- AML, CTF and KYC: The fund operations mandate
- What is money laundering?
- What is terrorist financing?
- Stages of terrorist financing
- What is anti-money laundering (AML)?
- AML vs. KYC in fund operations
- Anti-money laundering and counter-terrorist financing regulations
- Regulators and supervisory bodies
- Sanctions implementers
- Guidance and standard setters
- Key regulations and legislation
- AML and CTF programmes for private funds
- 1. Customer due diligence (CDD)/Know your customer (KYC)
- 2. Risk assessment and screening
- 3. Enhanced due diligence (EDD) for high-risk investors
- 4. Continuous investor monitoring
- The severe consequences of non-compliance
- Criminal and civil penalties
- Reputational damage
- Regulatory action and licence revocation
- Failure to prevent offences
- Streamlining compliance with an integrated fund platform
- Frequently asked questions about AML and KYC
- Who is subject to AML regulations?
- What is an AML programme?
- What are the three stages of money laundering?
- What are the pillars of an AML compliance programme?
- Do AML and KYC apply to special purpose vehicles?
Private investment funds face increasing scrutiny to ensure their operations are secure, transparent and compliant with both domestic and global regulations. At the heart of these efforts lie anti-money laundering (AML), counter-terrorist financing (CTF) and know your customer (KYC) requirements, which are designed to prevent crime and promote trust in the financial services ecosystem.
The legislative framework preventing misuse of investment funds is more mature and mandated in the UK and Europe than in some other regions, such as the United States. European regulators focus on ensuring that fund managers (legally defined as “obliged entities”) are applying the required risk-based approach and have implemented effective controls.
What is money laundering?
Money laundering is the process of disguising the origin of funds (i.e. making illegitimate funds appear legitimate). It is a criminal offence, as defined under:
Article 506-1 of the Luxembourg Penal Code, or
Section 327, 328 or 329 of the UK’s Proceeds of Crime Act 2002
Money laundering involves moving funds through complex transactions to make them appear clean (hence the term “laundering”). The laundered money is then integrated back into the legitimate financial system, appearing as normal business profits or assets. Private funds can be an attractive entry point to this process, due to their potential for high returns and anonymity.
What is terrorist financing?
Terrorist financing is defined in Article 135-5 of the Luxembourg Penal Code and Section 15 of the UK Terrorism Act 2000 as the unlawful act of providing money, assets or goods with the knowledge or intention that they will be used to carry out a terrorist act.
Stages of terrorist financing
Raising: funds are acquired from both legitimate sources (e.g. charities or businesses) and illicit sources (e.g. drug trafficking or kidnapping). The goal of collecting these resources is to support a terrorist or a terrorist organisation
Moving: funds are stored, concealed and transferred across borders or between individuals and entities. The purpose of this stage is to move the required funds to a specific location or individual who will carry out the terrorist activity
Using: funds are deployed or used to execute the intended terrorist acts. This involves paying for operational expenses like weapons, communications, travel or training
For more detail on the ways that terrorist organisations exploit the financial sector, read the US government’s 9/11 Commission Report.
What is anti-money laundering (AML)?
Anti-money laundering refers to the set of laws, regulations and internal procedures that require financial institutions to detect, prevent and report suspicious financial activity – such as terrorist financing and other crimes. Think of AML as a fund’s in-built defence system.
AML vs. KYC in fund operations
The distinction between AML and KYC determines the role they play throughout a fund’s lifecycle. While AML is the continuous programme that governs the fund from formation to wind-down, KYC is a specific component of the overall AML framework.
KYC is foundational: It's the data collection and identity verification process that provides the raw material for an AML risk assessment. Without a robust KYC procedure for every investor, the AML programme has no defensible basis
AML is structural: It's the overarching compliance framework that uses KYC data to perform ongoing monitoring, risk management and mandatory reporting to regulatory bodies
Anti-money laundering and counter-terrorist financing regulations
The AML/CTF landscape in the UK and Europe is informed by several key regulations, government bodies and non-governmental organisations. While you don't need to be a legal expert, understanding the main players provides important context for your compliance programme.
Note that this is not an exhaustive list, and fund managers (or "obligated entities") must implement an AML/CTF programme as advised by their Money Laundering Reporting Officer (MLRO) or Compliance Officer (the “responsible person”).
