Hong Kong’s “Trilogy” of AML/CFT Supervision for Stablecoin Issuers

Background

On July 29, 2025, the Hong Kong Monetary Authority (HKMA) issued several guidelines and explanatory documents on the regulatory regime for stablecoin issuers, which will officially come into effect on August 1, 2025. Two sets of guidelines were gazetted on August 1, 2025.

• Consultation Summary of the "Guidelines for the Supervision of Licensed Stablecoin Issuers"and the

• Consultation Summary of the "Guidelines on Combating Money Laundering and Counter-Terrorist Financing (Applicable to Licensed Stablecoin Issuers)"

• Consultation Summary of the "Guidelines on Combating Money Laundering and Counter-Terrorist Financing (Applicable to Licensed Stablecoin Issuers)"

• ；

•  Related to the licensing system and application proceduresSummary Explanation of the Licensing Regime for Stablecoin Issuers

• Summary Explanation of the Transitional Provisions for Existing Stablecoin Issuers

Consultation summary and guidelines released in July

Consultation summary: establishing the direction of system optimization

During the public consultation period from May 26 to June 30, 2025, the HKMA received a total of 38 feedbacks from banks, virtual asset platforms, Web3 companies, technology service providers and law firms. The summary document mainly responds to industry concerns around the following key issues and revises the original proposed requirements accordingly:

• Non-custodial

• Flexible application of on-chain monitoring technology: The majority of opinions support the use of blockchain data to track transactions, but there are concerns that mandatory technical specifications will hinder small and medium-sized enterprises. The HKMA ultimately adopted the principle of "technical adaptation", encouraging the use of specific tools rather than mandating them, and requiring compliance capabilities to be commensurate with the scale of the business. Travel Rule Role Identification: The opinion points out that licensees need to clearly identify whether they are the "initiator," "intermediary," or "recipient" in a transaction in order to fulfill their different obligations. The HKMA stated that it will continue to work closely with industry stakeholders and provide further guidance where appropriate. Reasonable Limitation of Secondary Market Responsibility: Regarding whether stablecoin issuers should assume secondary market monitoring responsibilities, some opinions believe that issuers should play a role because they have the most comprehensive understanding and ultimate control over the stablecoin life cycle. Other opinions believe that issuers have limited visibility and control over secondary market transactions, and it is technically difficult to monitor every peer-to-peer transaction, especially those involving non-custodial wallets. The HKMA’s response reiterated the need for stablecoin issuers to establish and implement adequate and appropriate control systems to prevent and combat money laundering/terrorist financing and other crimes in their licensed stablecoin activities; given that certain features of stablecoins are attractive to criminals, as well as the risks associated with peer-to-peer transactions and non-custodial wallets, the HKMA will adopt a cautious approach in the initial implementation; unless the licensee can demonstrate to the satisfaction of the HKMA that its risk mitigation measures are effective in preventing and combating money laundering/terrorist financing and other crimes, the identity of each stablecoin holder (including holders who have no client relationship with the licensee) should be verified by one of the following parties: (i) the licensee; (ii) an appropriately regulated financial institution or virtual asset service provider; or (iii) a reliable third party.

To sum up, the Consultation Conclusions demonstrate that the HKMA, while adhering to regulatory principles, places greater emphasis on enforceability and regulatory flexibility, and has made institutional responses to real issues such as uneven technological development and market diversity.

Guidelines: Institutional Provisions and Implementation Details

The Guidelines are authorized by Article 171 of the Stablecoin Ordinance (Cap. 656) and Article 7 of the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO, Cap. 615). They not only inherit the policy framework of the Consultation Document in May, but also make substantial refinements and legal transformations based on the feedback on non-custodial wallets, technical feasibility and scope of responsibility in the Consultation Summary in July. Unlike the previous "Consultation Document" and "Consultation Summary" which focused on policy design and public feedback, the "Guidelines" constitute a compliance operation manual with mandatory enforcement power in Hong Kong's stablecoin AML/CFT regulatory framework. It not only stipulates the obligations that stablecoin issuers need to fulfill, but also directly establishes institutional mechanisms such as administrative accountability, violation penalties and coordination with the Securities and Futures Commission.

