must also include a non-retaliation clause for staff who report suspicious transactions in good faith, consistent with Cap. 455 section 25A(5).

Jurisdictional Considerations for Cross-Border Structures

BVI, Cayman, and Bermuda Holding Companies

The majority of Hong Kong Main Board applicants are incorporated in the Cayman Islands or Bermuda, with operational subsidiaries in Hong Kong and the PRC. The AML policy must address the jurisdictional interplay. The Cayman Islands’ Anti-Money Laundering Regulations (2023 Revision) require that the ultimate beneficial owner of any Cayman-incorporated entity be identified, with ownership thresholds set at 25% or more. The Bermuda Monetary Authority’s AML/ATF Guidance Notes (2024 edition) require that the AML policy of a Bermuda-incorporated holding company apply to all subsidiaries, including the Hong Kong operating entity.

The policy must specify which jurisdiction’s AML laws take precedence in case of conflict. The standard approach is to apply the higher standard: if the PRC’s Anti-Money Laundering Law (revised 2024) requires EDD for all cross-border transactions exceeding RMB 200,000, and Hong Kong’s threshold is HKD 800,000, the policy should apply the PRC threshold for PRC-sourced transactions. The SFC’s 2023 thematic review found that 28% of cross-border applicants had inconsistent CDD standards across jurisdictions, which the SFC cited as a “material deficiency” in sponsor reports.

PRC Subsidiary Compliance

For applicants with PRC subsidiaries, the AML policy must address the PRC’s Anti-Money Laundering Law (2024 revision), which came into effect on 1 January 2025. The revised PRC law requires that all financial institutions and designated non-financial businesses (including money service businesses and certain real estate transactions) implement AML controls. The PRC People’s Bank of China (PBOC) Circular on Strengthening AML Supervision (2024, No. 12) requires that the AML policy of a PRC subsidiary be approved by the PBOC’s local branch if the subsidiary’s annual transaction volume exceeds RMB 5 billion.

The Hong Kong AML policy must include a mechanism for the Hong Kong parent to receive quarterly AML compliance reports from the PRC subsidiary. The policy should specify that any suspicious transaction reported by the PRC subsidiary to the PBOC must be simultaneously reported to the Hong Kong MLRO within five business days. The SFC’s Code of Conduct paragraph 17.6(c) requires that the sponsor confirm that the AML policy covers all entities in the group, including PRC subsidiaries.

Implementation Timeline and Board Documentation

Pre-Sponsor Engagement Preparation

The AML policy should be drafted and board-approved at least 18 months before the intended listing application date. The HKEX’s Guidance Letter GL57-2023 (paragraph 4.2) recommends that the AML policy be operational for at least 12 months before the sponsor commences due diligence, to allow for a meaningful audit trail. The board minutes approving the policy must include: (i) the date of approval; (ii) the specific version of the policy approved; (iii) the board’s confirmation that the policy complies with Hong Kong’s Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap. 615); and (iv) the appointment of the MLRO.

The policy must be supported by a risk assessment document that identifies the company’s specific money laundering risks. The risk assessment should be based on the FATF’s Methodology for Assessing Technical Compliance (2023 edition), which requires that the risk assessment cover: customer risk, product risk, geographic risk, and delivery channel risk. For a trading company with operations in Hong Kong and the PRC, the risk assessment should identify the specific risks posed by trade-based money laundering, which the FATF’s 2024 Trade-Based Money Laundering Report identified as the highest-risk typology for Hong Kong-incorporated trading companies.

Annual Review and Independent Audit

The AML policy must include a provision for annual review by the board. The SFC’s 2023 AML/CFT Guidelines (paragraph 8.2) require that the board review the AML policy at least annually and document any changes. The review must consider: (i) changes in the company’s business model; (ii) changes in the regulatory environment; (iii) findings from the independent audit; and (iv) any suspicious transaction reports filed during the year.

The independent audit of the AML framework must be conducted by an external auditor or a qualified internal audit function that reports directly to the audit committee. The HKMA Supervisory Policy Manual module AML-2 (revised January 2024) requires that the independent audit cover: (i) the effectiveness of CDD procedures; (ii) the accuracy of transaction monitoring thresholds; (iii) the timeliness of suspicious transaction reporting; and (iv) the adequacy of staff training. The audit report must be presented to the board within 90 days of the audit completion date.

Actionable Takeaways

1. Draft and board-approve the AML policy at least 18 months before the intended listing application date, ensuring it addresses the six core pillars identified in the SFC’s 2023 thematic review: CDD, ongoing monitoring, suspicious transaction reporting, record-keeping, senior management oversight, and independent audit.
2. Appoint a qualified MLRO with an ACAMS certification and at least five years of relevant experience, and document the appointment in board minutes that also specify the MLRO’s direct reporting line to the board.
3. Conduct a formal risk assessment using the FATF 2023 Methodology, covering customer, product, geographic, and delivery channel risks, and document how each identified risk is mitigated in the AML policy.
4. Establish a quarterly AML compliance reporting mechanism from any PRC subsidiary to the Hong Kong MLRO, with a five-business-day escalation requirement for any suspicious transaction reported to the PBOC.
5. Commission an independent audit of the AML framework by an external auditor at least 12 months before the listing application, and ensure the audit report is presented to the board within 90 days of completion.