AML and KYC: The fund operations mandate

Author: The Carta Team | Read time: 11 minutes | Published date: November 20, 2025

Learn the core compliance requirements for AML and KYC, covering the key definitions, operational processes, and regulations you must follow to protect your fund.

Funds in the private market face increasing scrutiny to ensure their operations are secure, transparent, and compliant with global regulations. Anti-money laundering (AML) and know your customer (KYC) requirements are at the heart of these efforts and are designed to prevent crime and promote trust in the financial services ecosystem.

AML regulations require financial institutions to take specific measures to detect, prevent, and report financial crimes. Customer due diligence (CDD) and KYC rules are a core component of AML laws: They require financial institutions to verify their clients’ identities and monitor their business activities for potential red flags.

What is money laundering?

Money laundering is the process of making illegally gained proceeds, or “dirty money,” appear to be from a legitimate source. This financial crime is often associated with other serious offenses, such as embezzlement, bribery, terrorist financing, and fraud. The goal is to disguise the criminal origins of the money so it can be used without detection by law enforcement.

Criminals achieve this by moving funds through complex transactions, and private funds can be an attractive entry point for these proceeds due to their potential for high returns and anonymity. Ultimately, the laundered money is integrated back into the legitimate financial system, appearing as normal business profits or assets.

In 2020, a leaked FBI memo stated that the agency believes investment funds in the PE and hedge fund industry are being used to launder “at scale.” The memo called for greater AML scrutiny from existing enforcement agencies, and for Congress to enact uniform protocols for KYC compliance. As of now, it’s up to financial institutions to develop their own processes for compliance with KYC regulations.

What is anti-money laundering (AML)?

Anti-money laundering (AML) refers to the complete set of laws, regulations, and internal procedures that a fund establishes to detect and report suspicious financial activity. The purpose of an AML program is to prevent your fund from being used for illicit purposes. A strong AML framework protects the fund's integrity, its investors, and its reputation within the financial ecosystem.

The U.S. first established AML laws in 1970 as part of the Bank Secrecy Act (BSA), a piece of federal legislation that requires businesses and financial institutions to report cash deposits of more than $10,000, register foreign bank accounts, and take other measures intended to combat money laundering.

Think of AML as your firm's comprehensive defense system against financial crime. It's an ongoing program that includes everything from investor screening to transaction monitoring and reporting to government authorities. This program, a core part of your overall fund administration, demonstrates that you are actively working to keep illicit funds out of your investment vehicles.

What is know your customer (KYC)?

Know your customer (KYC) is a specific and required component of your overall AML framework. It's the process of verifying an investor's identity and assessing the potential risk they might pose to the fund. Think of KYC as the practical first step in any credible AML program, as it provides the foundational information needed to understand who is investing in your fund.

Beyond verifying customer identity, firms conducting KYC reviews on their customers look to see if a client has been the subject of negative news (such as regulatory enforcement actions), negative social media, or other publicity that might make a client undesirable.

KYC reviews may uncover politically exposed persons (PEPs) who are in positions of authority and potentially at risk for bribery or corruption. CDD may also uncover a connection to government sanctions from the Office of Foreign Assets Control (OFAC) or other governmental bodies. For example, recent additions to OFAC’s sanctions list relating to the Russia-Ukraine conflict require private equity (PE) funds with sanctioned Russian investors to restrict and report those clients’ investments. Financial institutions, like banks and credit unions, must determine an individual or institution’s risk profile and determine whether to go forward with that client.

AML regulations and sanctions

In the United States, government bodies oversee AML compliance with federal laws. The Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, is the primary agency responsible for administering these regulations. Financial institutions, including many private funds, are required to comply with these rules.

Failure to comply with the broader scope of venture capital (VC) regulations can result in serious penalties, and OFAC administers these actions. This agency also enforces economic and trade sanctions based on U.S. foreign policy and national security goals. These sanctions can range from significant fines to other enforcement actions that can disrupt a fund's operations and damage its reputation.

While the VC, PE, and hedge fund industries have not historically faced AML or KYC requirements, industry watchdogs have amped up calls for heightening AML oversight in the private fund industry, particularly in the wake of broad U.S. sanctions of Russian oligarchs in 2022. FinCEN adopted a final rule to extend AML program requirements to SEC-registered investment advisers and exempt reporting advisers, who previously were not subject to the requirements. These requirements were set to take effect on Jan. 1, 2026, but have been delayed until at least Jan. 1, 2028, though FinCEN is expected to reconsider the scope of these requirements as part of a broader AML review.

Despite the rule’s delay, some institutional investors and financial institutions may require that a fund implement AML best practices as a condition of investing in a fund.

How AML and KYC function in fund operations

It helps to think of the relationship between AML and KYC with an analogy. KYC is like checking an investor's passport and background before they board a plane, while AML is the entire airport security system, including baggage screening, air marshals, and ongoing surveillance. One is a specific check, while the other is the complete security infrastructure.