(I) Scope of Application and Overall Structure

The Guidelines are aimed at all stablecoin issuers (licensees) licensed under Article 15 of the Stablecoin Regulations. The document adopts a "risk-based" approach throughout its main axis, combining the decentralized, cross-chain and high anonymity characteristics of virtual assets to set regulations for the following core areas:

• Governance at the Institutional Level

  Structure

• Due diligence requirements for customers during the issuance and redemption process;

• stable coin

• Continuous transaction monitoring mechanism in circulation;

• management measures for on-chain wallet types (especially non-custodial wallets);

• obligations for identifying, reporting and subsequent review of suspicious

• transaction records

• Preservation, employee training, and senior management oversight responsibilities. (II) Seven Key Regulatory Dimensions 1. Institutional Risk Management Framework Licensees must establish written internal policies, control systems, and audit procedures to identify, assess, and mitigate money laundering and terrorist financing risks associated with stablecoin activities. Risk assessments should cover customer categories, regions, payment instruments, stablecoin types (single fiat currency vs. multi-asset pegged), and on-chain liquidity. A dedicated AML/CFT compliance officer should be appointed, reporting directly to the board of directors. The implementation of all systems must be documented and traceable for subsequent audits. 2. Customer Due Diligence and Enhanced Due Diligence (CDD and EDD) The Guidelines categorize customer relationships into "business relationships" and "incidental transactions," and set due diligence intensity accordingly: If a business relationship is established through ongoing interactions with a customer, the licensee must collect their identity information, verification documents, information on actual controllers, and the nature of their business, and cross-verify their risk level based on on-chain behavior. If the customer involves politically exposed persons (PEPs), operates in high-risk jurisdictions, or uses currency mixing services, enhanced due diligence (EDD) must be implemented, including but not limited to proof of source of funds and increased frequency of ongoing reviews.

  3. Management measures for non-custodial wallets

  The Guidelines clearly state that non-custodial wallets are regarded as high-risk channels and licensees shall not equate them with regulated financial accounts. Specific requirements include:

  • Transactions

  • Control measures: Set limit thresholds for transactions involving non-custodial wallets, or only allow them to participate in low-risk redemption links;

  • Behavior

  Identification and KYC enhancement: The on-chain behavior patterns of wallets interacting for the first time must be recorded, and a series of additional due diligence steps must be taken (such as on-chain profiling and address binding records);

  • Blacklist and whitelist mechanism: Establish an on-chain address database and blacklist wallet addresses identified as being associated with sanctions or illegal activities;

  • TechnologyMonitoring requirements: It is necessary to deploy on-chain analysis tools to regularly scan the behavioral linkage between wallets and transactions, and generate audit trail reports when necessary.

  It is worth noting that the "Guidelines" do not prohibit the use of non-custodial wallets, but require them to be included in the "behavioral risk-based" review system.

  4. Stablecoin transaction monitoring and tracking analysis

  The Hong Kong Monetary Authority has made the identification and tracking of stablecoin transfer paths on the chain one of its compliance focuses. Licensees must establish a real-time transaction monitoring mechanism and have the following capabilities:

  • Real-time

    Track transaction links and identify high-risk hops, cross-chain bridges, mixers and other behaviors; Establish an on-chain behavior pattern database and set automatic alarms for abnormal transaction paths; Connect with the wallet identification mechanism to record counterparty identity and address risks; Output Compliance review report to support the HKMA's on-site spot checks and law enforcement intervention.

  On-chain monitoring is considered to be as important as bank payment monitoring. Failure to deploy an effective on-chain system will be regarded as institutional failure. 5. Suspicious Transaction Identification and Reporting Obligations (STR Mechanism) In all cases where a licensee discovers or suspects that a client is involved in illegal activities, abnormal on-chain behavior, or unexplained source of assets, the licensee must submit a suspicious transaction report (STR) to the Joint Financial Intelligence Unit (JFIU) within a reasonable time: Types, quantities and wallets of stablecoins involved; System prompts and personnel responses when suspicious behavior occurs; Handling measures and subsequent follow-up (such as freezing and restriction of rights).

Regulatory authorities will regularly spot-check the STR system and response logs to verify whether suspicious incidents are effectively handled. At the same time, the STR mechanism should be linked with on-chain monitoring and KYC modules to form an automatic auxiliary generation mechanism.

6. Data and Record Retention Requirements

The Guidelines establish strict time limits for compliance data records:

• Customer

  Due diligence related materials (including on-chain address mapping information): at least 5 years;

• Transaction

(III) Legal responsibilities and supervisory power enforcement mechanism

The consequences of violating the Guidelines are not just suggestive amendments, but may also trigger the following law enforcement actions:

• The Financial Supervisory Authority may suspend, restrict or revoke the stablecoin issuance license;

• In serious cases, the case will be handed over to law enforcement agencies for handling in accordance with the Anti-Money Laundering Ordinance or other criminal laws. In addition, the HKMA reserves the right to conduct surprise inspections, risk assessment interviews, and technical system verifications, and will collaborate with multiple departments including the Hong Kong Monetary Authority (HKMA), the Securities and Futures Commission (SFC), the Customs and Excise Department, and the JFIU to carry out comprehensive law enforcement.

