Customer Due Diligence Checklist for Fund Administrators in 2026

A practical CDD workflow for fund administrators onboarding new vehicles, investors, and counterparties. Entity verification, UBO mapping, sanctions screening, and ongoing monitoring.

TL;DR. FATF Recommendation 10 requires regulated entities to identify and verify customers, including the beneficial owners behind them, before or during onboarding. Fund administrators face a layered obligation: CDD applies both to the fund vehicle itself (as the administrator’s customer) and to the investors subscribing to that fund. The four-step workflow is identify, verify, screen, and monitor. Fund-specific complexity comes from multi-layer SPV ownership structures, the regulator-recognised ability to accept delegated investor KYC from the fund manager in some circumstances, and the depositary attestation context under AIFMD Article 21, which audits the administrator’s process as part of depositary oversight. Getting any one layer wrong creates file gaps that surface in regulatory inspections.

1. What CDD means for a fund administrator (vs a bank)

A bank and a fund administrator both sit under FATF Recommendation 10, but the customer topology is different.

A bank has one obvious customer: the account holder. A fund administrator has two overlapping customer populations. First, the fund vehicle itself is the administrator’s direct customer. The administrator provides services to the fund, and the fund must be verified as a legal entity in good standing, with the fund manager’s regulatory authorisations confirmed. Second, the investors subscribing to the fund are, from an AML/CFT perspective, the customers of the fund. The administrator carries out investor CDD on behalf of, or at the direction of, the fund and its manager. In many AIFMD-regulated jurisdictions, the administrator performs investor onboarding operationally even when the fund manager retains regulatory responsibility.

This dual-layer structure means a fund admin CDD programme must cover two distinct verification tracks that run in parallel and are documented separately.

FATF Recommendation 10 requires financial institutions to verify the identity of customers and beneficial owners, understand the purpose and intended nature of the business relationship, and conduct ongoing monitoring. For regulated European fund administrators, AIFMD (Directive 2011/61/EU) adds the depositary relationship: the depositary appointed under Article 21 is required to oversee the fund manager’s compliance with investor subscription and redemption procedures, which directly intersects with investor CDD documentation. ESMA Guidelines on sound remuneration policies and internal governance under AIFMD also address the control environment that supports CDD quality.

UCITS V Directive adds equivalent investor protection and oversight obligations for UCITS management companies and their administrators.

2. The CDD lifecycle for a new fund vehicle

When a fund administrator takes on a new fund mandate, the fund entity itself is the first CDD subject.

Entity identification and status. Confirm the fund’s legal name, registration number, and jurisdiction of incorporation from the relevant registry. A Cayman Islands exempted limited partnership is registered at the Cayman Islands Monetary Authority (CIMA); a Luxembourg SICAV appears in the RCS Luxembourg; a Dublin QIAIF is in the Irish CRO. The registry record establishes that the legal entity exists and is active.

Regulator authorisation check. For an Alternative Investment Fund, confirm that the fund manager is authorised as an AIFM by the relevant competent authority: FCA in the UK, CSSF in Luxembourg, Central Bank of Ireland, MFSA in Malta, or MAS in Singapore for Asian-domiciled funds. For UCITS, confirm UCITS management company authorisation. Authorisation status is publicly searchable on each regulator’s register. A fund manager who has allowed their authorisation to lapse is a red flag that overrides all other documentation.

Prospectus and constitutional document review. The fund prospectus, offering memorandum, or private placement memorandum establishes the investment strategy, investor eligibility criteria, and subscription terms. The constitutional documents (articles of association, limited partnership agreement, trust deed) establish governance and authority. These documents are not CDD documents in themselves, but they anchor the purpose-of-relationship assessment required by FATF Recommendation 10.

Board composition and governance. Identify the directors or general partner representatives of the fund vehicle. For corporate funds, confirm directors against the registry record. Check all directors against PEP and sanctions lists. A fund vehicle with a sanctioned director cannot be onboarded regardless of the fund manager relationship.

Manager AIFMD/UCITS cross-check. Confirm that the mandate from the fund manager is consistent with the manager’s authorisation scope. An AIFM authorised for certain asset classes should not be managing fund strategies outside that scope without variation approval from their competent authority.

