AML & KYC: What you need to know

July 19, 2022
Rachel Sapers

Anti-money laundering (AML) regulations require financial institutions to take specific measures to detect, prevent, and report financial crimes. Customer due diligence rules—also called know your customer (KYC) rules—are a core component of AML laws: They require financial institutions to verify their clients’ identities and monitor their business activities for potential red flags.  

What is money laundering?

Money laundering is a financial maneuver to disguise the origins or destination of unlawfully obtained funds. In other words, it’s when someone attempts to make “dirty money” acquired through criminal activity appear legal, or “clean,” by having it pass through one or more intermediaries, including investment funds or other legitimate businesses. 

Money laundering is often associated with financial crimes like embezzlement, bribery, and fraud. This is because the recipient of the money needs to make the source of funds look legitimate to observers. Laundered money can also help finance large-scale criminal acts, like terrorism, drug smuggling, or human trafficking. For example, drug cartels have been known to launder money by placing the funds in U.S. banks or offshore accounts under the guise of revenue from various business fronts.  

What is AML?

AML, or anti-money laundering, is a set of laws and guidelines designed to combat financial crime. The U.S. first established AML laws in 1970 as part of the Bank Secrecy Act (BSA), a piece of federal legislation that requires businesses and financial institutions to report cash deposits of more than $10,000, register foreign bank accounts, and take other measures intended to combat money laundering.

What is KYC?

KYC, or Know Your Customer, is the process of learning about your company’s client base. 

To comply with AML regulations, financial institutions must conduct due diligence on their customers. Beyond verifying customer identity, firms conducting KYC on their customers look to see if a client has been the subject of negative news, such as regulatory enforcement actions, negative social media, or other publicity that might make the firm not want the client as a customer. 

KYC reviews may uncover politically exposed persons (PEPs) who are in positions of authority and potentially at risk for bribery or corruption. Due diligence may also uncover a connection to government sanctions from the Office of Foreign Assets Control (OFAC) or other governmental bodies. For example, with the recent additions to OFAC’s sanctions list relating to the Russia-Ukraine conflict, private equity funds with sanctioned Russian investors must now take steps to restrict and report those clients’ investments. Financial institutions must determine an individual or institution’s risk profile and decide whether to go forward with that client.

The KYC process is designed to protect clients, advisors, and the company at large from fraud, complicity in money laundering, criticism, and potential enforcement by regulators.

By leveraging a strong KYC process and program, fund managers can benefit by better understanding their investors, and by satisfying potential concerns from banking partners or other investors.  

KYC and AML compliance

Who is subject to AML and KYC regulation?

Federal law requires financial institutions, including U.S. banks and broker-dealers, to comply with AML regulations. 

The Financial Crimes Enforcement Network (FinCEN) oversees AML compliance in the United States. Most venture capital and private equity firms aren’t included in FinCEN’s definition of a financial institution, which means they’re not legally required to have AML programs. But companies and fund managers may still benefit from AML best practices, both because these practices can help them avoid inadvertently doing business with financial criminals and other risky clients and because their investors may nonetheless expect them to follow AML best practices.


Following the 9/11 attacks in 2001, Congress passed the USA PATRIOT Act, which mandates that financial institutions know their customers (KYC) both as they onboard and as they interact with the institution. The USA PATRIOT Act also strengthened the BSA by setting more stringent AML standards for financial institutions. The new standards require financial institutions to set uniform AML policies, educate employees via AML training, hire AML compliance officers, and conduct audits and other customer due diligence (CDD) measures. 

Customer due diligence

In another bid to strengthen the BSA, FinCEN released its Customer Due Diligence Rule in 2018. This rule requires financial institutions to create policies to:

  • verify customer identity
  • understand the purpose of the relationship with the financial institution
  • monitor accounts for suspicious transactions
  • develop risk profiles for clients

The CDD Rule also requires financial institutions to identify beneficial owners of business entities that open accounts with them. Beneficial owners are those individuals who stand to gain from ownership of an asset, even if it’s legally owned by an entity with another name. For example, all investors in a venture fund are beneficial owners of the fund, even if they invest through another entity, like a trust. The CDD Rule requires financial institutions to verify the identities of anyone who holds at least 25% of an investment entity, and to identify a control person for all legal entities. A control person is someone who can make financial decisions for the entity, typically a senior executive such as a CFO.

The most recent updates to AML regulations came in 2021, when FinCEN began to enforce the Anti-Money Laundering Act of 2020. With this law, Congress increased cryptocurrency guidelines and raised the financial penalties for infractions. Lawmakers also added more disclosure requirements for beneficial ownership of certain assets. 

What general partners need to know about AML and KYC

Criminals use private equity (PE) and other asset classes to hide dirty money. In 2020, a leaked FBI memo stated that the agency believes investment funds in the PE and hedge fund industry are being used to launder “at scale.” The memo called for greater AML scrutiny from existing enforcement agencies, and for Congress to enact uniform protocols for KYC compliance—as of now, it’s up to financial institutions to develop their own processes for compliance with KYC regulations.   

While the VC, PE, and hedge fund industries have not historically faced AML or KYC requirements, industry watchdogs have ramped up calls for heightening AML oversight in the private fund industry—particularly in the wake of broad U.S. sanctions of Russian oligarchs in 2022. 


Sanctions are economic restrictions that prevent all U.S. citizens and companies from doing business with specific nations, foreign entities, and individuals. Proponents of extending AML regulation to private funds have argued that regulators cannot adequately enforce sanctions because they have no legal means of identifying the high net-worth individuals who often invest in PE or VC firms. 

If you have a sanctioned individual or entity on your cap table or among your fund’s LPs, their assets may need to be blocked and reported to OFAC. Your firm or company may not be directly subject to AML laws, but U.S. companies and individuals are all subject to OFAC sanction programs. Penalties for violating sanctions can be extremely severe, with fines of up to $20 million and jail time up to 30 years for serious offenders.

How Carta helps with KYC

A fund’s reputation for excellence is paramount for courting LPs, and incurring severe legal or financial penalties for violating sanctions can put an entire firm at risk. Your bank and investors, particularly institutional investors, will expect that you have conducted due diligence on your investors, including a KYC check.

How KYC due diligence works

At Carta, we begin the KYC process at onboarding by reviewing customer-identifying information of investors. From there, we continue to monitor their information for potential sanctions concerns. Our team provides custom reporting to help GPs identify risks, such as whether:

  • An LP has been sanctioned or is related to a sanctioned party
  • There has been legal enforcement against an LP
  • There is negative news coverage about an LP
  • An LP or owner is a politically exposed person (PEP) and may therefore be at risk of bribery or other influence

To learn more about how Carta can help your fund implement processes for AML and KYC compliance, contact a Carta fund administration associate.


DISCLOSURE: This communication is on behalf of eShares Inc., d/b/a Carta Inc. (“Carta”).  This communication is for informational purposes only, and contains general information only.  Carta is not, by means of this communication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services.  This publication is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business or interests.  Before making any decision or taking any action that may affect your business or interests, you should consult a qualified professional advisor.  This communication is not intended as a recommendation, offer or solicitation for the purchase or sale of any security. Carta does not assume any liability for reliance on the information provided herein. ©2022 eShares Inc., d/b/a Carta Inc. (“Carta”). All rights reserved. Reproduction prohibited.