In August 2024, FinCEN introduced new AML and CTF regulations with implications for private equity funds. Our webinar panel discussed why these new rules are being proposed, and dug into how they see these changing the work of compliance teams.
As many of you are aware, the financial landscape is continuously evolving, driven by regulatory changes and a growing emphasis on transparency and accountability. Recently, FinCEN has introduced a series of new regulations aimed at combating money laundering, terrorist financing, and other illicit financial activities. These regulations are part of a broader effort to enhance oversight within the financial services industry, which has gained significant momentum over the past few years.
The private equity sector, which plays a crucial role in the economy, is not immune to these regulatory changes. In fact, private equity funds are poised to be significantly impacted by the new requirements regarding beneficial ownership reporting, customer due diligence, and enhanced compliance obligations. These regulations are designed to provide greater transparency into who is ultimately behind the investments being made and to ensure that funds are not unwittingly being utilized as vehicles for illicit activities.
The implications of these new regulations are far-reaching. For one, private equity funds will need to reassess their existing compliance frameworks and invest in new technologies and processes to ensure adherence. This includes implementing robust due diligence procedures and establishing efficient reporting systems to meet the heightened expectations of regulators. As a result, fund managers may face increased operational costs and changes in how they structure their funds and relationships with investors.
Moreover, these regulations can influence the overall investment landscape. With stricter compliance requirements, private equity funds may need to be more selective in their investment choices, focusing on those opportunities that align with regulatory expectations. This could also lead to a shift in how funds communicate with their investors, requiring greater transparency and more frequent disclosures.
Today’s discussion will delve into these hot topics, providing insights into the specific compliance challenges that private equity funds face under the new FinCEN regulations. We will explore the practical steps funds can take to navigate these changes, the best practices to adopt, and the potential impact on the industry as a whole. Our expert panel will share their perspectives on the opportunities and challenges that lie ahead and offer valuable advice on how to prepare for a compliant and successful future.
Watch the full video below and read on for a summary recap.
How about we get started with you, Mark. Could you introduce yourself and give us a brief run down of your role here at Passthrough?
Mark Mangion
Nice to have everyone on the panel today. I’m Mark Mangion and I'm the Head of Financial Crime for Passthrough. I've been here for around five months and was an advisor for Passthrough for a little over two years, building out the KYC and AML product that we offer. My background has primarily been in regulatory compliance, anti-money laundering, and counter-terrorist financing. So from working with banks and broker-dealers and mutual funds to go through and remediate any cease and desist or consent orders they may have received, as well as actually doing money laundering investigations in the field. And additionally working with government-sponsored enterprises and building out their AML compliance programs and fraud and anti-financial crime prevention and detection procedures and policies pretty much across the board. So thank you all for joining.
Cassie Gharnit
Julius, could you introduce yourself and give us a brief description of your role at Moment and your background in compliance?
Julius Leiman-Carbia
I'm the Chief Legal Officer at Moment Technology, which is a fixed income market app. Before doing that, I was a chief legal officer at Passthrough. And before that I had several roles in larger organizations including MUFG, Citibank, Goldman, and the SEC, I was a regulator twice. The last time as the head of examinations for broker-dealers. On the AML side, I actually was the global head of sanctions compliance at MUFG, which was a really tough job that I enjoyed very much and have approximately 30 years experience in the industry.
Cassie:
Sadrack, could you give everybody a brief introduction of yourself and your role at Aztec Group?
Sadrack Belony:
Absolutely. My name is Sadrack Belony. I am the Head of Investment Services for the Aztec Group. I oversee a team of professionals who handle the investor and client experience, which involves investor onboarding, client onboarding, the collection of AML KYC documentation, investor reporting, regulatory reporting functions, as well as banking and treasury functions. I'm very excited to be here, have been in the industry for a little over 20 years, and looking forward to this discussion.
Cassie:
Let's jump into some of the questions and start breaking down what these new FinCEN regulations are. So how about we start with you, Mark, can you provide a brief overview of the new FinCEN regulations and their primary objectives?
