AML Compliance Ahead: Navigating the Upcoming FinCEN Requirements

By Cynthia Kelly

On August 28, 2024, the Financial Crimes Enforcement Network (FinCEN), part of the U.S. Department of the Treasury, issued its final rule titled Anti-Money Laundering/Countering the Financing of Terrorism Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers (Final Rule). This rule significantly expands the scope of anti-money laundering (AML) requirements by including most SEC-registered investment advisers (RIAs) and all Exempt Reporting Advisers (ERAs) (jointly referred to as “advisers”) in the broader regulatory framework that was previously limited to more traditional financial institutions like banks, mutual funds, and broker-dealers.

The Final Rule will come into effect on January 1, 2026, and mandates that advisers subject to the rule (“covered advisers”) establish a risk-based comprehensive AML compliance program, conduct customer due diligence, and adhere to independent testing and reporting requirements, such as filing Suspicious Activity Reports (SARs) with FinCEN. These are just some of the adopted changes that are part of an ongoing effort to strengthen the financial system against money laundering, terrorist financing, and other illicit financial activities.

The Broader Context: Expansion of AML Obligations

The core legislation guiding these regulations is the Bank Secrecy Act (BSA), which, as amended by the USA PATRIOT Act, requires “financial institutions” to establish AML programs that meet certain standards. Historically, investment advisers were excluded from the BSA’s definition of “financial institutions,” meaning that RIAs and ERAs were not subject to the same AML rules as other financial entities.

However, the Final Rule modifies this exclusion, bringing investment advisers under the BSA’s regulatory umbrella. This expansion is meant to close a gap in the AML framework and ensure that the U.S. financial system is protected from abuse by bad actors, including money launderers and those attempting to finance terrorism. As a result, covered advisers will now be subject to the same AML obligations as banks and other financial institutions, with certain modifications.

Key Changes from the Proposed Rule

While the Final Rule largely mirrors the proposed rule issued in December 2020, a few important clarifications have been made in response to public comments and feedback:

Definition of “Investment Adviser”/Certain Excluded Advisers. The Final Rule specifically excludes certain RIAs from AML obligations. These include: firms that qualify for SEC registration because they are a mid-sized advisory firm, a multi-state adviser, or a pension consultant; those with $0 reportable assets under management; state-registered investment advisers; foreign private advisers; and family offices.

Certain Excluded Clients. Investment advisers that are subject to the Final Rule may exclude from the rule’s requirements the following types of clients: mutual funds; bank- and trust company-sponsored collective investment funds; and any other investment adviser subject to the rule.

Application to Foreign-Located Advisers. Foreign-located RIAs and ERAs will only be required to apply the requirements of the rule to their U.S.-based advisory activities, advisory activities provided to U.S.-based persons, and advisory activities provided to a foreign-located private fund that has U.S.-based investors.

FinCEN explained that these changes and the exclusions detailed above are designed to tailor the application of the Final Rule to the diverse range of activities and structures within the investment adviser community.

Primary Focus Areas for RIAs and ERAs

While the January 1, 2026, deadline may imply that time is on your side, firms should take a pragmatic approach and be realistic about the timeframe that will be necessary to design, adopt, implement, and test a fully compliant AML/Countering the Financing of Terrorism (CFT) program based on their own risks and business model. RIAs and ERAs must ensure they understand and can implement key elements of the Final Rule, particularly in the following areas:

1. AML Compliance Program

The cornerstone of the Final Rule is the requirement that covered advisers develop and adopt a written AML compliance program that is risk-based and reasonably designed. Advisers are cautioned not to take a one-size-fits-all approach to adopting an AML program. Advisers should focus on identifying where the risk of money laundering is highest based on their own operations and business model. This can only be determined through a thorough risk assessment, which helps identify potential weaknesses in customer due diligence, transaction monitoring, and other aspects of the firm’s operations that could be exploited for money laundering activities. Factors that should be considered could include: customer base; the types of services provided; and geography, such as reviewing for non-Financial Action Task Force (FATF) countries. By understanding their specific risks, advisers can design an AML program that is tailored to their unique business practices and customer base.

Specifically, the program must include:

Designated AML Compliance Officer(s): An adviser subject to the Final Rule must designate one or more persons or a committee to be responsible for implementing and monitoring its AML/CFT program. The person(s) designated with this responsibility must be an employee or officer of the covered adviser or its affiliate; an outsourced AML/CFT officer is not permitted. Advisers should consider whether the individual designated by the firm to serve in this role will need additional training and/or resources. An RIA is permitted, but not required, to designate its AML/CFT officer as the same individual who it has designated as its chief compliance officer.

Written Internal Policies and Controls: These policies must be reasonably designed to prevent the investment adviser from being used for money laundering and financial crimes. Internal controls should also outline the procedures for monitoring and reporting suspicious activities in compliance with the applicable provisions of the BSA.

Customer Due Diligence (CDD): The program must include risk-based procedures for assessing customers, understanding their risk profiles, and monitoring their activity. CDD will be an ongoing process designed to detect suspicious activity at an early stage. It should be noted that the Final Rule does not impose specific Customer Identification Program (CIP) requirements. The SEC and FinCEN have jointly proposed a CIP rule § 1032.220(a)(6), which has yet to be adopted. The Final Rule also does not require beneficial ownership verification for legal entity clients, but this requirement is expected to be integrated into a forthcoming revision to the CDD Rule.

Ongoing Training: The scope, frequency, and content of the adviser’s AML/CFT training program should align with employees’ responsibilities and their exposure to AML/CFT requirements or risks. The program should provide general awareness of AML/CFT risks and requirements, along with specific guidance tailored to employees’ roles. Taking into consideration specific job functions when developing the firm’s training program will empower employees to identify potential signs of money laundering, terrorist financing, or other illicit activities. Training can be delivered through in-house or external seminars, as well as virtual or computer-based methods. Employees involved with AML/CFT matters must be trained upon assuming their duties and should receive periodic updates and refreshers to stay informed about the program and evolving risks.