Regulators and supervisory bodies
Financial Conduct Authority (FCA): the UK’s main financial regulator, responsible for administering and enforcing AML/CTF legislation, issuing guidance and collecting suspicious activity reports
Commission de Surveillance du Secteur Financier (CSSF): drives the AML/CTF regulatory framework in Luxembourg
Administration de l'enregistrement, des domaines et de la TVA (AED): Luxembourg’s Registration Duties, Estates, and VAT Authority. The AED acts as the AML/CFT supervisor for certain financial vehicles, such as alternative investment funds (AIFs), that are unregulated by the main financial regulator (the CSSF)
Sanctions implementers
United Nations (UN): This body establishes international sanction regimes that are then implemented and enforced by individual member states (including the UK, Luxembourg, Jersey and Guernsey)
Office of Financial Sanctions Implementation (OFSI): This agency administers and enforces economic and trade sanctions for financial institutions operating in the UK
Office of Foreign Assets Control (OFAC): This agency administers and enforces economic and trade sanctions for financial institutions that deal with U.S. entities, individuals, transactions or currencies
Guidance and standard setters
Financial Action Task Force (FATF): an inter-governmental body that sets international standards for combating money laundering and terrorist financing, influencing local laws and regulations around the world
Wolfsberg Group: produces industry guidance and standards, such as the Wolfsberg Financial Crime Principles
Key regulations and legislation
Region | Regulation or legislation |
UK | Proceeds of Crime Act 2002 (POCA), as amended by the Serious Organised Crime and Police Act 2005 (SOCPA) |
UK | Terrorism Act 2000 (TACT 2000); Terrorism Act 2006 (TACT 2006) |
Europe | The European Union’s Anti-Money Laundering Directives (AMLDs) |
Luxembourg | Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended by CSSF Regulation 20-05 |
Jersey | Money Laundering (Jersey) Order 2008, supplemented by the Proceeds of Crime (Jersey) Law 1999 |
Guernsey | The Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Law, 1999, as amended |
Guernsey | Handbook on Countering Financial Crime and Terrorist Financing |
AML and CTF programmes for private funds
Anti-money laundering and counter-terrorist financing programmes have several purposes: to prevent private funds from being used for illicit purposes, protect investors and maintain the fund’s integrity within the financial ecosystem.
These ongoing programmes cover everything from investor screening to transaction monitoring and reporting to appropriate authorities. As “obligated entities”, fund managers are required to establish and maintain AML/CTF controls by executing a series of actions at specific points in the fund’s lifecycle:
1. Customer due diligence (CDD)/Know your customer (KYC)
Customer due diligence is the formal process of collecting, verifying and assessing client information. CDD ensures that funds verify investors’ identities and monitor their business activities for potential red flags before establishing a business relationship.
The documentation collected to identify a prospect is called “know your customer” (KYC). Funds must undertake suitable KYC to verify the identity of their customers – such as investors or transaction counterparties. The CDD/KYC process should involve the collection and verification of names, addresses, dates of birth and other identification information.
Ultimate Beneficial Ownership (UBO)
Under CDD/KYC, the obligated entity is also legally required to identify and verify the UBO and underlying principal of any corporate structure. The UBO is the natural person who ultimately owns or controls the entity (typically holding >25% capital or voting rights), even if legally held by another entity.
2. Risk assessment and screening
The information collected during the CDD step is then used to identify, assess and understand the risks posed by the fund’s relationship with a customer. The process is as follows:
Verify identity: confirm the authenticity of the KYC documentation and information provided.
Understand the purpose: document the reason for an investment and the nature of the business relationship.
Screening: check the investor’s name against global watchlists, sanctions lists and lists of Politically Exposed Persons (PEPs) who are in positions of authority and potentially at risk of bribery or corruption.
CDD/KYC checks can also be used to reveal negative news (e.g. regulatory enforcement actions), social media coverage or other publicity that might make the client undesirable.
The risk assessment and screening process helps fund managers determine which due diligence measures should be applied to each business relationship. According to industry standards, the level of CDD should be proportionate to the inherent risk:
Low risk: simplified due diligence
Medium risk: standard due diligence
High risk: enhanced due diligence
3. Enhanced due diligence (EDD) for high-risk investors
If the initial CDD process flags a potentially high-risk investor, fund managers must perform enhanced due diligence (EDD). This more comprehensive investigation involves collecting additional documentation, such as evidence of their source of wealth (SOW) and source of funds (SOF). EDD provides a deeper understanding of the investor, their background and any potential threat to the fund’s integrity.
High-risk factors that can trigger EDD include:
A Politically Exposed Person (PEP)
An investor located in a high-risk third country (as identified by the EU, FATF or local regulators)
Investments with opaque structures, like complex trusts or special purpose vehicles (SPVs)
4. Continuous investor monitoring
Customer due diligence does not end at closing. Continuous monitoring involves periodically screening investors against relevant sanctions lists, so that funds can keep KYC data up to date, be aware of any changes to an investor's risk profile and compare that risk profile to the firm’s documented risk assessment.
Using a modern platform like Carta can transform continuous monitoring from a manual, time-intensive process into an automated, always-on safeguard. With ongoing monitoring alerts triggered by changes to an investor's risk profile and delivered directly to our compliance team, Carta enables funds to proactively manage their AML programmes.