3. The CDD lifecycle for a new investor (subscription stage)

Investor CDD runs in parallel with fund onboarding for a new vehicle, and separately for each subsequent subscription in an open-ended fund.

Natural person investors. Verify legal identity from a government-issued photo ID. Confirm current residential address from a recent utility bill or bank statement (dated within three months in most policy frameworks). Assess source of funds for the specific subscription: the origin of the money being invested, not general wealth. Conduct PEP screening: check the investor, their immediate family members, and known close associates against PEP databases. Conduct sanctions screening against OFAC SDN, EU Consolidated Financial Sanctions List, UK OFSI Consolidated List, and UN Security Council Consolidated List at minimum.

Corporate and institutional investors. Verify the legal entity against the registry of incorporation. Download or confirm the official company extract. Map the ownership structure to identify natural-person ultimate beneficial owners above the relevant threshold (25% by default under FATF Recommendation 24 and EU 5AMLD, lower for high-risk investors). Each intermediate corporate holding company requires its own registry lookup. The ownership walk stops only at natural persons or at entities that qualify for simplified CDD under your risk framework (listed companies on recognised exchanges, regulated financial institutions in FATF-equivalent jurisdictions). Verify regulatory status if the investor is itself a regulated entity: confirm authorisation status with the relevant regulator’s public register.

Source of funds documentation. For subscriptions above your institution’s threshold, or for any investor assessed as medium-to-high risk, collect source-of-funds documentation: audited accounts, dividend distribution records, sale-of-asset proceeds documentation, inheritance grant, or equivalent. Source-of-funds documentation should match the subscription amount in quantum and timing.

4. The 11-point fund admin CDD checklist

This checklist applies per entity (fund vehicle or investor). A separate checklist instance should exist in the compliance file for each.

  1. Confirm legal entity registered status. Obtain an official extract from the registry of incorporation confirming current active status. For fund vehicles: CIMA (Cayman), RCS Luxembourg, Irish CRO, MFSA (Malta), Companies House (UK), ACRA (Singapore). Extract should be no older than three months at onboarding.

  2. Confirm fund manager regulatory authorisation. Verify the AIFM or UCITS management company authorisation on the relevant regulator’s public register: FCA, CSSF, Central Bank of Ireland, MFSA, MAS, or equivalent. Document the search date and authorisation number.

  3. Identify natural-person UBOs above the relevant threshold. Default threshold is 25% ownership or control. Apply a lower threshold (10% or material influence test) for investors assessed as high-risk. Walk the ownership chain to natural persons. Document each layer and each registry used. Where a UBO cannot be confirmed from public sources, collect a certified beneficial owner declaration with supporting ID.

  4. Sanctions screening. Screen all entities, directors, and UBOs against: OFAC SDN list (including OFAC 50% rule for entities owned by SDN-listed persons), EU Consolidated Financial Sanctions List, UK OFSI Consolidated List, and UN Security Council Consolidated List. Document the lists screened, date of screening, and disposition of any matches or near-matches.

  5. PEP screening. Screen all natural-person directors, UBOs, and (for natural person investors) the investor and their immediate family and known close associates. FATF Recommendation 12 requires enhanced due diligence for PEPs, their family members, and close associates. A PEP determination does not automatically block onboarding but triggers EDD.

  6. Source of funds documentation. Collect and verify documentation for the origin of funds being invested. Tier this by subscription size and investor risk rating. Document the basis for accepting or declining the documentation provided.

  7. Adverse media screening. Review commercially available adverse media databases or conduct structured news searches for all entities and key natural persons. Document material adverse findings and their disposition. Adverse media does not automatically block onboarding but informs the risk rating.

  8. Tax residence and FATCA/CRS classification. Collect self-certification of tax residence from each investor. Classify under FATCA (IRS/US Treasury) as a US Person, Passive NFFE, Active NFFE, or Financial Institution as applicable. Classify under CRS (OECD) for automatic exchange of information obligations. Confirm consistency between self-certification and other documentation collected.

  9. Risk rating. Assign a risk rating (low, medium, high) based on investor type, jurisdiction, source of funds clarity, PEP and sanctions results, adverse media, and product type. The risk rating drives the review frequency and the level of ongoing monitoring applied.

