Table of Contents Show
HKMA Fines Banks HK$16.2m for Transaction-Monitoring Failures: IOBHK (HK$8.5M), BCOM (Hong Kong) (HK$4M), BCOM Hong Kong Branch (HK$3.7M) to Run Look-Back and Remedial Plan; HKMA Sending Clear Message: Gaps in TMS Coverage Will Not Be Tolerated, Even When Dealt With Responsibly
What happened (and why it matters)
On July 22, 2025, the Hong Kong Monetary Authority (HKMA) disclosed the punishments. HKMA approved three banks for a total of HK$16.2 million for non-compliance with ongoing monitoring requirements in their AML programs: IOBHK, BCOM (Hong Kong), and BCOM Hong Kong Branch, respectively fined HK$8.5 million, HK$4 million, and HK$3.7 million. IOBHK has a supplementary obligation to execute a look-back process and implement a remedial plan.
HKMA further found insufficient senior-management oversight for IOBHK and ordered the supervised completion of a look-back and submission of a remediation program.
Insight: HKMA’s emphasis is effectiveness over paperwork. If the system can’t see the transaction, nothing else in your AML program matters.
“Fix by Monday” plan for Heads of Compliance
- Map the firehose. Map your product and channel catalogs to what your TMS ingests and monitor. Ensure every transaction type as well as new feature releases by your core banking and channels make it into the rules engine. Document exceptions.
- Change control. No TMS ingestion checklist in place for critical attributes including data fields, file sizes, late files, retries, etc.? Connect core-banking and channel change tickets to it and allow no deploy until TMS ingestion checklist is complete.
- Coverage KPIs. No way to monitor coverage in the TMS? Fix it: minimum KPIs should include % of total transactions in monitoring, alert latency, rules utilization, and % of customers included in ongoing monitoring; report to the board monthly.
- Triggerable look-backs. Pre-agree on thresholds for missing feeds >24h, schema drift, etc. to auto-launch retrospective reviews.
- QA sampling. If your platform floods you with alerts, start with risk-stratified sampling on alerts per week, testing alignment of alerts to customer risk profiles.
The Hong Kong rules you’ll be judged against
AMLO Schedule 2, s.5(1)(b) requires that “carrying out ongoing monitoring…for the purpose of verifying that… the business relationship and transactions being conducted…continue to be consistent with the institution’s knowledge of the customer and the customer’s risk profile and sources of funds.” This clause is the anchor for the actions.
Insight: HKMA treats transaction monitoring as a core control. “Good intentions” or a clean enforcement history may soften penalties, but won’t save you if coverage is broken.
Tools & shortlists (when your stack isn’t keeping up)
If your platform can’t reliably ingest multi-channel data or drowns you in false positives, start with our Best AML Software Providers list for current market options and architectures.
Evaluating watchlist/screening & TM data quality? See our ComplyAdvantage review for coverage notes and API depth.
Tight onboarding-to-monitoring loop? Our KYCAID review covers IDV + liveness pipelines that feed AML contexts.
Quick FAQ
Which banks were penalised and by how much? IOBHK (HK$8.5M), BCOM (Hong Kong) (HK$4M), BCOM Hong Kong Branch (HK$3.7M).
What did HKMA focus on? Gaps in transaction-monitoring coverage and weak oversight. HKMA ordered IOBHK to perform a look-back exercise and submit to a remediation plan.
What’s the legal hook? Ongoing monitoring duties in AMLO, Cap. 615, Schedule 2.
