Hong Kong Stablecoin Issuers’ AML/CFT Regulatory “Trilogy”: Policy Evolution, Institutional Implementation, and Technical Compliance
Background
On July 29, 2025, the Hong Kong Monetary Authority (HKMA) issued multiple guidance and explanatory documents regarding the regulatory regime for stablecoin issuers, which officially takes effect on August 1, 2025. Among them, two sets of guidance were gazetted on August 1, 2025:
- The “Guideline on Licensed Stablecoin Issuers” Consultation Conclusions and the corresponding Guideline;
- The “Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) (for Licensed Stablecoin Issuers)” Consultation Conclusions and the corresponding Guideline;
- The “Summary of the Licensing Regime and Application Procedures for Stablecoin Issuers” related to the licensing system and application process;
- The “Summary of Transitional Provisions for Existing Stablecoin Issuers.”
These documents constitute the core regulatory components for implementing Hong Kong’s stablecoin framework. They include not only summary explanations of licensing applications and transitional arrangements, but also two sets of core AML/CFT frameworks whose content directly concerns whether stablecoin issuers can establish compliant, controllable, and sustainable business frameworks. They also reflect HKMA’s systematic response to money laundering and terrorist financing risks, which is the focus of this interpretation.
Consultation Conclusions and Guidelines Issued in July
Consultation Conclusions: Establishing the Direction for Regulatory Optimization
During the public consultation period from May 26 to June 30, 2025, HKMA received 38 feedback submissions from banks, virtual asset platforms, Web3 companies, technology service providers, law firms, and others. The conclusions primarily address several key issues raised by the industry and revise the originally proposed requirements accordingly:
- Adjusting Regulatory Intensity on Non-Custodial Wallets: The market generally agrees on the need to manage risks related to customer wallets, but some opinions pointed out that current technical and analytical tools cannot effectively distinguish between on-chain non-custodial wallets and custodial wallets. HKMA requires licensees to verify the ownership or control of each customer wallet without categorizing wallet types.
- Flexible Application of On-Chain Monitoring Technologies: Most feedback supports the use of blockchain data to trace transactions but worries that mandatory technical specifications could hinder small and medium enterprises. HKMA adopted the principle of “technology adaptability,” encouraging use rather than mandating specific tools, requiring compliance capacity commensurate with business scale.
- Travel Rule Role Identification: Opinions noted that licensees must clarify whether they act as “originator,” “intermediary,” or “recipient” in transactions to fulfill different obligations. HKMA will continue close collaboration with stakeholders and provide further guidance as appropriate.
- Reasonable Limitation on Secondary Market Responsibilities: On whether stablecoin issuers should assume secondary market monitoring responsibility, some believe issuers should act because they have the most comprehensive understanding and ultimate control over the stablecoin lifecycle. Others argue issuers have limited visibility and control over secondary market and peer-to-peer transactions, especially involving non-custodial wallets, which are technically difficult to monitor. HKMA reiterated the necessity for stablecoin issuers to establish and implement sufficient and appropriate controls to prevent and combat money laundering/terrorist financing and other crimes related to their licensed stablecoin activities. Considering the attractive features of stablecoins to criminals and risks related to peer-to-peer and non-custodial wallets, HKMA will take a cautious approach during the initial implementation. Unless licensees can demonstrate and satisfy HKMA that their risk mitigation measures effectively prevent and combat ML/TF and other crimes, the identity of every stablecoin holder (including holders without a client relationship with the licensee) should be verified by one of the following: (i) the licensee; (ii) a duly regulated financial institution or virtual asset service provider; or (iii) a reliable third party.
In summary, the Consultation Conclusions reflect HKMA’s insistence on regulatory principles while placing greater emphasis on enforceability and regulatory flexibility, responding institutionally to issues such as uneven technology development and market diversity.
Guidelines: Codification and Execution Details
The Guidelines were formulated under section 171 of the Stablecoins Ordinance (Cap. 656) and section 7 of the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO, Cap. 615). They inherit the policy framework of the May Consultation Paper and substantially refine and legally transform it based on July’s Consultation Conclusions regarding non-custodial wallets, technological feasibility, and scope of responsibilities. Unlike the earlier Consultation Paper and Conclusions, which focused on policy design and public feedback, the Guidelines serve as a mandatory compliance manual within Hong Kong’s AML/CFT regulatory framework for stablecoins. They not only specify the obligations of stablecoin issuers but also directly establish administrative accountability, sanction mechanisms, and coordination with the Securities and Futures Commission (SFC).
(I) Scope and Overall Structure
The Guidelines apply to all licensed stablecoin issuers under section 15 of the Stablecoins Ordinance (licensees). A risk-based approach runs throughout the document, reflecting the decentralized, cross-chain, and highly anonymous characteristics of virtual assets. The Guidelines set norms in the following core areas:
- Institutional governance structure and AML framework construction;
- Customer due diligence (CDD) requirements during issuance and redemption;
- Ongoing transaction monitoring mechanisms during stablecoin circulation;
- Management of on-chain wallet types (especially non-custodial wallets);
- Suspicious transaction identification, reporting, and follow-up review obligations;
- Record keeping, staff training, and senior management oversight responsibilities.
(II) Seven Key Regulatory Dimensions
1. Institutional Risk Management Framework
Licensees must establish written internal policies, control systems, and audit procedures to identify, assess, and mitigate money laundering and terrorist financing risks associated with stablecoin activities. Risk assessments should cover customer categories, geography, payment instruments, stablecoin types (single fiat-backed vs multi-asset backed), and on-chain liquidity. A designated AML/CFT compliance officer must report directly to the board. All implementation must be documented and auditable.
2. Customer Due Diligence and Enhanced Due Diligence (CDD and EDD)
The Guidelines classify customer relationships as “business relationships” or “occasional transactions,” setting different CDD intensities accordingly: for ongoing business relationships, licensees must collect identity information, verification documents, beneficial ownership data, and business nature, cross-validated against on-chain behavior. For politically exposed persons (PEPs), high-risk jurisdictions, or use of mixing services, enhanced due diligence (EDD) is required, including proof of funds and increased review frequency.
3. Non-Custodial Wallet Management Measures
Non-custodial wallets are classified as high-risk channels; licensees must not treat them as regulated financial accounts. Specific requirements include:
- Transaction control: set threshold limits for transactions involving non-custodial wallets or restrict them to low-risk redemption;
- Behavior identification and enhanced KYC: record on-chain behavior patterns of first-interaction wallets, applying additional due diligence (e.g., on-chain profiling, address binding);
- Blacklist and whitelist mechanisms: maintain on-chain address databases, blacklisting addresses linked to sanctions or illegal activities;
- Technical monitoring: deploy on-chain analysis tools to regularly scan wallet-transaction behavioral links and generate audit trails if necessary.
Notably, the Guidelines do not ban non-custodial wallets but require their inclusion in behavior-risk based review systems.
4. Stablecoin Transaction Monitoring and Tracking Analysis
HKMA highlights real-time transaction monitoring as a compliance focus. Licensees must have capabilities to:
- Track transaction chains in real-time, identifying high-risk hops, cross-chain bridges, mixers;
- Build databases of on-chain behavior patterns, setting automated alerts for abnormal transaction paths;
- Integrate wallet identification mechanisms to record counterparty identities and address risk;
- Produce compliance review reports supporting HKMA onsite inspections and enforcement interventions.
On-chain monitoring is deemed as important as bank payment monitoring; failure to deploy effective on-chain systems constitutes regulatory failure.
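A sketch of how the wallet controls in section 3 and the hop tracing in section 4 could fit together, as an added example that is not taken from the Guidelines or from SlowMist's tooling: it walks a constructed transfer graph backwards from a wallet to find flagged addresses within a hop limit, then applies ownership, threshold and first-interaction checks. All addresses, labels, the 8,000 limit, the three-hop depth, the decision names and the choice to reject unverified wallets are assumptions.

```python
from collections import deque

# Constructed sample data: labels an issuer's address database might hold.
LABELS = {"0xmixer": "mixer", "0xsanc": "sanctioned", "0xbridge": "bridge"}
REJECT_LABELS = {"sanctioned"}   # blacklisted outright
UNHOSTED_LIMIT = 8_000           # hypothetical per-transfer cap, not an HKMA figure
MAX_HOPS = 3                     # hypothetical tracing depth

# Constructed transfer history as (sender, receiver, amount) tuples.
TRANSFERS = [
    ("0xsanc", "0xa1", 50_000),
    ("0xa1", "0xa2", 49_000),
    ("0xa2", "0xalice", 48_000),
    ("0xmixer", "0xb1", 9_000),
    ("0xb1", "0xbob", 9_000),
    ("0xexch", "0xcarol", 1_200),
    ("0xcarol", "0xexch", 100),   # cycle: the walk must not loop forever
]


def inbound_index(transfers):
    """Map each receiver to the set of addresses that funded it."""
    index = {}
    for sender, receiver, _amount in transfers:
        index.setdefault(receiver, set()).add(sender)
    return index


def trace_flagged_sources(wallet, transfers, labels=LABELS, max_hops=MAX_HOPS):
    """Breadth-first walk backwards along funding edges.

    Returns [(label, path)], where path runs from the flagged address to
    `wallet` and doubles as the audit trail for the alert.
    """
    inbound = inbound_index(transfers)
    hits, seen = [], {wallet}
    queue = deque([(wallet, [wallet])])
    while queue:
        addr, path = queue.popleft()
        if addr in labels:
            hits.append((labels[addr], path))
            continue                      # do not trace past a flagged node
        if len(path) - 1 == max_hops:
            continue                      # hop budget used up on this branch
        for src in sorted(inbound.get(addr, ())):
            if src not in seen:
                seen.add(src)
                queue.append((src, [src] + path))
    return hits


def screen_transfer(wallet, amount, ownership_verified, first_interaction,
                    transfers=TRANSFERS):
    """Return (decision, reasons, hits) for a transfer involving `wallet`."""
    hits = trace_flagged_sources(wallet, transfers)
    reasons = [f"{label} within {len(path) - 1} hop(s)" for label, path in hits]
    if not ownership_verified:
        reasons.append("wallet ownership or control not verified")
    if any(label in REJECT_LABELS for label, _ in hits) or not ownership_verified:
        return "reject", reasons, hits
    if amount > UNHOSTED_LIMIT:
        reasons.append("amount above non-custodial wallet limit")
    if first_interaction:
        reasons.append("first interaction with this wallet")
    return ("escalate" if reasons else "allow"), reasons, hits
```

The returned path is the piece worth persisting with the alert, since it records which hops linked the wallet to the flagged address at the time of the decision.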
5. Suspicious Transaction Identification and Reporting Obligations (STR Mechanism)
Licensees must submit Suspicious Transaction Reports (STRs) to the Joint Financial Intelligence Unit (JFIU) within a reasonable time upon discovering or suspecting client involvement in illicit activities, abnormal on-chain behaviors, or unexplained asset sources, including:
- Customer identity, address, and transaction type;
- Involved stablecoin types, amounts, and wallets;
- System alerts and personnel responses at suspicion time;
- Handling measures and follow-up (e.g., freezing, restriction).
Regulators will audit STR systems and response logs regularly to verify effective handling. STR mechanisms should integrate with on-chain monitoring and KYC modules to support automated assistance.
6. Data and Record-Keeping Requirements
The Guidelines impose strict retention periods:
- Customer due diligence data (including on-chain address mappings): minimum 5 years;
- Transaction records (on-chain data including path snapshots, transaction tags, address analysis): minimum 5 years;
- Risk assessments, internal reviews, system parameter changes: HKMA may require extended retention.
Licensees must ensure records are traceable, secure, and tamper-proof for audit purposes.
7. Staff Training and Organizational Culture
All employees involved in customer identification, transaction monitoring, risk assessment, and compliance reporting must undergo regular AML/CFT training prior to employment. Senior management and board members must receive training clarifying responsibilities, ensuring resource allocation and policy enforcement. HKMA may inspect training systems and effectiveness records; discovering “paper compliance” will be treated as serious violations.
(III) Legal Liability and Regulatory Enforcement Mechanisms
Non-compliance with the Guidelines can trigger enforcement actions:
- HKMA may suspend, restrict, or revoke stablecoin issuer licenses;
- Serious violations may be referred to law enforcement under the AML Ordinance or other criminal laws.
HKMA reserves rights to conduct surprise inspections, risk assessment interviews, and technical system audits, cooperating closely with the Securities and Futures Commission (SFC), Customs, and JFIU for integrated enforcement.
(IV) Summary of Regulatory Significance and Logic
The issuance of the Guidelines legally responds to the Consultation Paper and Conclusions, marking a shift from “principle-based” to “mechanism-based” regulation. Compared with traditional finance, stablecoin risks are more dynamic and on-chain behaviors harder to define. The Guidelines represent:
- A full regulatory cycle from policy proposal (May) → consultation conclusions (July) → statutory enforcement (August);
- Introduction of on-chain behavior supervision, evolving AML towards “visualizable, verifiable, and traceable” systems;
- Balance of regulatory rigor and compliance flexibility, emphasizing “clear responsibility boundaries” and “quantifiable, controllable risks”;
- A testbed for future expansion to on-chain payments, asset tokenization (e.g., RWA), and cross-chain compliance.
These Guidelines form essential operational standards for licensees and a core interface for technical service providers (e.g., on-chain monitoring, identity verification, address management) engaging with Hong Kong’s regulatory regime.
Comparison of the Three Documents
The May 2025 Consultation Paper, July 2025 Consultation Conclusions, and August 2025 Guidelines form a complete loop of design, revision, and enforcement for Hong Kong’s stablecoin AML/CFT regime. They reflect HKMA’s cautious identification of stablecoin risks and regulatory expectations while demonstrating evolving feasibility and enforceability considerations based on market feedback. Comparing their structure and content reveals the regulatory logic and key changes from “principle setting” to “operational guidance”:
The Consultation Paper proposed a preliminary framework emphasizing core regulatory principles and objectives, focusing on ML/TF risks and areas such as customer due diligence, non-custodial wallet management, transaction monitoring, and STR reporting, accompanied by draft guidelines to solicit market feedback on regulatory direction and technology paths.
The Consultation Conclusions absorbed 38 market opinions, addressed controversies (e.g., whitelist mechanisms, difficulty categorizing non-custodial wallets, Travel Rule practicability), and introduced more enforceable revisions. Notably, the Conclusions tightened regulatory positions by cancelling the whitelist proposal and reinforcing non-client identity verification obligations.
The Guidelines, effective August 2025, legally establish stablecoin issuers’ AML/CFT obligations in a more systematic and detailed manner. They translate principles into compliance workflows, add enforcement and sanction mechanisms, and enable inter-agency cooperation, ensuring binding and enforceable regulatory goals.
Key hierarchical progressions and differences include:
- Regulatory requirements shift from abstract principles to rigid operational rules: e.g., the Paper suggested blockchain analytics tools for tracing illicit funds, while the Guidelines specifically require external technology providers with real-time monitoring capabilities, due diligence on coverage, update frequency, and accuracy, making the tools responsible for compliance evidence.
- Significant change in non-custodial wallet management strategies: the Paper proposed a whitelist mechanism for secondary market risk control; the Conclusions removed this idea, requiring identity verification for all non-client holders unless effective risk mitigation can be proven. The Guidelines inherit and codify this revision, extending KYC obligations from clients to all holders, reflecting fundamental regulatory caution toward DeFi anonymity.
- Travel Rule regulation evolves from principle to enforcement framework: The Paper introduced Travel Rule as an AML clause; the Guidelines elaborate execution details including tiered amounts, payer/intermediary/payee obligations, encrypted transmission, missing data handling, and vendor due diligence, establishing comprehensive Travel Rule supervision for stablecoin transfers consistent with FATF standards.
- Legal liabilities and enforcement powers fully clarified: The Guidelines add many enforcement provisions including license impact for violations, regulatory intervention on record retention, and on-site system inspections. The Paper barely addressed enforcement deterrence.
- Enhanced governance and audit requirements: The Guidelines strengthen AML/CFT organizational oversight, mandating senior management supervision, appointment of compliance officer and MLRO with defined responsibilities, independent audits reporting directly to the board, and integrity and fitness requirements for staff hiring — aspects not elaborated in the prior two documents.
Overall, the Paper provides a conceptual blueprint outlining regulatory goals and directions; the Conclusions make substantive revisions defining bottom lines and core obligations; the Guidelines complete legal, procedural, and operational formalization, reflecting HKMA’s international-standard-based, locally adapted, and strict control approach to emerging risks. Particularly in non-custodial wallet handling, Travel Rule implementation, technical vendor due diligence, and full record retention, the Guidelines have moved beyond “recommendations” to binding legal regulations offering licensees clear, practical, and auditable compliance frameworks.
Compliance and Security Solutions
Although the Guidelines effective August 1, 2025 have refined and strengthened many specific requirements compared to the Consultation Paper, SlowMist’s previously developed compliance solutions based on the Paper (especially the “SlowMist: Smart Contract Implementation Guidelines for Stablecoin Issuers in Hong Kong” and the “SlowMist: Leading Compliance and Security for Hong Kong Stablecoin Issuers” co-developed with ecosystem partners) remain highly compatible as compliance references for the current Guidelines in terms of logical framework, systemic design, and technical modules.
On one hand, the Smart Contract Guide already covers many technical control measures consistent with the Guidelines’ formal requirements, providing a reference blueprint for licensees’ contract architecture.
On the other hand, the risk management and AML/CFT solution, drawing from SlowMist’s practical experience in blockchain security, compliance auditing, and risk management, offers strong operational technology solutions and implementation pathways.






Overall, the Guidelines cover broad and complex compliance requirements spanning technology, operations, governance, and AML/CFT. This solution focuses only on interpretation and response strategies for select key clauses and does not provide full coverage of all requirements. Furthermore, stablecoin issuers’ compliance systems must be continuously optimized and adjusted based on business scenarios, technology architecture, and regulatory dynamics. The solutions presented here are based on current technical capabilities and industry practices and may require further adjustment or supplementation depending on actual business needs, technology evolution, and regulatory changes. It is recommended that issuers engage with professional compliance and security service providers (such as SlowMist) and stay abreast of the latest regulatory guidance to ensure completeness and effectiveness of their compliance frameworks.
Summary
Through a consultation draft, market feedback summary, and formal Guideline, the HKMA has established a legally binding, clear, and accountable stablecoin AML/CFT regulatory framework. This system responds to FATF’s international virtual asset regulation standards and supports Hong Kong’s ambition as a global fintech hub, safeguarding market stability and user rights. With the regime effective August 1, 2025, stablecoin issuers will face unprecedented regulatory compliance challenges. Meeting these requires establishing organizational governance, adopting technical tools, enhancing on-chain visibility management, and strengthening employee compliance awareness, truly realizing the regulatory logic that “compliance equals market access.”
Reference Links
[1] Consultation Paper on Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) Requirements for Licensed Stablecoin Issuers, May 2025
https://www.hkma.gov.hk/media/eng/regulatory-resources/consultations/20250526_Consultation_Paper_on_the_Proposed_AMLCFT_Req_for_Regulated_Stablecoin_Activities.pdf
[2] Consultation Conclusions on AML/CFT Guidelines for Licensed Stablecoin Issuers, July 2025
https://www.hkma.gov.hk/media/eng/doc/key-functions/ifc/stablecoin-issuers/Consultation_conclusions_aml_stablecoin.pdf
[3] Guideline on AML/CFT for Licensed Stablecoin Issuers, effective August 2025
https://www.hkma.gov.hk/media/chi/doc/key-functions/banking-stability/aml-cft/Guideline_on_Anti-Money_Laundering_and_Counter-Financing_of_Terrorism_For_Licensed_Stablecoin_Issuers_chi.pdf
