On 28 August, the U.S. took a small step towards closer alignment with the anti-money laundering (AML) regimes of the UK and the EU when the Financial Crimes Enforcement Network (FinCEN) issued a new rule (Final Rule), which effectively extends certain AML compliance obligations to:
- Registered investment advisers (RIAs) (including 'foreign-located investment advisers') registered with the Securities and Exchange Commission (SEC); and
- Investment advisers that report to the SEC as exempt reporting advisers (ERAs).
We have covered the details of the Final Rule in an earlier Alert, but, in a nutshell:
- The U.S. Bank Secrecy Act (BSA), the principal federal statute governing AML requirements for financial institutions in the U.S., requires firms falling within the definition of "financial institution" to establish and maintain AML compliance programs with several minimum/mandatory features (the 'BSA AML Obligations'). The Final Rule amended the BSA by expanding the definition of "financial institution" to include RIAs and ERAs (subject to limited exceptions), which will now be subject to the BSA AML Obligations from 1 January 2026.
- The UK's Money Laundering Regulations 2017 (as amended, the 'MLRs') and the EU's money laundering legislation (comprising regulations and directives) similarly apply to "financial institutions" (in addition to other categories of firms), but the UK and EU definitions of that term have always been decidedly different to that of the U.S. Notably, the UK and EU definitions have long included investment advisers, whereas – until the Final Rule – the BSA did not.
How do the U.S. BSA AML Obligations compare with those of the UK and EU regimes?
Although the BSA AML Obligations include general features and elements that are broadly similar to several of those in the UK and EU regimes, there are some key areas of divergence, and RIAs/ERAs with multinational operations will need to navigate these cautiously. By way of example:
| Similar features | Key areas of distinction |
| --- | --- |
| Internal policies, procedures, and controls designed to prevent the firm from being used for money laundering, terrorist financing, or other illicit finance activities. | CDD: The UK MLRs largely mirror the EU AML requirements for CDD, and effectively create a three-tiered approach to CDD (i.e. simplified, standard, and enhanced CDD). The level of CDD required (and thus the nature and extent of the information required) is determined by reference to risk factors set out in the legislation. The BSA has a more limited approach to CDD. For example, the BSA/Final Rule does not require RIAs/ERAs to: In general terms, the BSA requires RIAs/ERAs to gather sufficient information on customers and transactions to apply a risk profile that can function as a baseline against which to make SAR-related decisions. |
| Designation of one or more AML compliance officers. | |
| Independent testing/auditing of the AML program's effectiveness (internally or by a qualified external adviser). | |
| Ongoing AML training for relevant personnel. | |
| Risk-based procedures for customer due diligence (CDD). | |
| Reporting requirements | Reporting: The BSA requires suspicious activity reports (SARs) for certain specific types of transactions "conducted or attempted by, at, or through" the RIA/ERA, and excludes non-advisory services provided to clients. This makes the reporting requirement much narrower than those of the UK and EU AML regimes, which require SARs when a firm knows, suspects, or has reasonable grounds to suspect that a transaction may be linked to money laundering/terrorist financing. |
| Record-keeping requirements | Data privacy: In the EU, data privacy is a fundamental right, and the collection, processing, and transfer of personal data is protected and regulated by the strict requirements of the EU's General Data Protection Regulation (EU GDPR). The UK incorporated the EU GDPR into domestic law (known as the 'UK GDPR') ahead of Brexit. The U.S. has no federal equivalent to the EU/UK GDPR and a variety of sectoral and state privacy laws apply instead. Compliance with applicable data privacy/data protection regulation is a critical and typically complicated aspect of any AML compliance program. |
Key takeaways
Compliance deadline: 1 January 2026
What you should consider:
- For RIAs/ERAs with no existing AML program:
  - Develop and implement an AML program to meet the BSA AML Obligations; and
  - Ensure that such an AML program is specifically tailored to the AML risks identified in its business and operations.
- For RIAs/ERAs with existing, voluntarily established AML programs:
  - Review and update the AML program, to ensure that it meets the strict requirements of the BSA AML Obligations.
- For RIAs/ERAs operating in multiple jurisdictions, who already have group-wide AML compliance programs in place to meet demands outside of the U.S.:
  - Ensure that any changes made for the purposes of complying with the BSA AML Obligations will not cut across or cause non-compliance with any aspects of the other AML regimes to which they are subject. This will require complex analysis of the nuances and differences in the detailed requirements in each jurisdiction.
The Final Rule will necessitate change and require careful consideration and planning. RIAs/ERAs have been given a long lead time for this purpose. While the changes may be somewhat easier to implement for global RIAs/ERAs who already have UK or EU AML policies in place, it is advisable to use the time wisely. Prudent RIAs/ERAs will want to take stock of what the Final Rule means, its impact in the very specific context of their businesses and any existing AML program, and work through how any planned changes may play out in the years to come, rather than rushing to make quick changes that may be costly to adjust or countermand later.