Hong Kong Sets New Global Standard for Stablecoin Travel Rule Compliance

August 1, 2025

Schwartzman boasts 19 years of experience in fintech and digital assets compliance, with a strong history of designing compliance programs and leading licensure strategies in crypto and financial companies.

Highlights

H2

H3 Toc heading

Linkedin link

twitter link

facebook link

Summary

Hong Kong just released groundbreaking guidelines requiring Travel Rule compliance for ALL stablecoin transfers regardless of amount. The framework places full liability on issuers even when using third-party tech solutions, mandates enhanced screening for self-hosted wallets, and requires real-time information transmission. This represents the most comprehensive stablecoin Travel Rule regime globally and signals where other jurisdictions may be headed.
‍

Hong Kong Sets New Standards for Stablecoin Travel Rule Compliance

Today, Hong Kong just raised the bar for stablecoin regulation worldwide. The Hong Kong Monetary Authority's (HKMA) new AML/CFT guidelines for licensed stablecoin issuers established a comprehensive Travel Rule framework, which will come into effect on 1 August 2025, and it has significant implications for the global stablecoin ecosystem.

Compliance with the Guidelines is enforced through the Stablecoins Ordinance and the AMLO. A licensee who fails to comply with this Guideline may be subject to disciplinary or other actions under the Stablecoins Ordinance and/or the AMLO.

Zero Tolerance for Compliance Gaps

Unlike jurisdictions that set minimum thresholds for Travel Rule compliance, Hong Kong takes a zero-threshold approach. Travel Rule compliance is required for every stablecoin transfer, no matter the value.

Ordering Institutions

Ordering institutions, meaning those initiating the stablecoin transfer, bear the most extensive obligations. They must “obtain and record” detailed originator and recipient information for all transactions.

For transfers above $8,000:

Issuers must obtain and record the originator's name, account number (or unique reference number), address (geographical, registered office, or principal place of business), customer identification number or ID document number (or date/place of birth for individuals), the recipient's name, and the recipient's account number (or unique reference number).
The submitted originator information must be accurate, meaning it has been verified as part of the customer due diligence (CDD) process.
Additionally, for occasional transfers ≥ $8,000, the originator's identity must be verified.

Before executing a transfer, the ordering institution must securely and immediately transmit this data to the beneficiary institution.

"Securely" means protecting the integrity, availability, and confidentiality of the information from unauthorized access or disclosure. This involves counterparty due diligence, potential bilateral data sharing agreements, encryption, and adequate information security controls.
“Immediately” means the information must be sent before or simultaneously with the transfer.

For transfers below $8,000:

Issuers must must obtain and record the originator's name, account number (or unique reference number), the recipient's name, and the recipient's account number (or unique reference number).
Occasional transfers under the threshold don’t require identity verification unless linked transactions collectively exceed the threshold or if suspicious activity is suspected.

Execution cannot proceed unless all these requirements are met. Ordering institutions must also keep detailed records to demonstrate how they fulfilled the transmission, security, and timing obligations.

Intermediary Institutions

Intermediary institutions, those participating in the transfer chain the transaction, must retain all originator and recipient information they receive and transmit it unchanged to the next party in the chain, whether another intermediary or the final beneficiary institution. This information must be submitted securely and immediately, mirroring the expectations placed on ordering institutions. They cannot modify or delay this transmission.

Beneficiary Institutions

Beneficiary institutions, those receiving the stablecoin transfer on behalf of the recipient, must obtain and record the information transmitted to them. If the transfer equals or exceeds HKD 8,000 and the recipient has not been previously verified under customer due diligence, they must complete that verification. They must also confirm that the recipient’s name and account number match the data received, and follow up with appropriate measures if any discrepancies arise.

This eliminates the compliance fragmentation we see in other markets where different thresholds and enforcement timelines create operational complexity. When dealing with Hong Kong-licensed stablecoin issuers, there's no guessing about when Travel Rule applies—it always does (see Notabene’s 2025 State of Crypto Travel Rule Report for a global comparison of thresholds and regulatory approaches).

Handling Incoming Transfers Lacking Required Information

Instructed institutions, meaning intermediary or beneficiary institutions, must implement robust procedures for handling incoming stablecoin transfers that lack the required originator or recipient information. They are expected to proactively identify such transfers through reasonable measures, which may include real-time or post-event transaction monitoring. Once identified, the institution must apply a risk-based approach to determine whether to proceed with the transfer, temporarily suspend the funds, or return the stablecoins to the sender. These policies should also guide what follow-up actions are appropriate based on the severity and context of the deficiency. Institutions must attempt to obtain the missing information from the instructing institution as soon as reasonably practicable. If the information cannot be retrieved, they should evaluate whether to restrict or terminate the relationship or apply other risk mitigation steps to address potential money laundering or terrorist financing risks. Additionally, if any submitted data is found to be incomplete or nonsensical, the institution must take prompt and reasonable actions to address the resulting ML/TF exposure.

Technology Providers: No Safe Harbor

Here's where things get particularly interesting for our industry. The guidelines make crystal clear that stablecoin issuers remain fully liable for Travel Rule compliance even when using third-party technology solutions. There's no safe harbor for outsourcing compliance.

The HKMA requires issuers to conduct thorough due diligence on any Travel Rule technology provider, evaluating:

Identify a transfer: Can the solution accurately identify stablecoin transfer counterparties and securely submit and retrieve required originator and recipient information in real time—including in cross-jurisdictional scenarios where data may be incomplete or missing.
Interoperability: Can the solution communicate with other systems?
Scalability: Will it handle high transaction volumes reliably?
Security: Does it adequately protect transmitted information?
Compliance integration: Can it support ongoing monitoring and sanctions screening?

