What To Know About FinCEN's Investment Adviser AML Program Final Rule

After two decades and three proposed rulemakings on whether investment advisers should have anti-money laundering (AML) and countering the financing of terrorism (CFT) program requirements and attempting to identify the proper regulator for such requirements, on August 28, 2024, the Financial Crimes Enforcement Network (FinCEN) finalized a rule (Final Rule) under the Bank Secrecy Act (BSA) that would require certain Registered Investment Advisers (RIAs) and Exempt Reporting Advisers (ERAs) to create and implement AML/CFT programs, submit Suspicious Activity Reports (SARs) to FinCEN, and comply with other related reporting and information-sharing requirements.

The Final Rule is an attempt by FinCEN to strengthen and protect the U.S. financial system and to bring the U.S. in line with international counterparts by addressing deficiencies identified by the Financial Action Task Force in its 2016 Mutual Evaluation of the United States. The Final Rule is also a response to FinCEN's February 2024 Risk Assessment that highlighted illicit finance activity associated with investment advisers.

The rulemaking is significant because it represents the conclusion of a years-long effort by FinCEN to impose AML/CFT program requirements on investment advisers. While many RIAs and ERAs have already adopted AML/CFT programs as best practices prior to the adoption of the Final Rule, the Final Rule will bring new supervisory and potential enforcement attention and consequentially require the direction of additional time and resources.

The Final Rule adopts most of the requirements in the notice of proposed rulemaking (Proposed Rule), with some important changes that we discuss below, as well as some of the questions and issues that investment advisers must consider and address—for the first time for many—before the January 1, 2026, compliance deadline.

FinCEN Narrows the Scope of Covered Investment Advisers but Leaves the Door Open to Future Expansion

In response to comments to the Proposed Rule, FinCEN narrowed the scope of investment advisers covered by the rule. The Final Rule adds "financial adviser" to the definition of "financial institution" subject to FinCEN's AML/CFT program, reporting, and recordkeeping requirements, and generally defines "financial adviser" to include RIAs and ERAs. However, the Final Rule narrows the definition of "investment adviser" to exclude RIAs that register with the U.S. Securities and Exchange Commission (SEC) only because they are (1) mid-sized advisers, (2) multi-state advisers, or (3) pension consultants, as well as (4) RIAs that do not report any assets under management on Form ADV, but only to the extent that the RIA is registered with the SEC on one or more of these bases and has no other basis for registration. Should the registration status of an RIA change such that it would no longer be exempted, the adviser has until the next annual updating amendment to Form ADV to come into compliance with the requirements in the Final Rule. In narrowing coverage, FinCEN acknowledged that these investment advisers are less vulnerable to misuse for illicit finance and unlikely to generate relevant information that could assist government authorities in combating illicit finance.

The Final Rule also keeps an exemption from the Proposed Rule for state-registered investment advisers, foreign private advisers, and family offices. However, FinCEN noted that these entities may be misused for illicit finance and said that it will continue to monitor activity involving these advisers for "indicia of money laundering, terrorist financing, or other illicit finance activities" and "may consider regulatory measures if appropriate."

One Size Does Not Fit All

The Final Rule requires covered investment advisers to design and implement a written AML/CFT program that is risk-based and reasonably designed to prevent the investment adviser from being used for illicit finance activities. In establishing a set of minimum requirements, FinCEN emphasized that one generic AML/CFT program for the investment adviser industry is not possible. Each investment adviser must "identify its exposure to money laundering, terrorist financing, and other illicit finance activity risks; understand the BSA requirements applicable to it; identify the risk factors relating to these requirements; design the internal policies, procedures, and controls that will be required to reasonably assure compliance with these requirements; and periodically assess the effectiveness of the procedures and controls."

The AML/CFT program must address all advisory activities of the covered investment adviser, but it is not required to include activities with mutual funds, collective investment funds, and other investment advisers that are also subject to the Final Rule. However, FinCEN notes that this is a permissive exclusion, and an investment adviser may decide to include mutual funds it advises in complying with the Final Rule.

