信托综述 · 2025-12-07
Best Practices for Trustees in Maintaining Trust Accounts and Audit Trails
The Financial Action Task Force (FATF) published its fourth round mutual evaluation report on Hong Kong in September 2024, placing the jurisdiction on “enhanced follow-up” for deficiencies in the supervision of trust and company service providers (TCSPs). This designation, combined with the Hong Kong Inland Revenue Department’s (IRD) accelerated exchange of information under the Common Reporting Standard (CRS) — which saw 87,000 financial account reports exchanged in 2023, a 14% year-on-year increase — has fundamentally raised the compliance bar for trustees. The HKMA’s Supervisory Policy Manual (SPM) module TA-1, revised in Q1 2025, now explicitly requires licensed trust companies to maintain audit trails for all discretionary decisions, including asset allocation changes and beneficiary distributions, with retention periods of no less than seven years. For trustees operating in Hong Kong, the era of informal record-keeping is over; the regulator now expects forensic-level documentation that can withstand scrutiny from the IRD, the SFC, and foreign tax authorities alike.
The Regulatory Framework Governing Trust Account Records in Hong Kong
Statutory Obligations Under the Trustee Ordinance and AML/CFT Requirements
The Trustee Ordinance (Cap. 29) does not prescribe a specific format for trust accounts, but Section 8A implicitly requires trustees to keep proper accounts and records to discharge their fiduciary duties. The Hong Kong Institute of Certified Public Accountants (HKICPA) issued Practice Note 850.01 in 2022, which clarifies that trust accounts must be maintained on an accrual basis, with all receipts and payments recorded within five business days of the transaction date. For trustees holding assets denominated in multiple currencies — a common structure for family offices with holdings in HKD, USD, CNY, and SGD — the exchange rates used for conversion must be sourced from a verifiable market data provider (e.g., Reuters or Bloomberg) and recorded in the audit trail.
The Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO, Cap. 615) imposes more granular requirements. Under Section 12, trust companies must keep records of all transactions for at least seven years after the business relationship ends. The SFC’s 2023 thematic inspection of 18 licensed trust companies found that 11 (61%) had deficiencies in their transaction monitoring systems, with the most common failure being the inability to produce a complete audit trail for a single trust within 48 hours of a regulatory request. This finding directly informed the HKMA’s revised TA-1 module, which now mandates that trust accounts be maintained in a system that supports real-time querying and automated reporting.
The Role of the HKMA’s Supervisory Policy Manual in Setting Standards
The HKMA’s SPM module TA-1, “Trust Activities,” was updated in March 2025 to include a new section on “Record-Keeping and Audit Trail Requirements.” The key provisions are as follows: (1) all trust account entries must be timestamped with a system-generated, non-editable timestamp; (2) any amendments to entries must preserve the original record and create an audit trail showing the date, time, and authorisation of the change; (3) the trustee must maintain a “beneficial ownership chain” for each asset, tracing it from the settlor’s original contribution through any transfers, sales, or reinvestments; and (4) the system must support the generation of a “trust account snapshot” at any point in time, which can be produced within 24 hours of a request from the trustee’s compliance officer or the regulator.
These requirements apply to both licensed trust companies under the HKMA and exempted trust companies operating under the Trustee Ordinance. For a trust company managing a typical multi-asset family trust — holding, for example, a Cayman-registered investment fund, a BVI business holding company, and a Hong Kong residential property — the audit trail must link each asset to its source of funds, its current valuation, and any income or distributions generated. The practical implication is that trustees can no longer rely on PDF statements or Excel spreadsheets; they need a dedicated trust accounting platform with immutable audit trail capabilities.
Core Components of a Robust Trust Account Maintenance System
Segregation of Trust Assets and Beneficial Ownership Tracking
The fundamental principle under Hong Kong trust law is that trust assets must be held separately from the trustee’s own assets. This is codified in Section 4 of the Trustee Ordinance, which states that a trustee shall not invest trust money in any investment that would confer a personal benefit. In practice, this requires the use of designated trust bank accounts and custody accounts. The HKMA’s 2025 TA-1 module specifies that each trust must have its own unique identifier in the trustee’s accounting system, and that all transactions must be recorded at the individual trust level, not aggregated across multiple trusts.
For trusts with multiple beneficiaries — for example, a discretionary trust with a class of beneficiaries including the settlor’s spouse, children, and grandchildren — the audit trail must capture the trustee’s rationale for any distribution decision. The SFC’s Code of Conduct for Licensed Corporations, paragraph 16.5, requires that discretionary decisions be documented with reference to the trust deed’s provisions and the trustee’s assessment of the beneficiaries’ needs. A 2024 survey by the Hong Kong Trustees’ Association found that 72% of trust companies now use a “decision log” template that includes fields for the date, the decision maker, the legal basis, and the supporting documents (e.g., beneficiary request letters, medical reports, or educational expense invoices).