Mark Mangion:
So the new rules coming from FinCEN and the SEC are applicable to exempt reporting advisors and registered investment advisors that are registered with the SEC. So essentially the rules are saying that these ERAs and RIAs need to implement an AML program and they're going to be considered financial institutions going forward, and because of that, they need to implement the five pillars of an effective AML program. And we're going to get into this more during our discussion here, but at a high level, those pillars are implementing an AML compliance officer or someone in the compliance role responsible for all AML day-to-day operations, implementing internal control, policies and procedures, risk-based approach to KYC and customer due diligence as well as methodology and screening of applicable investors and beneficial owners. Next is training for all employees annually. After that is testing from an independent party that's not involved in the compliance program.
And then lastly is customer due diligence and having a program to clearly identify the investors, for example, that are coming in to your fund as well as any of the beneficial owners behind those investors. Other than the five pillars of an effective AML program, FinCEN is also requiring ERAs and RIAs to file suspicious activity reports with FinCEN as part of investigating any unusual or suspicious activity. So, over certain thresholds that we'll talk through here today, you need to actually file what's called a SAR or Suspicious Activity Report with FinCEN, and also monitor any kind of unusual or suspicious activity across your portfolios, investments and so on. That's just a high level of what these new rules are and I think we'll talk through here just some differences between what these rules are for ERAs and RIAs compared to what any rules or requirements might have been for them previously.
Cassie:
Digging them into those five pillars a bit, Julius, could you tell us how the new regulations specifically affect private equity funds compared to other financial institutions?
Julius Leiman-Carbia
Most private equity firms are not necessarily familiar with this. The larger ones will be, because either they have a broker-dealer, or the banks that clear their transactions will have required them to have it as a result of bank regulation that it's applied indirectly to them. In many ways it's going to be a whole new discipline to private equity and it may be one difficult to implement, especially given the structure of private equity investments that it's through multiple holding companies and in particular, the beneficial ownership requirement is going to prove very difficult for them because especially the clients are not used to, and these are clients who may have multiple layers of ownership. So I think it's going to be a challenge for them.
Cassie:
Can you get into a little bit more about what beneficial ownerships generally are and why they're so confusing to break down and get into for fund managers?
Julius Leiman-Carbia
Beneficial ownership requires understanding the ownership structure of the organization at the ultimate stage. So who has 25% control over the organization. And so I may be off of the number, but it requires understanding who is the ultimate control. And at each stage you have to understand who controls who. Often, because private equity is such an important way of diversifying investment, what it means is that many people from many countries are investing in private equity and so they don't do it directly for many reasons, including for reasons that have to do with taxes or reasons that have to do with security, in some cases. They will create multiple holding companies and multiple affiliates in different locations. And in doing so, it puts the new Anti-Money Laundering Compliance Department of any of these venture firms in the position of having to dig further and further.
Now, there is some level of risk assessment that can be done, but the risk assessment is not really substantial and for the most part, in the case of beneficial owners, it doesn't apply. You have to find out who you're dealing with. So I think in particular that's going to be a hard situation. It's going to be a little bit easier on the general KYC side, because that's where you can apply somewhat more of a risk assessment or you can actually go ahead and not include the investor in your fund. That's a harsh way of ensuring compliance, but that's going to be difficult.
Another aspect of this that's going to be very difficult for venture firms is documentation, because most venture firms, especially if they're not very big, creating a documentation trail of everything that has happened is going to be difficult, and this is where Passthrough could be really, really helpful because they actually create the documentation that is necessary for when the venture firm is actually examined or the venture firms they have an IRA or they need an ERM. When they are examined, they're going to have to show what they've done. And that's where Passthrough actually provides that information very handily. Documentation is going to be an obstacle because most people are not used to the level of documentation that you need to pass a compliance audit like that. A lot of these are issues that the firms will need to get used to and will ultimately get used to, provided they get the right tools. But I see those two as particularly difficult.
Cassie:
Sadrack, can you share a little bit more about what the timeline for implementing these new regulations looks like and how private equity fund should prepare?
Sadrack Belony:
Absolutely. The deadline as provided by FinCEN is January 1st, 2026. And what fund managers will have to do in order to comply with that is really start looking at the internal policies and procedures and processes that they have today. It's not something that we want to wait to start at a later time. Establishing a brand new policy and procedure is not something that will happen overnight. So I really do believe that giving yourselves a twelve-month lead way to start the process is a good starting point.
