Where an internal sanctions and AML policy for an Asia group stands now
An internal sanctions and AML policy for an Asia group. The current cross-border position and what it means in practice. Write to info@lockhartyip.com.
The payment channel is where the commercial stakes become real. An Asia group – a holding structure bridging Hong Kong, a Mainland operating entity, and offshore subsidiaries in the BVI or Cayman Islands – depends on correspondent banking access. That access is not guaranteed. It is extended by banks that have assessed the group's compliance posture against their own screening criteria, which today means sanctions lists, AML controls, and source-of-funds documentation that hold up to scrutiny across multiple regulatory jurisdictions simultaneously.
An internal sanctions and AML policy for an Asia group must address two distinct compliance environments at once: Hong Kong's regime, which implements United Nations sanctions and applies the Anti-Money Laundering and Counter-Terrorist Financing Ordinance, and the de facto extraterritorial reach of the unilateral measures maintained by other states – measures that Hong Kong does not give domestic legal effect to, but that the group's foreign banking counterparties are legally required to enforce. Getting this interface right is what preserves banking access. Getting it wrong is what cuts the group off from the international payment system regardless of whether any Hong Kong rule has been broken.
This analysis sets out the current cross-border position, maps the governing instruments, and identifies where the operational risk actually sits for a group structured through Hong Kong in 2027.
What is commercially at stake for an Asia group
Compliance with sanctions and AML rules is not a legal formality. It is the admission condition for the international banking system, and the international banking system is the infrastructure on which cross-border trade and capital flows depend. A group that cannot hold a correspondent banking relationship cannot settle transactions, move dividends, or service offshore debt.
The pressure on Asia groups has intensified over the past several years, not because Hong Kong's own rules have changed dramatically, but because the global correspondent banking community has become significantly more selective. Banks in New York, London, Frankfurt and Singapore – the main nodes of the dollar, euro and sterling clearing systems – apply their own jurisdictions' sanctions rules to every client and every transaction they touch. An Asia group that sits above an operating entity with counterparties in a jurisdiction subject to US, EU or UK unilateral measures will face scrutiny from its banks even if no Hong Kong rule is engaged.
In our cross-border practice, the most common presenting problem is not a group that has done something wrong. It is a group whose compliance documentation was designed for a single-jurisdiction environment and has not been updated to reflect the multi-system reality in which its banking relationships now operate. The gap between the group's internal policy and what its correspondent banks actually require is where the risk lives.
The commercial question is therefore precise: does the group's internal policy produce documentation and decision-making that satisfies a correspondent bank's compliance team in the jurisdictions where the group needs banking access? If the answer is uncertain, the policy needs to be rebuilt from that question outward.
The governing regime in Hong Kong: what the Anti-Money Laundering and Counter-Terrorist Financing Ordinance actually requires
Hong Kong's primary AML instrument is the Anti-Money Laundering and Counter-Terrorist Financing Ordinance, which imposes customer due diligence, transaction monitoring, record-keeping, and suspicious transaction reporting obligations on financial institutions and designated non-financial businesses and professions. The Inland Revenue Department, the Securities and Futures Commission, the Hong Kong Monetary Authority, and the relevant professional bodies each publish AML guidelines that amplify the Ordinance's requirements for their respective sectors.
On sanctions, the operative instrument is the United Nations Sanctions Ordinance. Hong Kong implements United Nations sanctions and does not give domestic legal effect to the unilateral measures of other states. This is not a gap in Hong Kong's legal architecture. It is a deliberate and principled position under the one country, two systems framework. The practical consequence is that a Hong Kong entity is legally compliant with Hong Kong sanctions law if it screens against UN-designated parties and honours the relevant UN resolutions.
That legal position, however, does not resolve the operational reality. A Hong Kong entity that transacts with a party subject to US Office of Foreign Assets Control designations, or EU or UK restrictive measures, may face no liability under Hong Kong law – and yet find that every correspondent bank in the dollar clearing system refuses to process the related payment. The entity may be legally compliant and operationally paralysed simultaneously. This is the structural tension that an internal policy for an Asia group must navigate explicitly.
An internal policy that addresses only the Hong Kong legal minimum is therefore incomplete as a banking-access document. A policy built for a group with genuine cross-border exposure must map the UN position, identify which unilateral regimes its banking counterparties are subject to, and create decision-making procedures that allow the group to take a reasoned, documented position on any transaction that touches a sensitive jurisdiction.
How the cross-border interface bites: Hong Kong, the Mainland, and the offshore layer
The cross-border interface for a typical Asia group is not a single line between Hong Kong and one foreign jurisdiction. It is a layered structure with at least three distinct compliance environments that must be addressed simultaneously.