  10. Board minute or subscription acceptance documentation. Document the CDD completion in a board minute, compliance sign-off, or subscription acceptance record. For high-risk investors, document senior management approval. This creates the audit trail linking the file to the formal acceptance decision.

  11. File retention per applicable rule. Flag the file for retention at the required period. The standard across EU AML Directives, UK Money Laundering Regulations, MAS AML/CFT Notices, and the FATF Recommendations is five years from the end of the business relationship. Some jurisdictions (Cayman, certain US contexts) specify longer. Set the file disposition date on onboarding, not at relationship termination.

5. Where the data actually lives

Registry layer. The primary data source for entity identity and status is the official registry of the jurisdiction of incorporation. For common fund domiciles: Luxembourg (RCS at rcs.lu), Ireland (CRO at cro.ie), Cayman Islands (CIMA at cima.ky for regulated funds, General Registry for corporate entities), Malta (MFSA registry at mfsa.mt), UK (Companies House at companieshouse.gov.uk), Singapore (ACRA BizFile+ for corporate vehicles). For investor entities spanning other jurisdictions, the businessdataguide jurisdiction guides cover the access patterns for registries by country. See the relevant jurisdiction guide for the specific document to request and the current cost.

Sanctions lists. The four primary lists for a fund administrator with a global investor base are: OFAC SDN at sanctions.ofac.treas.gov (apply the 50% ownership rule for entity screening), EU Consolidated Financial Sanctions List via the European Banking Authority FSAP tool, UK OFSI Consolidated List at gov.uk/ofsi, and the UN Security Council Consolidated List at un.org/securitycouncil/sanctions. These lists are free and publicly accessible. Most administrators run screening through a commercial screening service that aggregates and normalises across all four and adds fuzzy name matching for transliteration variants.

PEP and adverse media. PEP databases and adverse media screening are provided by commercial services: Refinitiv World-Check, LexisNexis WorldCompliance, Dow Jones Risk and Compliance, and Comply Advantage are among the commonly used platforms in the fund administration sector. The quality of PEP family-member and close-associate coverage varies considerably between providers; verify before relying on a single source.

Tax residency. Self-certification (IRS Forms W-8BEN, W-8BEN-E, W-9, and equivalent CRS self-certification forms) is the primary source. Cross-check self-certification claims against other documentation: a US mailing address on a W-8BEN claiming non-US status, or a FATCA-exempt claim from an entity that cannot demonstrate its qualifying status, requires follow-up.

Regulator registers. FCA authorisation status at register.fca.org.uk, CSSF at supervisedentities.cssf.lu, CBI at registers.centralbank.ie, MAS at masnet.mas.gov.sg/fid/FinancialInstitutionInquiry.

6. Risk-based approach in practice

FATF Recommendation 10 and the EBA Guidelines on customer due diligence require a risk-based approach: the intensity of CDD scales with the assessed risk.

Standard CDD applies to the default investor population: institutional investors domiciled in FATF-member jurisdictions with no PEP connection, no adverse media, clear source of funds from a regulated entity’s own accounts. Standard CDD means completing all 11 checklist items at onboarding, with a periodic review cycle of at least annually.

Simplified CDD applies where the risk is demonstrably low. Listed companies on recognised exchanges, regulated financial institutions in FATF-equivalent jurisdictions, and government bodies typically qualify. Simplified CDD reduces the depth of UBO mapping and source-of-funds documentation required. It does not eliminate the obligation to screen for sanctions and PEPs. Document the basis for applying simplified CDD explicitly in the file.

Enhanced Due Diligence applies where risk factors are present: PEP investors, investors from FATF grey-list jurisdictions, complex ownership structures with no clear economic rationale, unusually large subscriptions inconsistent with the investor’s profile, or adverse media on connected persons. EDD adds source-of-wealth verification (not just source of funds), senior management sign-off, and tighter review cycles.

Product type also shapes the risk calibration. Open-ended funds with frequent subscription and redemption windows require more active monitoring than closed-ended vehicles where investors are locked in for the fund’s life. Retail-accessible funds face stricter investor eligibility checks than institutional-only vehicles.

7. Documentation and audit trail standards

A CDD file that is complete at onboarding but disorganised and difficult to retrieve is a compliance risk in itself.