Where a covered investment adviser is dually registered as a broker-dealer or bank, it is not required to establish a separate AML/CFT program so long as a comprehensive plan covers the entities' businesses and activities subject to BSA requirements and identifies and mitigates the risks arising across the organization as they relate to customers served by both regulated entities. Recent SEC enforcement actions for AML violations in particular highlight shortcomings in having a global AML/CFT program that fails to capture the individual compliance requirements for each of the covered businesses.

With flexibility consistent with a risk-based approach, covered investment advisers will need to consider how best to structure their AML/CFT program, including what types of advisory services to include, where to place the program within the organization, and which functions to keep in-house versus outsourcing to a third-party provider. However, while the Final Rule removes the requirement to onshore the investment adviser's AML compliance function, this requirement will most likely be adopted for all BSA-regulated financial institutions (including IAs, broker-dealers and mutual funds) when FinCEN's proposed AML program rule is finalized. In implementing their AML programs, covered investment advisers should bear in mind that key compliance functions and personnel will need to be located in the United States.

Appropriate Oversight of Third-Party Providers

The Final Rule permits covered investment advisers to delegate the implementation and obligations of some or all aspects of its AML/CFT program by contract to a third-party provider, including a fund administrator. However, FinCEN makes clear that investment advisers remain fully responsible and liable for and will be required to demonstrate to examiners the program's compliance with the requirements of the Final Rule. Covered investment advisers are required to assess whether the service provider would carry out its AML/CFT program effectively and conduct appropriate oversight of the provider's operations in line with the adviser's overall risk profile and the type of responsibilities delegated to the provider. Covered advisers should review and, if necessary, renegotiate contracts with third-party providers to whom they need to delegate or with whom they share compliance obligations. RIAs will also need to consider how oversight of outsourced AML/CFT compliance responsibilities interact with potential requirements under the SEC's proposed Outsourcing Rule.

What About CIP and BOI?

As part of its AML/CFT program, the Final Rule requires that covered investment advisers have appropriate risk-based procedures for conducting ongoing customer due diligence (CDD) that includes: (i) understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile, and (ii) conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. The Final Rule does not require covered investment advisers to apply customer identification program (CIP) requirements to identify and verify the identity of customers or categorically collect beneficial ownership information (BOI) for legal entity customers. Instead, FinCEN noted that CIP requirements for investment advisers is the subject of a forthcoming joint final rulemaking by FinCEN and the SEC. Given FinCEN's packed regulatory agenda, it is likely that any BOI collection and verification requirement for investment advisers will be adopted as part of the beneficial ownership rule revisions mandated by the AMLA and expected to be proposed by FinCEN in October.

Although CIP is not the subject of the Final Rule, covered investment advisers may be wise to start considering the impacts of the proposed CIP requirements as it implements the CDD requirements in the Final Rule. FinCEN provided that it intends for the CIP final rule to have the same compliance date as the Final Rule. Additionally, all BSA-regulated financial institutions, including broker-dealers and mutual funds, should consider the newly added requirements: (1) for an investment adviser's risk assessment to consider sanctions lists and foreign state-sponsored investment activity in critical or emerging technologies, and (2) to collect and verify the date of formation for legal entity customers. These requirements, while currently not in the BSA regulations, are very likely to be incorporated into the future AML program rule.

Delegation of Examination Authority to SEC

Under the Final Rule, FinCEN delegates examination authority to the SEC to ensure investment advisers' compliance with the rule. The Final Rule acknowledges that the SEC already has a well-established regulatory and examination apparatus with respect to investment advisers. While FinCEN notes that the SEC does not have an AML/CFT examination manual for investment advisers, FinCEN directs covered investment advisers to look to the SEC's relevant resources on AML/CFT for both broker-dealers and mutual funds. Covered investment advisers may also wish to look at recent SEC enforcement actions against broker-dealers and mutual funds for AML violations for further guidance. Indeed, covered investment advisers can expect the SEC to take a similar approach in examinations and enforcement actions as it has with broker-dealers and mutual funds. The SEC has made compliance with AML obligations an examination priority in recent years, so covered investment advisers should likewise expect future examinations to focus on their AML/CFT programs and their filing of SARs.

+++

For more information about how the new AML requirements for covered investment advisers may impact your business, please contact any of the authors of this blog post or your usual Davis Wright Tremaine contact. The firm's securities regulatory team would be pleased to assist with any questions about the new AML requirements or securities regulation more broadly.