The Hong Kong holding entity sits in a common-law system with clear AML and sanctions obligations under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance and the United Nations Sanctions Ordinance. The Mainland operating subsidiary is subject to PRC AML rules and – separately – the PRC's own sanctions and export-control regime, including the rules on unreliable entities and anti-foreign-sanctions measures. The BVI or Cayman holding layer above the Hong Kong entity is subject to those jurisdictions' own AML and economic-substance rules, plus the beneficial ownership reporting requirements that the offshore registries have progressively tightened.
Each layer generates its own compliance obligations, and those obligations do not automatically align. A transaction that is permissible under UN sanctions may be restricted by a PRC anti-sanctions measure. A counterparty that is clean on the UN list may be subject to a designation by a jurisdiction whose measures Hong Kong does not apply but whose banking relationships the group depends on. An ownership structure that is transparent for Hong Kong Companies Registry purposes may require separate disclosure to an offshore registry under different timing and format rules.
In our experience acting on cross-border compliance matters across this architecture, the error most commonly made by foreign-appointed counsel is to treat the Hong Kong layer as the only layer that matters. It is the critical hub for banking access, but it does not subsume the Mainland and offshore obligations. A policy built only around Hong Kong law will fail the group at the Mainland and offshore levels, and it will fail the group's banks at the level of the broader multi-regime screen they are required to run.
The practical consequence of this layered environment is that an internal policy must contain separate, jurisdiction-specific modules – or a clearly articulated matrix approach – that addresses each layer's obligations, the interaction between them, and the escalation procedure when they point in different directions.
What does a policy that actually works look like: the functional architecture
A policy that functions as both a legal compliance document and a banking-access document has four functional components that must be present and coherent.
First, a customer and counterparty due diligence (CDD) framework calibrated to the group's actual risk profile. The risk profile of an Asia group is shaped by factors including the sectors in which it operates, the jurisdictions of its counterparties, the nature of the payment flows, the ownership structure above the Hong Kong entity, and the identity of the beneficial owners and their source of wealth. A group with concentrated exposure to commodities, shipping, or financial services across Southeast Asia and the Mainland has a materially higher inherent risk than a group operating a single consumer-goods business in Hong Kong. The CDD procedures must match the risk, not a generic template.
Second, a sanctions screening protocol that identifies the lists to be screened against and the procedure to follow when a potential match is identified. Given Hong Kong's posture, the minimum legal requirement is UN list screening. Given the group's banking relationships, the protocol will in practice need to address the major unilateral regimes as well – not because Hong Kong requires it, but because the group's correspondent banks do. The protocol must distinguish between what is legally mandated and what is operationally required, and it must create a documented decision pathway for transactions that fall in the space between them.
Third, a transaction monitoring procedure that is scaled to the group's transaction volumes and risk profile. For most Asia holding groups, this does not require a sophisticated automated system. It requires a defined set of red flags, a clear escalation path, a named responsible officer, and a record of the monitoring decisions that have been taken. The record is as important as the decision: in a correspondent bank review, the absence of documentation is treated as the absence of a control.
Fourth, a governance and training architecture that makes the policy operational rather than ornamental. A policy document that sits in a folder and has not been explained to the finance, treasury, and commercial teams who handle the transactions it is meant to govern will not satisfy a regulator or a correspondent bank. The policy must be embedded in the group's operating procedures, and the responsible officer must have the authority and the information needed to act on it.
Where the current risk sits: the practitioner's read
Three pressure points are generating the most operational disruption for Asia groups in the current environment.
The first is de-risking (the decision by correspondent banks to exit client relationships rather than manage complex compliance assessments). The groups most affected are those whose ownership structure is opaque at the beneficial-owner level, whose source-of-funds documentation is incomplete or outdated, or whose counterparty base includes entities in jurisdictions subject to heightened monitoring by the international banking community. A group that cannot produce clean beneficial ownership documentation up to the ultimate individual level, tracing through all holding layers including the offshore entities, will face de-risking pressure regardless of the quality of its day-to-day transaction monitoring.
The second is the travel rule (the FATF requirement that virtual-asset service providers and, increasingly, traditional financial institutions pass originator and beneficiary information with certain payment messages). For Asia groups with treasury or investment activity in virtual assets, or with banking counterparties who are extending the travel rule's logic to traditional wire transfers, this creates a documentation requirement that older compliance architectures were not built to address. The group's internal policy must anticipate and respond to this requirement explicitly.
