Hong Kong stablecoin issuer AML/CFT regulatory "three-step"

Background

On July 29, 2025, the Hong Kong Monetary Authority ( HKMA ) released multiple guidelines and explanatory documents for the regulatory regime for stablecoin issuers, which will officially come into effect on August 1, 2025. Two sets of guidelines will be published in the gazette on August 1, 2025.

• Consultation Summary of the "Guidelines for Regulating Licensed Stablecoin Issuers" and the Guidelines;
• Summary of the consultation on the "Guidelines for Combating Money Laundering and Terrorist Financing (Applicable to Licensed Stablecoin Issuers)" and the guidelines;
• Summary of the Licensing System for Stablecoin Issuers related to the licensing system and application procedures;
• Summary of the Provisions for the Transition of Existing Stablecoin Issuers

**These documents constitute the core regulatory components for the implementation of the Hong Kong stablecoin system: They not only include summary descriptions related to license applications and regulatory transitions but also include two core specifications developed around the AML / CFT( framework, which are directly related to whether stablecoin issuers can establish a compliant, controllable, and sustainable business framework. This also reflects the Hong Kong Monetary Authority's systematic response to money laundering and terrorist financing risks, which is also the focus of this article's interpretation.

Summary and Guidelines of the Consultation Released in July

) Consultation Summary: Establishing the Direction for System Optimization

During the public consultation period from May 26 to June 30, 2025, the Monetary Authority received a total of 38 feedback submissions from banks, virtual asset platforms, Web3 companies, technology service providers, and law firms. The summary document primarily addresses several key issues of concern to the industry and revises the originally proposed requirements accordingly:

• Adjustment of Non-Custodial Wallet Regulation Intensity: There is a general consensus in the market that the risks associated with managing client wallets need to be addressed. However, some opinions point out that due to current technological and analytical tool limitations, it is difficult to effectively distinguish between non-custodial and custodial wallets on the blockchain. The monetary authority requires licensees to verify the ownership or control of each client wallet without the need to classify wallet types.
• Flexible application of on-chain monitoring technology: Most opinions support the use of blockchain data to track transactions, but there are concerns that mandatory technical specifications will hinder small and medium-sized enterprises. The Monetary Authority ultimately adopted the principle of "technological adaptability," encouraging the use of specific tools rather than mandating them, and requiring compliance capabilities to match business scale.
• Travel Rule Role Identification: The opinion states that licensees must clearly identify whether they are the "originator," "intermediary," or "beneficiary" in transactions to fulfill different obligations. The Monetary Authority indicated that it will continue to work closely with industry stakeholders and provide further guidance when appropriate.
• Reasonable Limitations on Secondary Market Responsibilities: Regarding whether stablecoin issuers should bear the responsibility for monitoring the secondary market, some opinions suggest that issuers should play a role because they have the most comprehensive understanding and ultimate control over the stablecoin lifecycle. Other opinions argue that issuers have limited visibility and control over secondary market transactions and that it is technically challenging to monitor every peer-to-peer ### transaction, especially those involving non-custodial wallets. The Monetary Authority's response reiterated the necessity for stablecoin issuers to establish and implement adequate and appropriate control systems to prevent and combat money laundering/terrorist financing and other criminal activities in their licensed stablecoin operations; considering that certain characteristics of stablecoins are attractive to criminals, and the risks associated with peer-to-peer transactions and non-custodial wallets, the Monetary Authority will adopt a cautious approach during the initial implementation; unless licensees can demonstrate to the Monetary Authority and satisfy it that their risk mitigation measures effectively prevent and combat money laundering/terrorist financing and other crimes, the identity of every stablecoin holder (including holders without a client relationship with the licensee) should be verified by one of the following parties: ( i ) licensee; ( ii ) appropriately regulated financial institutions or virtual asset service providers; or ( iii ) reliable third parties.

In summary, the "Consultation Summary" reflects the Monetary Authority's increasing emphasis on enforceability and regulatory flexibility while adhering to regulatory principles, and provides institutional responses to practical issues such as uneven technological development and market diversity.

