Bridge Corporate Services
Nelson Sousa · May 7, 2026

What Are the AML/CFT Obligations for Hong Kong TCSP Companies in 2026?

Understand the full AML/CFT compliance obligations for Hong Kong TCSP companies in 2026, including CDD, STR, record-keeping, MLRO duties and risk assessments.

In 2026, Hong Kong Trust or Company Service Providers (TCSPs) are required to implement a comprehensive Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) framework as a condition of maintaining their licence. These obligations are governed primarily by the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO), Cap. 615, and enforced by the Companies Registry. Failure to meet these requirements carries serious consequences, including licence suspension, financial penalties, and criminal prosecution.

AML/CFT compliance for TCSP operations is not a checkbox exercise — it is an ongoing operational responsibility that shapes how you onboard clients, monitor transactions, train staff, and report suspicious activity. This article breaks down every core obligation your business must meet in 2026 and explains how technology and expert guidance can make sustained compliance achievable.


The Legal Framework Governing AML/CFT Compliance for TCSP Businesses

The primary legislative instrument is the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO), which was significantly amended to bring TCSPs under the regulatory remit of the Companies Registry beginning in March 2018. The Companies Registry serves as the licensing authority and the frontline regulator for TCSP AML/CFT compliance in Hong Kong.

The Financial Action Task Force (FATF), the global AML/CFT standard-setter of which Hong Kong is a member through the Asia/Pacific Group on Money Laundering (APG), periodically evaluates Hong Kong's compliance with its 40 Recommendations. Hong Kong's 2019 Mutual Evaluation Report highlighted specific areas where TCSPs needed to strengthen their controls — and regulators have responded with more rigorous expectations in the years since.

The Hong Kong Monetary Authority (HKMA) and the Securities and Futures Commission (SFC) issue supplementary guidance relevant to financial institutions with overlapping service lines, providing additional context for TCSPs operating at the intersection of corporate services and financial activity.


Core AML/CFT Obligations Every TCSP Must Meet in 2026

1. Customer Due Diligence (CDD) and Know Your Customer (KYC)

TCSPs must conduct CDD on all clients before establishing a business relationship. This includes:

  • Verifying the identity of the client and any beneficial owners holding 25% or more of the entity
  • Identifying and verifying the identity of persons acting on behalf of the client
  • Understanding the nature and purpose of the proposed business relationship
  • Conducting ongoing due diligence throughout the relationship

For higher-risk clients — including politically exposed persons (PEPs), clients from high-risk jurisdictions, or complex ownership structures — Enhanced Due Diligence (EDD) is mandatory. The risk level determines the depth and frequency of review.

2. Beneficial Ownership Identification

One of the most scrutinised areas in TCSP AML/CFT compliance is the accurate identification of ultimate beneficial owners (UBOs). Under the AMLO and associated guidance, TCSPs must trace ownership chains through corporate layers until a natural person is identified. This requirement has become more rigorous as regulators across Hong Kong, the Cayman Islands, and the British Virgin Islands align their UBO registers and information-sharing protocols.

3. Risk-Based Approach (RBA)

The AMLO requires TCSPs to adopt a documented risk-based approach. This means conducting a firm-wide risk assessment, maintaining a written AML/CFT policy, and calibrating due diligence measures to the risk profile of each client and transaction. A one-size-fits-all approach is non-compliant. Your policy must be reviewed and updated regularly — at least annually — or whenever there is a material change to your business or client base.

4. Ongoing Transaction Monitoring

TCSPs are required to monitor client activity on a continuous basis to identify transactions that are inconsistent with the established client profile, business purpose, or expected activity pattern. Unusual or suspicious transactions must trigger an internal escalation process.

5. Suspicious Transaction Reporting (STR)

Where there are reasonable grounds to suspect that a transaction or activity involves proceeds of crime or terrorist financing, the TCSP's designated Money Laundering Reporting Officer (MLRO) must file a Suspicious Transaction Report (STR) with the Joint Financial Intelligence Unit (JFIU). This obligation exists regardless of transaction value. In 2023, the JFIU received over 135,000 STRs from reporting institutions across Hong Kong's financial system — a figure reflecting the scale and seriousness with which the reporting obligation is taken.

6. Record-Keeping

All CDD records, transaction records, and account files must be retained for a minimum of six years from the end of the business relationship or the date of the transaction. Records must be stored in a manner that allows them to be retrieved promptly on request by the Companies Registry or law enforcement agencies.

7. Staff Training and Awareness

TCSPs must implement a regular AML/CFT training programme for all staff who handle client relationships or transactions. Training must cover the recognition of red flags, the firm's internal reporting procedures, and applicable legal obligations. New employees must be trained before they begin client-facing duties.

8. Appointment of a Qualified MLRO

Every licensed TCSP must appoint a Money Laundering Reporting Officer. The MLRO is responsible for receiving internal suspicious activity reports, making STR filings with the JFIU, and overseeing the firm's day-to-day AML/CFT compliance. The MLRO must be sufficiently senior, qualified, and empowered to perform this function effectively — a standard that the Companies Registry applies strictly during licensing reviews and inspections.


What Happens During a TCSP AML/CFT Inspection?