  (IV) Summary of institutional significance and regulatory logic

  The launch of the Guidelines is not only a legal response to the Consultation Paper and the Consultation Conclusions, but also reflects the important leap of the Hong Kong regulatory authorities from a "principle-oriented" to a "mechanism-oriented" approach. Compared with traditional finance, the risks in the stablecoin field are more dynamic and on-chain behavior is more difficult to characterize. Therefore, the institutional significance of the "Guidelines" is reflected in:

  • From

  • policy

  • introducing

  • on-chain behavior supervision mechanism to enable AML The system evolves towards “visualization, verifiability and traceability”;

  • balances

  • regulatory rigidity and compliance flexibility, emphasizing “clear boundaries of responsibility” and “controllable and quantifiable risks”;

  • provides a system testing platform for

  future expansion to on-chain payments, asset tokenization (such as RWA), cross-chain compliance, etc.

  The Guidelines are an indispensable implementation standard for licensees’ operational compliance and are also the core interface for technology service providers (such as providers of tools such as on-chain monitoring, identity authentication, and address management) to connect with the Hong Kong regulatory system.

  Comparative Analysis of Three Documents

  The Consultation Paper published in May 2025, the Consultation Conclusions published in July 2025, and the Guidelines to be gazetted in August 2025 constitute a complete closed loop for Hong Kong’s stablecoin AML/CFT regulatory regime, from design and revision to implementation. These three documents reflect the HKMA's careful identification of the unique risks associated with stablecoins and its regulatory expectations. They also reflect the continuous adjustment and deepening of regulatory feasibility and enforceability in response to market feedback. A comparison of their structure and content reveals the logical evolution and key changes in the regulatory framework from "principle-setting" to "practical guidance." On the one hand, the Consultation Paper (May 2025) proposes a preliminary framework, establishing core regulatory principles and objectives, with a particular emphasis on the ML/TF risks associated with stablecoin activities. It also outlines proposals in areas such as customer due diligence, non-custodial wallet management, transaction monitoring, and STR reporting. The document is accompanied by draft guidance, intended to encourage market participants to provide feedback on regulatory direction and technical approaches. Subsequently, the HKMA's Consultation Conclusions (July 2025) reflected the HKMA's incorporation of 38 market comments and addressed specific contentious issues (such as the whitelisting mechanism, the difficulty in classifying non-custodial wallets, and the operability of the Travel Rule), proposing more enforceable amendments. Notably, the Consultation Conclusions reflected a tightening regulatory stance on several core requirements, such as the removal of the whitelist concept and the strengthening of non-customer identity verification obligations. Finally, the Guidelines, slated for publication and implementation in August 2025, will formally establish the legal obligations of licensed stablecoin issuers regarding AML/CFT compliance. The Guidelines are more systematic and detailed than the previous two documents, enhancing their enforceability and reviewability through enumeration, operational procedures, and document retention requirements. The Guidelines not only transform principled requirements into compliance operational procedures, but also introduce supervisory enforcement mechanisms, penalty mechanisms, and cross-agency cooperation powers to ensure that regulatory objectives have binding force and enforcement power. In terms of content, the three documents reflect the following hierarchical progression and key differences: 1. Regulatory requirements shift from abstract principles to rigid operations: For example, the Consultation Paper proposes the use of blockchain analysis tools to track illicit funds, while the Guidelines specifically require the use of external technology service providers with real-time monitoring capabilities and conduct due diligence on their coverage, update frequency, and accuracy, emphasizing that the tools themselves must bear the burden of compliance. 2. A major shift in non-custodial wallet management strategies: The Consultation Paper proposed a "whitelist mechanism" as a possible measure to control secondary market risks, but the Consultation Conclusions abandoned this idea in favor of requiring identity verification for all non-client holders, unless the licensee can demonstrate the effectiveness of other controls. The Guidelines inherit and solidify this revision, explicitly requiring the identity verification of all stablecoin holders in the absence of evidence supporting the effectiveness of risk mitigation. This change extends the licensee's KYC obligations from clients to "holders," reflecting regulators' fundamental vigilance against the anonymity structure of DeFi. 3. The Travel Rule Regime Shifts from Principles to an Implementation Framework: In the Consultation Document, the Travel Rule was proposed as a clause within the AML framework. In the Guidelines, its implementation requirements are significantly refined, including amount tiers, the division of obligations between remitters, intermediaries, and recipients, encrypted transmission mechanisms, procedures for addressing missing information, and due diligence standards for technology vendors. This ultimately establishes a comprehensive regulatory model for due diligence of stablecoin counterparties. This fully localizes the FATF technical standards. 4. Comprehensive Clarification of Legal Responsibilities and Supervisory Powers: The Guidelines add numerous new regulatory enforcement provisions, including penalties for non-compliance (affecting licensing eligibility), regulatory intervention in record retention periods, and the authority to conduct on-site inspections of technical systems and operational procedures. In contrast, the Consultation Paper devoted very little attention to this issue, failing to provide a deterrent to law enforcement. 5. Significantly Strengthened Organizational Governance and Audit Requirements: The Guidelines strengthen oversight of AML/CFT organizational structures, requiring the establishment of a senior management oversight mechanism, the designation of a Compliance Officer (CO) and a Money Laundering Reporting Officer (MLRO), and the clarification of their respective responsibilities. They also introduce independent audit requirements, requiring them to report directly to the board of directors, and stipulate that integrity and suitability should be considered in the selection and appointment of staff. These details were not elaborated upon in the previous two documents.