Looking for the subject matter experts, if it's not internally, obviously reach out to third-party service providers such as Passthrough, such as an administrator such as Aztec, to be able to get the knowledge and expertise that may not be available internally. One of the things that the rule does allow is that a fund manager can delegate this authority and delegate this processes to a third party, but ultimately the private equity firm and the fund manager is still the one responsible for complying in case there is an audit by the SEC or FinCEN.
Mark Mangion:
Sadrack, that last point is great because I think in the initial rule proposal there was a recommendation for fund managers to only be able to outsource two financial institutions, but they came back and said that you can delegate to third party such as Passthrough or Aztec Group or fund administrators. That probably gave some relief to the ERAs and RIAs out there that you don't need to necessarily rely on your banking partner, or your financial institution, or a financial institution consulting side to actually help implement all these rules and maintain them going forward.
Cassie:
So does that speak to the first pillar of having that designated compliance officer that can be a third party or service provider?
Sadrack Belony:
Correct. It'll take away from the amount of time it would take to build it internally if that is something that from a cost perspective is not in the budget for lack of better words. So you could designate having that third party to serve as a organization that has all the compliance regulations, that has all the testing as well as the training requirements internally and just confirm and even as a fund manager, test yourselves that those AML KYC checks are being done.
Cassie:
Mark, how about we toss it back to you? What do you anticipate the financial impact of compliance on private equity funds will be, both in terms of direct costs and operational costs?
Mark Mangion:
The direct impact is probably going to be somewhat significant, mainly for the smaller firms, or firms that don't have designated personnel right now that's focusing solely on anti-money laundering and anti-money laundering compliance. I think the impact may be more focused on the implementation, so working with a firm to help get this all rolled out, doing a gap analysis as well to see where your current processes stand compared to where you need to be by January 1st, 2026, and also for maintaining that. Between the three of us, from our experience, I feel like we'll all agree that that's probably a good place to start as well. And that might be from outsourcing to a third party as well to be like, "Hey, this is where you need to focus and develop a roadmap," As well as partnering with a third party.
The implications and the impact of working with a third party, such as the Aztec Group, Passthrough, or others to help go through and develop these processes. And I know some firms are using Passthrough, for example, from a best practices perspective, or if they're banking partners or insurance companies are requiring them to do screening and document collection. But this is a much more enhanced and scrutinized process now with coming in from a federal regulatory oversight role with FinCEN and the SEC. So I think with that comes more territory that you want this to really be buttoned up. And Julius, I'm sure, can give more context on this, but when they roll out the rules from the SEC, there's usually a window from when they'll actually come in and start performing their exams to make sure that the ERAs and RIAs are following these requirements and that the program has been implemented.
Julius Leiman-Carbia
At that point, it's usually when they roll out a rule, the commission actually does an initial set of testings just to make sure that the rule is being applied correctly and understanding the impact of the rule. So it's reasonable to expect that at the beginning, a series of firms will be targeted just because the commission will want to know what's going on, are people complying, and also send that message that this is something that they're looking for. And just keep in mind that the SEC does not need to gear up here because they already have examiners who focus on AML, so this is not going to be anything new for them. They already have people who are focusing on this and understand it. Let me also add something that to what Mark said, in my experience, a firm that is not under a regulatory order usually spends something in the order of one to 5% of their budget in financial crimes, depending on the complexity.
And 1% sounds like a lot, it is a lot, especially depending on your margins, and if you haven't had to do that before. And depending on the complexity, it could be harder, could be one to 5% as I said before. And if you actually are under regulatory order, it could be substantially higher than that if you have to add lawyers. So that's difficult to measure. But this is one of the reasons why using third-party tools effectively is a good strategy because what you find yourself often with a sudden and disproportionate increase in the number of people that you need to complete many of the tasks. And that not only creates a budget issue, it also creates a cultural issue in your organization. It exacerbates a cultural problem. Having been in organizations with regulatory matters and no regulatory matters, I can tell you in both cases it's a big cost.
Mark Mangion:
And just to add to that, I think Julius makes a good point from the budgetary reasons that right now the compliance might not be currently the tone at the top of the organization from being a main focus area. But I think from where this is headed, hopefully that's something that the organization is going to put front and center, that having the right resources, staffing, budget to deal with this because the cost is probably going to be much more if they have to deal with any administrative penalties, enforcements, or so on when that first sweep or testing comes in. Right, Sadrack?
