AML/KYC for VC Funds: The New Requirements Every GP Needs to Know in 2026

Anti-money laundering and know-your-customer requirements for venture capital funds have historically occupied an awkward space: significant enough to matter, ambiguous enough that many GPs underinvested in compliance, and enforced inconsistently enough that the risk felt manageable.

That calculus has changed. FinCEN's Customer Due Diligence Final Rule and subsequent beneficial ownership reporting requirements have created clearer, more specific obligations for fund managers. The SEC's continued focus on investment adviser compliance has raised the baseline. And the cost of getting it wrong — reputational, operational, and regulatory — has increased.

This guide is written for GPs and fund managers who need to understand what AML and KYC compliance actually requires in 2026: the specific obligations, the options for implementing them, what to do when red flags appear, and the recordkeeping expectations that will define whether you can demonstrate compliance if you're ever examined.

Why VC Funds Are Subject to AML/KYC Requirements

The starting point is understanding the regulatory basis. Investment advisers registered with the SEC are subject to the Investment Advisers Act, which includes anti-fraud provisions that implicitly require knowing who you're doing business with. But the more direct AML obligations have evolved through the Bank Secrecy Act and FinCEN rulemaking.

The historical gap: Historically, many investment advisers (including VC fund managers) were not subject to the same explicit AML program requirements that applied to banks and broker-dealers. FinCEN proposed rules to close this gap, and the timeline for investment adviser AML requirements has continued to tighten through 2025 and 2026.

The current state: As of 2026, investment advisers are required to maintain AML programs that include written policies and procedures, employee training, a designated AML compliance officer, and independent testing. The specifics depend on registration status and fund structure.

Beneficial ownership reporting: The Corporate Transparency Act and FinCEN's implementing regulations require the beneficial owners of many legal entities to be reported. Fund management companies and the funds themselves may have BOI reporting obligations. Understanding which entities in your structure must report, and what information must be disclosed, is an active compliance requirement in 2026.

Consult your fund counsel for the specific applicability analysis. This guide focuses on the operational implementation of LP onboarding due diligence — what you need to collect, verify, and document — rather than legal interpretation of the regulatory framework.

The LP Onboarding Checklist: What to Collect

Solid LP onboarding due diligence covers several categories of information and verification. The depth of diligence should be risk-proportionate: a large institutional LP with public filings and known principals requires different handling than an individual LP whose source of wealth is unclear.

Identity Verification

Individuals: Collect government-issued ID (passport or driver's license), confirm name, date of birth, address, and government ID number. For US persons, a Social Security number or equivalent identifier. Verify the ID is genuine — this requires more than accepting a scan. Reputable providers use liveness checks and document authentication technology.

Entities: Collect legal entity name, jurisdiction of formation, principal place of business, and EIN or equivalent tax identification number. Obtain formation documents (certificate of incorporation or formation, operating agreement) and verify the entity is in good standing with its jurisdiction of formation.

Beneficial owners: For entities, identify and verify the individuals who are ultimate beneficial owners — generally defined as individuals who own 25% or more of the entity, or who exercise significant control. Each beneficial owner requires the same individual-level identity verification.

This is where the administrative burden is highest for complex LP structures: limited partnerships with institutional general partners, multi-layered family office vehicles, trust structures with multiple beneficiaries. The obligation runs through the structure to the natural persons who ultimately control or benefit.

Accreditation Verification

Accreditation is a legal requirement for most private fund investments, but it also functions as a due diligence mechanism: it ensures LPs have the financial sophistication and loss tolerance appropriate to the investment.

Accredited investor standards (as of 2026): Individual LPs must meet the income test ($200,000/year individual, $300,000 joint, in each of the two prior years with expectation of the same in the current year) or the net worth test ($1 million net worth excluding primary residence) or qualify as a "knowledgeable employee" of the fund or based on professional credentials (Series 65, CPA, attorney in good standing).

Verification approach: Self-certification (the LP checks a box on the subscription agreement) has historically been common but is increasingly insufficient, especially for larger funds or those with institutional LP bases. Positive verification requires third-party confirmation: an independent letter from the LP's CPA or attorney, bank/brokerage statements, or a verification letter from an accreditation verification service.

Qualified purchaser status: If your fund relies on Section 3(c)(7) rather than Section 3(c)(1), LPs must meet the qualified purchaser standard ($5M in investments for individuals, $25M in investments for entities). Verification requirements are similar but the documentation threshold is higher.

Consult your fund counsel on which standard applies and what documentation is sufficient for your fund structure.