( Guidelines: Institutional Code of Conduct and Implementation Details

The "Guidelines" are formulated under the authorization of Article 171 of the "Stable Coin Ordinance" (Chapter 656) and Article 7 of the "Anti-Money Laundering and Counter-Terrorism Financing Ordinance" (AMLO, Chapter 615). They inherit the policy framework of the May "Consultation Paper" and have been substantively refined and legally transformed based on the feedback regarding non-custodial wallets, technical feasibility, and scope of responsibility from the July "Consultation Summary". Unlike the earlier "Consultation Paper" and "Consultation Summary" which focused on policy design and public feedback, the "Guidelines" constitute a compliance manual with enforceability within Hong Kong's stable coin AML/CFT regulatory framework. It not only stipulates the obligations that stable coin issuers must fulfill but also directly establishes institutional mechanisms for administrative accountability, violation penalties, and coordination with the Securities and Futures Commission.

(1) Scope of Application and Overall Structure

The "Guidelines" are aimed at all stablecoin issuers (licensees) that are licensed under Article 15 of the "Stablecoin Regulation." The document is centered around a "risk-based" approach, incorporating the decentralized, cross-chain, and highly anonymous characteristics of virtual assets, and sets out regulations in the following core areas:

• Institutional governance structure and AML system framework construction;
• Due diligence requirements for clients during the issuance and redemption process;
• Continuous trading monitoring mechanism in stablecoin circulation;
• Management measures for on-chain wallet types (especially non-custodial wallets);
• Obligation to identify, report, and follow up on suspicious transactions;
• Record keeping, employee training, and senior management oversight responsibilities.

(2) Seven Key Regulatory Dimensions

1. Institutional Risk Management Framework

Licensees must establish written internal policies, control systems, and audit procedures to identify, assess, and mitigate the money laundering and terrorist financing risks associated with stablecoin activities. The risk assessment should cover customer categories, geographic locations, payment instruments, types of stablecoins (fiat-backed vs multi-asset-backed), and their on-chain liquidity; a dedicated AML/CFT compliance officer should be appointed to report directly to the board; all system implementations must be documented and available for post-audit traceability.

2. Customer Due Diligence and Enhanced Due Diligence ) CDD and EDD ###

The "Guidelines" categorize customer relationships into "business relationships" and "occasional transactions," and set the due diligence intensity accordingly: if a customer establishes a business relationship through ongoing interactions, the licensee must collect their identity information, verification documents, beneficial owner information, and nature of business, and cross-verify the risk level with on-chain behavior. If the customer involves politically exposed persons (PEPs), high-risk jurisdictions, or uses mixing services, enhanced due diligence (EDD) must be implemented, including but not limited to proof of funds source and increased frequency of ongoing reviews.

3. Management Measures for Non-Custodial Wallets

The "Guidelines" clearly state that non-custodial wallets are considered high-risk channels, and licensees must not equate them with regulated financial accounts. Specific requirements include:

• Trading control measures: Set limit thresholds for transactions involving non-custodial wallets, or only allow participation in low-risk redemption phases;
• Behavior recognition and enhanced KYC: The on-chain behavior patterns of the first interaction wallet must be recorded, and a series of additional due diligence steps must be taken (such as on-chain profiling, address binding records);
• Blacklist and Whitelist Mechanism: Establish an on-chain address database to blacklist wallet addresses identified as being related to sanctions or illegal activities;
• Technical monitoring requirements: On-chain analysis tools need to be deployed to regularly scan the behavioral interactions between wallets and transactions, and generate audit trail reports when necessary.

It is worth noting that the "Guidelines" do not prohibit the use of non-custodial wallets, but rather require their inclusion in a "behavioral risk-based" review system.

4. Stablecoin Trading Monitoring and Tracking Analysis

The Hong Kong Monetary Authority has made the identification and tracking of stablecoin on-chain transfer paths one of the compliance focuses this time. Licensees must establish real-time transaction monitoring mechanisms and possess the following capabilities:

• Real-time tracking of transaction links to identify high-risk jumps, cross-chain bridges, mixers, and other behaviors;
• Establish an on-chain behavior pattern database to set up automatic alerts for abnormal trading paths;
• Integrated with wallet recognition mechanism to record the identity and address risk of trading counterparties;
• Output compliance review report, supporting on-site inspections and law enforcement intervention by the Monetary Authority.

