The Handbook
Standard 13: Client Due Diligence
The Standard
Firms must conduct robust investor due diligence. This includes:
- investor verification and due diligence procedures appropriate to regulatory requirements;
- a risk-based approach to customer due diligence, with enhanced procedures for high-risk investors; and
- ongoing monitoring of investor activities and transactions for suspicious activity.
Firms must establish suspicious activity detection and reporting mechanisms in compliance with applicable regulations, and provide regular training and testing of AML/KYC procedures for all relevant personnel.

Introduction
Investor onboarding and anti-money laundering (AML) processes in the digital asset sector face a unique "anonymity vs. transparency" paradox. While blockchains are technically public ledgers, the use of pseudonymous addresses and instant global transfers creates a high-stakes environment for verifying identities. Traditional know-your-customer (KYC) procedures that rely solely on static document verification are no longer sufficient: modern illicit actors frequently use mixers, privacy-enhancing protocols (such as zero-knowledge-proof-based shielded transfers), or "chain hopping" across cross-chain bridges to hide the origin of their wealth.

Standard 13 mandates an "intelligence-first" onboarding program that bridges the gap between traditional identity and on-chain behavior. This requires firms to collect not only government-issued identification but also the investor's whitelisted wallet addresses, which serve as the baseline for future monitoring. Regulatory frameworks such as the EU's AMLA and "failure to prevent" corporate liability doctrines have shifted the burden of proof to the manager, requiring active, forensic risk assessments that classify investors based on their geographic exposure, source of wealth, and technical footprint.

Effective AML programs must evolve from a one-time checkbox into a continuous risk management lifecycle. Blockchain analytics are essential to identify "hops" between an investor's wallet and
high-risk entities or sanctioned jurisdictions. Under current global standards, firms are obligated to file suspicious activity reports (SARs) promptly upon detecting anomalous patterns, such as sudden "layering" or interaction with suspicious smart contracts. Institutional excellence is defined by this proactive stance: investing in specialized forensic tools and independent audits to maintain a transparent and defensible compliance posture.

13.1 Investor Onboarding and KYC
The investor onboarding process is the critical first touchpoint for establishing a compliant relationship. For digital asset managers, this process must be frictionless yet rigorous, bridging the gap between traditional identity verification and on-chain accountability. Unlike traditional finance, where custodial intermediaries often silo investor data, digital asset onboarding requires the direct identification of on-chain wallets to enable continuous transaction monitoring.

13.1.1 Customer Identification Program (CIP)
A formal CIP, updated to meet the FinCEN 2026 AML rule requirements, must outline the mandatory steps for verifying an investor's identity.
- For individuals: collection of full legal name, date of birth, and residential address (verified via utility bills or bank statements). Valid government-issued identification (e.g., passport, driver's license, or national ID card) is mandatory, together with a taxpayer identification number such as an SSN where applicable. Firms must also document the source of wealth (SoW) and verify accredited investor status where applicable.
- For entities: verification of legal name, jurisdiction of formation, and principal place of business. Crucially, the program must identify all beneficial owners with 25% or more ownership and designate a "control person." Source of funds must be traced to a regulated financial institution.
- Verification methodology: firms should employ a multi-layered approach combining documentary verification (physical ID review) with non-documentary methods (searching third-party databases, credit bureaus, and public records) to
mitigate the risk of synthetic identity fraud.

13.1.2 On-Chain KYC
Beyond traditional paperwork, institutional-grade onboarding in 2026 requires linking a verified identity to specific blockchain addresses.
- Wallet address collection: investors must disclose all wallet addresses intended for interactions with the fund, including those used for deposits, withdrawals, and DeFi participation.
- Proof of address control: to prevent "identity piggybacking" (an investor claiming an address that someone else controls), firms must require proof of ownership. This is typically achieved through signed messages: the investor uses their private key to sign a unique, firm-provided string (e.g., "I own this wallet for Fund X on Dec 15, 2025"), proving control without exposing the key. The string must be unique per request and bound to the fund, the claimed address, and an expiry, so that a signature captured once cannot be replayed for another onboarding. An alternative is a micro-transaction or "satoshi test," where the investor sends a specific, tiny amount from the claimed address to a designated firm address.
- Address screening: every declared address is screened using blockchain analytics (e.g., Chainalysis) for historical links to sanctioned entities, mixers, or darknet markets before it is whitelisted.
- Ongoing monitoring (KYT): once onboarded, these addresses enter a know-your-transaction (KYT) workflow. Automated alerts are triggered post-onboarding if an investor's wallet interacts with high-risk protocols or sanctioned smart contracts.

Takeaway message:
Many managers mistakenly treat KYC as a one-time check. In reality, KYC is an ongoing process that requires regular updates and continuous monitoring. As investor risk profiles change (sources of wealth, business activities, or transaction patterns), KYC information must be kept current. Investment managers should ensure thorough onboarding by collecting identity verification documents, verifying wallet addresses on-chain, scheduling periodic KYC reviews, and tracking completion. For high-risk investors, enhanced due diligence is necessary, which may include additional checks and information collection. During reviews, ask questions such as "Describe your recent high-risk investor onboarding."
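The signed-message proof of control in 13.1.2 above, worked as the firm-side verifier. This is an added example written for this edition, not code from the handbook or from any wallet or analytics vendor. It assumes an ed25519-keyed chain (as Solana uses) with the address written as the hex of the 32-byte public key, so the address itself is the verification key; Bitcoin and Ethereum use secp256k1 and derive addresses by hashing the key, so the recovery step differs there. The names Verifier, Issue, Verify and RunScenarios are hypothetical. It shows the three checks that make the signed string more than a formality: a random nonce consumed on first use, an expiry, and a binding to the fund and the claimed address.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Challenge is the firm-provided string the investor must sign. It binds the
// fund, the claimed address, a random nonce and an expiry, so a signature
// captured for one onboarding cannot be replayed for another fund, another
// address, or at a later date.
type Challenge struct {
	Fund, Address, Nonce string
	Expires              time.Time
}

// Message renders the challenge exactly as the investor's wallet will sign it.
func (c Challenge) Message() []byte {
	return []byte(fmt.Sprintf("I control %s for %s; nonce=%s; expires=%s",
		c.Address, c.Fund, c.Nonce, c.Expires.UTC().Format(time.RFC3339)))
}

// Verifier is the firm-side state: challenges issued but not yet consumed,
// keyed by nonce. The clock is injectable so expiry can be exercised.
type Verifier struct {
	fund    string
	now     func() time.Time
	pending map[string]Challenge
}

func NewVerifier(fund string, now func() time.Time) *Verifier {
	return &Verifier{fund: fund, now: now, pending: map[string]Challenge{}}
}

// Issue creates a fresh single-use challenge for the address the investor claims.
func (v *Verifier) Issue(address string, ttl time.Duration) (Challenge, error) {
	var nonce [16]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Fund: v.fund, Address: address,
		Nonce: hex.EncodeToString(nonce[:]), Expires: v.now().Add(ttl)}
	v.pending[c.Nonce] = c
	return c, nil
}

// Verify consumes the challenge for nonce and checks that sig over its message
// was produced by the key behind address. Assumption (not from the handbook):
// an ed25519-keyed chain whose address is the hex of the 32-byte public key.
func (v *Verifier) Verify(nonce, address string, sig []byte) error {
	c, ok := v.pending[nonce]
	if !ok {
		return errors.New("unknown or already-used nonce")
	}
	delete(v.pending, nonce) // single use, whether or not the signature checks out
	if v.now().After(c.Expires) {
		return errors.New("challenge expired")
	}
	if c.Address != address {
		return errors.New("signature offered for an address other than the one challenged")
	}
	pub, err := hex.DecodeString(address)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed address")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), c.Message(), sig) {
		return errors.New("signature does not verify against the claimed address")
	}
	return nil
}

// Outcome collects the four cases the firm-side check must get right.
type Outcome struct{ Honest, Replay, Imposter, Expired error }

// RunScenarios plays the exchange with constructed keys: the genuine holder
// signs; the same signature is replayed; a second key ("identity piggybacking")
// signs a challenge for the first key's address; a challenge is answered late.
func RunScenarios() Outcome {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	addr := hex.EncodeToString(pub)
	clock := time.Date(2025, 12, 15, 9, 0, 0, 0, time.UTC)
	v := NewVerifier("Fund X", func() time.Time { return clock })

	var out Outcome
	c, _ := v.Issue(addr, 10*time.Minute)
	sig := ed25519.Sign(priv, c.Message())
	out.Honest = v.Verify(c.Nonce, addr, sig)
	out.Replay = v.Verify(c.Nonce, addr, sig)

	c2, _ := v.Issue(addr, 10*time.Minute)
	out.Imposter = v.Verify(c2.Nonce, addr, ed25519.Sign(otherPriv, c2.Message()))

	c3, _ := v.Issue(addr, 10*time.Minute)
	clock = clock.Add(11 * time.Minute)
	out.Expired = v.Verify(c3.Nonce, addr, ed25519.Sign(priv, c3.Message()))
	return out
}

func main() {
	o := RunScenarios()
	fmt.Println("honest:", o.Honest, "| replay:", o.Replay, "| imposter:", o.Imposter, "| expired:", o.Expired)
}
```

Run with go run: the honest case returns nil and the replay, imposter and expired cases each return an error. Two details matter in practice: the nonce is deleted before any check, so a failed attempt cannot be retried against the same challenge, and the signature is verified only against the address named in the challenge, so a valid signature from some other key the investor happens to hold proves nothing about the address being whitelisted.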
"What extra steps were taken, and what information was gathered?" If the manager cannot clearly distinguish between standard and high-risk onboarding, or cannot provide specific examples, it indicates a weak risk management approach.

13.2 Anti-Money Laundering (AML) Program
An AML program consists of the internal policies, procedures, and controls designed to prevent a firm from being used for money laundering or terrorist financing. Institutional best practice dictates that digital asset managers maintain a formal AML program, voluntarily where one is not yet mandated, that aligns with Bank Secrecy Act (BSA) standards. The success of such a program depends on a risk-based approach (RBA): customizing controls to address the unique threat profile of decentralized finance (DeFi) rather than relying on generic, traditional-finance rules.

13.2.1 Key Components of an AML Program
A robust AML program in the current regulatory environment is built on five core "pillars" of compliance:
- Designated AML compliance officer: a qualified individual with sufficient authority and direct access to the board. This officer is responsible for day-to-day oversight and must possess specific expertise in blockchain-based financial crime typologies.
- Written AML policy: a board-approved, annually reviewed document that outlines the firm's specific risk-based procedures. It must be updated to reflect recent 2026 regulatory changes, such as the Digital Asset Banking Act.
- Ongoing employee training: annual (minimum) training for all staff on identifying "red flags" specific to crypto, such as rapid multi-exchange movement of funds or the use of anonymity-enhancing cryptocurrencies (AECs) and related technologies.
- Independent testing: a risk-based audit conducted annually by a qualified third party. The audit tests the effectiveness of the firm's controls, and results must be reported directly to senior management and the board.
- Customer due diligence (CDD): a systematic process for identifying and verifying investors, with enhanced due diligence (EDD) reserved for high-
risk categories, such as politically exposed persons (PEPs) or investors from jurisdictions with weak AML oversight.

13.2.2 Risk Assessment
A formal AML risk assessment remains the foundation for any firm managing digital assets, identifying specific vulnerabilities:
- Product risks: assessing the risks of specific investment strategies, DeFi protocol participation, and redemption timeframes.
- Customer risks: evaluating investor types, geographic distribution, and the presence of complex entity structures that could obscure beneficial ownership.
- Geographic risks: monitoring transactions involving jurisdictions with weak AML regimes or those subject to active sanctions.
- Distribution risks: analyzing risks associated with direct onboarding versus the use of intermediaries or placement agents.

Takeaway message:
Many investment managers make the common mistake of using a generic AML policy without customizing it to their specific business risks. An effective AML program should be based on a thorough understanding of the actual risks the firm faces, rather than just following standard compliance rules. Generic policies often overlook unique crypto-related risks, such as the use of mixers, interactions with DeFi protocols, or cross-chain transfers. To evaluate whether an AML program is properly tailored, investors typically ask for a formal risk assessment that identifies the specific risks, an AML policy that includes crypto-specific measures, examples of enhanced due diligence procedures for high-risk situations, and independent testing results with findings and corrective actions. During due diligence, a key question is "Can you walk us through your AML risk assessment? What are your main risks, and how does your program address them?"
If responses are generic and do not mention crypto-specific risks, it indicates the program may not be properly customized for the crypto environment.

13.3 Transaction Monitoring
Transaction monitoring is the process of reviewing investor activity to identify unusual or suspicious patterns. It is a critical component of a functional AML program, serving as the primary mechanism for detecting illicit behavior after the initial onboarding phase. For digital asset managers, this requires a dual-track system: traditional monitoring for fiat movements ("off-chain") and specialized forensic analysis for blockchain activity ("on-chain").

13.3.1 On-Chain and Off-Chain Monitoring
A comprehensive monitoring framework must integrate both legacy financial data and real-time blockchain telemetry to provide a 360-degree view of investor risk.

Off-chain monitoring (traditional) focuses on fiat deposits and withdrawals to detect traditional money laundering typologies:
- Anomalous patterns: sudden spikes in transaction frequency or size that are inconsistent with the investor's declared profile.
- Structuring: multiple small transactions designed to stay just below reporting thresholds (e.g., the $10,000 currency transaction report threshold). The tell is not any single deposit but the aggregate: several sub-threshold deposits in a short window that together exceed the threshold.
- Geographic risk: flagging movements involving high-risk or non-cooperative jurisdictions.

On-chain monitoring (crypto-specific) uses blockchain analytics tools to trace the flow of digital assets:
- Direct and indirect exposure: identifying whether an investor's wallet has interacted with sanctioned addresses (e.g., those on the OFAC SDN list) or darknet marketplaces, either directly (one hop) or through intermediary addresses (multiple hops).
- Anonymity-enhancing tools: monitoring for the use of mixers, tumblers, or privacy protocols (e.g., Tornado Cash) that obscure the transaction trail. The sanctions status of a given mixer can change (Tornado Cash was removed from the SDN list in March 2025), so screening must key off the current lists rather than a static blocklist, and a mixer that is no longer designated is still a mixer for risk-scoring purposes.
- Protocol risks: highlighting interactions with unregulated exchanges or high-risk DeFi protocols known for money laundering vulnerabilities.
- Bridge activity: tracking assets moving across cross-chain bridges, which are frequently used by illicit actors to break the "chain of custody."
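The two detectors described in 13.3.1, as an added example for this edition (not the handbook's own tooling or any analytics vendor's API): DetectStructuring aggregates sub-threshold fiat deposits over a rolling window, and Exposure computes direct and indirect exposure as hop distance from an investor's wallet to a flagged address over a transfer graph. The transfers, deposits, addresses and the flagged set are constructed sample data, and the function and type names are hypothetical. In practice the transfer edges come from a node or an analytics provider and the flagged set from the current OFAC SDN list plus the firm's own high-risk entity list.

```go
package main

import (
	"fmt"
	"sort"
)

// Transfer is one on-chain transfer (from -> to). The addresses in the
// constructed sample below are placeholders, not real identifiers.
type Transfer struct{ From, To string }

// Exposure breadth-first-searches the transfer graph from wallet, treating a
// transfer in either direction as a link, and returns the hop count to the
// nearest flagged address with the path to it: 1 hop is direct exposure,
// 2..maxHops indirect, -1 nothing flagged within maxHops.
func Exposure(transfers []Transfer, wallet string, flagged map[string]bool, maxHops int) (int, []string) {
	adj := map[string][]string{}
	for _, t := range transfers {
		adj[t.From] = append(adj[t.From], t.To)
		adj[t.To] = append(adj[t.To], t.From)
	}
	depth, parent := map[string]int{wallet: 0}, map[string]string{}
	for queue := []string{wallet}; len(queue) > 0; queue = queue[1:] {
		cur := queue[0]
		if depth[cur] == maxHops {
			continue
		}
		for _, next := range adj[cur] {
			if _, seen := depth[next]; seen {
				continue
			}
			depth[next], parent[next] = depth[cur]+1, cur
			if flagged[next] { // first hit in BFS order is the shortest path
				path := []string{next}
				for n := cur; n != wallet; n = parent[n] {
					path = append([]string{n}, path...)
				}
				return depth[next], append([]string{wallet}, path...)
			}
			queue = append(queue, next)
		}
	}
	return -1, nil
}

// Deposit is one fiat deposit; Day counts days from an arbitrary epoch.
type Deposit struct{ Investor string; Day int; Amount float64 }

// Alert names an investor whose sub-threshold deposits add up above the threshold.
type Alert struct{ Investor string; Count int; Total float64 }

// DetectStructuring flags an investor with at least minCount deposits, each
// below threshold, inside any windowDays span, whose sum reaches threshold.
// Deposits at or above threshold are left out: they are reported on their own
// (a CTR at $10,000) and so are not what a structurer produces.
func DetectStructuring(deposits []Deposit, threshold float64, windowDays, minCount int) []Alert {
	byInv := map[string][]Deposit{}
	for _, d := range deposits {
		if d.Amount < threshold {
			byInv[d.Investor] = append(byInv[d.Investor], d)
		}
	}
	var alerts []Alert
	for inv, ds := range byInv {
		sort.Slice(ds, func(i, j int) bool { return ds[i].Day < ds[j].Day })
		best := Alert{Investor: inv}
		for i := range ds { // slide a window anchored at each deposit
			count, total := 0, 0.0
			for j := i; j < len(ds) && ds[j].Day-ds[i].Day < windowDays; j++ {
				count, total = count+1, total+ds[j].Amount
			}
			if count >= minCount && total >= threshold && total > best.Total {
				best = Alert{inv, count, total}
			}
		}
		if best.Count > 0 {
			alerts = append(alerts, best)
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Investor < alerts[j].Investor })
	return alerts
}

// Constructed sample data: an investor wallet three hops from a flagged
// address via an exchange and a bridge; "alice" splits $29,000 into three
// sub-$10,000 deposits over four days while "bob" deposits $25,000 at once.
var SampleTransfers = []Transfer{
	{"investor_wallet", "exchange_hot"}, {"exchange_hot", "bridge_contract"},
	{"bridge_contract", "flagged_addr"}, {"investor_wallet", "defi_pool"},
}
var Flagged = map[string]bool{"flagged_addr": true}
var SampleDeposits = []Deposit{
	{"alice", 1, 9500}, {"alice", 2, 9800}, {"alice", 4, 9700},
	{"bob", 1, 25000}, {"carol", 1, 3000}, {"carol", 30, 4000},
}

func main() {
	hops, path := Exposure(SampleTransfers, "investor_wallet", Flagged, 3)
	fmt.Println("exposure hops:", hops, "path:", path)
	fmt.Println("structuring alerts:", DetectStructuring(SampleDeposits, 10000, 7, 3))
}
```

With the sample data the investor wallet is three hops from the flagged address (wallet to exchange to bridge to flagged), so a maxHops of 2 reports no exposure and 3 reports indirect exposure with the path. alice is flagged for three deposits totaling $29,000 within four days; bob is not, because his single $25,000 deposit is above the threshold and reported on its own; carol's two small deposits fall outside the window. Hop distance alone is a coarse signal: exchange hot wallets sit one hop from almost everything, so production screening weights hops by the counterparty's category and by the value that actually flowed along the path.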
13.3.2 Red Flags
Firms must maintain an updated list of "red flags" that trigger immediate investigation. These indicators help compliance teams distinguish between legitimate volatile market activity and potential financial crime:
- transactions with no apparent economic purpose or investment rationale;
- individuals or entities in high-risk jurisdictions without reasonable explanation;
- sudden, unexplained increases in transaction size or frequency;
- transactions with known or suspected illicit actors identified through blockchain analytics;
- unusual transaction patterns inconsistent with stated investment objectives;
- reluctance to provide requested information or documentation;
- complex ownership structures without a legitimate business purpose;
- rapid movement of funds through an account without investment activity.

Takeaway message:
Source-of-funds verification for crypto-origin wealth requires capabilities beyond traditional KYC. Blockchain analytics tools can provide visibility into wallet history that investor representations alone cannot, identifying connections to high-risk activity, sanctions exposure, or mixing services that warrant additional scrutiny or rejection. Best practice is to implement blockchain analytics capability for investors whose funds originate from cryptocurrency. Wallet screening should assess transaction history, counterparty risk, and any connections to sanctioned addresses or high-risk services. The analysis should be documented and factored into the overall investor risk assessment.

13.4 Suspicious Activity Reporting (SAR)
When a firm identifies activity that it knows, suspects, or has reason to suspect involves illicit funds or a violation of the Bank Secrecy Act, it must file a suspicious activity report (SAR) with the Financial Crimes Enforcement Network (FinCEN). Filing a SAR is a mandatory legal obligation, not a discretionary choice. Any hesitation or failure to file can result in severe regulatory enforcement actions, including significant fines and potential criminal
liability for the firm and its officers.

13.4.1 SAR Filing Process
The filing of a SAR is subject to strict regulatory timelines and procedural requirements. A SAR must be filed within 30 calendar days from the date of initial detection of the suspicious activity (extendable to 60 days only where no suspect has been identified). Notably, this window begins when the suspicion is first identified, not when the internal investigation is completed. The formal process consists of the following phases:
- Investigation: review the flagged behavior (e.g., unusual on-chain movements or structuring of fiat deposits) to determine whether it meets the $5,000 threshold for reporting. Managers must gather all relevant transaction data, conduct internal interviews if necessary, and document the rationale for filing or not filing.
- Preparation: draft a comprehensive narrative that explains the "who, what, where, when, and why" of the suspicion. The narrative must be clear, accurate, and supported by all gathered documentation. The report is submitted electronically through the FinCEN BSA E-Filing System.
- Filing and tracking: ensure the filing is submitted within the 30-day window. If the suspicious activity is ongoing, the firm must monitor the account and file continuing-activity SARs at least every 90 days (which, with the 30-day filing window, means a filing roughly every 120 days) to keep law enforcement updated.
- Documentation retention: under federal law, firms are required to retain copies of filed SARs and all supporting documentation for five years. These records must be stored securely and made available for regulatory examinations or law enforcement requests.

13.4.2 Confidentiality
The confidentiality of a SAR is a cornerstone of the AML framework. Disclosing to the subject of a report, or to any unauthorized third party, that a SAR has been filed or even discussed is a direct violation of federal law. This is often referred to as "tipping off" and carries significant criminal penalties. Strict confidentiality protocols must include:
- Need-to-know access: access to SAR-related information must be restricted to the AML
compliance officer and only those senior personnel necessary for the decision-making process.
- Secure infrastructure: all SAR records must be maintained in a secure, encrypted environment with restricted access and immutable activity logging.
- Prohibition on disclosure: SARs must never be referenced in investor reports, marketing materials, or standard financial audits.
- Employee training: all staff must be trained on the legal requirement of SAR confidentiality and the severe consequences of unauthorized disclosure.
- Law enforcement cooperation: while strictly confidential, information can and should be shared with appropriate law enforcement agencies when authorized or upon receipt of a subpoena.

Takeaway message:
Sanctions compliance in digital assets extends beyond traditional name screening to include wallet address monitoring. Investors may transact with wallets that later appear on sanctions lists, or counterparties may be added to sanctions lists after relationships are established, so effective screening requires both initial and ongoing monitoring. Best practice is to implement comprehensive sanctions screening that covers investor names and entities (against OFAC and relevant international lists), wallet addresses (against blockchain sanctions databases), and ongoing re-screening as lists are updated. Positive matches should trigger documented review and, where confirmed, appropriate action including potential relationship termination.

Allocator Due Diligence Considerations
Institutional allocators evaluate AML/KYC programs by checking how well managers understand their investors, identify risks, and monitor activities regularly. If a manager cannot clearly explain how they classify investor risks, show detailed checks for high-risk investors, or provide proof of ongoing monitoring, the compliance program may not meet industry standards.

Program assessment:
- Describe your AML/KYC framework structure and governance.
- Who is your AML officer and what is their background?
- How do you assess investor risk systematically?
- What training do you provide and how is effectiveness measured?
- How often do you test your program and what were recent findings?

Onboarding process:
- Walk through your investor onboarding process step by step.
- How do you verify cryptocurrency-derived wealth specifically?
- What factors cause enhanced due diligence to be triggered?
- What is the typical onboarding timeline for different risk levels?
- Show example documentation demonstrating thoroughness.

Monitoring capabilities:
- How do you monitor investors on an ongoing basis?
- What systems and tools do you use for monitoring?
- How often do you refresh KYC information?
- What triggers immediate investor review outside the normal cycle?
- Show monitoring reports and alert investigation documentation.

Regulatory compliance:
- Have you filed any suspicious activity reports, and how many? (Expect a description of the escalation and filing process rather than a count: SAR confidentiality, discussed in 13.4.2, prohibits a filer from disclosing the existence of a SAR to third parties, and a manager who answers with specifics is violating that prohibition.)
- Have you experienced any regulatory examinations or findings?
- How do you stay current with evolving requirements?
- What outside advisors or service providers support your program?
- Have you identified any compliance issues, and how were they remediated?
Documentary evidence requirements:
- complete AML/KYC policies and procedures manual;
- sample investor files demonstrating the process (appropriately redacted);
- risk assessment documentation with methodology;
- staff training records with completion tracking;
- independent audit reports on program effectiveness.

Common Pitfalls and Remediation
KYC treated as an onboarding exercise only. The client is verified at relationship inception but never reassessed. Circumstances change (beneficial ownership evolves, transaction patterns shift, sanctions lists update), but the client risk profile remains frozen at onboarding.
Remediation: implement risk-based KYC refresh: annual review for standard-risk clients, more frequent for elevated risk. Monitor for trigger events (significant transaction pattern change, adverse media, sanctions list updates) requiring immediate review regardless of cycle.

AML policy ignores digital asset realities. A generic AML framework addresses traditional banking risks but misses crypto-specific concerns: mixer and tumbler usage, privacy coin transactions, bridge activity, DeFi protocol interactions, and wallet clustering patterns.
Remediation: customize AML policies for digital assets. Define crypto-specific red flags (mixer interactions, rapid movement through multiple wallets, privacy coin conversion, sanctioned address proximity). Train staff to recognize patterns traditional AML wouldn't flag.

No blockchain analytics capability. Transaction monitoring is limited to exchange reports without visibility into on-chain activity. The firm can't identify mixer usage, sanctioned address interactions, or suspicious wallet patterns because the data isn't being analyzed.
Remediation: deploy a blockchain analytics platform with address clustering, risk scoring, and sanctions screening capabilities. Integrate outputs into client monitoring and transaction surveillance. Train compliance staff to interpret results and investigate flagged activity.

Reluctance to file SARs. Suspicious activity is identified but SAR filing is avoided or
delayed to preserve the investor relationship or avoid difficult conversations; the regulatory obligation is subordinated to business considerations.
Remediation: reinforce that SAR obligations are non-negotiable; the duty to the financial system supersedes client relationships. Document all SAR deliberations, including decisions not to file, with supporting rationale. When in doubt, file: regulators criticize under-filing, not over-filing.

Wallet addresses not collected or verified. The client is onboarded without capturing the wallet addresses used for transactions. On-chain activity can't be monitored because the firm doesn't know which wallets belong to which clients.
Remediation: require wallet address disclosure during onboarding for any client transacting in crypto. Verify wallet control through a signed message or a small test transaction. Include all disclosed addresses in ongoing monitoring and update as clients add wallets.

AML training is generic and infrequent. Annual training covers traditional AML concepts but not crypto-specific red flags. Staff can't identify digital asset money laundering patterns because they haven't been taught what to look for.
Remediation: provide annual training with crypto-specific content: on-chain red flags, mixer identification, DeFi-related risks, and case studies from enforcement actions. Tailor training to role; front office, compliance, and operations face different scenarios. Test comprehension, not just attendance.

AML program lacks independent testing. The program is designed and self-assessed by compliance without external validation. Weaknesses persist because no independent party examines whether controls actually work.
Remediation: commission an annual independent AML review by a qualified third party. Scope should cover policy adequacy, control effectiveness, and sample transaction testing. Present findings to the board or compliance committee. Track remediation with defined timelines and accountability.

Sanctions screening inconsistent or point-in-time. Screening is performed at onboarding but
not refreshed as sanctions lists update. Newly designated parties or addresses are not detected because screening isn't ongoing.
Remediation: implement continuous sanctions screening against OFAC and relevant international lists. Screen both client names/entities and wallet addresses. Automate re-screening when lists update. Establish an immediate escalation protocol for potential matches; sanctions violations are strict liability.

Escalation procedures unclear or untested. Staff are uncertain how to report suspicious activity, whom to notify, or what documentation is required. Hesitation and delay follow when suspicious activity is identified because the process is unclear.
Remediation: document clear escalation procedures: what triggers escalation, who receives reports, required documentation, and response timelines. Make the escalation matrix easily accessible. Test periodically through scenarios; if staff can't demonstrate the process, training and documentation need improvement.

Key Controls & Documentation