Source of Wealth and Funds

For higher-risk LP relationships, collect information about the source of the LP's wealth (how they accumulated their capital) and the source of the specific funds being invested (the direct source of the committed capital). This is distinct from accreditation — you're looking to understand whether the funds being invested are consistent with a legitimate economic origin.

Red flags that warrant deeper investigation: LPs who can't articulate a clear source of wealth, funds arriving from jurisdictions with weak AML regimes, a mismatch between the LP's stated profile and investment sophistication, or unusual payment routing (funds arriving from a third-party account with no clear explanation).

Political Exposed Persons (PEP) Screening

A politically exposed person is an individual who holds or has held a prominent public function — heads of state, senior government officials, senior executives of state-owned enterprises, senior political party officials, judges of supreme courts, and their immediate family members and close associates.

PEPs are not prohibited from investing in private funds, but relationships with PEPs carry elevated risk under AML frameworks because of the potential for corruption-related proceeds. PEP relationships require enhanced due diligence and often require senior management approval before acceptance.

PEP screening is not something you can do manually with any reliability. The universe of PEPs is large, changes constantly, and varies by jurisdiction. Automated screening against maintained PEP databases is the standard approach.

OFAC Sanctions Screening

The Office of Foreign Assets Control maintains the Specially Designated Nationals (SDN) list and other sanctions lists that restrict US persons from transacting with certain individuals, entities, and countries. Investing alongside a sanctioned party is not a compliance technicality — it's a potential federal criminal violation with serious consequences.

OFAC screening must happen at LP onboarding and should be repeated periodically thereafter (designations can occur after an LP relationship is already established). Every LP and every beneficial owner of an LP entity should be screened against the SDN list and applicable country sanctions programs.

Screening should also run against the EU consolidated sanctions list and, where relevant, OFAC's non-SDN lists (SSI list, CAPTA list, etc.).

Adverse Media Screening

Beyond the official sanctions and PEP lists, credible adverse media screening checks whether an LP, their beneficial owners, or affiliated entities have been the subject of news coverage that would indicate criminal activity, regulatory action, fraud, or other significant reputational risk.

This is not searching for unflattering press coverage. It's specifically looking for: criminal charges or convictions, financial fraud allegations, regulatory enforcement actions, terrorism financing associations, or connection to organized crime.

Automated adverse media screening uses natural language processing to sweep large volumes of news content. Manual Google searches are not sufficient — they miss non-English language coverage, paywalled content, and historical records.

Manual vs. Automated Approaches

The Manual Approach

For very small funds with a handful of LPs, manual processes are technically feasible: collect subscription documents, photocopy IDs, run manual OFAC checks on the FinCEN website, ask LPs to provide accreditation letters from their CPA. Document everything in a filing system.

The problems: OFAC screening needs to happen at onboarding AND periodically for existing LPs, and the SDN list updates frequently. PEP status changes — someone becomes a government official after their initial investment. Adverse media requires expertise and scale. Manual processes also lack the audit trail that regulators expect: a documented workflow with timestamps, the database versions screened against, and evidence that the screening actually happened.

Manual compliance works until it doesn't. The failure mode is usually not catching something because the process didn't catch it — or not being able to prove you did the screening because you have no documented record.

Automated KYC/AML Platforms

Dedicated compliance platforms automate the collection, verification, and screening workflows:

Identity verification: Document scanning with authenticity checking, liveness detection for individuals, business registry verification for entities.

Accreditation verification: Integrated accreditation checks or workflows for collecting third-party verification letters.

OFAC and sanctions screening: Automated screening against maintained, up-to-date sanctions lists with audit logs showing the database version at the time of each screen.

PEP screening: Continuous PEP database coverage across jurisdictions with automated alerting when an existing LP acquires PEP status.

Adverse media: NLP-based scanning across news sources with configurable risk thresholds.

Ongoing monitoring: Automated re-screening of existing LP relationships on a scheduled cadence (typically quarterly or annually, and triggered by significant list updates).

Audit trail: A complete, timestamped record of every check performed, the result, and any review decisions — exactly what you need to demonstrate compliance in an examination.

Platforms like Jumio, Onfido, Comply Advantage, and Trulioo operate in this space. For fund management specifically, Archstone's compliance module integrates AML/KYC workflow tracking so that onboarding due diligence is part of the LP record rather than a separate system.

Handling Red Flags and Suspicious Activity

Not every AML check comes back clean. Understanding how to handle exceptions is part of building a functional compliance program.

