Back to Sia Partners A Sia product
Back to RegAI Book a demo
RegAI  /  Banking  /  MAS vs HKMA
Practical guide · APAC

MAS Notice 626 vs HKMA SPM — a side-by-side compliance map.

Published April 26, 2026 8-minute read By Sia

Banks operating in both Singapore and Hong Kong tend to maintain two compliance programs that look almost identical and diverge in twenty different places. Same regulatory intent — anti-money-laundering, counter-financing of terrorism, customer due diligence — but the operational obligations differ. Here's the practical map.

If you run AML for a bank with branches in both jurisdictions, you've already lived this. This guide is the version we wished existed when running multi-jurisdictional engagements: comparable obligations across the two regimes, where they align, where they diverge, and where the operational impact actually shows up.

What each regime is

MAS Notice 626 (Singapore) — issued by the Monetary Authority of Singapore. Applies to banks. Sets out the AML/CFT obligations: customer due diligence, ongoing monitoring, suspicious-transaction reporting, record retention, internal controls. Most recently amended 2024.

HKMA Supervisory Policy Manual ("SPM") — module GS-1 (Hong Kong) — Hong Kong Monetary Authority's general standards on AML/CFT. Applies to authorized institutions. Sits alongside the AMLO (Anti-Money Laundering Ordinance) and the JFIU's STR guidance.

Both regimes derive from the FATF 40 Recommendations and broadly align on intent. Where they diverge is in operational specifics: thresholds, timing, documentation requirements, and reporting channels.

Where they align

  • Risk-based approach. Both regimes mandate a written ML/TF risk assessment, periodically reviewed.
  • Customer due diligence (CDD). Identification, verification, and risk-rating of customers at onboarding.
  • Enhanced due diligence (EDD). Required for high-risk customers (PEPs, high-risk jurisdictions, complex structures).
  • Ongoing monitoring. Transaction surveillance proportionate to risk rating.
  • Suspicious transaction reporting (STR). Internal suspicion → SAR / STR to the local FIU (STRO in Singapore, JFIU in Hong Kong).
  • Record retention. Generally 5 years post-relationship in both, with some category nuances.
  • Independent audit. Both require periodic independent review of the AML/CFT program.

Roughly 70% of obligations map cleanly between the two. The remaining 30% — the divergences — is where multi-jurisdictional banks burn budget.

Where they diverge — five practical examples

1. PEP definition scope

MAS Notice 626 distinguishes between "foreign politically exposed persons" and "domestic politically exposed persons" with different EDD triggers. HKMA SPM applies a single definition with PEP screening required across the board for all categories. Operational impact: screening and approval workflows differ; client risk scoring on PEPs needs jurisdiction-aware logic.

2. Beneficial ownership thresholds

MAS 626 generally uses a 25% beneficial-ownership threshold for legal entities. HKMA generally aligns on 25% but with explicit guidance on layered structures and "control through other means." Operational impact: the corporate-onboarding checklist needs jurisdiction-specific BO logic, particularly for trust structures and SPVs.

3. STR timing

MAS 626 requires STR filing "as soon as reasonably practicable" — typically interpreted as 15 working days. HKMA / AMLO requires STR filing "as soon as it is reasonable for him to do so" — JFIU guidance generally interprets as no later than 30 days but with operational pressure for faster. Operational impact: SLAs in your case-management workflow need to be jurisdiction-aware.

4. Record retention nuances

MAS 626 retention is 5 years from end of relationship for CDD records. HKMA / AMLO retention is generally 6 years for transaction records and 5 years for identification records. Operational impact: different shred schedules; your records-management policy must accommodate both.

5. Wire transfer thresholds

Both align on FATF Recommendation 16 in spirit. Specific thresholds for cross-border vs. domestic transfers differ in detail. Operational impact: messaging-system rules and beneficiary-information requirements must be jurisdiction-aware.

Building a unified controls inventory across both

The pragmatic answer is not "one policy that works in both jurisdictions" — that policy ends up as the strictest of either, which over-controls in the other and creates operational friction. The right architecture:

  1. One shared control taxonomy at the obligation level (CDD, ongoing monitoring, STR, etc.).
  2. Jurisdiction-specific implementation at the procedure level (different SLAs, different thresholds, different retention).
  3. A unified evidence pack that internal audit can review for either regime.

This is the architecture RegAI produces by default. Source: MAS 626 and HKMA SPM-GS-1 ingested separately. Mapping: each obligation linked to your shared control library with a jurisdiction tag. Output: one matrix, two regulator views.

Where RegAI helps in practice

  • Ingest both regimes (and the underlying AMLO, JFIU, and STRO guidance) once.
  • Auto-map shared obligations to your control library with confidence scoring.
  • Surface the divergences explicitly — the platform highlights "this MAS obligation differs in implementation from this HKMA obligation; here's the diff."
  • Produce regulator-specific evidence packs without duplicating policy work.
  • On the APAC engagement covering 6 jurisdictions and ~500 issuances, the team produced an up-to-date Requirements Inventory in weeks. See the case study →

Closing

The cost of running parallel programs is the cost of not seeing where they overlap. A clean mapping turns a 1.7× compliance budget into a ~1.2× one. Book a 45-minute walkthrough → on your own MAS or HKMA scope and a sample policy.

Related reading

Run RegAI across MAS and HKMA — same matrix.

A 45-minute walkthrough on your own slice. We bring the platform.

Book a demo More on banking