The third pressure point is beneficial ownership (the disclosure and verification of ultimate natural persons who own or control the entity). Hong Kong-incorporated companies have been required to maintain a Significant Controllers Register since 1 March 2018 under the Companies Ordinance. The offshore layers – BVI, Cayman – have their own, progressively tightened beneficial ownership regimes. An internal policy that does not address the group's obligations across all three layers, and that does not create a procedure for keeping beneficial ownership records current when ownership changes, will fail at the first point of contact with a correspondent bank or regulator that asks.
A more recent development that several of our clients are currently assessing is the intersection of the expanded FATF grey-listing process with correspondent banking risk. When a jurisdiction is added to the FATF grey list, banks in FATF-member countries apply enhanced due diligence to transactions connected with that jurisdiction. Asia groups with counterparties, banking relationships, or operational entities in grey-listed jurisdictions face an immediate uplift in the documentation burden their correspondent banks will impose. The group's internal policy should have a standing procedure for monitoring FATF status changes and responding to them operationally before the bank's compliance team calls.
The comparative read: what Singapore does differently, and what it means for Hong Kong-headquartered groups
The comparison with Singapore is the one our clients raise most frequently, and it is worth addressing directly because the comparative read often shapes structuring decisions.
Singapore's Monetary Authority administers an AML and sanctions regime that is structurally similar to Hong Kong's in its reliance on a risk-based approach and its primary orientation around the FATF recommendations. Singapore, like Hong Kong, implements UN sanctions. Singapore does not give automatic domestic effect to all US, EU or UK unilateral measures, although its financial institutions are in practice required to manage the extraterritorial reach of those measures because of their own correspondent banking dependencies.
The material differences lie not in the legal architecture but in the perception held by the international correspondent banking community and in the specific counterparty and sector exposures that are concentrated in each centre. Singapore has invested heavily in positioning itself as a financial hub for Southeast Asian and South Asian capital, and its AML track record has been a central part of that positioning. Hong Kong's position is shaped by its role as the primary offshore RMB centre and the principal gateway for Mainland Chinese capital flows, which creates a different risk profile in the eyes of correspondent banks who apply their own internal models to assess the cross-border exposure.
For a group deciding whether to headquarter its Asia holding structure in Hong Kong or Singapore, the compliance implications are not primarily a function of the differences in local law. They are a function of the group's actual counterparty base, its sector, and the correspondent banking relationships it needs. A group whose commercial activity is concentrated in Mainland China and whose banking access depends primarily on relationships with banks that have significant USD clearing exposure will face materially different compliance management challenges depending on which hub it chooses.
What we consistently advise is that the internal policy should be built for the group's actual risk profile, not the risk profile of a hypothetical group in the same jurisdiction. A Hong Kong holding structure with clean Mainland counterparties, documented source of funds, and transparent beneficial ownership can maintain strong banking access. A Singapore holding structure with the same underlying risk factors will face the same pressure. The policy is the variable; the jurisdiction is the context.
Decision matrix: four situations, four responses
The risk analysis above translates into a practical decision framework. Consider four situations that arise frequently on our desk.
A group with a clean ownership structure, full beneficial ownership documentation at all layers, and counterparties that are UN-list clean and outside any jurisdiction subject to major unilateral measures needs a baseline policy: UN screening, standard CDD, documented transaction monitoring, a named responsible officer, and an annual policy review. The risk is low; the policy needs to be present and maintained, not elaborate.
A group with the same clean ownership structure but with counterparties or banking relationships that touch jurisdictions subject to significant unilateral measures needs an augmented policy. The augmentation is a documented analysis of each affected counterparty relationship, a record of the decision taken on each relationship, and a correspondent-bank communication protocol that explains the group's compliance position in terms the bank's own compliance team can work with. The legal position under Hong Kong law may be entirely clean; the operational risk is a function of the bank's own legal obligations.
A group with opacity at the beneficial ownership level – whether because the ownership chain runs through bearer instruments, nominee structures that have not been properly documented, or jurisdictions with weak disclosure regimes – faces a different and more urgent problem. The policy cannot resolve the underlying opacity. The first step is a structural review: identifying every layer of the holding structure, mapping the ultimate natural persons who own or control it, and creating the documentation that the Significant Controllers Register, the offshore registries, and the correspondent banks require. Until that documentation exists, a policy document is of limited practical value.
A group that has already faced a de-risking event – where a correspondent bank has exited or is threatening to exit the relationship – is in the most time-sensitive position. The response is not to produce a policy document quickly. It is to identify, with precision, what the bank's compliance team has assessed and found unsatisfactory, and to address that specific gap with specific documentation. In our experience, banks that have initiated a de-risking process are not looking for a policy document. They are looking for a credible remediation of the specific risk they have identified. That requires legal analysis of the gap, not a generic policy update.