This distinction clarifies their roles throughout the fund lifecycle. KYC is the critical onboarding task that happens when a limited partner (LP) subscribes to the fund, while AML is the continuous program that governs the fund from formation to wind-down.

  • KYC is foundational: It's the data collection and identity verification process that provides the raw material for your AML risk assessment. Without a robust KYC procedure for every LP, your AML program has no defensible basis.

  • AML is structural: It's the overarching compliance framework that uses KYC data to perform ongoing monitoring, risk management, and mandatory reporting to regulatory bodies.

Why AML and KYC are a core fiduciary responsibility

A rigorous AML and KYC program is more than a compliance task; it's a direct extension of a general partner's (GP) fiduciary duty, as the GP often acts as a registered investment adviser. This duty requires you to protect the fund’s capital and its LPs from financial crime and the severe reputational damage that follows. It's about safeguarding the integrity of the entire fund.

In the current environment, institutional LPs, prime brokers, and banking partners view a fund's AML program as a key diligence item. A weak or manual process can be a red flag that prevents you from securing commitments or opening necessary accounts. This makes strong AML and KYC compliance a matter of institutional readiness, as a risk-based CIP (see below) not only meets regulatory requirements but also provides a strategic advantage and protects the firm's reputation.

The AML and KYC compliance process for private funds

Implementing AML and KYC is not just about understanding the concepts; it's about executing a series of integrated actions at specific points in your fund's lifecycle. This operational playbook helps you meet your regulatory obligations and protect your firm from unnecessary risk. You can break the process down into several distinct stages.

1. The customer identification program (CIP)

The customer identification program (CIP) is your fund's formal policy for collecting and verifying investor information. This process happens during the subscription phase when an LP is committing capital to your fund. It's the first and most fundamental step in your KYC process.

As part of the CIP, and in line with new regulations like the Corporate Transparency Act, you must collect specific pieces of information to properly identify each investor. This typically includes:

  • Full legal name of the investing entity or individual;

  • A physical address for the individual or business;

  • Date of birth for any individuals involved;

  • Government-issued identification numbers, such as a Social Security Number for an individual or an Employer Identification Number for an entity.

2. Customer due diligence (CDD)

CDD is the next step, where you use the information gathered in your CIP to perform an initial risk assessment.

FinCEN released its CDD Rule in 2018. This rule requires financial institutions to create policies to help you determine if the investor's background or associations pose a risk to your fund. This is the first formal check to understand the risk profile of a potential investor.

  • Verify customer information and identity;

  • Understand the purpose of the business relationship with the financial institution;

  • Monitor accounts for suspicious transactions;

  • Develop risk profiles for clients.

This process involves screening the LP's name and any associated entities against numerous global watchlists, sanctions lists, and lists of PEPs. What was once a time-consuming, manual task prone to human error has become more efficient and reliable with modern platforms. This shift reflects how companies now operate, with a clear trend toward doing more with less.

The CDD Rule requires financial institutions to identify beneficial owners and control persons for business accounts. Beneficial owners are individuals who benefit from an asset's ownership, even if legally held by another entity (e.g., VC fund investors). The rule requires verifying the identities of those holding at least 25% of an investment entity and identifying a control person (a senior executive making financial decisions) for all legal entities.

The most recent updates to AML regulations came in 2021 when FinCEN began to enforce the Anti-Money Laundering Act of 2020 (AMLA). With this law, Congress increased cryptocurrency guidelines and raised the financial penalties for infractions. Lawmakers also added more disclosure requirements for beneficial ownership of certain assets.

3. Enhanced due diligence (EDD) for high-risk LPs

When your initial CDD flags an investor as potentially high-risk, you must perform enhanced due diligence (EDD). This more intensive investigation gives you a deeper understanding of the investor and their background. It's a necessary step to mitigate the higher risk they present.

High-risk investors might include a PEP, an investor operating in a jurisdiction with specific rules like the Cayman Islands KYC/AML requirements, or an entity with a complex and opaque ownership structure. For complex structures like a Cayman Sandwich, EDD involves collecting additional documentation, such as evidence of the source of wealth and funds, to get comfortable with accepting their investment.

4. Continuous investor monitoring

AML compliance is not a one-time event that ends at closing. Continuous monitoring is the process of automatically and repeatedly screening all of your LPs against watchlists that update daily. This helps you stay aware of any changes to an investor's risk profile throughout the life of the fund.

Using a modern platform like Carta can transform continuous monitoring from a manual, time-intensive process into an automated, always-on safeguard. With ongoing monitoring alerts triggered by changes to an investor's risk profile and delivered directly to our compliance team, Carta allows you to proactively manage your AML program rather than discovering an issue during your next audit—or, worse, after a regulator has already identified it.

Key AML and KYC regulations for fund managers

Several key regulations and government bodies form the AML environment in the U.S. and abroad. While you don't need to be a legal expert, understanding the main players provides important context for your compliance program. Frameworks like Regulation D dictate what your fund must do, including the specific rules that differentiate between 506(b) vs. 506(c) offerings and key exemptions found in Sections 3(c)(1) and 3(c)(7) of the Investment Company Act.