Independent Testing: To ensure that the AML program is effective, the firm must arrange for independent testing. This testing can either be done internally by personnel not directly involved in the day-to-day operations of the AML program or through external vendors. The Final Rule outlines the importance of testing to identify vulnerabilities in the program and implement corrective actions.

Many advisers likely already have certain protocols in place that they can build upon while conducting a gap analysis. These may exist in the adviser’s current onboarding processes, existing customer identification practices, and Reg S-ID red flags program. Reviewing existing processes against the new AML requirements will help identify areas where processes need to be enhanced, or new ones implemented. Advisers can then formalize and refine these processes to comply with the specific requirements outlined in the Final Rule.

2. Suspicious Activity Reporting

One of the major compliance responsibilities introduced by the Final Rule is the requirement for covered advisers to file Suspicious Activity Reports (SARs) with FinCEN. SARs must be filed when a transaction meets the following criteria: it involves or aggregates assets of $5,000 or more, and it indicates that the transaction (i) involves illegal funds or is structured to conceal such funds; (ii) evades BSA reporting requirements; (iii) has no legitimate purpose or deviates from the typical behavior of a client, without a reasonable explanation; or (iv) facilitates criminal activity.

This new requirement for covered advisers mandates that they establish SAR programs as part of their AML/CFT compliance. Advisers must file SARs for transactions conducted “by, at, or through” them when they know, suspect, or have reason to suspect a possible violation of law. FinCEN clarified that advisers are not required to retroactively review pre-compliance date transactions but must include pre-compliance date information if relevant to SAR filings. Examples of reportable suspicious activities include unusual fund transfers, fraudulent transactions, and potential violations of sanctions or export controls.

The rule specifies that SAR obligations align with existing requirements for financial institutions like broker-dealers and mutual funds and are tailored to investment advisers’ advisory roles. It also permits joint SAR filings when multiple institutions are involved in the same transaction. Confidentiality requirements prevent disclosure of SARs except as authorized, and SAR-related information can only be shared within an adviser’s organization or with relevant authorities under specific conditions. The rule emphasizes that SAR filing responsibilities do not extend to non-advisory activities or portfolio companies but apply to transactions within the adviser’s scope of AML/CFT programs. Additionally, advisers are protected from liability for good-faith SAR filings under the safe harbor provisions. For example, if an adviser submits a SAR report and it is determined nothing nefarious was going on, the adviser would not be retaliated against under the safe harbor provisions.

3. Independent Testing

The Final Rule mandates that advisers ensure independent testing of their AML program’s effectiveness. Testing should be performed by personnel or qualified external parties who are not involved in the day-to-day operations of the AML program. While FinCEN acknowledges the potential burden for small advisers, it rejected a request to allow personnel involved in the AML/CFT program to conduct the testing, as this would compromise its purpose. Advisers with simpler operations and lower risk profiles may collaborate with similar firms to share resources for independent testing, provided independence is maintained.

4. Delegation of AML Responsibilities

Covered advisers are allowed to delegate the implementation and operation of certain AML/CFT program responsibilities to third-party service providers, including foreign-located fund administrators. However, advisers remain fully responsible and legally liable for compliance with AML/CFT requirements. Any delegation of AML/CFT responsibilities must be governed by contractual agreement. Fleshing out the third-party’s obligations will take time, and it is unclear whether third parties, such as custodians, brokers, and administrators, will be willing to sign a reliance agreement.

Advisers that elect to delegate certain AML/CFT program responsibilities must conduct due diligence and periodic oversight of service providers to ensure effective implementation. FinCEN clarified that foreign-located service providers are permissible as long as oversight follows a risk-based approach and ensures access to program-related records for FinCEN and the SEC. Delegation does not absolve advisers of responsibility for overall compliance, and conditions governing delegation permissions can pose significant challenges, including reluctance from third parties to contractually agree to assume responsibility.

5. Investment in Technology and Systems

To support effective AML compliance, advisers may consider investing in technology that can streamline and automate key compliance functions. Some tools that may be beneficial include:

AML Software: Automated systems can help with client onboarding, background checks, and ongoing transaction monitoring. These systems can also identify suspicious transactions in real time and alert compliance officers, making the SAR filing process more efficient and accurate.

Transaction Monitoring Tools: These tools are critical for tracking large or irregular transactions that could indicate money laundering or other illicit activities.

While technology can make AML compliance processes more efficient, it isn’t necessary. As noted earlier, advisers can leverage existing processes like customer onboarding procedures, client risk assessments, identity verification processes, customer due diligence, risk profiling, transaction screening, and any AML training provided to employees to identify red flags such as reluctance to provide information and frequent transactions in and out of accounts.

Final Thoughts: Staying Ahead of the Curve

The Final Rule marks a significant shift in the regulatory landscape for RIAs and ERAs. These firms must take proactive measures to design and implement comprehensive AML compliance programs before the January 1, 2026, deadline. By establishing robust internal controls, enhancing due diligence processes, training staff, and leveraging advanced technology to monitor and report suspicious activities, advisers can meet these new regulatory demands effectively.

Cynthia Kelly
Senior Compliance Consultant
STP Investment Services

STP helps financial firms navigate complex investment and regulatory landscapes with integrated services in operations, fund administration, and compliance. Powered by expert professionals, contextual service, and the BluePrint platform, STP combines strategic, middle-to-back office services with compliance consulting, enabling firms to focus on growth and client service through innovative technology and skilled experts.