What foreign counsel typically get wrong
The most persistent error we see from foreign counsel advising Asia groups on their internal compliance policies is jurisdiction-centric drafting. A policy that is built around a single jurisdiction's legal requirements – whether that is Hong Kong, the BVI, or a home-country AML regime – will not function as a cross-border compliance document because it does not address the multi-layer, multi-system environment in which the group actually operates.
A related error is the template approach. A compliance policy that has been adapted from a generic template without substantive analysis of the group's actual risk profile, counterparty base, and ownership structure will satisfy neither a regulator nor a correspondent bank. Compliance teams at major banks assess policies by examining whether the policy's procedures match the group's actual risk profile. A generic policy applied to a high-risk profile is a compliance failure even if every word in the policy is technically correct.
A third error is the failure to address the interaction between the group's legal obligations and its operational banking requirements as two distinct but related questions. The legal minimum under Hong Kong law and the documentation standard required by the group's correspondent banks are not the same thing. A policy that addresses only the former will produce a legally compliant group that cannot maintain banking access. A policy that addresses both – distinguishing between them clearly – is the one that functions in practice.
Finally, there is the error of treating the policy as a document rather than a system. A policy that is not embedded in operating procedures, that has not been communicated to the people who handle transactions, and that is not reviewed and updated when the group's risk profile changes is not a compliance policy in any meaningful sense. It is a document that will provide no defence when a correspondent bank or regulator asks whether the group's controls are adequate.
For a structured assessment of your group's internal sanctions and AML policy across the relevant jurisdictions, write to us at info@lockhartyip.com.
Where this is heading: the enforcement and banking-access trajectory
The direction of travel in this area is not towards reduced scrutiny. It is towards more granular, more automated, and more cross-jurisdictional screening by the correspondent banking system, combined with more active enforcement by the regulators whose unilateral measures have the greatest extraterritorial reach.
The FATF mutual evaluation cycle is producing updated country assessments on a rolling basis, and each updated assessment reshapes the risk models that correspondent banks apply to transactions connected with the assessed jurisdiction. Asia groups should expect that the jurisdictions relevant to their counterparty base will continue to be assessed and, in some cases, re-assessed downward. The operational implication is that a compliance policy reviewed in 2025 may be materially inadequate by 2027 if the group's counterparty base includes jurisdictions whose FATF status has deteriorated.
The beneficial ownership transparency agenda is also advancing. The offshore holding centres – BVI, Cayman, and others – have progressively tightened their beneficial ownership disclosure and verification requirements under sustained pressure from the FATF, the OECD, and the major financial-sector regulators. An Asia group that was adequately documented for the 2020 beneficial ownership standard may not be adequately documented for the current standard, and the gap will be visible to correspondent banks that conduct periodic compliance reviews of their client relationships.
The virtual asset dimension is moving rapidly. Hong Kong's mandatory licensing regime for centralised virtual-asset trading platforms (VATP) – which commenced on 1 June 2023 under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance, with the Securities and Futures Commission as licensing authority – has placed the AML and sanctions obligations of the virtual asset sector on an explicit statutory footing. Asia groups with treasury or investment activity in virtual assets, or whose business involves digital payment flows, face AML and sanctions obligations in this segment that are governed by the same instruments as traditional finance but are being applied to a rapidly evolving set of products and services. The policy must address this segment explicitly, and must be reviewed whenever the group's virtual-asset activity changes materially.
If an earlier compliance review or policy update produced a result that no longer reflects the group's current risk profile or banking requirements, a fresh cross-border assessment can identify the gaps and the remediation route. Write to us at info@lockhartyip.com.
For broader context on how Hong Kong's sanctions posture intersects with cross-border transaction structuring, see our analysis at Hong Kong's sanctions posture and cross-border transactions. For the source-of-funds dimension as it applies to counterparties in a Gulf context, see our separate piece on AML source-of-funds files for UAE counterparties. Our practice overview is at Sanctions & AML.
Related practices
- Holding Structures – structuring cross-border ownership layers across Hong Kong and offshore centres
- Corporate Counsel – governance and regulatory-compliance support for groups operating across jurisdictions
Frequently asked questions
Do I need a Hong Kong adviser for an internal sanctions and AML policy for an Asia group?
What documents are needed for an internal sanctions and AML policy for an Asia group?
What is the first step in an internal sanctions and AML policy for an Asia group?
Speak with Lockhart & Yip
For a scoped view of your matter, contact info@lockhartyip.com. Discuss your matter →
Related
- Sanctions Aml
- Aml Source Funds File Uae Counterparty Uae Analysis
- Hong Kong S Sanctions Posture Cross Border Transaction 3
This publication is general information and does not constitute legal advice. For advice on your situation, contact info@lockhartyip.com.