Is holding coins subject to real-name verification? The true boundaries of KYC obligations for stablecoins in Hong Kong.

Recently, discussions about the regulation of stablecoins in Hong Kong have become increasingly heated. Many interpretations have emerged online, suggesting that "stablecoin holders are required to undergo KYC verification," which has sparked widespread controversy:

"On-chain transfers all require KYC, how can it be decentralized?"

"Isn't regulation too conservative, hindering financial innovation?"

These voices are not without reason, but do they truly reflect the regulatory intentions of the Hong Kong Monetary Authority (HKMA)? After thoroughly studying two key documents - the "Guidelines for the Supervision of Stablecoin Issuers" and the "Anti-Money Laundering and Counter-Terrorist Financing Guidelines", we arrived at a more technically detailed and legally bounded answer:

???? Not all holders need KYC, provided that the issuer can prove that its risk control mechanism is sufficiently effective.

This article will start from the distinction between customers vs non-customers and Primary vs Secondary Market, organizing the applicable logic of stablecoin KYC, clarifying the true bottom line of regulation, and providing a judgment framework applicable to both project parties and compliance teams.

Who is a customer and who is not a customer?

First, we must clarify: within the regulatory framework of the HKMA, the "stablecoin holder" is not equivalent to the "client of the stablecoin issuer."

According to the definition in Chapter 4 of the "Anti-Money Laundering and Counter-Terrorism Financing Guidelines", a person is only considered a "customer" (customer stablecoin holder) when they directly request the issuer to issue or redeem stablecoin, or when a business relationship has been established. This group of people needs to strictly follow the KYC/KYB process.

Users who receive, transfer, and trade stablecoins on-chain but have never interacted directly with the issuer (for example, users who acquire stablecoins through DEX purchases or transfers between wallets) are classified as "non-customer stablecoin holders" and, in principle, do not require KYC.

As shown in the figure below, only institutional users in the Primary Market are considered customers, while participants in the Secondary Market are not defined as customers under the HKMA regulatory framework.

However, this does not mean that they are completely out of regulatory sight. Chapter 5 of the guidelines clearly states: issuers have an ongoing obligation to monitor all circulating stablecoins, including portions held by both customers and non-customers.

KYC is not the only way, but it is the regulatory baseline.

Many misunderstandings often overlook an important premise set by the HKMA:

???? "Non-customer stablecoin holders may not need to undergo KYC, provided that the issuer must establish an effective on-chain risk control mechanism and be able to demonstrate to regulatory authorities that it is sufficient to prevent money laundering and terrorist financing risks."

In other words, KYC is not the only means, but it is the last resort.

If the issuer employs methods such as blockchain analysis tools, address blacklists, transaction risk scoring, wallet profiling and freezing mechanisms (5.10), etc., to monitor the flow and use of coins, and is able to satisfy the HKMA (to the HKMA’s satisfaction - 5.11), then these technical risk control measures can serve as alternatives, and it is not necessary to enforce KYC on all holders individually.

But if this cannot be achieved, or if these measures prove insufficient to mitigate risks in practice, regulatory expectations will automatically revert to the most conservative option—performing identity verification on all holders, regardless of whether they are customers. It is important to note that even if KYC is required for holders, stablecoin issuers can delegate the KYC process to VASPs and trusted third parties.

is a "choose one from two" question for the issuer.

For stablecoin issuers, this is actually a "choose one" compliance decision:

• Either establish a comprehensive risk monitoring system covering the entire chain, including real-time address profiling, suspicious transaction identification, blacklist interception, freezing mechanisms, and STR reporting processes;
• Either accept a more direct but costly solution: perform KYC on all holders, even if they only received a stablecoin on the chain.

From a regulatory perspective, this design is actually not conservative; rather, it ties technological capability to regulatory obligations: you may not need to verify every user, but you must have the ability to control risks. Otherwise, you have to revert to the most primitive method – performing KYC.

This is also the key point that this article hopes to clarify:

"Do stablecoin holders need KYC": This is not a one-size-fits-all question, but rather depends on whether the issuer's risk control capabilities are trustworthy.

Conclusion: The regulations are clear, it's time for the technology to submit.

The regulation of stablecoins is not about blocking technology, but about establishing a clear red line:

You can choose a technical solution to replace KYC, but you cannot evade the responsibility of risk control.

For issuers, the most critical question is not "Whether to do KYC," but rather—do you have the ability to make the HKMA believe that you can do without it.

Under the principle of "same activity, same risk, same regulation", stablecoins, as a quasi-payment tool, are moving towards the same compliance requirements as traditional finance. For Web3 projects, this is not the end, but a new starting point: regulation is clear, and technology should be delivered.

Finally, provide a quick reference table for easy querying of regulatory requirements.