HONG KONG · EAST ↔ WEST
info@lockhartyip.comResponse within 4 hours (UTC+8)
Discuss your matter
Home/Insights/Disputes & Arbitration
Sanctions & AML

How to approach an internal sanctions and AML policy for an Asia group

An internal sanctions and AML policy for an Asia group. A practical guide for in-house counsel. The Hong Kong angle in focus. Write to info@lockhartyip.com.

A group operating across Asia – with a Hong Kong holding entity, Mainland Chinese subsidiaries, offshore treasury vehicles, and counterparties across the CIS, Middle East, and Southeast Asia – sits at one of the most demanding intersections of global financial crime compliance. The question is not whether an internal sanctions and anti-money laundering policy is needed. The question is how to build one that works across legal systems that do not share the same rules.

An internal sanctions and AML policy for an Asia group must be calibrated to the group's actual operating jurisdictions, counterparty profile, and banking relationships, anchored in the governing instruments – the Anti-Money Laundering and Counter-Terrorist Financing Ordinance and the United Nations Sanctions Ordinance – and structured so that each entity in the group knows its obligations before a transaction moves through the payment channel. Since Hong Kong implements United Nations sanctions and does not give domestic effect to unilateral measures of other states, the policy must be precise about which sanctions frameworks apply to which legal entities and in which circumstances.

This guide sets out the practical sequence: the decision the in-house team faces, the steps in order, the gate at each stage, the most common structural error, and a short decision checklist to close.

Why the internal policy sits at the centre of banking access

The most immediate commercial consequence of an inadequate internal sanctions and AML policy is not a regulatory fine. It is a frozen correspondent banking relationship.

For an Asia group, the payment channel is the operating lifeline. A group that cannot move funds through its Hong Kong operating account, its offshore treasury, or its Mainland subsidiary's renminbi clearing line has a structural problem – one that typically emerges at the worst moment: mid-acquisition, during a drawdown, or on a scheduled dividend upstream.

Banks – both in Hong Kong and across the correspondent network – run their own compliance filters. When a counterparty or beneficiary triggers a flag, the bank's first question is whether the client has a documented policy that addresses the issue. In our cross-border practice, the absence of a written, entity-level policy is consistently the factor that converts a resolvable compliance query into a protracted account review. That review can suspend access for weeks or months.

The policy is not a formality. It is the first line of evidence that the group has addressed its obligations as a matter of process, not improvisation.

The two governing instruments in Hong Kong are the Anti-Money Laundering and Counter-Terrorist Financing Ordinance – which imposes customer due diligence, record-keeping and transaction-monitoring obligations on financial institutions and, in certain respects, on the broader regulated sector – and the United Nations Sanctions Ordinance, which gives effect to the United Nations Security Council's sanctions resolutions in Hong Kong law. The policy must reflect both.

Step 1 – Map the group before writing a word of policy

The first step is an entity-by-entity map of the group, identifying where each legal entity sits, what obligations attach to it, and what the counterparty profile of that entity looks like in practice.

This sounds mechanical. In practice it is the step most frequently skipped – and the one whose absence produces a policy that looks complete on paper but fails at the entity level where actual transactions occur.

The mapping exercise should answer four questions for each entity in the group:

  • Which jurisdiction's sanctions and AML rules apply directly to this entity, and which apply indirectly through its banking relationships or contractual counterparties?
  • What category of counterparty does this entity transact with? A Hong Kong entity collecting dividends from a Mainland subsidiary has a very different risk profile from a trading subsidiary with customers across the CIS or the Middle East.
  • Which payment channels does this entity use, and which financial institutions sit in those channels? The correspondent bank's own compliance requirements – which may include exposure to unilateral sanctions regimes that do not apply in Hong Kong – will impose real constraints regardless of the legal position in Hong Kong.
  • Who in the group has authority to approve or escalate a transaction that triggers a compliance flag?

The output of the mapping exercise is not a policy. It is the foundation on which a policy that will actually hold together under scrutiny can be built.