Sadrack Belony:
Exactly. What is the cost of not having this in place? Or what is the cost of having the reputation tarnished by failing an audit by the SEC? I think those costs are much higher in comparison to having your thing in place.
Cassie:
Sadrack, can you tell us a little bit more about how private equity funds will have to scale their risk management and compliance functions to adhere to these new regulations? What are a few steps there?
Sadrack Belony:
The things to consider is the people, the process, and the technology. Do you have the right people internally or do you need to leverage external users? Do you have the process already in place, and do you have the technology? Technology is a big thing because if you don't have the technology in place, they may be sometimes one of the bigger costs in order to establish a policy like this. Because not only will you have to do the due diligence on the investors, but do you have the technology to do the nightly scans? You have document collections, do you have a place to store it? So all of these things will be fundamental when it comes to scaling and getting ready for these new regulations.
Especially when it comes to identifying the beneficial ownership, similar to what Julius mentioned earlier, drilling down to each of those individuals and being able to, once you identify them, scan them, which may cause other things to pop up that once you start doing your risk rating, it may cost additional processes and things to do. So I think the people, the process, the technology, are the things that you have to look at internally to see how you're able to scale. And if you're not able to scale, of course, seek external accounts or seek external vendors and other companies that could assist with that process.
Cassie:
I know that there's a part of this new rule that's about information sharing, and I know you mentioned document collection and storage being a big part of it. Can you chat about that a little bit more and how that's going to change how fund managers will have to operate?
Sadrack Belony:
Absolutely. One of the requirements is to submit SARs, the Suspicious Activities Report, which are essentially if the transactions from when your investors or clients are not in line with their business process, or if anything look out of place, you can't just overlook it, you're going to have to submit a Suspicious Activities Report to FinCEN. And also I think the travel portion of the rule where when you're processing transactions to other financial institutions, there's a travel rule, meaning that the information about that transaction and individuals have to travel along with it so that other firms are able to have that history as well. That’s the information sharing piece of the regulation.
Cassie:
Julius, can you tell us a little bit about what private equity funds will have to communicate to their investors and stakeholders about these changes? How those communications are different now that it's official?
Julius Leiman-Carbia
I'm not sure that there's an ongoing communication, although some of that may happen, but it's really, the issue will come as you are fundraising and you're trying to bring in investors and some of the investors are investors who are repeat investors who have never had to deal with this, so you’re going to have to communicate to them, "Well, I know that two years ago I didn't ask you these questions when I now need to ask you these questions." The investors will say things like, "I never had to answer this. Other organizations don't do this. Why are you the only one?" There's going to be a commercial tension that it is inevitable. Sadrack made a great point, the travel rule is difficult to comply with because of the information that you're going to need. That's another type of information that you're going to need to get from your investors that they're not used to providing.
At this point, the firm is directly responsible, the examiner will come to them and they will have to provide evidence of how they're complying with the travel rule. And the more international you go, the more difficult it is. Like in Japan, you have kana, you have different English and different types of traditional alphabets, and all of that is going to complicate the travel rule. But I think that the real friction will be as you are trying to fundraise and you're trying to close really quickly, your clients are going to say, "I've never had to give this information, I don't want to." And there's an interest on their side not to give it because the privacy of not having to give this information. And then it's not because they're trying to evade anything. Often it is security. They don't want the governments in their countries that change all the time to figure out what they're doing because they feel that they are in jeopardy.
Mark Mangion:
What do you both think about how we might hear now that some of these smaller firms, they're not really proving the source of funds or the source of wealth, and then when it comes to the distributions, it might be the first time they're seeing the financial information and then how the travel rule is going to impact that. Because obviously the risks are, say we have an investor that's based in the US but they have a bank account they're trying to use in a high-risk jurisdiction and they're going to get a distribution or they're committing to the fund. I guess what are your thoughts there on how this is all coming into play with these new rules and how having a risk-based approach and having the right controls in place to identify and detect any kind of illicit activity that might come from that oversight?