  Overall, the Consultation Document is more of a conceptual blueprint, proposing regulatory objectives and directions; the Consultation Conclusions make substantive revisions based on market feedback, clarifying regulatory baselines and core obligations; and the Guidelines complete the legalization, operationalization, and proceduralization of regulatory requirements, reflecting the HKMA's regulatory approach of basing itself on international standards, combining local realities, and strictly preventing and controlling emerging risks. In particular, in key areas such as non-custodial wallet processing strategies, the Travel Rule implementation mechanism, due diligence standards for technical tools, and the retention of records throughout the entire process, the Guidelines are no longer just "reference suggestions" but rather clear, legally binding regulatory provisions, establishing a followable, operational, and auditable implementation system for licensees.

  Compliance and Security Solutions

  Although the Guidelines, which will take effect on August 1, 2025, have refined and strengthened many specific requirements compared to the Consultation Paper, the compliance solutions previously built by the SlowMist team based on the Consultation Paper, especially the

  Smart Contract Implementation Guidelines for Stablecoin Issuers in Hong Kong

  Stablecoin Risk Management and Anti-Money Laundering/Counter-Terrorist Financing (AML/CFT) Compliance and Security Solutions

  On the one hand, the Smart Contract Guidelines already cover a number of technical control measures that are consistent with the formal requirements of the Guidelines, providing a reference blueprint for licensees to build contract structures. On the other hand, the "Stablecoin Risk Management and Anti-Money Laundering/Counter-Terrorist Financing (AML/CFT) Compliance Security Solution" is based on the SlowMist team's practical experience in blockchain security, compliance auditing, and risk management. The recommended technical solutions and implementation paths are also highly operational.

  

  

  

  Summary

  The Hong Kong Monetary Authority has established a legally binding, clearly defined, and clearly defined AML/CFT regulatory framework for stablecoins through a consultation draft, a market review, and a formal guideline. This framework not only responds to the FATF's international requirements for virtual asset regulation but also provides important institutional support for Hong Kong's development as an international hub for fintech, while protecting market stability and user rights. With the new regulations officially taking effect on August 1, 2025, stablecoin issuers will face unprecedented regulatory compliance challenges. Against this backdrop, the regulatory logic of "compliance means market access" can only be truly realized through the establishment of organizational governance, the introduction of technical tools, enhanced on-chain visibility, and the improvement of employee compliance awareness. Reference links: [1] Consultation Paper on the Proposed AMLCFT Req for Regulated Stablecoin Activities issued in May 2025. Consultation Conclusions on the “Guidelines on Combating Money Laundering and Counter-Terrorist Financing (Applicable to Licensed Stablecoin Issuers)” published in July 2025

  https://www.hkma.gov.hk/media/eng/doc/key-functions/ifc/stablecoin-issuers/Consultation_conclusions_aml_stablecoin.pdf

  [3] Formal Guidelines on the “Guidelines on Combating Money Laundering and Counter-Terrorist Financing (Applicable to Licensed Stablecoin Issuers)” effective August 2025

  text="">https://www.hkma.gov.hk/media/chi/doc/key-functions/banking-stability/aml-cft/Guideline_on_Anti-Money_Laundering_and_Counter-Financing_of_Terrorism_For_Licensed_Stablecoin_Issuers_chi.pdf