Suspicious Activity Reporting (SAR)
If any suspicion of money laundering or terrorist financing arises, the fund must submit a confidential internal report to the Money Laundering Reporting Officer (MLRO), who will then file an external SAR with the relevant Financial Intelligence Unit:
UK: National Crime Agency (NCA)
Luxembourg: Cellule de Renseignement Financier (CRF)
Jersey: Joint Financial Crimes Unit (JFCU)
Guernsey: Financial Investigation Unit (FIU)
The severe consequences of non-compliance
Failure to comply with AML and CTF regulations can result in serious penalties for fund managers and obligated entities – from reputational damage and operational disruptions all the way to asset confiscation and other financial sanctions.
Criminal and civil penalties
Regulators can impose substantial fines on VC and PE firms as well as responsible individuals. Directors and compliance officers may face imprisonment or occupational prohibitions.
Reputational damage
Non-compliance leads to a loss of trust from the market, damaging relationships with investors, business partners and employees. The reputational harm from an AML-related enforcement action can be detrimental to future fundraising efforts and a fund’s ability to maintain quality deal flow.
Regulatory action and licence revocation
Authorities have the power to suspend or revoke a fund's operating licence or registration, effectively forcing it to shut down.
Failure to prevent offences
Jurisdictions like Jersey have introduced an offence of “failing to prevent money laundering”. If an associated person (such as an employee, agent or customer) engages in money laundering, the entity will be liable unless it can prove there were reasonable preventative procedures in place.
Streamlining compliance with an integrated fund platform
Managing AML and KYC with disconnected tools is a recipe for operational bottlenecks and costly errors. Time spent chasing down documents and sifting through outdated spreadsheets could be better spent on more strategic activities. This manual approach is not only inefficient but also fraught with risk, as relying on self-certified AML information without independent verification is a significant loophole identified by regulators.
Carta helps private funds manage investor risk with an integrated KYC solution that reduces administrative overheads and offers continuous protection against fraudulent activity. During a fund close, investors can securely submit their subscription documents and identifying information through a dedicated portal. From there, you can initiate and track KYC checks directly within the platform, with documentation and results automatically stored and linked to each investor's profile.
With Carta, fund managers and CFOs benefit from:
An auditable trail that complements the fund’s general ledger
A real-time view of every investor’s KYC status and risk score – critical inputs for portfolio valuations and the fund’s overall risk management process
The ability to identify and address issues before they become significant problems
A simpler way to maintain compliance with financial reporting standards like FRS 102
Frequently asked questions about AML and KYC
Who is subject to AML regulations?
UK and European laws require financial institutions, including banks and private investment funds, to comply with AML regulations. The Financial Conduct Authority (FCA) oversees AML compliance in the UK, while the Commission de Surveillance du Secteur Financier (CSSF) drives Luxembourg’s AML/CTF framework.
For information on other regulators in key European territories, see the above section on anti-money laundering and counter-terrorist financing regulations.
What is an AML programme?
An AML programme is a set of procedures designed to combat money laundering, terrorist financing and threats to the integrity of the European financial system. AML regulations assist government efforts to prevent financial crimes and limit the flow of illegally obtained money. To comply with AML regulations, financial institutions must conduct due diligence on their customers.
What are the three stages of money laundering?
The three recognised stages of money laundering are:
Placement: illicit funds are initially introduced into the financial system
Layering: the funds are moved through complex transactions to obscure their origin
Integration: the "cleaned" money is returned to the criminal from what appears to be a legitimate source.
Note that these stages are not strictly sequential, and illicit funds can enter the chain at any point.
What are the pillars of an AML compliance programme?
A compliant AML programme generally has four pillars:
A designated compliance officer
Written internal policies and controls
Ongoing employee training
Independent testing or auditing of the programme to confirm it is effective
Do AML and KYC apply to special purpose vehicles?
Yes, AML and KYC requirements apply to special purpose vehicles (SPVs), just as they do to traditional fund structures. You must vet each investor in an SPV, who may need to be a sophisticated investor, to confirm the vehicle is not being used for illicit purposes – regardless of its specific structure.

DISCLOSURE: This communication is on behalf of eShares, Inc. dba Carta, Inc. ("Carta"). This communication is for informational purposes only, and contains general information only. Carta is not, by means of this communication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business or interests. Before making any decision or taking any action that may affect your business or interests, you should consult a qualified professional advisor. This communication is not intended as a recommendation, offer or solicitation for the purchase or sale of any security. Carta does not assume any liability for reliance on the information provided herein. This post contains links to articles or other information that may be contained on third-party websites. The inclusion of any hyperlink is not and does not imply any endorsement, approval, investigation, or verification by Carta, and Carta does not endorse or accept responsibility for the content, or the use, of such third-party websites. Carta assumes no liability for any inaccuracies, errors or omissions in or from any data or other information provided on such third-party websites. © 2026 eShares, Inc. dba Carta, Inc. All rights reserved. Reproduction prohibited.