Auditors reviewing a fund administrator’s CDD programme under AIFMD Article 21 depositary oversight look for: a complete document set for each onboarded entity, dated at time of collection; evidence that sanctions and PEP screening was performed at onboarding; a risk rating that is traceable to the file contents; evidence of periodic re-verification at the cadence implied by the risk rating; event-triggered re-verification when material changes occurred; and a record of any EDD applied and the approval given.

The Wolfsberg Group’s guidance on Customer Due Diligence in the private banking and investment management context, while written primarily for private banks, sets the industry benchmark for what “adequate” file contents look like. Wolfsberg’s AML Principles articulate the documentation expectation: contemporaneous records, clear methodology, traceable decisions.

ESMA Guidelines on AIFMs and the risk profile of Alternative Investment Funds address the control environment surrounding investor due diligence. Fund boards and depositaries reference ESMA guidance in their oversight activity.

For record retention: EU AML Directives and their transpositions in Luxembourg, Ireland, Malta, and Germany require five years from the end of the business relationship. UK MLRs 2017 require five years. MAS Notice 626 (Singapore) requires five years. Cayman AML Regulations require five years. Where different rules apply in the same file, apply the longest retention period.

8. When CDD escalates to EDD (and the handoff)

Standard CDD has a defined ceiling. When a file crosses certain thresholds, the practitioner obligation shifts to Enhanced Due Diligence.

A PEP determination anywhere in the ownership chain triggers EDD under FATF Recommendation 12. This applies to the PEP, their family members, and known close associates. The EDD for a PEP investor includes source-of-wealth verification (the history of accumulated wealth, not just the origin of the specific subscription funds), senior management approval, and more frequent file review.

An investor or fund manager domiciled in a FATF grey-list jurisdiction triggers country-risk EDD. As of May 2026, the grey list includes jurisdictions that have been placed under increased monitoring. The current list should always be confirmed at fatf-gafi.org, as it is updated at each plenary (February, June, October).

Ownership structures where corporate layers do not have an evident commercial rationale, or where UBO confirmation cannot be achieved through normal documentation, trigger EDD. The Wolfsberg principle here is that a structure that exists primarily to obscure the beneficial owner is itself a risk indicator.

The article on enhanced due diligence discusses the specific documentation requirements, senior management sign-off standards, and the ongoing monitoring intensity that EDD entails.

9. Common fund admin CDD failures

Over-reliance on the fund manager’s KYC. A fund administrator may accept the fund manager’s KYC output as part of its process, but this is not the same as delegating the regulatory obligation. The administrator must satisfy itself independently that the investor file is adequate. Accepting a summary sheet from the manager without reviewing underlying documentation is a common gap that surfaces in depositary reviews.

Stopping UBO mapping at the first corporate layer. If a corporate investor is itself owned by a holding company in another jurisdiction, the UBO mapping must continue. The obligation under FATF Recommendation 24 and EU 5AMLD Article 3(6) is to reach the natural person, not to confirm that a corporate shareholder exists.

Stale sanctions screening between subscription and contribution. A subscription may be signed months before capital is actually called. If a sanctions designation occurs in the intervening period and the screening is not refreshed at contribution, the fund receives money from a newly designated party without detection.

Missing PEP family connections. A direct PEP match is often detected. A PEP’s spouse or adult child holding an investment position through a corporate vehicle is frequently missed. PEP databases vary in their family-member coverage; the file should document the scope of PEP screening performed, not just “screened.”

Treating “regulated entity” as a free pass. A regulated financial institution (a bank, a fund, an insurance company) from a FATF-member jurisdiction may qualify for simplified CDD in certain frameworks. Simplified CDD still requires basic entity verification, a sanctions check, and a PEP check on controlling individuals. It reduces documentation depth; it does not remove the screening obligation.

Failing to update the file after the relationship changes. A change in fund management company, a change in the investor’s corporate structure, or a director resignation at a corporate investor entity all trigger a file update requirement. Without event-triggered review, the file becomes progressively less accurate over time.

10. FAQ

Can a fund administrator rely on the fund manager’s KYC?