Sadrack Belony:
If an investor does have a bank account in a high-risk country, now the fund manager's going to have to think twice about releasing that payment and sending a payment back. Because once we start checking if is that country on a sanctions list or are there any other things to consider when processing that wire to go back, and it's going to cause frictions because as Julius says, it's going to cause friction between the fund managers and the investors because now I invested in your fund, I'm looking get my money back, but all of a sudden there's no rules in place that can't allow me to receive my fund.
So it is definitely going to cause more of a bit of headache and tension between some investors and some fund managers. And it may, as Julius mentioned earlier, it may cause some investors to think twice about investing in the US if they don't want to disclose their personal information. They don't want to disclose to their government who they are and how much funds they have invested externally. So there are a lot of things that will impact fund managers today that need to be considered with regards to who their current investors and future investors are.
Cassie:
Mark, can you speak to what the industry's response has been to these new rules?
Mark Mangion:
From what people in roles such as Julius, Sadrack, and myself, this has been something that FinCEN and the SEC have proposed for the last five or so years, and it finally stuck this time. We all were expecting that this was coming, but I do think when it comes to the actual fund manager side, there's probably a lot of shock around this. It's a huge lift to go from having maybe a standard KYC process to comply with your banking partners or any kind of best practices to now having to have all these strict rules in place and then also dealing with the federal regulator that's going to examine you quite frequently. So I think from that perspective, that's where the shock is going to come into play as well as maybe some nervousness around like, all right, how are we going to do this?
Because while January 1st, 2026 might seem far away, I think what it comes down to, it's not, it's going to take time to get these things rolled out and you really need ample time to do it, the ample resources to do it as well. And it's not just like, all right, let's get to that January 1st timeframe and be done with it. It needs to be implemented in a way that you can then maintain the right compliance mind frame and prevent any kind of illicit activity from coming through. So I imagine maybe it's settling in a little bit more for fund managers now and hopefully a webinar like this and then more continued conversations will help people understand, all right, now we know this is happening, what's the best way to actually handle it and deal with it? But I do think that there's probably still some shock since it just came out a few weeks ago.
Cassie:
Do you have any sense of why now, why it finally got finalized?
Sadrack Belony:
One of the things that the Treasury Secretary mentioned is that they’re trying to close the loopholes that are available to bad actors in the industry. One bad apple ruined it for the whole bunch. So it's a way to combat illicit use of the industry through using RIAs to get funds in without being tracked, and to try to prevent any kind of terrorist financing and to prevent illicit funds from entering the US financial system. So as Mark mentioned, they've been trying to for a while, but it's just a shock that now it finally got through and passed as a rule.
Cassie:
Everybody's shocked right now. I wonder by 2028, will everyone just treat it like a normal process, and investors just know what's coming. Julius, can you share what long-term impacts you foresee these regulations having on the private equity industry as a whole?
Julius Leiman-Carbia
The long-term impact, of course, is the amount of work, resources, and money that's going to be devoted to getting this done. And then ultimately, I hate to say it, but this is good for the business of compliance. There will be more employment for compliance officers. I ultimately do not see people leaving, making investment decisions based on this. At the beginning they'll threaten and there will be a lot of back and forth, but for the most part, investment decisions are based on return and the money will flow to the place where there is opportunity of return. It's just that it's going to be a process people have to get used to. There will be enforcement actions on the way.
And just keep in mind that it's not only the federal government. My expectation is that the states like New York and other states will be also proactive in this And if it's not the federal government, it's going to be the state government actually attaching to the smaller organizations. So that will create another layer of effort. The sanctions rules have always applied to investment advisors, but now there is a concerted effort to do examinations.
It's going to trickle down to the smaller organizations. It's not just going to be the larger organizations. To give you example, it used to be that when you got an SEC exam or a FINRA exam for broker-dealers, it would be like, how do you complying with sanctions? My expectation now is not how you comply with sanctions. It's tell me what are you doing with respect to the travel rule? And they will develop exams that way, which are going to be more painful, and you're going to have to have documentation on everything. So that's the long-term trend on this, but I don't think it's economically from an investment perspective, it's going to make the difference so long as the diversity of returns is available in the United States.
Sadrack Belony:
In the past you could say maybe they'll try to leave and go to a less stringent jurisdiction, but if you really look at the world now, we're up to the world with this policy and to be as stringent as some of the rest of the world, there's no more going to Caymans. There's no more going to Europe because the rest of the world is simply as stringent as we are. And honestly, as Julius mentioned, it's really going to be a matter if you're getting your returns, it might end up being just par for the course to invest in the financial sectors.
