Venture capital firms are used to operating with high risk, high reward. But there’s one kind of risk no firm can afford to ignore: financial crime. And from 1 January 2026, that risk becomes regulatory.
For the first time, venture capital (VC) and private equity firms in the United States will be formally brought into the anti-money laundering (AML) framework under the Bank Secrecy Act (BSA). The move, led by the Financial Crimes Enforcement Network (FinCEN), is a response to growing concerns that bad actors, whether kleptocrats, drug traffickers, or sanctioned entities, are using opaque investment structures to funnel illicit funds through US markets. Some VCs have already faced multi-million dollar fines for ignoring money laundering red flags.
This is not business as usual. AML is no longer just a banking problem. Every VC and investment firm must now understand the risks, responsibilities, and reporting requirements they face and prepare to comply. Here’s what you need to know.
Why now? Understanding the AML risk
Money laundering, terrorist financing and sanctions evasion have evolved. Sophisticated actors exploit investment vehicles to integrate illicit wealth into the legitimate economy. VC and private equity firms can be especially attractive: high-volume deals, complex fund structures, cross-border activity, and a culture of fast growth can create blind spots.
According to FinCEN, the new rules aim to “close a significant regulatory gap” and align the US framework with international AML standards, particularly those of the Financial Action Task Force (FATF), which has long called for greater coverage of investment advisers and private capital.
What’s changing from January 2026?
Under the new FinCEN rule which comes into force 1 January 2026, the following entities will become subject to AML obligations under the BSA:
- SEC-registered investment advisers (RIAs)
- Exempt reporting advisers (ERAs)
- Unregistered investment firms (e.g., VC, PE) with discretionary authority over client assets
These entities will be considered financial institutions, and must comply with core AML requirements, including:
- Establishing and maintaining an AML programme
- Conducting customer due diligence (CDD)
- Identifying and reporting suspicious activity via Suspicious Activity Reports (SARs)
- Complying with AML national priorities (terrorism, proliferation, sanctions, etc.)
- Retaining records and enabling regulatory audits
VCs and investment firms will also be expected to adopt a risk-based approach, tailoring their AML controls to the nature and complexity of their clients, investments, and exposure.
What does this mean in practice?
AML compliance is not a box-ticking exercise. It requires leadership buy-in, operational changes, and cultural awareness across your firm. Here’s what your VC needs to get right:
Risk Assessment
Before anything else, firms must assess their exposure to AML risks:
- Who are your clients and LPs?
- Where do their funds come from?
- Are you operating in or receiving money from high-risk jurisdictions?
- Do any parties have political exposure (PEPs)?
- Do you invest in sectors vulnerable to illicit finance (e.g. crypto, fintech, defence, cannabis)?
A documented AML risk assessment is critical.
Customer Due Diligence (CDD)
Firms will need to carry out CDD on clients and beneficial owners. This means:
- Verifying identities
- Understanding ownership structures
- Screening against sanctions and PEP lists
- Assessing the purpose and intended nature of the relationship
Enhanced Due Diligence (EDD) is required for higher-risk relationships. For example, a politically exposed person investing via a Cayman fund linked to Russia would warrant much deeper scrutiny than a US-based individual investor. The FATF’s list of high risk jurisdictions should be consulted, and separate risk assessments carried out by your firm.
Suspicious Activity Reporting
If you know, suspect, or have reason to suspect that a transaction involves criminal property, is designed to evade AML laws, or lacks an apparent lawful purpose, you must file a Suspicious Activity Report (SAR) with FinCEN.
This is a legal requirement. The threshold for suspicion is deliberately low. Firms must train staff to recognise red flags, such as rapid investment withdrawals, anonymous structures, or resistance to CDD checks.
Ongoing Monitoring
AML isn’t a one-and-done process. Customer profiles must be kept up to date, and activity monitored over time. Watch for:
- Changes in control, ownership or geography
- Unusual deal patterns or fund movements
- Media reports or sanctions designations
- Discrepancies in declared vs observed behaviour
Effective monitoring tools and processes must be embedded into deal and fund workflows.
AML Governance and Training
Senior managers, compliance officers and deal teams must understand their roles. AML programmes should cover:
- Written policies and procedures
- Appointment of a designated AML officer
- Internal controls and audit trails
- Ongoing training tailored to firm-specific risks
Off-the-shelf policies won’t cut it. FinCEN expects a bespoke, risk-based programme that reflects the size, scope and activities of the firm.
Key risk areas: What should VC firms watch out for?
■ Politically Exposed Persons (PEPs):
PEPs pose a heightened risk due to the potential for bribery, corruption or political misuse of funds. FinCEN expects enhanced checks, including source of funds and ongoing monitoring.
■ Sanctions evasion:
Investments linked to sanctioned countries, entities, or individuals, especially Russia, Iran, North Korea, and China, are under intense scrutiny. The US has doubled the sanctions record-keeping requirement from 5 to 10 years.
Case in point: OFAC’s $215.9m fine against GVA Capital in 2025 for ignoring legal advice and enabling a sanctioned Russian oligarch to liquidate assets.
■ Cannabis-related businesses:
Cannabis remains illegal at the federal level. Investing in cannabis-related ventures, even in legal US states, creates legal risk and may require filing SARs as per FinCEN guidance.
■ Complex offshore structures:
Layered or opaque entities, particularly from high-risk jurisdictions—should be treated with caution. These are classic vehicles for laundering or obscuring illicit wealth.
Best practice from other jurisdictions
While the US is catching up, VC firms can learn from UK and EU rules that already apply AML laws to investment firms. Key best practices include:
- Regular AML training and certifications
- Tech-driven KYC onboarding platforms
- Risk scoring of investors and funds
- Inclusion of AML in fund marketing and onboarding
What should your firm do now?
✅ Step 1: Appoint an AML lead
Identify who will be responsible for compliance and begin scoping the AML programme.
✅ Step 2: Conduct a firm-wide risk assessment
Map out your risk exposure and use it to shape policies and priorities.
✅ Step 3: Draft or update AML policies
Include CDD, monitoring, SARs, training, and governance. Make them relevant to VC workflows.
✅ Step 4: Review onboarding and screening tools
Evaluate software and services for identity verification, sanctions screening, and ongoing due diligence.
✅ Step 5: Train your people
From analysts to partners, staff must recognise red flags, understand reporting obligations, and embed AML thinking into everyday dealmaking.
