On August 28, the Financial Crimes Enforcement Network (FinCEN) issued a final rule establishing anti-money laundering and countering the financing of terrorism (AML/CFT) compliance obligations for US Securities and Exchange Commission (SEC)-registered investment advisers (RIAs) and exempt reporting advisers (ERAs).
Among its mandates, the final rule requires that investment advisers develop a risk-based, reasonably designed compliance safety program that must be approved by the board of directors or, if no board exists, its functional equivalent. The final rule is largely consistent with the proposed rule released on February 13, discussed in a previous alert. Below, we describe the final rule's important changes and dive into a novel aspect of the rule.
Changes From the Proposed Rule
The final rule contains several changes from the proposed rule. Although the final rule sweeps investment advisers — including most RIAs and ERAs — into the definition of "financial institution" under the Bank Secrecy Act (BSA), it excludes certain investment advisers. Specifically, an RIA is not considered a financial institution under the BSA if (1) it registers with the SEC solely because it is a mid-sized adviser, multi-state adviser, or a pension consultant or (2) it is not required to report any assets under management to the SEC on Form ADV.
Foreign-located investment advisers, or those who have a principal office and place of business outside the United States, are subject to the final rule if they are engaging in specified activities. An investment adviser must report activities that (1) take place within the United States, including the involvement of the investment adviser's US personnel, (2) provide advisory services to a US person, or (3) provide advisory services to a foreign-located private fund with an investor that is a US person.
Although contemplated in the proposed rule, the final rule does not exempt registered close-end companies from its directive to establish AML/CFT compliance programs.
AML/CFT Compliance Program Mandates
The final rule requires investment advisors to create an AML/CFT risk-based, reasonably designed compliance program that must be applied to all advisory services provided to all clients. Whether the program is "reasonably designed" will inevitably raise some questions. To meet the final rule's minimum standards, RIAs and ERAs must:
- Develop internal policies, procedures, and controls.
- Designate a compliance officer.
- Implement an ongoing employee training program.
- Utilize independent audit functions to test the programs.
Comments on the proposed rule raised concerns that the minimum requirements were too prescriptive to allow for tailored programs based on each adviser's specific needs. In response, FinCEN reiterated that the risk-based approach allows advisers to adjust each requirement based on their "specific risks and advisory activities." FinCEN further stated that an adviser may be in compliance with the final rule if it focuses aspects of its AML/CFT program on clients it considers a higher risk, while applying "limited measures" to clients or activities it identifies as lower risk. We would advise investment advisors looking to comply with the rule to conduct a risk assessment to identify higher- and lower-risk clients.
Develop Internal Policies, Procedures, and Controls
As a preliminary step in developing an AML/CFT compliance program, an investment adviser must assess its vulnerabilities by reviewing the advisory services offered, nature and geographic locations of its clients, investment products offered, investment recommendations, distribution channels, types of accounts offered, and so on. Further, an investment adviser working with private funds should consider, among other aspects, the fund's minimum subscription amounts and restrictions on investors, redemptions, or withdrawals.
After assessing its specific risks, an investment adviser should work with its designated AML/CFT compliance officer to develop internal policies, procedures, and controls based on the risks identified.
Designate an AML/CFT Compliance Officer
RIAs and ERAs must designate a "sufficiently qualified" person or persons to implement and monitor the internal policies, procedures, and controls of their AML/CFT compliance programs. Among other criteria, a sufficiently qualified AML/CFT compliance officer must understand the adviser's specific risks and have sufficient knowledge, expertise, and experience to adequately perform their duties.
Implement Ongoing Employee Training Programs
An investment adviser's personnel must be trained in general AML/CFT requirements as well as those applicable to their specific roles. Personnel must also be able to identify signs of money laundering, terrorist financing, and other illicit financial activity. An investment adviser may utilize both outside and/or in-house methods to conduct its training. To determine the scope and frequency of its training programs, an investment adviser must analyze the extent to which an employee's role exposes them to AML/CFT requirements or possible illicit activity. In other words, training programs must be tailored to meet role-specific risks.
Utilize Independent Auditors
Under the final rule, investment advisers must conduct independent tests and audits utilizing a qualified external party or trained internal personnel, subject to certain restrictions. Specifically, trained internal personnel acting as auditors must not be involved in the operation or oversight of the AML/CFT compliance program. FinCEN makes clear that any individual, including the AML/CFT compliance officer, involved in creating and implementing the compliance program may not participate in the independent testing.
We expect that most investment advisers will engage outside consultants or lawyers to review their compliance programs — both to ensure independence and to benefit from the recommendations of outside professionals.
Key Takeaways
Investment advisers have until January 1, 2026, to comply with the final rule and must:
- Implement a risk-based and reasonably designed AML/CFT compliance program.
- File suspicious activity reports and currency transaction reports.
- Comply with recordkeeping and travel rules.
- Respond to law enforcement requests made under Section 314(a) of the PATRIOT Act.
- Conduct special due diligence for correspondent and private banking accounts.
Attorneys at ArentFox Schiff are available to help advisers understand the implications of the final rule and to review, design, and implement effective AML/CFT compliance programs.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.