Additionally, the solution should support counterparty due diligence workflows, facilitate information requests between institutions, and maintain robust record-keeping capabilities.

Counterparty Due Diligence Gets Serious

Perhaps the most operationally challenging aspect is the comprehensive counterparty due diligence requirements. The HKMA makes it clear: the risk doesn’t end at the licensee’s perimeter. It extends to any other financial institution or VASP involved in a stablecoin transfer. The objective is twofold: prevent transfers to or from illicit actors or sanctioned entities, and ensure Travel Rule compliance throughout the transaction chain.

Before a licensee conducts a transfer or makes stablecoins available to a recipient, it must assess the ML/TF risk posed by the stablecoin transfer counterparty. This involves determining whether the transfer involves another regulated entity or an unhosted wallet, and if it’s the former, identifying the counterparty using public registries of licensed or registered institutions. A risk-based approach (RBA) must be used to evaluate several factors: the nature of the counterparty’s business, customer base, geographic footprint, and most importantly, the strength of its AML/CFT controls and the regulatory oversight in its jurisdiction.

The due diligence doesn’t stop at identification. Licensees must verify that the counterparty can meet its obligations under the Travel Rule, especially in cross-border scenarios. This includes confirming whether the counterparty is subject to equivalent regulatory requirements, has implemented robust controls to protect personal data, and can reliably exchange originator and beneficiary information. Institutions deemed higher-risk such as those operating in weak regulatory jurisdictions, lacking licensing or registration, or connected to suspicious activities—must be monitored more closely.

Importantly, this due diligence process isn’t required for every single transaction. If a counterparty has already been vetted and no new risks have emerged, the licensee can rely on existing due diligence. But ongoing monitoring is mandatory. That means watching for red flags, such as unexpected behavior, transaction anomalies, or adverse media, and regularly updating the risk profile. If new risks emerge, the licensee must reassess whether it can continue to transact with the counterparty and, if necessary, impose stricter controls or terminate the relationship entirely. The bottom line is clear: if a counterparty cannot be trusted to meet baseline compliance obligations, the licensee is expected to walk away.

Unhosted Wallets Get Enhanced Scrutiny

The regulatory framework treats unhosted wallets with particular scrutiny. These wallets allow users to hold their own private keys and transact peer-to-peer without an AML/CFT-regulated intermediary, making them an attractive tool for illicit actors seeking to exploit gaps in oversight. The HKMA takes a cautious but risk-based approach: if licensees want to interact with unhosted wallets, they must prove that their controls work.

For stablecoin transfers involving unhosted wallets held by customer stablecoin holders, licensees must collect detailed information. If a customer initiates a transfer to an unhosted wallet, the licensee must capture the customer’s name, account number, and identifying information, along with the recipient’s name and wallet address. If the transfer is from an unhosted wallet into the licensee’s ecosystem, similar information must be recorded, but now it’s the originator’s wallet address and the recipient’s account with the licensee that come into focus. For transfers under HKD 8,000, certain identity elements can be omitted—unless the transactions appear linked or suspicious.

But collecting data is only one part of the equation. Licensees must actively manage the risks posed by customer wallets used for issuance or redemption. This includes verifying that the customer owns or controls the wallet through mechanisms like cryptographic signature proofs, micropayment tests or message signing. They must also screen wallet addresses for connections to sanctioned entities or suspicious activity. If a wallet is flagged as high risk, enhanced controls are required. These aren’t theoretical expectations. The HKMA encourages firms to maintain internal lists of wallet addresses that have triggered scrutiny to enable swift action when risk surfaces again.

The takeaway is clear: in Hong Kong, interacting with unhosted wallets doesn’t exempt firms from AML/CFT standards. It raises the bar. Controls must be evidence-based, continuously monitored, and capable of scaling with the evolving threat landscape.

Real-Time Compliance Required

The guidelines mandate "immediate" transmission of Travel Rule information—meaning before or simultaneously with the transfer, not after blockchain settlement. This aligns with global regulatory trends toward pre-transaction risk assessment, but it's technically challenging for many existing systems.

Traditional post-transaction Travel Rule implementations won't cut it in Hong Kong. Systems need to support real-time authorization flows where compliance checks happen before funds move.

Global Implications

Hong Kong's approach signals where global stablecoin regulation may be heading. The jurisdiction is positioning itself as a compliant stablecoin hub, but only for issuers willing to meet the highest standards.

The zero-threshold approach also has practical implications for global stablecoin operations. As more jurisdictions adopt comprehensive frameworks, we're moving toward a world where Travel Rule compliance becomes universal rather than threshold-based.

The Cautious Regulator's Dilemma

The HKMA's "risk-based but cautious approach" reflects a broader regulatory reality: authorities want to enable innovation while preventing regulatory arbitrage.

The guidelines repeatedly emphasize that issuers must prove their systems work. This evidence-based approach to compliance represents a significant shift from checkbox exercises toward measurable risk mitigation.

What This Means for the Industry

For stablecoin issuers eyeing Hong Kong licenses, compliance-by-design isn't optional—it's the entry requirement. The days of bolting on Travel Rule capabilities as an afterthought are over.

Generic Travel Rule solutions won't suffice; systems need to handle the specific requirements of the Hong Kong framework, including zero thresholds and enhanced unhosted wallet controls.

Most importantly, this framework shows that comprehensive stablecoin regulation is not only possible but practical. Hong Kong is proving that you can maintain the speed and efficiency of blockchain-based payments while meeting the highest AML/CFT standards.

The question now is which other jurisdictions will follow Hong Kong's lead—and whether the global stablecoin ecosystem will converge around similarly comprehensive standards.

References