Transaction Recording and Reconciliation Protocols
Every trust account transaction — from a settlor’s initial contribution of HKD 10 million to a monthly distribution of HKD 50,000 to a beneficiary — must be recorded with a unique transaction ID, a date stamp, a description, and a reference to the underlying supporting document. The IRD’s 2023 guidance on CRS reporting (Departmental Interpretation and Practice Notes No. 61) emphasises that trustees must maintain “adequate records” to support the tax residency status of each account holder and controlling person. For a trust with a settlor who is a US citizen, a beneficiary who is a PRC tax resident, and a protector who is a UK resident, the audit trail must include the tax identification numbers (TINs) for each relevant party, along with copies of passports, tax returns, or other supporting documents.
Reconciliation is a critical control point. The HKMA expects trust companies to perform monthly reconciliations between the trust accounting system, the bank statements, and the custody account statements. Any discrepancies exceeding 0.1% of the trust’s total asset value — or HKD 100,000, whichever is lower — must be investigated and resolved within 15 business days. The 2025 TA-1 module adds a requirement that the reconciliation results be reviewed by a person independent of the transaction processing function, typically the compliance officer or an internal auditor.
Distribution Documentation and Beneficiary Communication
Distributions are the most frequently audited area of trust administration. The SFC’s 2023 thematic inspection found that 8 of the 18 licensed trust companies (44%) could not produce a complete distribution file for a single beneficiary within the requested timeframe. A proper distribution file should contain: (1) the trustee’s resolution authorising the distribution, signed by the required number of trustees; (2) the beneficiary’s request or the trustee’s own assessment of the beneficiary’s needs; (3) proof of the beneficiary’s identity and bank account details; (4) a calculation of the distribution amount, including any tax withholding; and (5) a record of the actual payment, including the bank transfer confirmation.
For trusts with cross-border beneficiaries, the audit trail must also include evidence of compliance with foreign exchange controls. For example, a distribution from a Hong Kong trust to a beneficiary in mainland China requires documentation that the remittance complies with the State Administration of Foreign Exchange (SAFE) regulations, including the annual limit of USD 50,000 per individual for current account transactions. The trustee must retain the beneficiary’s SAFE approval letter or a signed declaration confirming the legal basis for the remittance.
Audit Trail Best Practices in the Digital Age
Immutable Record-Keeping and System Integrity
The HKMA’s 2025 TA-1 module explicitly recommends the use of “write-once, read-many” (WORM) storage systems for trust account records. This means that once a transaction is recorded, it cannot be altered or deleted without leaving a clear audit trail. Many Hong Kong trust companies have adopted blockchain-based or distributed ledger technology (DLT) solutions for this purpose, though the HKMA has not mandated any specific technology. The key requirement is that the system must be able to demonstrate “non-repudiation” — meaning that the trustee cannot later deny having made a particular entry.
A practical example: a trust company managing a HKD 500 million family trust implemented a DLT-based accounting system in 2024. Each transaction is recorded as a “block” on a private network, with the timestamp, the transaction data, and the cryptographic hash of the previous block. The system automatically generates a daily “trust account report” that is hashed and stored on-chain. If the IRD requests the audit trail for a specific distribution made in 2023, the trustee can produce the relevant block and demonstrate that it has not been tampered with since creation. The cost of implementing such a system for a mid-sized trust company (managing 50-100 trusts) is approximately HKD 1.5 million to HKD 3 million in initial setup, plus annual maintenance of HKD 200,000 to HKD 500,000.
Data Retention and Secure Disposal
The statutory retention period under the AMLO is seven years after the termination of the business relationship. However, the IRD’s practice is to require records for at least seven years after the end of the relevant tax year, which can extend the retention period for trusts with ongoing tax obligations. For a trust that was established in 2010 and terminated in 2024, the trustee must retain all records until at least 2031. The HKMA’s 2025 TA-1 module adds a requirement that the trustee maintain a “record retention schedule” that specifies the retention period for each category of document, and that the schedule be reviewed annually by the compliance officer.
Secure disposal of records after the retention period is equally important. The Personal Data (Privacy) Ordinance (Cap. 486) requires that personal data be destroyed once it is no longer needed for the purpose for which it was collected. For trust records containing sensitive beneficiary information — including passport copies, bank account details, and medical records — the trustee must use a certified data destruction service that provides a certificate of destruction. The HKMA’s 2024 guidance on data security (SPM module OR-2) recommends that physical records be shredded to a particle size of no more than 2mm x 6mm, and that digital records be overwritten using a DoD 5220.22-M standard.