On-chain monitoring is considered as important as bank payment monitoring; failing to deploy an effective on-chain system will be regarded as institutional negligence.

5. Suspicious Transaction Identification and Reporting Obligations (STR Mechanism)

In all cases where it is discovered or suspected that a customer is involved in illegal activities, on-chain behavior is abnormal, or the source of assets cannot be explained, the licensee must submit a suspicious transaction report (STR) to the Joint Financial Intelligence Unit (JFIU) within a reasonable time.

• Customer identity, address, transaction type;
• Types and quantities of stablecoins involved and wallets;
• System prompts and personnel responses when suspicious behavior occurs;
• Handling measures and follow-up (such as freezing, limiting privileges).

Regulatory authorities will conduct regular spot checks on the STR system and response logs to verify whether suspicious events have been effectively handled. At the same time, the STR mechanism should be linked with on-chain monitoring and KYC modules to form an automatic auxiliary generation mechanism.

6. Data and Record Keeping Requirements

The "Guidelines" establish strict timelines for compliance data records:

• Customer due diligence related materials (including on-chain address mapping information): to be kept for at least 5 years;
• Transaction records (on-chain data including path snapshots, transaction tags, address analysis reports): retained for at least 5 years;
• Risk assessment, internal review, system parameter change records: The Monetary Authority may require an extension of the retention period.

License holders should ensure that all records have traceability, security, and tamper-proof capabilities for compliance audits.

7. Employee Training and Organizational Culture

All employees involved in customer identification, transaction monitoring, risk assessment, and compliance reporting must undergo regular AML/CFT training before starting their jobs. Executives and board members must receive training on defined responsibilities to ensure proper resource allocation and implementation of systems. The Monetary Authority may conduct spot checks on the training system and effectiveness records, and if it finds that the system is merely a formality, it will be considered a serious violation.

(3) Legal Liability and Regulatory Authority Enforcement Mechanism

The consequences of violating the "Guidelines" are not merely advisory corrections; they may also trigger the following enforcement actions:

• The Monetary Authority may suspend, restrict, or revoke the issuance license of stablecoins;
• In serious cases, the matter will be handed over to law enforcement agencies for handling in accordance with the Anti-Money Laundering Ordinance or other criminal laws.

In addition, the Monetary Authority reserves the power for spot checks, risk assessment interviews, and technical system inspections, and will carry out comprehensive law enforcement in collaboration with multiple departments such as the Hong Kong Monetary Authority, the Hong Kong Securities and Futures Commission (SFC), Customs, and JFIU.

(4) Summary of System Significance and Regulatory Logic

The introduction of this "Guideline" is not only a legal response to the "Consultation Document" and the "Consultation Summary", but also reflects a significant shift of the Hong Kong regulatory authorities from a "principle-based" approach to a "mechanism-based" approach. Compared to traditional finance, the risks in the stablecoin sector are more dynamic, and on-chain behaviors are harder to qualify. Therefore, the institutional significance of the "Guideline" is reflected in:

• From policy initiatives (May) → consultation summary (July) → legal enforcement (August), completing a complete institutional closed loop.
• Introduce on-chain behavior supervision mechanisms to evolve the AML system towards "visualization, verification, and traceability";
• Balance the rigidity of regulation with compliance flexibility, emphasizing "clear boundaries of responsibility" and "controllable and quantifiable risks";
• Provide a regulatory trial platform for future expansion into on-chain payments, asset tokenization (such as RWA), cross-chain compliance, etc.

The Guidelines are an indispensable execution standard for licensed operators' compliance operations and serve as the core interface for technology service providers (such as those offering on-chain monitoring, identity verification, address management tools, etc.) to connect with the Hong Kong regulatory system.