A common error at this stage is to treat the group's Hong Kong holding entity as the only regulated entity and to model the policy around it alone. In reality, operating subsidiaries, treasury vehicles, and joint-venture entities each carry their own compliance obligations in their respective jurisdictions – and a policy built at group level without cascading entity-level schedules will leave gaps that a correspondent bank's compliance team will find.

Step 2 – Establish the applicable sanctions perimeter with precision

Hong Kong implements United Nations sanctions and does not give domestic effect to unilateral measures – such as those maintained by the United States Office of Foreign Assets Control, the European Union, or the United Kingdom – that have not been adopted by the UN Security Council.

That is the legal position. It is not, however, the commercial position faced by an Asia group whose banks, investors, or contractual counterparties operate under or within reach of those unilateral regimes.

The policy must distinguish three categories of obligation clearly:

  • UN-mandated sanctions, implemented in Hong Kong through the United Nations Sanctions Ordinance – these are legal obligations for Hong Kong entities.
  • Extraterritorial reach (the application of a foreign sanctions regime to a Hong Kong entity by reason of its use of that foreign state's currency, financial infrastructure, or personnel) – these are commercial and banking-access risks, not Hong Kong legal obligations, but they are real risks that the policy must acknowledge.
  • Jurisdictional obligations of non-Hong Kong group entities – a Mainland subsidiary, a Singapore trading entity, or a UAE treasury vehicle each sits under its own regulatory perimeter.

The gate at this step is a written sanctions-scope matrix: for each entity in the group, a clear statement of which sanctions lists are screened, on what basis, and who is responsible for maintaining the screening process. Without this matrix, a policy that sets out a general screening obligation is not actionable – and a bank's compliance team reviewing the policy will notice the absence.

We regularly advise on the distinction between legal obligation and banking-channel risk in this context. The two must be addressed separately, because conflating them either understates the commercial risk or overstates the legal obligation – and both errors create problems.

Step 3 – Build the AML policy around the group's actual customer and counterparty profile

An AML policy that treats all counterparties as equivalent is not a policy. It is a statement of aspiration.

The Anti-Money Laundering and Counter-Terrorist Financing Ordinance requires regulated financial institutions to apply customer due diligence (CDD) – a set of identification, verification and ongoing monitoring obligations – calibrated to the risk the customer or transaction presents. For non-financial group entities, the same risk logic applies in practice even where it is not a direct statutory requirement, because the group's banks will apply CDD to the group itself and will expect the group's own processes to reflect a similar discipline.

The practical build is a tiered CDD framework:

  • Simplified due diligence for counterparties that present low risk – established, regulated financial institutions in well-regulated jurisdictions, for example.
  • Standard CDD for the ordinary counterparty population – verifying legal identity, understanding the nature of the relationship, and identifying the ultimate beneficial owner (UBO), meaning the natural person who ultimately owns or controls the counterparty.
  • Enhanced due diligence (EDD) for higher-risk counterparties or transactions – including politically exposed persons (PEPs, meaning individuals who hold or have held prominent public functions, and their close associates), counterparties in higher-risk jurisdictions, complex ownership structures, and transactions that lack an obvious commercial rationale.

The gate at this step is the definition of what triggers EDD in the group's own operating context. A generic policy that lists EDD triggers from a regulatory guidance document without anchoring them to the group's actual business is unlikely to function when a real transaction arrives with a complex or unusual fact pattern.

The common mistake our desk sees at this stage is a policy that sets out correct procedures at the level of principle but leaves the decision about which tier applies to individual staff without clear criteria. The result is inconsistent application – and inconsistency is the fact pattern that produces a regulatory file review.

The sequence above describes the standard position. Your group's policy turns on the actual counterparty population, the jurisdictions engaged, and the banking channels in use – which is precisely where the policy structure is won or lost. To discuss how the AML and sanctions obligations apply to your group's specific cross-border position, contact info@lockhartyip.com.