The Companies Registry conducts both routine and targeted inspections of licensed TCSPs. During an inspection, examiners review:

  • The firm-wide risk assessment and AML/CFT policy documentation
  • A sample of client files to assess CDD and EDD quality
  • Transaction monitoring records and escalation logs
  • STR filing history and internal reporting procedures
  • Staff training records and the MLRO's qualifications
  • Record-keeping systems and data security arrangements

Deficiencies discovered during inspection can result in formal warnings, conditions imposed on the licence, financial penalties, or, in serious cases, licence revocation. For firms with operations spanning Singapore, London, or other international hubs, a Hong Kong licence suspension creates reputational damage that extends well beyond the Hong Kong SAR.


How Technology Strengthens AML/CFT Compliance for TCSP Firms

Managing AML/CFT obligations manually across a growing client base is operationally unsustainable and creates unacceptable compliance risk. Purpose-built compliance platforms allow TCSPs to automate KYC data collection, schedule CDD reviews based on risk tier, flag transaction anomalies in real time, and generate audit-ready documentation with minimal manual effort.

Bridge Services offers a purpose-built SaaS platform for client and compliance management specifically designed for Hong Kong TCSPs. The platform centralises client onboarding, automates risk-based review scheduling, and maintains comprehensive audit trails aligned with AMLO requirements — giving compliance teams visibility and control across every client relationship.

For TCSPs operating across multiple jurisdictions (including the Cayman Islands, British Virgin Islands, Switzerland, and Singapore), a centralised compliance platform is not a luxury; it is essential operational infrastructure.

You can explore how compliance software features support your obligations in the detailed breakdown on trust services compliance software.


Frequently Asked Questions: AML/CFT Compliance for TCSP

Q: What is the minimum record-keeping period for AML/CFT records under the AMLO?

A: TCSPs must retain all CDD documents, transaction records, and business correspondence for a minimum of six years from the date the business relationship ends or the transaction occurs. Records must be retrievable on short notice if requested by the Companies Registry or law enforcement.

Q: Does AML/CFT compliance for TCSP require a full-time in-house compliance officer?

A: Not necessarily. The AMLO requires a qualified MLRO to be appointed, but many licensed TCSPs — particularly smaller firms — meet this obligation through outsourced compliance arrangements, provided the MLRO has sufficient authority, independence, and involvement in the firm's day-to-day compliance activities. The Companies Registry evaluates substance over structure.

Q: How often must a TCSP review its firm-wide risk assessment?

A: The risk assessment must be reviewed at least annually and updated promptly whenever there is a material change to the business model, client base, service offerings, or the regulatory environment. Regulators expect to see evidence of genuine, reasoned review, not a rubber-stamp date update on an unchanged document.


Building a Sustainable AML/CFT Compliance Programme

AML/CFT compliance for TCSP businesses is most effective — and least burdensome — when it is designed as a business system rather than a reactive task list. The firms that navigate inspections cleanly are those that have embedded compliance into their client onboarding workflow, automated their monitoring and review schedules, and invested in qualified personnel or expert partners to oversee the programme.

Bridge Services provides end-to-end TCSP company setup and licensing consulting, including the design and implementation of AML/CFT frameworks that satisfy the Companies Registry's requirements from day one. For firms already licensed and looking to strengthen their existing programme, our advisory team provides gap analysis, policy drafting, MLRO support, and platform implementation.

AML/CFT compliance is not a cost of doing business — it is the foundation of credibility in the trust services sector. A TCSP that cannot demonstrate robust controls cannot retain institutional clients, access correspondent banking, or withstand regulatory scrutiny. The investment in a properly designed compliance programme is, in every practical sense, an investment in the firm's long-term viability.


The 2026 Regulatory Outlook for Hong Kong TCSPs

Hong Kong's AML/CFT regime continues to evolve in response to FATF updates and domestic policy priorities. In 2026, TCSPs should anticipate:

  • Increased inspection frequency from the Companies Registry, particularly for firms that have not been reviewed since initial licensing
  • Greater scrutiny on virtual asset-related clients, following the licensing of virtual asset service providers (VASPs) under the SFC's expanded remit
  • Cross-border information sharing with regulators in the BVI, Cayman Islands, and other offshore centres where Hong Kong TCSPs frequently facilitate corporate structures
  • Technology expectations, with regulators increasingly expecting firms to demonstrate that their monitoring is systematic and documented, not ad hoc

Firms that treat their AML/CFT programme as a living compliance system — updated in response to regulatory guidance, staffed by qualified professionals, and supported by fit-for-purpose technology — are positioned to grow with confidence. Those that do not will find themselves managing regulatory fires rather than building a business.


For TCSPs considering their compliance architecture for 2026 and beyond, the starting point is a clear-eyed assessment of current gaps against the AMLO requirements outlined above. Bridge Services offers structured compliance reviews and expert guidance on Hong Kong TCSP regulations, AML/CFT implementation, and technology deployment — designed for both new applicants and established licence holders looking to raise their compliance standard.

Last Reviewed: July 2025

Bridge Corporate Services Limited is incorporated in Hong Kong as a Limited Company under company number 2604159
