Trust Overview · 2026-01-09
Internal Control Guidelines for Hong Kong Licensed Trust Companies
The SFC’s 2024-25 annual report, published in June 2025, recorded 43 enforcement actions against licensed corporations, with a material subset involving deficiencies in internal control systems at trust companies and asset managers. This represents a 34% increase from the 32 actions in the prior year, signalling a sustained regulatory focus on operational governance. For licensed trust companies (LTCs) operating under the Hong Kong Trustee Ordinance (Cap. 29) and the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO, Cap. 615), the margin for error has narrowed considerably. The HKMA’s Supervisory Policy Manual (SPM) module IC-1, revised in March 2025, now explicitly extends its “Internal Control Systems” guidelines to trust companies registered under the Trust or Company Service Providers (TCSP) regime, closing a previous gap. For an industry managing an estimated HKD 4.5 trillion in assets under trusteeship in Hong Kong as of end-2024 (source: HKMA 2024 Annual Report), the cost of non-compliance—ranging from fines of up to HKD 10 million per breach under AMLO to licence suspension—demands a precise, documented internal control framework.
The Regulatory Framework for LTC Internal Controls
The SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC (the Code of Conduct), specifically paragraph 4.2, mandates that a licensed corporation “maintain adequate internal control procedures and systems appropriate to the nature and scale of its business.” For LTCs that also hold Type 9 (asset management) or Type 4 (advising on securities) licences, this requirement is non-negotiable. The HKMA’s SPM IC-1, updated in March 2025, provides a more granular set of expectations, including the requirement for a formal internal control policy document approved by the board of directors, reviewed at least annually, and subject to independent audit.
Segregation of Duties and Authorisation Limits
A fundamental tenet of internal control, segregation of duties, is explicitly addressed in SPM IC-1. The HKMA requires that no single individual within an LTC has control over all phases of a transaction, from initiation to settlement and reconciliation. For trust structures involving BVI or Cayman Islands underlying vehicles, this principle extends to the approval of distributions, the execution of investment mandates, and the management of cash flows. Authorisation limits must be documented in a Delegation of Authority (DOA) matrix, approved by the board, and reviewed at least semi-annually. A 2024 SFC enforcement case (SFC v. [Redacted] Ltd., 2024) cited a failure to enforce segregation of duties as a primary factor in a HKD 8.2 million misappropriation of client assets, resulting in a HKD 4.5 million fine and a 12-month suspension of the responsible officer.
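As an added illustration of how the segregation-of-duties and authorisation-limit rules above can be enforced inside a trust administration system (this is example code written for this page, not text from SPM IC-1 or any LTC's manual; the DOA tiers, roles and staff names are constructed assumptions, and the example applies the strict form of the rule, in which one person may act in at most one phase of a transaction):

```python
"""Maker-checker enforcement against a Delegation of Authority (DOA) matrix.

Added example; the tiers, roles and names below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Hypothetical DOA matrix: (amount ceiling in HKD, minimum distinct approvers,
# roles permitted to approve at that tier). The last tier must be unbounded.
DOA_MATRIX: List[Tuple[float, int, Set[str]]] = [
    (500_000, 1, {"trust_manager", "director"}),
    (5_000_000, 2, {"director"}),
    (float("inf"), 3, {"director", "board_member"}),
]

# Hypothetical staff directory (user id -> role), constructed for the example.
STAFF_ROLES = {
    "alice": "trust_officer",
    "bob": "trust_manager",
    "carol": "director",
    "dave": "director",
    "erin": "board_member",
    "frank": "finance_ops",
}


@dataclass
class Distribution:
    """A distribution as it passes through initiation, approval, release and reconciliation."""
    trust_id: str
    amount_hkd: float
    initiated_by: str
    approved_by: List[str] = field(default_factory=list)
    released_by: Optional[str] = None
    reconciled_by: Optional[str] = None


def doa_tier(amount_hkd: float) -> Tuple[int, Set[str]]:
    """Return (minimum approvers, permitted approver roles) for the tier covering the amount."""
    for ceiling, min_approvers, roles in DOA_MATRIX:
        if amount_hkd <= ceiling:
            return min_approvers, roles
    raise ValueError("DOA matrix must end with an unbounded tier")


def control_failures(d: Distribution, roles=STAFF_ROLES) -> List[str]:
    """Check segregation of duties and authorisation limits; an empty list means the item passes."""
    failures: List[str] = []
    min_approvers, permitted = doa_tier(d.amount_hkd)

    # Rule 1: no individual acts in more than one phase of the same transaction.
    phases = {
        "initiate": [d.initiated_by],
        "approve": d.approved_by,
        "release": [d.released_by],
        "reconcile": [d.reconciled_by],
    }
    first_phase = {}
    for phase, users in phases.items():
        for user in {u for u in users if u}:
            if user in first_phase:
                failures.append(f"{user} acted in both {first_phase[user]} and {phase}")
            else:
                first_phase[user] = phase

    # Rule 2: enough distinct approvers, each holding a role the DOA matrix permits at this tier.
    approvers = set(d.approved_by)
    if len(approvers) < len(d.approved_by):
        failures.append("the same user appears more than once as approver")
    for user in sorted(approvers):
        if roles.get(user) not in permitted:
            failures.append(f"{user} ({roles.get(user)}) may not approve HKD {d.amount_hkd:,.0f}")
    if len(approvers) < min_approvers:
        failures.append(f"{len(approvers)} approver(s), {min_approvers} required at this tier")

    # Rule 3: release and reconciliation must both be recorded before the item is closed.
    for phase in ("release", "reconcile"):
        if not phases[phase][0]:
            failures.append(f"{phase} phase not completed")
    return failures


if __name__ == "__main__":
    ok = Distribution("T-001", 300_000, "alice", ["bob"], released_by="frank", reconciled_by="carol")
    bad = Distribution("T-002", 2_000_000, "alice", ["carol"], released_by="alice", reconciled_by="frank")
    print("ok  ->", control_failures(ok) or "passes")
    print("bad ->", control_failures(bad))
```

The check is deliberately written to return every failure rather than stopping at the first, so the compliance log records the full picture of what went wrong with an item; a production system would run it at each phase transition, not only at close.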
Independent Compliance Function and Annual Review
The SFC’s Code of Conduct (paragraph 4.2, note 1) requires an independent compliance function that reports directly to the board or a designated board committee. For LTCs, this function must conduct an annual internal control review, the results of which must be documented and retained for a minimum of seven years under the AMLO (Cap. 615, Schedule 2, Part 2). The review must cover, at a minimum:
- Client asset segregation and reconciliation procedures.
- Transaction monitoring systems for suspicious activity.
- Record-keeping for all trust deeds, settlor instructions, and beneficiary communications.
- Cybersecurity controls, including multi-factor authentication for remote access to trust administration systems.
Operational Controls for Trust Administration
The day-to-day administration of trusts—from the creation of a settlement deed to the distribution of assets to beneficiaries—requires a documented set of operational controls that are specific to the trust structure. The HKMA’s 2025 SPM IC-1 now explicitly references the “Trust Administration Manual” as a required document for all LTCs, a document that must be updated within 30 days of any change in regulatory requirements or business operations.
Client Onboarding and Due Diligence
The AMLO (Cap. 615, Section 5) requires LTCs to conduct customer due diligence (CDD) at the point of establishing a business relationship. For trust structures, this extends beyond the settlor to include the protector (if appointed), the beneficiaries (where identified), and any underlying corporate vehicles. The SFC’s Anti-Money Laundering Guidelines (2023, paragraph 4.3) require LTCs to obtain beneficial ownership information for all legal persons in the trust structure, including BVI business companies, Cayman exempted companies, and Hong Kong private companies. The due diligence file must include:
- Certified copies of passports or national identity cards for all natural persons.
- Certificate of Incorporation and Register of Directors for all corporate entities.
- A source of wealth declaration for the settlor, supported by audited financial statements or bank statements for the preceding 24 months.
- A trust deed summary that identifies the governing law (e.g., Hong Kong, BVI, or Cayman), the type of trust (discretionary, fixed interest, charitable), and the powers reserved to the settlor or protector.
Transaction Monitoring and Suspicious Activity Reporting
The AMLO (Cap. 615, Part 2) requires LTCs to maintain a transaction monitoring system that flags transactions at or above HKD 120,000 (the AMLO Schedule 2 threshold at which customer due diligence is required for an occasional transaction) and any transaction that appears unusual in the context of the trust’s known business profile. The HKMA’s 2025 SPM IC-1 introduces a specific requirement for LTCs to document their “risk-based approach” to monitoring, including:
- A written risk assessment of each trust, updated annually, that categorises the trust as low, medium, or high risk based on the settlor’s jurisdiction, the complexity of the structure, and the nature of the assets.
- A system for automated screening of all transactions and all parties to the trust (settlor, protector, beneficiaries, underlying vehicles and their controllers, and transaction counterparties) against the United Nations Security Council sanctions designations as given effect in Hong Kong, which the SFC circulates to licensed corporations, and any other list applicable to the jurisdictions involved. Name matching must tolerate transliteration and spelling variants rather than rely on exact string comparison, and the population must be re-screened whenever a list is updated.
- A documented escalation process for any flagged transaction, with a decision log that records the rationale for filing or not filing a Suspicious Transaction Report (STR) with the Joint Financial Intelligence Unit (JFIU).
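The monitoring rules and the escalation log described above can be expressed as a small rule engine. The following is an added example written for this page, not a regulator's or vendor's code; the trust risk profiles, the multipliers, the transaction records and the sanctions names are constructed (only the HKD 120,000 figure comes from the text), and the token-based name matching is a simplified stand-in for a production screening tool:

```python
"""Risk-based transaction monitoring with sanctions screening and an STR decision log.

Added example; profiles, multipliers, transactions and list entries are constructed.
"""
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import median
from typing import Optional, Set

# Threshold cited in the text for occasional transactions under AMLO Schedule 2.
TXN_THRESHOLD_HKD = 120_000

# Constructed trust profiles from a hypothetical annual risk assessment: rating,
# jurisdictions the trust normally deals with, and prior transaction amounts.
TRUST_PROFILES = {
    "T-001": {"rating": "low", "jurisdictions": {"HK", "SG"}, "history": [40_000, 55_000, 48_000, 60_000]},
    "T-002": {"rating": "high", "jurisdictions": {"HK", "VG"}, "history": [900_000, 1_100_000, 950_000]},
}
# A higher-risk trust gets a tighter "unusual amount" band relative to its own history.
UNUSUAL_MULTIPLIER = {"low": 5.0, "medium": 3.0, "high": 2.0}

# Constructed names standing in for the sanctions designations an LTC screens against.
SANCTIONS_NAMES = ["Example Designated Entity Ltd", "Jon Doe-Sample"]
CORPORATE_SUFFIXES = {"ltd", "limited", "inc", "co", "corp", "corporation", "llc", "plc"}


def normalise(name: str) -> Set[str]:
    """Fold accents, case, punctuation and corporate suffixes into a bag of tokens."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = "".join(c if c.isalnum() else " " for c in ascii_name.lower())
    return {t for t in cleaned.split() if t not in CORPORATE_SUFFIXES}


def sanctions_hit(counterparty: str) -> Optional[str]:
    """Return the list entry whose tokens all occur in the counterparty name, else None."""
    cp = normalise(counterparty)
    for entry in SANCTIONS_NAMES:
        tokens = normalise(entry)
        if tokens and tokens <= cp:
            return entry
    return None


@dataclass
class Transaction:
    txn_id: str
    trust_id: str
    counterparty: str
    counterparty_jurisdiction: str
    amount_hkd: float


def assess(txn: Transaction, profiles=TRUST_PROFILES) -> dict:
    """Apply threshold, profile-based and sanctions rules; return the flags and required action."""
    p = profiles[txn.trust_id]
    flags = []
    if txn.amount_hkd >= TXN_THRESHOLD_HKD:
        flags.append("threshold")
    if p["history"] and txn.amount_hkd > UNUSUAL_MULTIPLIER[p["rating"]] * median(p["history"]):
        flags.append("unusual_amount")
    if txn.counterparty_jurisdiction not in p["jurisdictions"]:
        flags.append("new_jurisdiction")
    hit = sanctions_hit(txn.counterparty)
    if hit:
        flags.append(f"sanctions:{hit}")
    # A sanctions match always goes straight to the MLRO; other flags are escalated for review.
    action = "escalate_mlro" if hit else ("escalate" if flags else "clear")
    return {"txn_id": txn.txn_id, "rating": p["rating"], "flags": flags, "action": action}


def record_decision(log: list, assessment: dict, officer: str, file_str: bool, rationale: str) -> dict:
    """Append a decision-log entry; an escalated item cannot be closed without a written rationale."""
    if assessment["action"] != "clear" and not rationale.strip():
        raise ValueError("escalated transaction requires a rationale for filing or not filing an STR")
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "txn_id": assessment["txn_id"],
        "flags": list(assessment["flags"]),
        "officer": officer,
        "str_filed": file_str,
        "rationale": rationale.strip(),
    }
    log.append(entry)
    return entry


if __name__ == "__main__":
    decisions = []
    a = assess(Transaction("X2", "T-001", "Example Designated Entity Limited", "KY", 300_000))
    print(a)
    print(record_decision(decisions, a, "mlro", True, "screening match confirmed against list entry"))
```

Two points worth noting in the design: the "unusual" band is relative to each trust's own history and rating rather than a single firm-wide number, which is what "risk-based" means in practice, and the decision log stores the flags that were present at decision time so that a later reviewer can see what the officer saw.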
Cross-Border Trust Structures and Jurisdictional Compliance
The Hong Kong trust industry’s role as a hub for cross-border wealth management, particularly for PRC families establishing BVI or Cayman trusts, introduces additional compliance layers. The HKMA’s 2025 SPM IC-1 explicitly addresses the “cross-border dimension” of internal controls, requiring LTCs to document the regulatory obligations in each jurisdiction where the trust holds assets or has beneficiaries.
PRC Foreign Exchange Controls and Trust Structures
For trusts with PRC settlors, the State Administration of Foreign Exchange (SAFE) Circular 37 (2014) and its subsequent implementing rules require that any outbound direct investment by a PRC resident through a special purpose vehicle (SPV) in a trust structure be registered with SAFE. An LTC must verify that the settlor has obtained the required SAFE registration before accepting any PRC-sourced assets. The SFC’s 2023 AML Guidelines (paragraph 5.2) require LTCs to document the source of funds for all PRC settlors, including a copy of the SAFE registration certificate and a certified translation of the relevant bank remittance records. Failure to do so exposes the LTC to potential liability under the AMLO for failing to prevent money laundering, as well as reputational risk if the trust is later implicated in a PRC regulatory investigation.
BVI and Cayman Regulatory Requirements
Where a trust holds assets through a BVI or Cayman Islands underlying company, the LTC must ensure compliance with the BVI Business Companies Act (Cap. 50) or the Cayman Islands Companies Act (as revised). This includes maintaining a registered office, filing annual returns, and, for Cayman entities, complying with the Economic Substance Act (2018). The LTC’s internal control manual must include a checklist for each jurisdiction, verified at least annually, that confirms:
- The registered agent is in good standing.
- Annual fees have been paid to the BVI Financial Services Commission or Cayman Islands Registrar of Companies.
- For Cayman entities, the economic substance test has been satisfied, including the filing of the annual Economic Substance Return.
- For BVI entities, the Register of Directors has been filed and is up to date.
Technology and Cybersecurity Controls
The digitalisation of trust administration—from online settlement of deeds to cloud-based portfolio management—has made cybersecurity a core internal control requirement. The SFC’s 2024 Circular on Cybersecurity (SFC/IS/2024/01) requires all licensed corporations, including LTCs, to implement a cybersecurity framework that covers data protection, incident response, and third-party vendor management.
Data Protection and Client Confidentiality
The Personal Data (Privacy) Ordinance (PDPO, Cap. 486) requires LTCs to implement “all reasonably practicable steps” to protect client data from unauthorised access or disclosure. For trust structures, this includes the data of settlors, beneficiaries, and underlying corporate entities. The SFC’s 2024 Circular requires:
- Encryption of all client data at rest (AES-256 or an equivalent algorithm) and in transit (TLS 1.2 or later).
- Access controls based on the principle of least privilege, with audit logs that record every access to client data (user ID, timestamp, the record and data category accessed, and whether access was granted or denied) and that are protected from alteration or deletion by the administrators whose actions they record.
- A data retention policy that specifies the retention period for each category of data (e.g., trust deeds retained for the life of the trust plus seven years, CDD records retained for seven years after the termination of the business relationship).
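An added example (not from the SFC circular or any LTC's system) of the least-privilege access check and the access log described above; the role matrix, users and records are constructed, and the log is hash-chained so that editing, removing or reordering an entry after the fact is detectable by anyone who can recompute the chain:

```python
"""Least-privilege reads of client records with a hash-chained access log.

Added example; the role matrix, users and records below are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Hypothetical role matrix: data categories each role may read. Staff who operate the
# platform get no read access to client records at all.
ROLE_PERMISSIONS = {
    "trust_officer": {"trust_deed", "beneficiary_contact"},
    "compliance": {"trust_deed", "cdd_file", "beneficiary_contact"},
    "it_support": set(),
}

# Constructed sample data: record id -> (data category, payload) and user -> role.
SAMPLE_RECORDS: Dict[str, Tuple[str, str]] = {
    "TD-001": ("trust_deed", "Deed of Settlement, Example Family Trust (constructed)"),
    "CDD-001": ("cdd_file", "Settlor CDD file: passport copy, source of wealth (constructed)"),
}
SAMPLE_USERS = {"alice": "trust_officer", "carol": "compliance", "zed": "it_support"}

GENESIS = "0" * 64


class AuditedStore:
    """Serves client records only to permitted roles and logs every attempt, allowed or denied."""

    def __init__(self, records, users):
        self._records = records
        self._users = users
        self.log: List[dict] = []

    def _append(self, **fields) -> dict:
        prev = self.log[-1]["hash"] if self.log else GENESIS
        entry = {"ts": datetime.now(timezone.utc).isoformat(), **fields, "prev": prev}
        # The hash covers the entry body and the previous hash, so an edit or a gap breaks the chain.
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.log.append(entry)
        return entry

    def read(self, user: str, record_id: str) -> str:
        category, payload = self._records[record_id]
        role = self._users.get(user)
        allowed = category in ROLE_PERMISSIONS.get(role, set())
        # Log before returning data, so a failure after the read cannot leave the access unrecorded.
        self._append(user=user, role=role, record=record_id, category=category,
                     outcome="allow" if allowed else "deny")
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not read {category} records")
        return payload

    def verify_log(self) -> bool:
        """Recompute the chain; False means an entry was altered, removed or reordered."""
        prev = GENESIS
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body.get("prev") != prev or expected != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo() -> Tuple[List[str], bool, bool]:
    """Perform one allowed and one denied read, then show that tampering is detected."""
    store = AuditedStore(SAMPLE_RECORDS, SAMPLE_USERS)
    store.read("alice", "TD-001")
    try:
        store.read("zed", "CDD-001")
    except PermissionError:
        pass
    outcomes = [e["outcome"] for e in store.log]
    intact_before = store.verify_log()
    store.log[1]["user"] = "alice"  # an administrator rewriting who was denied
    return outcomes, intact_before, store.verify_log()


if __name__ == "__main__":
    print(demo())
```

In a real deployment the chain head (or the whole log) would be shipped to a separate system that platform administrators cannot write to, since a hash chain only proves tampering to someone who holds a trusted copy of the latest hash.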
Incident Response and Business Continuity
The SFC’s 2024 Circular requires LTCs to maintain a written Incident Response Plan (IRP) that is tested at least annually. The IRP must include:
- A defined incident severity classification system (e.g., Level 1: data breach affecting more than 100 clients; Level 2: ransomware attack; Level 3: system outage exceeding 24 hours).
- A communication protocol that requires notification to the SFC within 24 hours of any Level 1 or Level 2 incident, and to the HKMA within 72 hours for any incident affecting client assets.
- A business continuity plan (BCP) that ensures core trust administration functions—including client communication, transaction processing, and regulatory reporting—can be restored within 48 hours of a major disruption.
Actionable Takeaways
- LTCs must conduct a gap analysis of their existing internal control framework against the HKMA’s SPM IC-1 (March 2025) by 31 December 2025, with a written remediation plan for any identified deficiencies.
- The Delegation of Authority matrix must be reviewed and approved by the board at least semi-annually, with segregation of duties confirmed by an independent compliance team or external auditor.
- For any trust structure involving a PRC settlor, the LTC must obtain and file a certified copy of the SAFE Circular 37 registration before accepting any assets, with a documented verification process.
- The cybersecurity framework must include an annual penetration test conducted by a qualified independent third party, with results reported to the board and to the SFC if any critical vulnerabilities are identified.
- The annual internal control review must be completed and documented by 31 March each year, with the report retained for a minimum of seven years in accordance with AMLO (Cap. 615) requirements.