Step 4 – Design the escalation and transaction-monitoring structure

A policy without an escalation structure is not operational. The written document must identify, for each entity or operational unit, who receives a compliance flag, what that person does with it, and what the time parameters are.

For an Asia group operating across multiple time zones and legal systems, the escalation design raises a practical cross-border question: where is the compliance authority located, and what is the mechanism for a Hong Kong entity to escalate a transaction involving a Mainland counterparty, a CIS payment, or an offshore treasury transfer when the relevant knowledge sits in different jurisdictions?

The structure that works in practice is a two-tier escalation model:

  • A first-tier review at entity level – conducted by the person within the entity closest to the transaction, operating against the criteria set in the CDD framework.
  • A second-tier escalation to a designated group compliance function or, where the group does not have one, to an external adviser – for transactions that the first tier cannot resolve against the written criteria.

The transaction-monitoring obligation runs alongside. For regulated financial institutions under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance, transaction monitoring is a statutory requirement. For non-financial group entities, it is a best-practice discipline that protects banking relationships and reduces the risk of the group being used as a conduit in a scheme the group did not initiate.

The gate at this step is a written record. Every escalation decision – including the decision not to escalate, and the reasons – should be documented. A bank's compliance team, or a regulator, reviewing the group's AML posture will not take comfort from a claim that the group "always screened carefully" without a paper trail to support it.

If an earlier compliance structure or a previous escalation produced an adverse or stalled result with a banking counterparty, a second read can identify the gap and the routes still available. Write to info@lockhartyip.com to discuss.

Step 5 – Address the correspondent banking channel directly

The payment channel is where the policy is tested in practice. For an Asia group, the correspondent banking relationship – through which cross-border payments are cleared – sits at the intersection of the group's own compliance posture and the compliance requirements of the correspondent bank itself.

A correspondent bank operating in a jurisdiction that applies unilateral sanctions regimes will apply its own screening to payments flowing through its network. This is not a legal requirement imposed on the Hong Kong entity at the far end of the transaction. It is a commercial reality that the group must account for in its policy and in its payment-routing decisions.

The practical consequence is that a Hong Kong entity making a payment to a counterparty that appears on a unilateral sanctions list – even if that counterparty is not subject to UN sanctions and the payment is legal under Hong Kong law – may find the payment blocked, frozen, or returned by the correspondent bank. The group's policy should address this scenario explicitly: not as a statement about what the law requires, but as a risk-management procedure that protects the payment channel.

In our cross-border practice, we see this issue arise most frequently in connection with CIS-origin structures, Middle Eastern counterparties, and transactions routed through US dollar clearing. The solution is not to avoid those corridors – which is commercially unacceptable for many Asia groups – but to document the compliance assessment in advance, so that the group can respond to a correspondent bank's query with a prepared file rather than an improvised explanation.

The gate at this step is a pre-transaction compliance memo for any payment that carries a cross-border risk indicator. The memo does not need to be long. It needs to record the screening result, the risk assessment, the approval authority, and the date. That memo is the group's first line of defence when the correspondent bank raises a query.

Step 6 – Train, test, and maintain

A policy that has never been read by the people who are supposed to implement it is not operational. A policy that was accurate when it was written but has not been updated since is not current.

Both are common. Both create the same problem: a gap between the documented position and the actual practice, which is the fact pattern that turns a compliance query into a formal investigation.

The maintenance obligation has three components:

  • Training – at least annual, covering the substance of the policy, the criteria that trigger escalation, and the record-keeping requirements. Training should be recorded, with dates and attendees documented.
  • Testing – periodic review of a sample of transactions against the policy criteria, to verify that the first-tier review process is functioning as designed. Gaps found in testing should be documented and the policy or process amended accordingly.
  • Update cycle – the policy should be reviewed whenever there is a material change in the group's business (new jurisdictions, new counterparty populations, new payment channels), a material change in the applicable sanctions regime, or a development in the regulatory guidance issued by the relevant regulators – including the Securities and Futures Commission and the Hong Kong Monetary Authority where the group has regulated entities.

