
KYC, AML, and why institutional capital is gated

KYC stands for Know Your Customer. AML stands for Anti-Money Laundering. Together they form the regulatory regime that requires regulated financial institutions to identify their clients, understand the source of their funds, and monitor their activity for suspicious patterns. The rules are global. National regulators (FinCEN in the US, the FCA in the UK, BaFin in Germany, MAS in Singapore) set their local versions, coordinated through the Financial Action Task Force (FATF).

The penalties for non-compliance are real. If a bank, fund, or broker handles money for a client without doing this work, regulators can fine them, suspend their license, or jail their compliance officers. That bar shapes everything downstream. Institutional capital can't simply flow into a venue that doesn't gate access. The institution carries the obligation, not the platform.

What the rules actually require

KYC is the front-end check. The institution does it at onboarding and refreshes it on a fixed schedule. It collects government ID, proof of address, beneficial ownership disclosure (who actually controls the entity, down to natural persons holding 25% or more), and documentation of where the money came from. The list scales with entity complexity. Corporate clients submit board resolutions, articles of incorporation, and a chain of ownership all the way up. Funds add subscription documents, accredited or qualified investor status, and tax forms.

AML is the ongoing surveillance. Once a client is onboarded, every transaction passes through screening: against sanctions lists (OFAC in the US, the UN consolidated list, EU restrictive measures), against politically exposed persons (PEP) databases, and against transaction-pattern rules that flag structuring, rapid movement through multiple accounts, or counterparty concentration. Anomalies get escalated to a compliance officer. Material concerns become a Suspicious Activity Report filed with the regulator.
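The screening pipeline described above, reduced to runnable form. This is an added example, not code from the original page: it models a sanctions-list check, a PEP check, and two of the pattern rules the text names (structuring just under a reporting threshold, and counterparty concentration) over a hand-constructed batch of transactions. The list entries, thresholds, window sizes and the transaction records are all assumptions for illustration, not any regulator's actual parameters.

```python
"""Toy AML transaction screening over constructed sample data (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Txn:
    txn_id: str
    account: str
    counterparty: str
    amount: float
    ts: datetime


@dataclass
class Alert:
    rule: str       # which screening rule fired
    account: str    # the onboarded client account the alert is raised against
    detail: str


# Constructed placeholder reference lists (not real sanctions or PEP entries).
SANCTIONED = {"ACME TRADING FZE"}
PEP = {"J. EXAMPLE MINISTER"}

# Assumed rule parameters.
REPORT_THRESHOLD = 10_000.0          # reporting threshold the structuring rule keys off
STRUCTURING_BAND = 0.9               # "just under": >= 90% of threshold but below it
STRUCTURING_COUNT = 3                # this many near-threshold payments ...
STRUCTURING_WINDOW = timedelta(days=7)  # ... inside this rolling window
CONCENTRATION_SHARE = 0.8            # one counterparty taking >= 80% of volume
CONCENTRATION_MIN_TXNS = 5           # only judge concentration on enough history


def normalize(name: str) -> str:
    """Canonicalise a counterparty name before matching against a list."""
    return " ".join(name.upper().split())


def screen(txns: list[Txn]) -> list[Alert]:
    alerts: list[Alert] = []
    by_account: dict[str, list[Txn]] = defaultdict(list)

    # Per-transaction list screening.
    for t in txns:
        cp = normalize(t.counterparty)
        if cp in SANCTIONED:
            alerts.append(Alert("sanctions", t.account, f"{t.txn_id} -> {cp}"))
        if cp in PEP:
            alerts.append(Alert("pep", t.account, f"{t.txn_id} -> {cp}"))
        by_account[t.account].append(t)

    # Per-account pattern rules.
    for acct, items in by_account.items():
        items.sort(key=lambda t: t.ts)

        # Structuring: repeated payments just under the threshold within a window.
        near = [t for t in items
                if REPORT_THRESHOLD * STRUCTURING_BAND <= t.amount < REPORT_THRESHOLD]
        for i, first in enumerate(near):
            window = [u for u in near[i:] if u.ts - first.ts <= STRUCTURING_WINDOW]
            if len(window) >= STRUCTURING_COUNT:
                ids = ",".join(u.txn_id for u in window)
                alerts.append(Alert("structuring", acct, f"{len(window)} near-threshold: {ids}"))
                break

        # Concentration: most of the account's volume goes to one counterparty.
        if len(items) >= CONCENTRATION_MIN_TXNS:
            total = sum(t.amount for t in items)
            volume = Counter()
            for t in items:
                volume[normalize(t.counterparty)] += t.amount
            top_cp, top_amt = volume.most_common(1)[0]
            if total > 0 and top_amt / total >= CONCENTRATION_SHARE:
                alerts.append(Alert("concentration", acct,
                                    f"{top_cp} = {top_amt / total:.0%} of volume"))
    return alerts


def summarize(alerts: list[Alert]) -> list[tuple[str, str]]:
    """Sorted (rule, account) pairs, convenient for review or assertions."""
    return sorted((a.rule, a.account) for a in alerts)


# Constructed sample batch: one account per pattern.
_BASE = datetime(2024, 1, 1)
SAMPLE = [
    Txn("t01", "ACC-1", "Acme Trading FZE", 5_000.0, _BASE),                     # sanctions hit
    Txn("t02", "ACC-2", "Alpha Widgets Ltd", 9_500.0, _BASE),                    # structuring ...
    Txn("t03", "ACC-2", "Beta Supplies GmbH", 9_800.0, _BASE + timedelta(days=2)),
    Txn("t04", "ACC-2", "Gamma Parts SA", 9_200.0, _BASE + timedelta(days=5)),
    Txn("t10", "ACC-4", "J. Example Minister", 1_000.0, _BASE),                  # PEP hit
] + [
    Txn(f"t{5 + i:02d}", "ACC-3", "Delta Holdings", 2_000.0, _BASE + timedelta(days=i))
    for i in range(5)                                                             # concentration ...
] + [Txn("t11", "ACC-3", "Other Co", 500.0, _BASE + timedelta(days=6))]

if __name__ == "__main__":
    for a in screen(SAMPLE):
        print(f"[{a.rule}] {a.account}: {a.detail}")
```

Each alert is what would land in a compliance officer's queue; whether it becomes a Suspicious Activity Report is a human decision downstream of this code, which is why the rules emit alerts rather than blocking anything.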

A concrete example. A German pension fund wants to allocate $100M to a credit strategy. Before a single euro moves, the fund's compliance team runs KYC on the receiving entity (the manager, the SPV, the custodian), and the manager's compliance team runs KYC on the fund (board, beneficial owners, source of capital). Both sides screen continuously through the life of the investment. If either side's controls fail, the trade doesn't clear.

Why this gates institutional capital

The fines for getting it wrong are substantial. HSBC paid $1.9 billion in 2012 for AML failures involving Mexican drug cartels. Standard Chartered paid $1.1 billion in 2019 for sanctions violations. Danske Bank's Estonian branch processed roughly €200 billion of suspicious flows from non-resident clients between 2007 and 2015, triggering criminal investigations across multiple jurisdictions. Weak controls cost more than strong ones.

That asymmetry shapes what institutions will and won't touch. A pension trustee, an insurance treasury, a sovereign wealth office: each has fiduciary and statutory duties that prohibit moving capital into venues without enforceable KYC and AML at the entry point. These obligations are existential for the institution, and they draw the line around what it can and can't invest in.

Crypto's original promise was permissionless access. That promise still serves retail users and software-defined finance well. Institutional capital comes with different requirements: identity-bound access, sanction screening, transaction surveillance, and an audit trail a regulator can read. Without that stack, the capital stays out.

Where this shows up in institutional crypto-backed lending

In an institutional protocol, KYC and AML are encoded in the access layer from the start. That means permissioned tokens (ERC-3643), gate contracts that check identity attestations before deposit or withdrawal, and segregated entities for KYC'd capital kept separate from open retail markets. The plumbing stays invisible to the depositor. Compliance runs continuously in the background while the on-chain experience stays close to native DeFi.
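A model of the gate described above, as an added example that is not the project's code and not an ERC-3643 implementation: it captures the pattern the text names (an identity registry of attestations from trusted issuers, consulted before any transfer or withdrawal is allowed to move value), in plain Python rather than Solidity. The registry layout, claim fields and the addresses are assumptions for illustration.

```python
"""Toy identity-gated token: transfers are checked against an attestation
registry before any balance moves (added example, modelled on the
registry-plus-compliance-check pattern; not a real contract)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Claim:
    issuer: str         # who attested the check (a KYC provider)
    topic: str          # what was attested, e.g. "KYC"
    expires: datetime   # attestations lapse and must be refreshed


class IdentityRegistry:
    def __init__(self, trusted_issuers):
        self.trusted = set(trusted_issuers)
        self.claims: dict[str, list[Claim]] = {}
        self.frozen: set[str] = set()   # addresses blocked by compliance

    def add_claim(self, addr: str, claim: Claim) -> None:
        self.claims.setdefault(addr, []).append(claim)

    def is_verified(self, addr: str, now: datetime, topic: str = "KYC") -> bool:
        """An address passes only with a live claim on the topic from a trusted issuer."""
        if addr in self.frozen:
            return False
        return any(c.topic == topic and c.issuer in self.trusted and c.expires > now
                   for c in self.claims.get(addr, []))


class PermissionedToken:
    def __init__(self, registry: IdentityRegistry):
        self.registry = registry
        self.balances: dict[str, int] = {}

    def mint(self, to: str, amount: int, now: datetime) -> None:
        if not self.registry.is_verified(to, now):
            raise PermissionError("mint target not verified")
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer(self, sender: str, receiver: str, amount: int, now: datetime) -> bool:
        # Fail closed: both ends are checked before any balance changes.
        if not self.registry.is_verified(sender, now):
            raise PermissionError("sender not verified")
        if not self.registry.is_verified(receiver, now):
            raise PermissionError("receiver not verified")
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount
        return True


def demo() -> dict[str, bool]:
    """Run the gate against constructed addresses; True means the transfer went through."""
    now = datetime(2024, 6, 1)
    reg = IdentityRegistry(trusted_issuers={"kyc-provider-A"})
    live = Claim("kyc-provider-A", "KYC", now + timedelta(days=365))
    reg.add_claim("0xFUND", live)
    reg.add_claim("0xCUSTODIAN", live)
    reg.add_claim("0xLAPSED", Claim("kyc-provider-A", "KYC", now - timedelta(days=1)))
    reg.add_claim("0xUNTRUSTED", Claim("random-issuer", "KYC", now + timedelta(days=365)))
    reg.add_claim("0xFROZEN", live)
    reg.frozen.add("0xFROZEN")

    token = PermissionedToken(reg)
    token.mint("0xFUND", 1_000, now)

    def attempt(receiver: str) -> bool:
        try:
            return token.transfer("0xFUND", receiver, 100, now)
        except PermissionError:
            return False

    return {
        "to_verified": attempt("0xCUSTODIAN"),
        "to_unknown": attempt("0xRETAIL"),
        "to_lapsed_claim": attempt("0xLAPSED"),
        "to_untrusted_issuer": attempt("0xUNTRUSTED"),
        "to_frozen": attempt("0xFROZEN"),
        "sender_balance_intact": token.balances["0xFUND"] == 900,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'allowed' if ok else 'blocked'}")
```

The point the model makes is that the check is on the transfer path itself, not bolted on at the front door: an expired attestation or a compliance freeze stops value moving the moment it takes effect, without the depositor needing to do anything.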

For how that compliant access layer fits into a fund's overall structure, see The dual-fund structure: why institutional RWA protocols use two entities.