The tiered response: Not every adverse result requires the same response. A minor name match on an SDN list that clearly refers to a different individual (different date of birth, different country) can be documented and cleared. A close match on a PEP database for an individual who may hold a relevant government position requires enhanced due diligence and management escalation before proceeding.

The escalation path: Your AML policy should specify who reviews flagged results, what documentation is required to clear a flag, and who has authority to approve or decline a flagged LP. This is typically the AML compliance officer plus senior GP sign-off for elevated-risk situations.

When to decline: Some LP relationships should be declined even if no specific sanctions list match exists. A pattern of indicators — unusual fund routing, inability to explain wealth source, entity structures with no apparent business purpose, excessive urgency — can constitute sufficient grounds for declining an LP relationship under a risk-based approach. Document your reasoning.

Suspicious Activity Reports (SARs): Investment advisers have SAR filing obligations when a transaction involves funds derived from illegal activity (or intended to evade reporting requirements) and the transaction amount exceeds $5,000. This is rare in VC fund LP onboarding, but the obligation exists and your AML policy should address the process for making a SAR filing determination.

Recordkeeping Requirements

A compliance program that exists only in people's heads — or in undated, disorganized files — is not a compliance program. Regulators examining your firm will look for:

Written AML policies and procedures. A documented description of your program: who is responsible for AML compliance, what the LP onboarding process requires, how ongoing monitoring works, and how red flags are handled. This document should be current and reflect your actual practice.

LP due diligence files. For each LP, a file containing: the collected identity documents, verification results, accreditation documentation, screening results (with database versions and screening dates), and any exception documentation. These records should be retained for five years from the date of each activity (the standard BSA recordkeeping period).

Training records. Evidence that relevant personnel have received AML training, including dates, topics covered, and acknowledgment by the individual trained.

Screening logs. Timestamped records of every OFAC, PEP, and adverse media screening, the result, and any follow-up action.

Exception approvals. Documentation of any screening result that required escalation, the review performed, and the decision reached with rationale.

Annual AML review. Most AML programs require periodic independent testing or review of the program's effectiveness. Document this review and its findings.

Penalties for Non-Compliance

The consequences of AML non-compliance are not theoretical. They range from administrative action to criminal prosecution depending on the nature and severity of the violation.

SEC enforcement: The SEC can bring enforcement actions against registered investment advisers for failures in AML programs. Penalties include censure, suspension or revocation of registration, and civil money penalties. Publicized enforcement actions create reputational damage far exceeding the nominal penalty.

FinCEN civil penalties: FinCEN can impose civil money penalties for BSA violations. For willful violations, penalties can reach $1 million or more per violation. For non-willful violations, lower thresholds apply — but "non-willful" is a fact-specific determination.

Criminal prosecution: In cases involving knowing facilitation of money laundering or deliberate avoidance of AML requirements, criminal prosecution is possible. This is rare for fund managers who had an AML program but made implementation errors. It is not rare for fund managers who deliberately ignored red flags or destroyed records.

Practical consequences: Beyond formal enforcement, the consequences of accepting problematic LP capital include: reputational damage that affects future fundraising, potential forfeiture of invested funds, LP liability concerns, and personal liability for GPs who knew or should have known about compliance failures.

The cost of a functional AML program for an emerging fund — whether a dedicated compliance officer's time or an automated platform — is a small fraction of any of these consequences.

Building a Scalable Compliance Program

For a fund raising $5M–$30M from a modest number of LPs, an AML/KYC program doesn't require a compliance team or a large compliance budget. It requires:

1. Written policies that reflect your actual process (not a template you downloaded and forgot about)
2. A designated compliance officer — in a small fund, this is often a GP, but the role must be defined and the person must be trained
3. An LP onboarding checklist that ensures every required element is collected and verified before acceptance
4. Automated screening that provides documented, up-to-date OFAC and PEP screening rather than manual spot checks
5. Recordkeeping infrastructure that keeps LP due diligence files organized, accessible, and retained for the required period
6. Annual program review that tests whether your actual practice matches your written policy

For emerging managers, the right approach is building the compliance infrastructure before you need it — before you're in a fundraise, before an LP asks to see your AML policy, before an SEC examination is scheduled. A compliance program assembled in response to scrutiny reads differently than one built proactively into fund operations.

The regulatory environment for fund AML/KYC is continuing to evolve. Requirements that are advisory today may be mandatory next year. Building strong practices now puts you ahead of the curve rather than scrambling to catch up.