
Gazettal of Guideline on AI-to-AI Information Sharing for the Detection or Prevention of Crime Enclosure: Guideline on AI-to-AI Information Sharing for the Detection or Prevention of Crime

Nov 7, 2025

On 07 Nov 2025, the HKMA issued the Guideline on AI-to-AI Information Sharing for the Detection or Prevention of Crime, establishing regulatory requirements for authorized institutions (AIs) to share information via designated platforms (e.g., FINEST, ICLNet) to detect prohibited conduct. The Guideline mandates strict confidentiality, prohibits collateral use of shared information, requires correction of inaccuracies, and ensures alignment with the PDPO and STR regime, while clarifying that the safe harbour under Part XIIAA protects AIs acting in good faith with reasonable care.

This article was generated using SAMS, an AI technology by Timothy Loh LLP.

Introduction

On 07 Nov 2025, the Hong Kong Monetary Authority (HKMA) gazetted the Guideline on AI-to-AI Information Sharing for the Detection or Prevention of Crime, clarifying the statutory framework and regulatory expectations for authorized institutions (AIs) to voluntarily share information among themselves to detect or prevent prohibited conduct under Part XIIAA of the Banking Ordinance (Cap. 155).

Legal Framework and Safe Harbour

The Guideline operationalizes Part XIIAA of the Banking Ordinance, establishing a legal framework for AIs to share information regarding prohibited conduct (money laundering, terrorist financing, or financing of WMD proliferation). Section 68AAG provides a safe harbour protecting AIs that disclose information in good faith with reasonable care, provided they comply with conditions including: (i) sharing only for detecting/preventing prohibited conduct; (ii) ensuring information accuracy; and (iii) disclosing via designated platforms unless HKMA-approved for off-platform sharing. AIs must maintain adequate systems of control under section 68AAH to access designated platforms.

Information Sharing Mechanisms

The Guideline mandates sharing via designated platforms (e.g., FINEST for own-initiative sharing, ICLNet for request-response procedures) unless HKMA grants written approval for off-platform sharing in exceptional circumstances. Off-platform sharing requires HKMA approval, must ensure confidentiality, and necessitates copying JFIU officers via ICLNet. Information must be relevant to prohibited conduct, cannot be used for collateral purposes (e.g., marketing), and must avoid 'fishing expeditions' or indiscriminate de-risking. The Guideline explicitly prohibits sharing with non-AIs, as such disclosure falls outside the safe harbour.

Confidentiality, Record-Keeping, and Correction

Section 68AAF strictly prohibits disclosing that information was shared (except to JFIU, HKMA, or platform operators), requiring AIs to treat shared information as confidential with access limited to specialist staff. Section 68AAI mandates record-keeping for five years (or longer if required by HKMA) for all requests, disclosures, and actions taken. Section 68AAE imposes a duty to correct inaccurate information promptly, with corrections sent via the same channel as the original disclosure and identified as such. Corrections must be made without seeking entity consent, and AIs must mitigate adverse consequences for affected persons.

Relationship with STR Regime and PDPO

The Guideline clarifies that information sharing under Part XIIAA does not replace the Suspicious Transaction Report (STR) regime; AIs must still file STRs as required. Section 68AAG(3) exempts disclosures from 'tipping off' offences under OSCO/DTROP/UNATMO. The Guideline ensures compatibility with the Personal Data (Privacy) Ordinance (PDPO), noting that Part XIIAA's authorization of data sharing engages PDPO sections 58 (exempting data held for crime prevention) and 60B (exempting disclosure under enactment). AIs must comply with PDPO data retention requirements (DPP2) and may refuse data access requests under section 58(1) if disclosure would prejudice crime detection.

Complaint Handling and Governance

AIs must establish policies for handling customer complaints arising from information sharing (e.g., account closures), avoiding confirmation of whether information was shared (per section 68AAF(1)). Section 68AAH(1) requires AIs to maintain adequate systems of control, including governance arrangements with senior management oversight, internal protocols for security/confidentiality, and staff training on PDPO and financial crime compliance. Policies must be reviewed regularly to ensure effectiveness and alignment with evolving risks.