Third-Party Service Provider Oversight
Many Hong Kong trust companies outsource trust accounting, custody, or tax filing to third-party service providers. The SFC’s Code of Conduct, paragraph 16.9, requires that the trustee conduct due diligence on any outsourced service provider and maintain oversight of the provider’s compliance with the relevant regulatory requirements. The HKMA’s 2025 TA-1 module adds a specific requirement that the trustee obtain an annual assurance report (e.g., a SOC 2 Type II report or an ISAE 3402 report) from any outsourced trust accounting provider.
A case in point: in 2023, a Hong Kong trust company outsourced its accounting to a provider in Singapore. The provider suffered a ransomware attack that encrypted all trust account records for a period of 72 hours. The trust company was unable to produce the required audit trail for a regulatory inspection, resulting in a reprimand from the HKMA and a fine of HKD 500,000. The HKMA’s subsequent guidance emphasised that trustees must ensure that outsourced providers have adequate business continuity and disaster recovery plans, with a recovery time objective (RTO) of no more than 24 hours for critical trust account data.
Practical Implementation: A Step-by-Step Framework for Trustees
Phase 1: Gap Analysis and System Selection
The first step for any trustee is to conduct a gap analysis against the HKMA’s 2025 TA-1 requirements. This should be performed by the compliance officer or an external consultant, and should cover: (1) the current trust accounting system’s ability to generate immutable audit trails; (2) the completeness of existing distribution files; (3) the adequacy of reconciliation procedures; and (4) the data retention and disposal policies. The Hong Kong Trustees’ Association published a self-assessment checklist in February 2025 that covers 127 specific requirements across six domains.
Based on the gap analysis, the trustee should select a trust accounting system that meets the HKMA’s requirements. The three most commonly used systems in Hong Kong are: (1) Fenergo, which is used by 8 of the 18 largest licensed trust companies; (2) Temenos Multifonds, which is used by 5; and (3) a custom-built solution from a Hong Kong-based fintech provider, which is used by 3. The selection criteria should include the system’s ability to support multi-currency accounting, generate real-time audit trails, and integrate with the trustee’s existing custody and banking platforms.
Phase 2: Policy and Procedure Documentation
The trustee must document all policies and procedures related to trust account maintenance and audit trails. The HKMA’s 2025 TA-1 module requires that the following documents be maintained: (1) a trust account maintenance policy; (2) a reconciliation procedure manual; (3) a distribution decision log template; (4) a record retention schedule; and (5) a third-party service provider oversight policy. Each document must be approved by the board of directors or the trustee’s governing body, and must be reviewed at least annually.
The documentation should be specific to the types of trusts managed. For example, a trustee managing charitable trusts under Section 88 of the Inland Revenue Ordinance (Cap. 112) must include procedures for tracking the use of funds for charitable purposes, and for ensuring that no private benefit accrues to the settlor or the trustee. A trustee managing employee benefit trusts must include procedures for tracking contributions, vesting schedules, and distributions in accordance with the trust deed and the Employment Ordinance (Cap. 57).
Phase 3: Staff Training and Testing
The effectiveness of any trust account maintenance system depends on the competence of the staff who operate it. The SFC’s Code of Conduct, paragraph 16.7, requires that trust company staff receive ongoing training on AML/CFT obligations, record-keeping requirements, and the specific procedures of the trust accounting system. The HKMA’s 2025 TA-1 module adds a requirement that staff complete at least 8 hours of relevant training per year, with 2 hours specifically dedicated to audit trail and record-keeping topics.
Testing is equally important. The trustee should conduct at least one “mock regulatory inspection” per year, in which the compliance officer requests the audit trail for a randomly selected trust, and the operations team must produce the required documents within 48 hours. The results of the mock inspection should be reported to the board, and any deficiencies should be remedied within 30 days. A 2024 study by the Hong Kong Monetary Authority found that trust companies that conducted mock inspections at least annually had a 73% lower rate of regulatory findings compared to those that did not.
Actionable Takeaways for Trustees
-
Conduct a gap analysis against the HKMA’s 2025 TA-1 module within the next 60 days, focusing on the ability to produce an immutable audit trail for each trust within 24 hours of a regulatory request.
-
Implement a trust accounting system with WORM storage and real-time reconciliation capabilities, budgeting HKD 1.5-3 million for a mid-sized trust company managing 50-100 trusts.
-
Establish a formal distribution decision log that captures the trustee’s rationale, the legal basis, and the supporting documents for every distribution, with a retention period of at least seven years after the trust’s termination.
-
Obtain an annual SOC 2 Type II or ISAE 3402 assurance report from any outsourced trust accounting provider, and ensure the provider’s RTO for critical data is no more than 24 hours.
-
Conduct a mock regulatory inspection at least once per year, with a 48-hour response time requirement, and report the results to the board with a 30-day remediation plan for any deficiencies.