The administrator can incorporate the fund manager’s KYC output into its own process, but the regulatory obligation under the applicable AML framework typically attaches to the administrator independently. AIFMD does not create a blanket delegation from the manager to the administrator on AML. The administrator should document the basis for reliance (what documentation was received, when, and what the administrator independently verified) rather than treating the manager’s file as a substitute for its own.

What is the difference between investor CDD and fund vehicle CDD?

Fund vehicle CDD treats the fund entity as the administrator’s direct customer: entity verification, manager authorisation, constitutional documents, board governance, and AIFMD/UCITS cross-checks. Investor CDD treats the subscribing investors as customers of the fund: ID verification, UBO mapping, source of funds, sanctions and PEP screening. Both tracks must be completed, documented separately, and retained.

Does the 25% UBO threshold apply to fund investors?

The 25% threshold is the default for identifying UBOs under FATF Recommendation 24 and the EU AML Directives. For a corporate investor, you are mapping the corporate structure to find the natural persons who own or control 25% or more of the corporate investor. For an investment fund investing in another fund, the thresholds and methodology become more complex; apply your institution’s written policy on fund-of-fund investor treatment and document it.

How often should investor CDD be refreshed?

The minimum standard across FCA, CSSF, and MAS frameworks is annually for standard-risk investors. High-risk investors should be reviewed more frequently, with the review cycle set by your institution’s risk rating framework. In addition to scheduled reviews, any material change in the investor’s circumstances (change of beneficial owner, sanctions designation of a connected person, adverse media, change of tax residence) triggers an out-of-cycle review.

What does the depositary check, as opposed to the fund administrator?

The depositary appointed under AIFMD Article 21 is responsible for oversight of the fund manager’s compliance with subscription and redemption procedures, cash monitoring, and asset safekeeping. In practice, the depositary reviews the administrator’s investor CDD process as part of its oversight function. The depositary checks whether the administrator has a documented process, applies it consistently, and retains adequate records. The depositary does not perform primary CDD itself on each investor; it reviews the quality and completeness of the administrator’s work.

Are master-feeder structures treated differently?

Yes, in practice. A feeder fund investing into a master fund creates a two-tier investor population: the feeder’s investors are customers of the feeder, and the feeder itself is an investor in the master. The master fund administrator must perform CDD on the feeder as an investor entity. Depending on the jurisdiction and regulatory guidance, the master administrator may be permitted to rely on the feeder administrator’s investor-level KYC, but only where this is documented, the feeder administrator is regulated to an equivalent standard, and the master administrator has assessed the quality of the feeder’s AML programme.

How are FATCA/CRS obligations linked to CDD?

FATCA (US Treasury/IRS) and CRS (OECD) are tax reporting obligations that require the fund administrator to identify each investor’s tax residence and classify them for reporting purposes. CDD and FATCA/CRS share some of the same documentation: investor ID, address, and jurisdiction of tax residence are common data points. In practice, FATCA/CRS self-certification forms are collected as part of the subscription process alongside CDD documentation. A material inconsistency between FATCA/CRS self-certification and other CDD documentation (for example, a US address on file with a W-8BEN claiming non-US tax status) should be flagged for resolution and is itself an AML indicator if the inconsistency appears deliberate.


Last verified: May 2026. Sources: FATF Recommendations 10, 11, 12, and 24 (fatf-gafi.org); AIFMD Directive 2011/61/EU, Article 21; UCITS V Directive 2014/91/EU; EU 5th Anti-Money Laundering Directive (5AMLD) 2018/843/EU; Wolfsberg Group AML Principles and Customer Due Diligence guidance (wolfsberg-principles.com); OFAC SDN list and 50% Rule guidance (sanctions.ofac.treas.gov); EU Consolidated Financial Sanctions List (European Banking Authority FSAP); UK OFSI Consolidated List (gov.uk/ofsi); UN Security Council Consolidated List (un.org); FATCA (IRS/US Treasury, 26 USC 1471-1474); OECD Common Reporting Standard (oecd.org/tax/transparency); FCA register (register.fca.org.uk); CSSF supervised entities (supervisedentities.cssf.lu); MAS Notice 626 AML/CFT; ESMA Guidelines on sound remuneration policies and internal governance under AIFMD; EBA Guidelines on customer due diligence (EBA/GL/2024/01).