  • The Bank Secrecy Act (BSA)

  • The USA PATRIOT Act: This law expanded AML requirements to a wider range of financial institutions, including those that may qualify as an exempt reporting adviser (ERA), and strengthened the tools available to combat terrorist financing after the events of September 11.

  • The Financial Crimes Enforcement Network (FinCEN): As a bureau of the U.S. Treasury, FinCEN is the primary administrator and enforcer of these laws, issuing guidance and collecting suspicious activity reports, while other filings like Form ADV are submitted to the SEC.

  • The Office of Foreign Assets Control (OFAC): This agency administers and enforces economic and trade sanctions, while other compliance duties for certain advisers include filings like Form PF.

  • The Financial Action Task Force (FATF): This is an inter-governmental body that sets international standards for combating money laundering and terrorism financing, influencing local laws and regulations around the world.

The severe consequences of non-compliance

For a fund CFO or GP, the stakes of AML non-compliance are incredibly high, as illicit finance is the common thread across threats to national security, including terrorism, corruption, and foreign aggression. The consequences go far beyond a simple slap on the wrist and can threaten the very existence of your firm. You shouldn't take these risks lightly.

Violations of OFAC regulations can lead to staggering fines that can cripple a fund's finances. Willful non-compliance can even carry criminal charges for the fund's partners, whose management entities are often structured as limited liability partnerships (LLPs). The reputational harm from an AML-related enforcement action can make it nearly impossible to raise a subsequent fund or maintain quality deal flow, effectively ending the firm's future prospects.

Streamlining compliance with an integrated fund platform

Managing AML and KYC with disconnected tools is an operational nightmare. The old way involves chasing down documents via email, tracking status in spreadsheets, and storing sensitive data in insecure shared folders. This manual approach is not only inefficient but also fraught with risk, as reliance on self-certified AML information without independent verification is a significant loophole identified by regulators.

Carta helps private funds manage investor risk with an integrated KYC solution that reduces administrative overheads and offers continuous protection against fraudulent activity. During a fund close, LPs can securely submit their subscription documents and identifying information through a dedicated portal. From there, you can initiate and track KYC checks directly within the platform, with all results and documentation automatically stored and linked to the investor's profile. This creates a clean, auditable trail that complements your financial general ledger.

This centralized approach gives the CFO a real-time view of the KYC status and risk score for every investor, a critical input for the fund's overall risk management and portfolio valuation. You can identify and address issues before they become significant problems and maintain compliance with financial reporting standards like ASC 820.

Frequently asked questions about AML and KYC

Who is subject to AML/KYC regulation?

Federal law requires financial institutions, including U.S. banks and broker-dealers, to comply with AML regulations. FinCEN oversees AML compliance in the United States.

What is an AML program?

An AML program is a set of procedures designed to combat money laundering, terrorist financing, and threats to the integrity of the U.S. financial system. AML regulations assist government efforts to prevent financial crimes and limit the flow of illegally obtained money into the financial system. To comply with AML regulations, financial institutions must conduct due diligence on their customers.

What are the three stages of money laundering?

The three recognized stages are:

  1. Placement: Illicit funds are first introduced into the financial system;

  2. Layering: The funds are moved through complex transactions to obscure their origin;

  3. Integration: The "cleaned" money is returned to the criminal from what appears to be a legitimate source.

What are the pillars of an AML compliance program?

A compliant AML program generally has four pillars. These include a designated compliance officer, written internal policies and controls (often detailed in an LLC operating agreement), ongoing employee training, and independent testing or auditing of the program to confirm it is effective.

Do AML and KYC apply to special purpose vehicles?

Yes, AML and KYC requirements apply to special purpose vehicles (SPVs), such as those used by an investment syndicate, just as they do to traditional fund structures. You must vet each investor in an SPV, who may need to be a qualified purchaser, to confirm the vehicle is not being used for illicit purposes, regardless of its specific structure or purpose.

This visibility changes the CFO's role from a reactive administrator buried in paperwork to a proactive risk manager. Request a demo to see how an integrated platform can help.


DISCLOSURE: This communication is on behalf of eShares, Inc. dba Carta, Inc. ("Carta"). This communication is for informational purposes only, and contains general information only. Carta is not, by means of this communication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business or interests. Before making any decision or taking any action that may affect your business or interests, you should consult a qualified professional advisor. This communication is not intended as a recommendation, offer or solicitation for the purchase or sale of any security. Carta does not assume any liability for reliance on the information provided herein. This post contains links to articles or other information that may be contained on third-party websites. The inclusion of any hyperlink is not and does not imply any endorsement, approval, investigation, or verification by Carta, and Carta does not endorse or accept responsibility for the content, or the use, of such third-party websites. Carta assumes no liability for any inaccuracies, errors or omissions in or from any data or other information provided on such third-party websites. © 2026 eShares, Inc. dba Carta, Inc. All rights reserved. Reproduction prohibited.