The cross-border dimension adds complexity here. A sanctions regime update in one jurisdiction may not require immediate policy action in Hong Kong, but it may affect the group's banking relationships in other jurisdictions – and the policy should have a mechanism for identifying and addressing that knock-on effect.

Counsel on our desk regularly see groups that maintain a well-drafted policy at the central level but have no mechanism for cascading updates to entity-level schedules. The entity-level schedules are where transactions actually happen. Updates that do not reach them are, in practice, updates that have not occurred.

Decision checklist: before the policy goes live

Before an internal sanctions and AML policy is adopted by an Asia group, the in-house team should be able to answer each of the following questions positively:

  • Has every entity in the group been mapped, and does each entity have its own schedule or annex setting out its specific obligations and counterparty profile?
  • Does the policy distinguish clearly between UN-mandated sanctions obligations (legal requirements for Hong Kong entities) and the extraterritorial reach of unilateral sanctions regimes (commercial banking-channel risks)?
  • Is the CDD framework tiered, with defined criteria for simplified, standard, and enhanced due diligence that are anchored to the group's actual business?
  • Does the escalation structure identify, by name or role, the person at each entity responsible for first-tier review and the function responsible for second-tier escalation?
  • Is there a pre-transaction compliance memo procedure for payments that carry a cross-border risk indicator?
  • Is there a training schedule, a testing process, and an update cycle with a named owner?
  • Has the policy been reviewed in connection with the group's correspondent banking relationships, to ensure that the documented process will support the group's response to a bank query?

A "no" to any of these questions identifies a gap that should be addressed before the policy is submitted to a bank's compliance team or a regulator's review.

Related practices

Frequently asked questions

What documents are needed for an internal sanctions and AML policy for an Asia group?
The core document set comprises a group-level policy, entity-level schedules (one per operating entity in the group), a sanctions-scope matrix identifying which sanctions lists are screened by which entity, a CDD framework with defined tiering criteria, an escalation and record-keeping protocol, and a training log. For groups with regulated entities in Hong Kong, the policy must also address the specific obligations imposed by the Anti-Money Laundering and Counter-Terrorist Financing Ordinance. The document set should be reviewed and updated whenever there is a material change in the group's business or the applicable regulatory requirements. Parties should verify the current position with qualified advisers before acting.
How does the cross-border element affect an internal sanctions and AML policy for an Asia group?
The cross-border element is the primary driver of complexity. Hong Kong implements United Nations sanctions and does not apply unilateral measures of other states as a matter of Hong Kong law – but the group's correspondent banks, investors, and contractual counterparties may operate under regimes that do apply those measures. The policy must therefore address two distinct tracks: legal obligations under Hong Kong law and the Anti-Money Laundering and Counter-Terrorist Financing Ordinance, and banking-channel risk arising from the extraterritorial reach of unilateral regimes. Non-Hong Kong entities in the group carry their own jurisdictional obligations, which must be reflected in entity-level schedules. The interface between these tracks is where policy gaps most frequently produce commercial disruption.
How long does an internal sanctions and AML policy for an Asia group usually take?
The timeline depends on the complexity of the group structure and the state of existing documentation. For a straightforward group with a Hong Kong holding entity and a small number of operating subsidiaries, the mapping exercise, policy drafting, and internal review cycle can be completed within several weeks. For a larger group with multiple jurisdictions, regulated entities, and complex counterparty populations, the process typically runs to several months. The most time-consuming stage is invariably the entity mapping – not the drafting – which is why groups that invest in the mapping exercise early in the process complete the overall work more efficiently.

Speak with Lockhart & Yip

For a scoped view of your matter, contact info@lockhartyip.com. Discuss your matter →

Related

This publication is general information and does not constitute legal advice. For advice on your situation, contact info@lockhartyip.com.

This site uses only strictly necessary cookies. Non-essential cookies are declined by default. Cookie policy