The Handbook
Standard 2: Regulatory Compliance
The Standard

Firms must maintain robust compliance programs. This includes an independent compliance function with appropriate resources, authority, and reporting lines; a comprehensive compliance program addressing all applicable laws, rules, and regulations across jurisdictions; and proactive monitoring of regulatory developments and their impact on firm operations. Firms must implement robust anti-money laundering (AML) and know-your-customer (KYC) procedures appropriate to their investor base and establish a framework for managing multi-jurisdictional compliance obligations.

Introduction

Regulatory rules for digital assets are still not clear and are not fully established. Unlike traditional assets, which have well-defined laws and regulations, digital assets raise many questions about which rules apply and which authorities are responsible. Often, rules designed for other asset types are applied to tokens, but this can lead to confusion. This uncertainty does not mean firms can ignore compliance; instead, it highlights the importance of adhering to good practices. Firms that operate without proper registration may find it difficult to attract institutional investors, regardless of the quality of their operations or investments.

Standard 2 highlights that firms should have strong compliance programs, even when regulations are uncertain. They should ensure they are registered with the appropriate authorities and keep detailed records of their activities. It is also important to have systems in place to monitor and regularly test compliance. If issues arise, firms should respond promptly and document how they address and resolve these problems. Failing to maintain proper compliance can lead to legal penalties, operational challenges, and damage to the firm's reputation.

To meet this standard, firms should view compliance as a fundamental part of their operations, not just a legal obligation. They should employ experienced compliance staff who understand both traditional finance and digital assets. Using technology to monitor compliance effectively can be beneficial, and maintaining detailed records of all compliance activities is essential. Firms should also ensure that their compliance functions operate independently and are not influenced by business pressures. Compliance should be integrated into risk management and trust-building efforts with investors, rather than treated as a mere formality or checkbox exercise.

2.1 Regulatory Registration and Licensing

Registration is the cost of accessing institutional capital. Operating without necessary licenses immediately disqualifies you from institutional investment regardless of operational quality. Digital asset firms often activate multiple regulatory regimes simultaneously: investment adviser registration, commodity trading advisor registration, money transmitter licenses, and foreign registrations. Each regime brings distinct obligations, examination risk, and operational requirements.

2.1.1 SEC Investment Adviser Registration

The Securities and Exchange Commission (SEC) registration threshold is $100 million in regulatory assets under management. Crossing this threshold brings federal jurisdiction, requiring Form ADV filing and SEC examination oversight. Below this level, state registration applies, with each jurisdiction having distinct requirements. Most institutional allocators require federal registration regardless of AUM level; state-registered advisers face higher scrutiny and limited capital access.

Form ADV Requirements

Form ADV Part 1: Detailed disclosure of business operations, ownership structure, disciplinary history, custody arrangements, conflicts of interest, and affiliated entities. Digital asset advisers must disclose token custody models, counterparty relationships with exchanges, and DeFi protocol exposures.

Form ADV Part 2: Client disclosure brochure written in plain English describing services offered, fee structures, conflicts of interest, disciplinary information, custody practices, and material risks. Digital asset sections must address custody security, smart contract risks, protocol vulnerabilities, exchange counterparty risk, and regulatory uncertainty affecting client investments.

Digital asset specific disclosures must explicitly address private key management and custody architecture, exchange failure and counterparty risk, smart contract vulnerabilities and audit limitations, DeFi protocol risks and governance participation, illiquidity in volatile markets, regulatory classification uncertainty, and the potential for complete loss.

Annual amendments are required within 90 days of the fiscal year end. Material changes require prompt amendments: new custody relationships, disciplinary actions, or ownership changes trigger immediate filing obligations. Failure to maintain a current Form ADV creates examination findings and allocator concerns about operational rigor.

2.1.2 CFTC and NFA Registration

Trading cryptocurrencies like Bitcoin or Ethereum involves specific rules set by the Commodity Futures Trading Commission (CFTC). The CFTC considers both Bitcoin and Ethereum to be commodities, which means that trading futures on these cryptocurrencies must follow certain regulations. Traders need to become members of the National Futures Association (NFA) and must register as either a commodity trading advisor (CTA) or a commodity pool operator (CPO). These rules are in place to make the market transparent, protect investors, and keep the market fair, especially as digital assets become more popular and widespread.

CTA Registration Requirements

All principals must pass the Series 3 exam, demonstrating commodity trading knowledge. Disclosure documents must be filed with the NFA separately from Form ADV, addressing commodity-specific risks. Monthly reports must be submitted to the NFA detailing assets under management and positions. Separate books and records must be maintained for commodity accounts, with specific retention requirements.

CPO Registration Requirements

Operating pooled investment funds that trade commodity futures requires registration as a commodity pool operator (CPO). This registration involves stricter rules than becoming a commodity trading advisor (CTA). CPOs must prepare annual financial reports that are audited and follow either US GAAP or IFRS standards. They also need to send quarterly account statements to investors to keep them informed about fund performance. CPOs must use specific methods to report performance consistently across reports. Protecting client assets is essential, so customer funds must be kept separate at registered futures commission merchants (FCMs). Good recordkeeping is also necessary to meet regulatory requirements and support audits. Overall, becoming a CPO involves higher costs and more operational work than registering only as an investment adviser, because of the increased rules and protections designed to safeguard investors when trading commodity futures through pooled funds.

2.1.3 Money Transmitter Licensing

The rules for money transmitters are complex and vary widely across regions. Each jurisdiction sets its own standards for what counts as money transmission, creating a fragmented regulatory environment that increases compliance challenges for businesses operating in multiple areas. Typical activities that may trigger regulatory requirements include holding private keys for customer assets, enabling exchanges between fiat currencies and cryptocurrencies, managing omnibus wallet structures, and offering custody services that involve control over customer assets. This patchwork of regulations makes compliance more difficult and highlights the need for clearer, more consistent frameworks. Such frameworks are essential to support the sustainable growth and stability of the digital asset industry, providing a reliable foundation for investment managers and other industry participants.

Federal Level Requirements

Registration with the Financial Crimes Enforcement Network (FinCEN) as a money services business (MSB) is required for most digital asset activities, such as sending, exchanging, and storing digital currencies. This registration involves following certain rules to prevent illegal activities: setting up a customer identification program (CIP) to verify customer identities, filing suspicious activity reports (SARs) to report suspicious transactions, and filing currency transaction reports (CTRs) for transactions over $10,000. Companies must also have an anti-money laundering (AML) program to detect and prevent money laundering and related crimes. Following these rules is important for legal reasons and helps keep the digital asset industry transparent; it also reduces the chances of financial crimes and supports the integrity of the financial system.

State by State Licensing

State requirements for licensing money transmitters differ significantly. In New York, the BitLicense is very strict, requiring firms to meet capital standards, implement comprehensive compliance and cybersecurity programs, establish anti-money laundering procedures, undergo examinations, and cover high application costs. Other states may exempt certain activities or offer simpler licensing processes; activities that require licensing in New York might be exempt in Montana or Wyoming. Investment firms should analyze the licensing requirements in each state where they have clients or operations. Operating without the necessary state licenses can lead to criminal liability and regulatory penalties, emphasizing the importance of understanding and complying with each state's regulations.

Table 1: U.S. Registration Matrix [table not reproduced]

2.1.4 International Registration Requirements

International operations trigger additional registration obligations. Accepting non-US investors, operating offshore funds, or maintaining non-US offices each creates distinct registration requirements.

European Union: MiFID II (Markets in Financial Instruments Directive) applies to investment services across member states. Digital asset services may require authorization as an alternative investment fund manager or as a crypto-asset service provider under MiCA (Markets in Crypto-Assets Regulation) beginning in 2024.

United Kingdom: Financial Conduct Authority (FCA) authorization is required for UK operations. Crypto-asset firms require registration under the Money Laundering Regulations. Post-Brexit, UK regulation diverges from EU requirements.

Cayman Islands: Cayman Islands Monetary Authority (CIMA) registration applies to fund managers. Most offshore hedge funds are domiciled in Cayman, requiring CIMA registration for the management company and fund licensing.

Singapore: Monetary Authority of Singapore (MAS) licensing covers digital payment token services. Singapore's progressive framework makes it attractive for Asian operations but requires significant compliance infrastructure.

Switzerland: FINMA (Swiss Financial Market Supervisory Authority) regulates fund management and crypto service providers. Switzerland's "Crypto Valley" offers favorable regulatory treatment but requires local presence and capital requirements.

Takeaway Message

A common registration gap is assuming one license covers all activities. SEC investment adviser registration does not authorize futures trading (which requires CFTC/NFA registration), custody operations may trigger state money transmitter requirements, and non-US investors often require foreign registrations. Each business activity warrants analysis against applicable registration triggers. Best practice is maintaining a registration matrix that maps each activity to its regulatory requirements, with supporting legal analysis; this should be reviewed whenever the business model evolves. Vague references to "appropriate registration" without documented analysis of specific activities (trading, custody, investor geography) may not withstand regulatory scrutiny or allocator diligence.

2.2 Compliance Program Architecture

A compliance program acts as a system for ensuring adherence to regulations. In digital assets, it should cover traditional issues such as insider trading and best execution, as well as new challenges like governance participation in decentralized finance, risk assessment of smart contracts, and monitoring of on-chain transactions. Institutional investors evaluate the effectiveness of these programs through testing records, violation logs, and remediation documentation, rather than relying solely on policy documents.

2.2.1 Chief Compliance Officer Independence

The chief compliance officer (CCO) role requires specialized expertise and true independence. The CCO cannot effectively monitor activities while reporting to individuals whose conduct requires oversight. Essential independence elements include:

Direct reporting to CEO or board: The CCO must not report to the CIO, COO, or other operational leaders whose activities require monitoring. Direct board access enables escalation without management filtering.

Protected budget authority: The CCO controls the compliance budget without requiring approval from individuals whose activities generate compliance costs. Inability to retain counsel or implement monitoring tools without business unit approval eliminates independence.

Authority to halt violations: The CCO must have clear authority to stop activities violating policies or regulations without requiring approval. Trading restrictions, marketing holds, or operational changes should not require business unit consent.

Termination protections: CCO termination should require board notification, if not board approval. Management's ability to remove the CCO without board oversight eliminates independence when compliance challenges business priorities.

The CCO must possess both traditional compliance experience from SEC, CFTC, or FINRA backgrounds and digital asset knowledge including smart contracts, DeFi protocols, and blockchain technology. Generalist compliance professionals without crypto-specific expertise cannot assess protocol risks, custody vulnerabilities, or on-chain transaction patterns. Conversely, crypto-native personnel without traditional compliance backgrounds lack understanding of fiduciary obligations, insider trading rules, and examination procedures.

Firms with AUM below $100 million often use fractional or consulting CCOs. This model functions effectively if the consultant has sufficient time allocation, direct board access, and independence from management. Part-time arrangements with inadequate hours, limited access, or reporting through operational management create the appearance of compliance without substance.

2.2.2 Compliance Manual Structure

Your compliance manual covers both traditional and digital asset requirements. Generic templates are ineffective because they include language that does not match actual operations. The manual should include clear operational procedures that employees can follow, rather than just aspirational statements about compliance culture. It is important that the manual provides practical guidance tailored to the specific processes involved in managing digital assets, ensuring that all team members understand their responsibilities and the actions required to maintain compliance effectively. This approach supports the fiduciary standards set by the governing board for investment management in the digital asset space, aligning operational practices with regulatory expectations and best practices in the industry.

Core Manual Components

Regulatory framework: Documents all applicable regulations, including SEC, CFTC, state, and international requirements. Identifies specific rule obligations and implementation procedures.

Personal trading controls: Specifies pre-clearance procedures, restricted lists, holding periods, and reporting requirements. Digital asset provisions must address token holdings, DeFi positions, staking, and governance participation.

Conflicts of interest: Identifies potential conflicts specific to digital assets, including protocol investments, service provider relationships, token allocations, and affiliate transactions. Establishes disclosure and mitigation procedures.

Best execution: Establishes trade routing procedures, counterparty selection criteria, execution quality monitoring, and documentation requirements. Addresses digital asset specific factors including exchange liquidity, custody arrangements, and settlement risk.

Marketing and advertising: Governs all client communications, including performance advertising, social media, conference presentations, and pitch materials. Requires compliance review before distribution.

Books and records: Specifies retention requirements for all regulatory documents, client communications, trading records, and compliance testing. Digital preservation with immutable timestamps is required.

Supervision procedures: Establishes monitoring procedures for all supervised persons, including the investment team, operations, and business development. Frequency, scope, and documentation requirements are specified.

2.2.3 Annual Compliance Review

SEC Rule 206(4)-7 requires an annual compliance program review assessing adequacy and effectiveness. This is not a checkbox exercise; it requires systematic evaluation of whether procedures prevented violations, testing identified issues, and remediation addressed problems. The annual review should examine:

Changes in business activities: New strategies, service providers, custody arrangements, or client types that require policy updates or additional controls.

Testing results: Analysis of all compliance testing performed during the year, violations identified, root causes, and remediation effectiveness.

Regulatory developments: New rules, guidance, examination findings, or enforcement actions requiring policy or procedure changes.

Technology changes: New systems, platforms, or tools affecting recordkeeping, supervision, or control effectiveness.

Adequacy assessment: Whether current procedures address all material risks, cover all supervised activities, and enable effective monitoring.

The annual review should be documented in writing and presented to senior management and the board. It should lead to specific plans for fixing any identified issues. Generic reviews that only state that policies are adequate, without analyzing testing results, violations, or areas needing improvement, indicate a focus on appearance rather than effective oversight.

Takeaway Message

Compliance programs commonly fail in two ways: the CCO lacks genuine independence, or the CCO lacks digital asset expertise. A CCO reporting to the CIO may face challenges objectively monitoring investment activities. A CCO without blockchain knowledge may struggle to assess protocol risks or interpret on-chain transaction patterns effectively. Best practice is ensuring the CCO has both structural independence (reporting to the CEO or board, with direct board access) and substantive expertise (understanding of custody mechanics, DeFi protocols, and blockchain analytics). Allocators often evaluate compliance through testing evidence (methodology, samples, findings, and remediation) rather than manual quality alone. Well-documented testing work papers demonstrate that compliance is operational, not just documented.

2.3 Anti-Money Laundering Program

Anti-money laundering obligations in digital assets are more extensive than in traditional finance because of features such as pseudonymous transactions, cross-border transfers without intermediaries, mixing services that hide transaction history, and regulatory arbitrage across jurisdictions. Investment managers who accept clients or trade on exchanges become part of the financial system and are expected to comply with anti-money laundering regulations. Institutional allocators evaluate anti-money laundering programs by examining on-chain monitoring capabilities, sanctions screening procedures, and the implementation of the travel rule. These measures matter beyond basic know-your-customer (KYC) documentation, ensuring comprehensive compliance and risk management in digital asset activities.

2.3.1 Customer Due Diligence Framework

Customer identification program requirements apply to all money services businesses and many digital asset firms. Enhanced due diligence is necessary for higher-risk customers, including foreign investors, politically exposed persons, entities with complex ownership structures, and customers from high-risk jurisdictions. Investment managers in the digital asset space should adhere to these guidelines to ensure compliance and maintain integrity in their fiduciary responsibilities. Proper identification and thorough review of clients from high-risk categories are essential to prevent financial crimes and uphold regulatory standards. It is important to follow these procedures diligently to support transparency and accountability within the industry.

Standard KYC Collection

- Legal name and date of birth, with government-issued identification verification
- Residential address verification through utility bills, bank statements, or government documents
- Tax identification number (SSN for US persons, TIN for entities)
- Source of funds and source of wealth for high-risk investors
- Beneficial ownership information for entities (FinCEN CDD Rule)

Digital Asset Specific Enhanced Due Diligence

- Wallet address disclosure for direct blockchain transactions
- On-chain transaction history analysis using blockchain analytics tools
- Exchange account verification and source of crypto assets
- Screening for connections to mixing services, darknet markets, or sanctioned addresses
- Geographic risk assessment for cross-border crypto transfers
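As an added example (not part of the Handbook), the Python below sketches the on-chain portion of the enhanced due diligence listed above and two of the red flags named in 2.3.2: it traces a disclosed wallet's inbound transfers backwards for a few hops against a risk-labelled address list (sanctions, mixing service, darknet market) and flags same-day transfers that each sit just under the $10,000 CTR threshold from 2.1.3. All addresses, labels and transfers are constructed, and the hop limit, the 90% "near threshold" window and the escalate/review/clear tiers are illustrative assumptions, not Handbook requirements.

```python
"""On-chain screening sketch for a KYC-disclosed wallet (added example, not
Handbook code). Addresses, labels and transfers are constructed; a real program
would source them from a blockchain analytics provider and an official
sanctions feed."""
from collections import defaultdict, deque
from dataclasses import dataclass

CTR_THRESHOLD_USD = 10_000   # currency transaction report threshold (2.1.3)
STRUCTURING_WINDOW = 0.90    # assumed: a transfer in [90%, 100%) of threshold is "near"


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    sender: str
    receiver: str
    usd_value: float
    day: int                 # constructed relative day index


# Constructed risk labels keyed by hypothetical address.
RISK_LABELS = {
    "0xSANCTIONED01": "sanctions-list",
    "0xMIXER01": "mixing-service",
    "0xDARKNET01": "darknet-market",
}

# Constructed transfer history around an investor's disclosed wallet.
TRANSFERS = [
    Transfer("t1", "0xEXCHANGE01", "0xINVESTOR", 25_000, 1),  # ordinary exchange deposit
    Transfer("t2", "0xMIXER01", "0xHOP1", 8_000, 1),          # mixer output to a pass-through wallet
    Transfer("t3", "0xHOP1", "0xINVESTOR", 7_900, 2),         # pass-through wallet funds the investor
    Transfer("t4", "0xINVESTOR", "0xFUND", 9_800, 3),         # three same-day transfers to one
    Transfer("t5", "0xINVESTOR", "0xFUND", 9_700, 3),         # counterparty, each just under
    Transfer("t6", "0xINVESTOR", "0xFUND", 9_900, 3),         # the $10,000 threshold
]


def build_inbound_graph(transfers):
    """Map receiver -> {(sender, tx_id)} so funds can be traced backwards."""
    graph = defaultdict(set)
    for t in transfers:
        graph[t.receiver].add((t.sender, t.tx_id))
    return graph


def upstream_exposure(wallet, transfers, max_hops=3):
    """Breadth-first walk over inbound transfers up to max_hops; returns each
    risk-labelled counterparty with its hop distance and the funding path."""
    graph = build_inbound_graph(transfers)
    seen = {wallet}
    queue = deque([(wallet, 0, [wallet])])
    findings = []
    while queue:
        addr, hops, path = queue.popleft()
        if hops == max_hops:
            continue
        for sender, _tx_id in sorted(graph.get(addr, ())):
            if sender in seen:
                continue
            seen.add(sender)
            new_path = path + [sender]
            label = RISK_LABELS.get(sender)
            if label:
                findings.append({"address": sender, "label": label, "hops": hops + 1,
                                 "path": list(reversed(new_path))})  # source -> wallet
            queue.append((sender, hops + 1, new_path))
    return findings


def structuring_alerts(wallet, transfers):
    """Flag a day on which two or more near-threshold transfers between the wallet
    and one counterparty together exceed the reporting threshold."""
    low = STRUCTURING_WINDOW * CTR_THRESHOLD_USD
    buckets = defaultdict(list)
    for t in transfers:
        if wallet in (t.sender, t.receiver) and low <= t.usd_value < CTR_THRESHOLD_USD:
            buckets[(t.day, t.sender, t.receiver)].append(t)
    alerts = []
    for (day, sender, receiver), txs in sorted(buckets.items()):
        total = sum(t.usd_value for t in txs)
        if len(txs) >= 2 and total >= CTR_THRESHOLD_USD:
            alerts.append({"day": day, "counterparty": receiver if sender == wallet else sender,
                           "count": len(txs), "total_usd": total,
                           "tx_ids": [t.tx_id for t in txs]})
    return alerts


def screen_wallet(wallet, transfers=TRANSFERS, max_hops=3):
    """Combine both checks into an onboarding decision (assumed tiers): a directly
    flagged counterparty or structuring escalates to enhanced due diligence,
    indirect exposure alone goes to analyst review, otherwise the wallet clears."""
    exposure = upstream_exposure(wallet, transfers, max_hops)
    structuring = structuring_alerts(wallet, transfers)
    if structuring or any(f["hops"] == 1 for f in exposure):
        decision = "escalate-edd"
    elif exposure:
        decision = "review"
    else:
        decision = "clear"
    return {"wallet": wallet, "decision": decision,
            "exposure": exposure, "structuring": structuring}


if __name__ == "__main__":
    print(screen_wallet("0xINVESTOR")["decision"])  # escalate-edd
```

The hop limit matters: the same mixer exposure that is visible from 0xINVESTOR at two hops disappears from 0xFUND when max_hops is lowered to 2, which is why the limit should be a documented, reviewed parameter rather than a tool default.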
2.3.2 Transaction Monitoring and Red Flags

Ongoing transaction monitoring identifies suspicious activity requiring a suspicious activity report (SAR) filing. Digital asset monitoring requires both traditional pattern analysis and on-chain surveillance. Red flags specific to digital assets include:

- Deposits from mixing services or privacy coins, suggesting transaction history obfuscation
- Rapid movement through multiple wallets without economic purpose
- Structuring to avoid reporting thresholds or regulatory attention
- Activity inconsistent with the stated investment purpose or client profile
- Connections to addresses on sanctions lists or to known illicit actors

2.4 Marketing and Investor Communications

Marketing violations in digital assets often involve performance presentation rather than fraudulent claims. Common errors include showing returns for a single account rather than a composite, cherry-picking favorable time periods, using gross returns without fee disclosure, comparing to inappropriate benchmarks, and making forward-looking statements without adequate risk disclosure. Securities law treats all investor communications as "advertising" requiring compliance review; this includes pitch decks, newsletters, social media, conference presentations, and website content.

2.4.1 Securities Law Framework

SEC rules prohibit false or misleading statements in advertising. They require fair presentation of important facts and specific disclosures. When marketing digital assets, it is important to address issues such as the regulatory classification of tokens, risks related to custody and security, the potential for illiquidity in volatile markets, the possibility of total loss, and conflicts of interest. Generic disclaimers about cryptocurrency volatility are not enough; clear and detailed disclosures about specific risks are necessary to support informed investment decisions.

Required Content Standards

No misleading statements: All material facts presented fairly without omission. Half-truths or misleading implications violate advertising rules even if individual statements are technically accurate.

Performance presentation: Must use composites rather than cherry-picked accounts. Gross and net returns clearly distinguished. Time periods representative, not selected for favorable results.

Risk disclosure: Material risks disclosed prominently, not buried in footnotes. Digital asset specific risks, including custody, regulatory, smart contract, and market risks, addressed specifically.

Fee disclosure: All direct and indirect fees disclosed. Management fees, performance fees, fund-level expenses, and trading costs clearly presented.

Compliance approval: All marketing materials reviewed and approved by the CCO before distribution. Documentation of approval maintained.

2.5 Regulatory Examinations

Regulatory examinations test whether operations match disclosures and policies match practice. SEC exams focus on Form ADV accuracy, custody rule compliance, fee calculation accuracy, conflicts disclosure, marketing rule adherence, and books and records completeness. CFTC/NFA exams emphasize segregation of customer funds, disclosure document accuracy, performance calculations, and recordkeeping. The most damaging examination finding is not a substantive violation but rather the inability to produce requested documents; this signals systematic control failures.

2.5.1 Examination Readiness

Examination readiness requires systematic document management enabling prompt production of any requested record. Organizations should maintain:

Centralized document repository: All policies, procedures, testing records, training materials, and compliance documentation organized and readily accessible.

Trade authorization records: Documentation showing investment decision rationale, approval process, execution instructions, and best execution analysis.

Marketing materials archive: All presentations, pitch decks, performance reports, website content, and social media posts, with compliance approval documentation.

Client communications: All correspondence, meeting notes, advisory agreements, and disclosure documents.

Testing work papers: All compliance testing performed, including methodology, sample selection, findings, and remediation.

Allocator Due Diligence Considerations

Institutional allocators assess compliance by testing how well programs operate under real-world conditions, rather than just reviewing polished manuals. They can tell the difference between firms with genuine compliance systems and those that only maintain paperwork to meet minimum standards. If a firm cannot produce testing reports, explain specific violations, or show systematic steps taken to fix issues, it indicates that compliance is more of an aspiration than an operational reality.

Registration Completeness

Provide current Form ADV Parts 1 and 2A with all amendments; outdated filings signal inadequate regulatory attention. What registration analysis determined which licenses you need? Firms operating without required money transmitter licenses or CFTC registration face immediate disqualification. If you trade futures or advise on commodity pools, provide CFTC/NFA registration documentation. Walk through your money transmitter analysis: which activities triggered review, which states require licensing, and what analysis supported exemption claims? For international operations, provide all foreign registrations and explain the jurisdictional analysis.

Compliance Program Independence

How does the CCO maintain independence (reporting structure, budget authority, termination protections)? Provide compliance testing reports from the past 12 months showing methodologies, findings, and remediation. Walk through a recent compliance violation: how was it identified, investigated, and remediated, and what controls were enhanced? What technology platforms support compliance monitoring for trading surveillance, personal trading, marketing review, and AML? How do you monitor regulatory developments?

AML Program and On-Chain Monitoring

Walk through your KYC onboarding from initial contact through approval. What blockchain analytics tools monitor investor wallet activity post-onboarding? What specific triggers require enhanced due diligence? Describe the process from suspicious activity detection through SAR filing. How frequently do you screen against OFAC and sanctions databases?

Examination History

Provide dates and scope of all regulatory examinations over the past five years. Provide all deficiency letters received, with full findings and response letters. For each deficiency, provide evidence of remediation implementation. What is your current examination status: any ongoing examinations or regulatory inquiries? Disclose all litigation, enforcement actions, or regulatory investigations.

Documentary Evidence Requirements

- Complete compliance manual with version control and board approval
- Compliance testing reports for the past 12 months
- Training records with completion rates and attestations
- Violation logs with investigation documentation and remediation
- All examination correspondence, including deficiency letters and responses
- Complete set of all registrations: federal, state, and international
- AML risk assessment and transaction monitoring reports
- SAR filing logs (redacted appropriately)
- Personal trading pre-clearance and exception logs

Common Pitfalls and Remediation

Registration analysis is incomplete or outdated: The firm assumes SEC registration covers all activities, missing CFTC requirements for futures/swaps, state money transmitter triggers for custody operations, or foreign registration for non-US investors. Remediation: Obtain a legal memorandum mapping each business activity to registration requirements. Review it when adding strategies, investor types, or jurisdictions, and at minimum annually.

CCO lacks independence or crypto expertise: The CCO reports to the CIO (compromising objectivity) or lacks the blockchain knowledge to assess protocol risks, interpret on-chain activity, or evaluate custody controls. Remediation: Restructure reporting to the CEO or board with direct board access. Require CCO expertise in both traditional compliance frameworks and digital asset operations, or supplement with specialized external resources.

Compliance manual is a generic template: Procedures reference "appropriate controls" without specifying what they are. Digital asset specific risks (custody key management, DeFi protocol exposure, on-chain transaction monitoring) aren't addressed. Remediation: Customize every procedure to reflect actual operations. Add sections addressing wallet management, protocol due diligence, blockchain monitoring, and crypto-specific conflict scenarios.

No systematic compliance testing: Policies exist but no one verifies they're followed. No testing schedule, no sample selection methodology, no documented findings. Remediation: Implement quarterly testing covering key controls (personal trading, best execution, valuation, custody procedures). Document methodology, samples tested, findings, and remediation actions in retained work papers.

Marketing materials bypass compliance review: Pitch decks, performance presentations, and social media posts are distributed without CCO approval, creating regulatory exposure from unsubstantiated claims or misleading performance. Remediation: Require documented CCO sign-off before any investor-facing material is distributed. Maintain an archive of all materials with approval records. Train investor relations and business development on advertising rules.

Recordkeeping won't survive examination: Documents are scattered across email, personal drives, and multiple systems. No retention schedule, no consistent organization, no ability to produce complete records promptly. Remediation: Implement a centralized repository organized by record type. Define retention periods by category. Test retrieval capability: if producing documentation for a single trade takes more than a few hours, the system needs improvement.

AML program ignores on-chain activity: KYC collects standard documentation but doesn't screen wallet addresses, analyze transaction patterns, or monitor for sanctions exposure on-chain. Remediation: Implement blockchain analytics for investor wallet screening and ongoing transaction monitoring. Establish procedures for sanctions list screening of addresses and response protocols for identified risks.

Annual compliance review is a checkbox exercise: The review document recites that "policies remain adequate" without analyzing testing results, violation trends, business changes, or control gaps. Remediation: Conduct a substantive annual assessment covering testing findings and remediation status, violations and root causes, business or regulatory changes requiring policy updates, and specific improvement priorities. Present it to the board with implementation timelines.

Key Controls & Documentation [table not reproduced]