Julius Leiman-Carbia
Sadrack, you and I had a conversation before about compliance in other countries. It's worth pointing out what you said, that some countries had a reputation in the past of non-compliance, that reputation remains. Do you want to comment on that about some of the jurisdictions out there that may not have had compliance in the past and now are just as strong compliance, provoked proponents, as the United States has definitely come?
Sadrack Belony:
For example, everyone used to think that the Cayman Islands were the place to go in regards to not being stringent for tax purposes, for AML KYC purposes. CIMA has always been stringent, but the moment that the Cayman Islands were put on the gray list, that's actually what caused them to implement and to start doing their own reviews as well for service providers for funds that are registered in the Cayman Islands. And as we've seen in the past, CIMA has also delivered some hefty fines to companies who are not following CIMA regulations in regards to AML KYC and customer identification documentations. So I'll be interested to see long-term if there is an attempt to go to other jurisdictions, but I think the world's getting smaller when it comes to regulations and ensuring that customers are being identified and proper due diligence is being collected.
Cassie:
I just have one last question that I'll pose to all of you and then we've gotten some great questions I'd love to get into. At a high level, what advice would you all give to private equity fund managers as they navigate these new regulatory requirements?
Julius Leiman-Carbia
One thing we haven't discussed is the impact on these rules on the investments themselves. And there is going to be a need for there to be a more in-depth review of AML considerations when investing. And we haven't discussed that, but that's something that is there. And it may not be the initial approach of the regulators, but my expectation is that ultimately it will evolve to, "Have you considered this?" And if it's not the regulatory side, it's going to be the reputational side. Already, it is somewhat like that. I mean, you don't want to invest in organizations that are engaged in human trafficking, but if you are investing an organization that receives money directly or indirectly from human trafficking, then now you are exposed to the possibility that the regulator will say not only should your investors raise this issue with you, but I'm going to raise it with you because you should have done some due diligence on this and identified this before it was actually raised by your investors. But putting that aside, going back to the question that Cassie asked, I've done this for many years and I have been global head on the sanction side, and I have to say it is really difficult, unless you have unlimited amount of resources, it is very difficult to run this all by yourself.
And if you think about it, it's not policies and procedures, it's case management, it's technology structure for risk assessment, periodical risk assessments, audits, and so in all of this as human beings, but some of this can be replaced with technology, and made easier through the technology process. So I really advise people to start considering the third-party tools that not only provide ability to do this, but to document the process. Really don't want to get an exam knowing full well that you did everything that the rule required. And so the examiner comes in and says, "Prove it to me." And you have absolutely nothing to prove. It would be the most frustrating situation.
Sadrack Belony:
From a fund administrator's perspective, regardless of if a fund was registered in the US and this rule was not in place, one of the things we make sure we do is regardless, we had to apply some kind of AML KYC requirements because we wanted our clients to be prepared just in case anything were to happen, any bad actors, on their behalf. We have the processes in place, we have the technology in place, we have the people as well that has expertise in AML KYC, just as Julius said, to ensure that our clients are protected.
So I agree wholeheartedly that if there's not a capacity to build this internally, to be able to grow this process internally and look for a third party, work with a company like Passthrough, work with administrator like Aztec, or just seek that external help that will allow you, because one year goes by very, very fast: very quickly it'll be January 2026. If you've been working with a third party, there's a good possibility they may have already been doing this, but if not, seek the help, have transparency, have communication, speak to internal stakeholders as well as external stakeholders. And similar to what Julius said earlier, make sure you communicate with your investors that these are the changes that are happening and here's why and here's how we're going to mitigate that risk.
Mark Mangion:
Timing is of the essence. It's probably a good time to start evaluating your current process, see if you need to go outside of your internal organization to third parties like the Aztec Group, Passthrough, and others to help. I think it might be, as Julius was pointing out before, understanding what your current profile currently consists of. That way, if you have any potential industries in there, I know certain banks, or most banks, don't allow firms to go through and deal with cannabis, for example, or arms trafficking or anything along those lines. Sanctions has always been a requirement, but it might be good to do what we in the industry consider a look back and just get ahead of anything down the road.