Comparative Analysis of Three Documents

The "Consultation Document" published in May 2025, the "Consultation Summary" published in July 2025, and the "Guidelines" to be published in August 2025 together form a complete closed loop of the regulatory system for stablecoin AML/CFT in Hong Kong, from design to amendment to execution. These three documents not only reflect the Hong Kong Monetary Authority's prudent identification of the unique risk characteristics of stablecoins and regulatory expectations but also show the continuous adjustment and deepening of regulatory feasibility and enforceability in response to market feedback. By comparing the structure and content of the three, it is not difficult to see the logical evolution and key changes of the regulatory system from "principle setting" to "operational guidelines."

On one hand, the "Consultation Document" (May 2025) proposes a preliminary framework that establishes the core principles and objectives of regulation, particularly emphasizing the ML/TF risks associated with stablecoin activities, and presents ideas in areas such as customer due diligence, non-custodial wallet management, transaction monitoring, and STR reporting. The document includes a draft guidance intended to guide market participants in providing feedback on regulatory directions and technical pathways.

Subsequently, the "Consultation Summary" (July 2025) reflected the Monetary Authority's absorption of 38 market opinions and responded to specific contentious issues (such as the whitelist mechanism, difficulties in classifying non-custodial wallets, and the operability of the Travel Rule) by proposing more enforceable revisions. It is worth noting that the "Consultation Summary" has already shown a tightening of regulatory positions on several core requirements, such as the cancellation of the whitelist concept and the strengthening of non-customer identity verification obligations.

Ultimately, the "Guidelines" will come into effect in August 2025, officially establishing the legal obligations of licensed stablecoin issuers in terms of AML/CFT compliance. The content is more systematic and detailed than the previous two documents, enhancing its enforceability and auditability through means such as enumeration, operational steps, and document retention requirements. These "Guidelines" not only transform principled requirements into compliance operational processes but also introduce regulatory enforcement mechanisms, penalty mechanisms, and cross-agency cooperation powers to ensure that regulatory objectives are binding and enforceable.

In terms of content, there are the following hierarchical advancements and key differences among the three.

1. Regulatory requirements shift from abstract principles to rigid operations: for example, the "Consultation Document" proposes using blockchain analysis tools to track illegal funds, while the "Guidelines" specifically require the use of external technology service providers with real-time monitoring capabilities, and due diligence should be conducted on their coverage, update frequency, and accuracy, emphasizing that the tools themselves must also bear compliance proof responsibilities.

2. Significant Shift in Non-Custodial Wallet Management Strategy: The "Consultation Document" proposed a "whitelist mechanism" as a possible measure to control risks in the secondary market, while the "Consultation Summary" canceled this idea and shifted to requiring identity verification for all non-customer holders, unless the licensee can prove that other control measures are effective. The "Guidelines" inherit and solidify this revision, explicitly requiring identity verification for all stablecoin holders in the absence of evidence supporting the effectiveness of risk mitigation. This change extends the licensee's KYC obligations from customers to "holders," reflecting regulatory fundamental vigilance towards the anonymity structures in DeFi.

3. The Travel Rule system shifts from principles to an execution framework: In the "Consultation Document", the Travel Rule is proposed as a requirement under the AML framework, while in the "Guidelines", its execution requirements are significantly refined, including amount grading, obligations division among remitters/intermediaries/recipients, encrypted transmission mechanisms, information deficiency handling procedures, and technical supplier due diligence standards, ultimately establishing a comprehensive regulatory model for "stablecoin transfers and due diligence for financial institutions". This reflects the complete localization of FATF technical standards.

4. Legal responsibilities and regulatory power systems are fully clarified: The "Guidelines" add a large number of regulatory enforcement provisions, including penalties for non-compliance (impacting licensing qualifications), regulatory intervention rights regarding record retention periods, and descriptions of authority for on-site verification of technical systems and operational processes. In contrast, the "Consultation Document" touches on this very little, failing to create an enforcement deterrent.

5. Organizational governance and audit requirements are significantly strengthened: The "Guidelines" enhance the supervision of AML/CFT organizational structure, requiring the establishment of a senior management oversight mechanism, appointing a compliance officer (CO) and a money laundering reporting officer (MLRO), and clarifying their division of responsibilities. At the same time, independent audit requirements are introduced, requiring them to report directly to the board of directors, and stipulating that employee recruitment should consider integrity and suitability. These contents were not elaborated in the previous two documents.

