Anti-money laundering (AML) regulations require financial institutions to take specific measures to detect, prevent, and report financial crimes. Customer due diligence (CDD) rules—also called know your customer (KYC) rules—are a core component of AML laws: They require financial institutions to verify their clients’ identities and monitor their business activities for potential red flags.
What is money laundering?
Money laundering is a financial maneuver to disguise the origins or destination of unlawfully obtained funds. In other words, it’s when someone attempts to make “dirty money” acquired through criminal activity appear legal, or “clean,” by having it pass through one or more intermediaries, including investment funds or other legitimate businesses.
Money laundering is often associated with financial crimes like embezzlement, bribery, and fraud. This is because the recipient of the money needs to make the source of funds look legitimate to observers. Laundered money can also help finance large-scale criminal acts, like terrorism, drug smuggling, or human trafficking. For example, drug cartels have been known to launder money by placing the funds in U.S. banks or offshore accounts under the guise of revenue from various business fronts.
What is AML?
AML, or anti-money laundering, is a set of laws and guidelines designed to combat financial crime. The U.S. first established AML laws in 1970 as part of the Bank Secrecy Act (BSA), a piece of federal legislation that requires businesses and financial institutions to report cash deposits of more than $10,000, register foreign bank accounts, and take other measures intended to combat money laundering.
What is an AML program?
An AML program is a set of procedures designed to combat money laundering, terrorist financing, and threats to the integrity of the U.S. financial system. AML regulations assist government efforts to prevent financial crimes and limit the flow of illegally obtained money into the financial system. To comply with AML regulations, financial institutions must conduct due diligence on their customers.
What is KYC?
Know Your Customer (KYC) is a process designed to collect and verify the identity of customers or other stakeholders like investors. KYC is a central part of the due diligence that AML programs require. Beyond verifying customer identity, firms conducting KYC reviews on their customers look to see if a client has been the subject of negative news—such as regulatory enforcement actions—negative social media, or other publicity that might make a client undesirable.
KYC reviews may uncover politically exposed persons (PEPs) who are in positions of authority and potentially at risk for bribery or corruption. CDD may also uncover a connection to government sanctions from The Office of Foreign Assets Control (OFAC) or other governmental bodies. For example, recent additions to OFAC’s sanctions list relating to the Russia-Ukraine conflict require private equity funds with sanctioned Russian investors to restrict and report those clients’ investments. Financial institutions, like banks and credit unions, must determine an individual or institution’s risk profile and determine whether to go forward with that client.
KYC and AML compliance
The KYC process, and larger AML program, is designed to protect clients, advisors, and the company at large from fraud, complicity in money laundering, criticism, and potential enforcement by regulators.
Who is subject to AML and KYC regulation?
Federal law requires financial institutions, including U.S. banks and broker-dealers, to comply with AML regulations. The Financial Crimes Enforcement Network (FinCEN) oversees AML compliance in the United States.
The USA PATRIOT Act of 2001
Following the 9/11 attacks in 2001, Congress passed the USA PATRIOT Act, which mandates that financial institutions know their customers (KYC) both as they onboard and as they interact with the institution. The USA PATRIOT Act also strengthened the BSA by setting more stringent AML standards for financial institutions. The new standards require financial institutions to set uniform AML policies, educate employees via AML training, hire AML compliance officers, and conduct audits and other CDD measures.
Customer Due Diligence Rule
In another bid to strengthen the BSA, FinCEN released its Customer Due Diligence Rule in 2018. This rule requires financial institutions to create policies to:
verify customer identity
understand the purpose of the relationship with the financial institution
monitor accounts for suspicious transactions
develop risk profiles for clients
The CDD Rule also requires financial institutions to identify beneficial owners of business entities that open accounts with them. Beneficial owners are those individuals who stand to gain from ownership of an asset, even if it’s legally owned by an entity with another name. For example, all investors in a venture fund are beneficial owners of the fund, even if they invest through another entity, like a trust.