So it gives you an opportunity to apply these new rules that you're putting in place against your existing customer or investor base because that is probably a step in the right direction to also help you narrow for future funds that you have this process and are aware of the risks identified and also the reputation and repercussions that might come from continuing to do business with anyone that might be either in the gray area or definitely someone that you do not want to do business with.
So I think definitely start sooner than later and there's never a too early time to start evaluating this and seeing where you need to be to comply with these requirements.
Sadrack Belony:
Agreed.
Cassie:
It sounds like the speed at which everybody has to be compliant, it's like start yesterday. We've gotten some great questions. Wendy asked, what data and documentation needs to be collected for the beneficial owners? Julius, could you speak to that a little bit?
Julius Leiman-Carbia
What data has to be collected is the ownership data and evidence of that. So this is a very good question because at the end of the day, it's not necessarily the data that you need to produce to regulators, the data that you need to satisfy yourself, that what they're telling you is actually true, right? Because anyone can say, "Oh no, I'm 100% owner, don't worry about it. I know it. Here, just take my information." But it's going to be the data that you need to be able to prove that. Plus, at some point, and there is regulation on this, it's what kind of information do you need to verify who the person is?
A lot of that it's under the AML due diligence side and not necessarily under the beneficial ownership side, but I would apply the rules equally because of consistency and expectation of regulators. So you're probably going to need a passport, or you're going to need a driver's license, depending on where you are. You're going to need some sort of identification. You will be faced with situations like, "well, yeah, I have a passport, but I don't have a photograph.” So if shareholder records is going to be important, passports and identification of the individual owners is going to be important. And I think that sort of identification and official records, is probably going to be enough. When it comes to official records. One of the problems is also going to be that different countries have different types of official records, and in some cases you will be asked, "Can I just give you a notarized representation of what's in a particular record registry?"
And that probably is okay if you can get comfortable that the affidavit that you're getting is actually valuable and correct, and you may not be able to get anything more than that. So just to summarize, there's no specific requirement on the beneficial ownership. I would extend the requirements that apply to the due diligence over to the beneficial ownership side. And I would say that you have to apply a certain level of logic to achieve the comfort that when the information that you're getting is accurate and answers the question that you're looking to resolve.
Cassie:
We got a question from Owen and Sadrack, I'll pass this one over to you. For small fund managers that don't have a third line of defense, like an internal audit function, how would they meet the requirements and the rule to ensure that there is an independent assessment of the effectiveness of the AML program?
Sadrack Belony:
If they don't have that internally, I would say work with a third party, look for a service provider who's able to assess and review your AML policies and test it to make sure it's correct. Or hire a third-party vendor to be able to, like the rule allows you to, to be able to manage all of that onboarding, processing, the AML to KYC, the technology piece of it. Because that may be a big investment for some firms. So I think in working with a third party and getting that external subject matter expert to come in and take a look at the processes would be the key to help with that.
Cassie:
Tuan asked: if you already have a fund administrator, how can we utilize Passthrough, what's your integration process with other partners? What is Passthrough planning to do around these pillars and helping fund managers be compliant? So Mark, I'll pass that over to you.
Mark Mangion:
Fom our current process now, it's primarily focused on document collection like we were talking through here, based on different investor types and entity types. So if it's an LLC, we want to see the operating agreement as well as anyone who has 25% or more ownership interest in the investing entity. And then we also run screening against sanctions, political exposure, fitness and probity, which is regulatory enforcement. And we have a methodology that we provide risk ratings to our customers at the investor level just with, we have critical risk, which is pretty much anyone who is on a sanctions list. And we're saying, this is our recommendation for you not to move forward as well as high risk that you should evaluate. But there could be some implications. Moderate risk is more in the middle, but still evaluate a low risk.
So our role to date has been more from an advising capacity. But I've seen some questions in here like, "Hey, can we continue to have round tables and talk through this further?" Passthrough is evaluating how we can help our existing clients and also future clients to comply with these rules by evaluating an AML compliance officer responsibility, doing training, building out policies, procedures, doing look backs, also doing independent assessments. So I'm sure a lot of firms are evaluating this as well, and it's good to have these kind of conversations, but from the Passthrough role as the regulatory landscape changes, we want to make sure that we're helping our clients meet these regulatory compliance needs and then helping them along the way. That way they feel comfortable going into this January 1st, 2026 deadline.
Cassie:
Another great question from Owen is for fund managers with existing funds and investors, will the implementation of this role require customer due diligence measures across all pre-existing investors in the fund as well as any new fund investors coming into the fund?
Julius Leiman-Carbia
Great question. I think that you should assume that you're going to have to do due diligence on existing customers. So one of the important aspects of this is that you have to do a risk assessment of the individual investors who are your clients and you're going to have to send them money. And so all of that means that with respect to each one of the clients that are currently in your portfolio, and I don't mean investment portfolio, in your client portfolio, you're going to have to do a due diligence. And this is going to be a problem as we have seen organizations that all of a sudden realize that they have thousands of customers and they now need to do that due diligence and the risk assessment on each one of them, and then go out and ask for information.
So I would take advantage of the next year to start the process of transition. I would create a plan to decide which clients that you're going to start doing this. And I would start with the clients who will be getting distributions in the medium term — in three or five years — going towards the clients that you've had in your portfolio the longest.
Those are the clients who also are going to have to change investment because the fund will expire and now they need to go into new investment, you already have done the due diligence on them and all you're doing is risk assessment. With respect to the newer clients, you probably want to start a little bit later, but I would create a plan over the next year so that you're not caught off guard to fundraise in 2026 and you can't let the clients either invest, or you can't send them money and then they get really upset.
Sadrack Belony:
I agree 100%. Don't take the stance that it may not apply to your past investors. I have not seen it in 20 years for the other jurisdictions where they only applied it to a point in time going forward, they usually always go back and test in the past. I would say assume that it will apply to your existing investors and ensure that they comply with the rules.
Cassie:
Sadrack, this is something I think you could speak to. If fund admins manage AML for a fund's LPs, will the new rule require them to bring this in-house, or do you expect fund admins to adjust the AML process?
Sadrack Belony:
For fund admins that are already doing the AML KYC processes, this should already cover a private equity fund. They should already have these rules in place, especially if they deal with multiple jurisdiction. So this is something that should already exist. And if you have a fund administrator you're already working with, make sure you reach out and just confirm that all of these requirements by the new rule is already covered. Because although they are doing the work, as we said earlier, you as a fund manager are still liable for when the audit happens. So I would say yes, fund administrators are able to already provide that service you already covered, but definitely have that conversation. Trust but verify, essentially.
Cassie:
Can you provide some examples of the OFAC and screening technologies that Passthrough utilizes and how that process works?
Mark Mangion:
We use a tool called Comply Advantage. It's automatically integrated with Passthrough. So when an investor is filling out their KYC documentation in Passthrough they're able to identify who the investing entity is and then the beneficial ownership structure behind the investor. So say there's five beneficial owners behind this one investor, we have all six of the entities or individuals that are associated with this transaction automatically screened against sanctions lists. We have over 200+ lists currently with Comply Advantage that we screen against. So it's not only sanctions, it's regulatory enforcement, it's for political exposure. So we want to see if there's any state-owned entities or anyone who was either formerly a PEP or currently a PEP, which is like a senator or a congressman, anything along those lines. As well as we look at adverse media and negative news, so seeing if they've been associated with any kind of litigation or anything that might be financial crime related.
We do it at time of onboarding and then we have it enabled where even though we might review these investors and beneficial owners and say there's nothing comes back, we feel that the risk is relatively low and they're in a low-risk jurisdiction, say something comes back and they get added to a sanctions list or whatever it may be from a high-risk perspective or maybe they moved jurisdictions. We have a nightly screening, or continuous monitoring, enabled.
So every night our entire investor and beneficial ownership database is run against those same lists just to see if anyone has been added to a list after they've already been onboarded. And then from our managed service, we'll go through, evaluate, see if it's actually a positive match or a false positive, and then work with our clients on mitigating and we'll provide best practices on how to help. And then what it actually means if someone is on a sanctions list and you've already accepted money from them, or you send a distribution and their assets are frozen. So I hope that answered the question from the screening process.
Cassie:
We're pretty much at time, so I want to thank our awesome panelists. Thank you Sadrack, Julius, and Mark. And thank you so much tot he audience for joining us.