Overall, the "Consultation Paper" is more of a conceptual blueprint, proposing regulatory goals and directions; the "Consultation Summary" makes substantive revisions based on responses to market feedback, clarifying regulatory bottom lines and core obligations; while the "Guidelines" finalize the legal, operational, and procedural handling of regulatory requirements, reflecting the Monetary Authority's regulatory path that is based on international standards, combined with local realities, and strictly preventing new types of risks. Particularly in key areas such as non-custodial wallet handling strategies, the implementation mechanisms of the Travel Rule, technical due diligence standards, and full process record retention, the "Guidelines" are no longer just "reference suggestions," but rather regulatory provisions with clear legal binding force, establishing an execution system that is followable, operable, and auditable for licensees.

Compliance and Security Solutions

Although the Guidelines, which will come into effect on August 1, 2025, have refined and strengthened several specific requirements compared to the Consultation Document, the compliance solutions built by the SlowMist( team based on the Consultation Document, particularly the "Smart Contract Implementation Guidelines for Stablecoin Issuers in Hong Kong" and the "Stablecoin Risk Management and Anti-Money Laundering / Counter-Terrorism Financing (AML / CFT) Compliance Security Solution" developed in collaboration with ecosystem partners, can still provide highly adaptable compliance reference paths for the current Guidelines in terms of logical architecture, systematic design, and technical modules.

On one hand, the smart contract guidelines have included multiple technical control measures that are consistent with the formal requirements of the "Guidelines", providing a reference framework for licensees to construct contract architectures.

!)(https://img-cdn.gateio.im/webp-social/moments-9db2533bf0770d1ff81d17aa46f93259.webp)

On the other hand, the "Stablecoin Risk Management and Anti-Money Laundering / Counter-Terrorism Financing (AML / CFT) Compliance Security Solutions" are based on the practical experience of the SlowMist[Image] team in blockchain security, compliance auditing, and risk management. The recommended technical solutions and implementation paths also possess strong operability.

Overall, the compliance requirements covered by the "Guidelines" are extensive and complex, involving multiple dimensions such as technology, operations, governance, anti-money laundering ( AML / CFT ), etc. This proposal focuses only on the interpretation of certain key provisions and the provision of response strategies, and does not constitute a complete coverage of all requirements of the "Guidelines". In addition, the compliance system of stablecoin issuers needs to be continuously optimized and adjusted in conjunction with business scenarios, technical architecture, and regulatory dynamics. The solutions listed in this proposal are based on the analysis of current technical capabilities and industry practices and may require further adjustments and supplements based on actual business needs, technological evolution, and changes in the regulatory environment. It is recommended that issuers maintain ongoing communication with professional compliance and security service institutions (such as Slow Mist Technology) based on their own business characteristics and refer to the latest guidelines from relevant regulatory agencies to ensure the integrity and effectiveness of the compliance system.

Summary

The Hong Kong Monetary Authority has established a legally effective, clearly defined, and accountable regulatory framework for stablecoin AML/CFT through a consultation draft, a round of market summary, and a formal guideline. This system not only responds to the international requirements of the FATF for virtual asset regulation but also provides important institutional support for Hong Kong to build an international fintech hub, protect market stability, and safeguard user rights. With the system officially taking effect on August 1, 2025, stablecoin issuers will face unprecedented regulatory compliance challenges. In this context, it is necessary to establish organizational governance, introduce technological tools, strengthen on-chain visibility management, and enhance employees' compliance awareness to truly achieve the regulatory logic of "compliance equals market access."

Reference link:

The consultation document "Guidelines for Combating Money Laundering and Terrorist Financing (Applicable to Licensed Stablecoin Issuers)" published in May 2025 (

) Consultation Summary of the "Guidelines for Combating Money Laundering and Terrorist Financing (Applicable to Licensed Stablecoin Issuers)" to be released in July 2025.

( The official guidelines on "Guidelines for Combating Money Laundering and Terrorist Financing (Applicable to Licensed Stablecoin Issuers)" effective August 2025.