The CDD rule requires financial institutions to verify the identities of anyone who holds at least a 25% of an investment entity, and to identify a control person for all legal entities. A control person is someone who can make financial decisions for the entity—typically a senior executive such as a CFO.
The most recent updates to AML regulations came in 2021 when FinCEN began to enforce the Anti-Money Laundering Act of 2020. With this law, Congress increased cryptocurrency guidelines and raised the financial penalties for infractions. Lawmakers also added more disclosure requirements for beneficial ownership of certain assets.
What venture fund managers need to know about AML and KYC
Most venture capital and private equity firms aren’t included in FinCEN’s definition of a financial institution, which means they’re not legally required to have AML programs. But fund managers may still benefit from AML best practices, which can help them avoid inadvertently doing business with financial criminals and other risky clients.
Criminals use private equity (PE) and other asset classes to hide dirty money. In 2020, a leaked FBI memo stated that the agency believes investment funds in the PE and hedge fund industry are being used to launder “at scale.” The memo called for greater AML scrutiny from existing enforcement agencies, and for Congress to enact uniform protocols for KYC compliance—as of now, it’s up to financial institutions to develop their own processes for compliance with KYC regulations.
While the VC, PE, and hedge fund industries have not historically faced AML or KYC requirements, industry watchdogs have ramped up calls for heightening AML oversight in the private fund industry—particularly in the wake of broad U.S. sanctions of Russian oligarchs in 2022. Some institutional investors may also require that a fund implement AML best practices as a condition of investing in a fund.
What founders need to know about AML and KYC
While most U.S. companies may not be required to build out an AML program, all U.S. individuals and businesses must adhere to relevant U.S. sanctions programs, as administered by OFAC.
OFAC and sanctions
OFAC administers and enforces economic sanctions programs. Sanctions primarily target countries and groups of individuals, such as terrorists and narcotics traffickers, and can be either comprehensive or selective. Sanctions attempt to accomplish foreign policy and national security goals by blocking assets and creating trade restrictions. Active sanctions prevent all U.S. citizens and companies from doing business with the targeted countries, foreign entities, or individuals.
Proponents of extending AML regulation to private funds have argued that regulators cannot adequately enforce sanctions because they have no legal means of identifying the high net-worth individuals who often invest in PE or VC firms.
If you have a sanctioned individual or entity on your company’s cap table or among your fund’s limited partners, their assets may be frozen by OFAC. Penalties for breaking with sanctions can be extremely severe, with fines of up to $20 million and jail time up to 30 years for serious offenders.
The benefits of an AML program
Although it is not required for private funds or private companies, institutional investors and financial regulators consider implementing an AML program that aligns with BSA requirements a prudent business practice.
Depending on a company or fund’s relationship to U.S. financial institutions (its banking, trading, custody, and debt profile) certain activities may be subject to implementing an AML compliance program that aids OFAC sanctions and anti-fraud obligations.
As a startup founder or private fund manager, your banking partners may require you to identify your investors or limited partners and identify their sources of wealth and funds so that they can comply with their own AML requirements. Having an appropriate AML program in place will help you meet these requests and avoid potential problems related to your investments.
How Carta helps with KYC
A reputation for good judgment is critical for courting investors—and incurring severe legal or financial penalties for breaking with sanctions can put an entire firm at risk. Your bank and investors, particularly institutional investors, will expect that you have conducted due diligence on your investors, including a KYC check.
How KYC due diligence works
At Carta, we begin the VC KYC-as-a-service process at onboarding by reviewing identifying information of our fund client’s investors. From there, we continue to monitor the investors’ information for potential sanctions concerns. Our team provides custom reporting to help GPs identify risks, such as whether:
an LP has been sanctioned or is related to a sanctioned party
there has been legal enforcement against an LP
there is negative news coverage about an LP
an LP or owner is a PEP and may therefore be at risk of bribery or other influence
If you’re already a Carta fund admin customer, talk to your account manager to learn more about KYC as a service. If you’re new to Carta, request a demo to learn more: