FinCEN Finalizes Anti-Money Laundering Program Rule for Investment Advisers

On August 28, the Financial Crimes Enforcement Network (“FinCEN”), within the U.S. Treasury Department, issued a final rule, Anti-Money Laundering/Countering the Financing of Terrorism Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers (“Final Rule”),¹ which extends certain anti-money laundering (“AML”) compliance obligations to:

• investment advisers registered with the Securities and Exchange Commission (“SEC”; such advisers, “RIAs”); and
• investment advisers that report to the SEC as exempt reporting advisers (“ERAs”).

The Final Rule, which has a compliance date of January 1, 2026, requires RIAs and ERAs to, inter alia, (1) adopt AML compliance programs; and (2) monitor for and report suspicious activity to FinCEN. FinCEN is delegating its examination authority to the SEC consistent with FinCEN’s existing delegation to the SEC of the authority to examine broker-dealers and mutual funds for compliance with AML requirements.

The Final Rule follows a Notice of Proposed Rulemaking (“Proposed Rule”), which was issued on February 13 and summarized in our prior alert.

Background

The Bank Secrecy Act (“BSA”), as amended by the USA PATRIOT Act, requires “financial institutions” to establish and maintain AML compliance programs meeting certain minimum requirements. The definition of financial institution encompasses several categories of financial businesses, including banks, broker-dealers, and mutual funds. However, the definition historically has not encompassed RIAs or ERAs; as a result, RIAs and ERAs generally have not been subject to comprehensive AML regulations or examined for AML compliance. The Final Rule expands the definition of financial institution to include “investment advisers” (i.e., RIAs and ERAs, subject to limited exceptions) and thereby extends the BSA’s affirmative AML program requirements to these categories of investment advisers.

Changes from Proposed Rule

The requirements of the Final Rule largely track those of the Proposed Rule, except for minor clarifications regarding the Final Rule’s applicability.²

First, the Final Rule narrows the definition of “investment adviser” to exclude RIAs that (1) register with the SEC solely because they are (a) mid-sized advisers, (b) multi-state advisers, or (c) pension consultants; or (2) are not required to report any assets under management to the SEC on Form ADV.

Second, the Final Rule clarifies that its application to foreign-located investment advisers is limited to advisory activities that (1) take place within the United States, including through the involvement of U.S. personnel; or (2) involve the provision of advisory services to a U.S. person or a foreign-located private fund with an investor that is a U.S. person.

Key Considerations for RIAs and ERAs

Compliance Program

The Final Rule requires that RIAs and ERAs establish and operationalize a written AML compliance program by January 1, 2026. The AML program must include the following minimum elements:

• internal policies, procedures, and controls reasonably designed to prevent the RIA or ERA from being used for money laundering, terrorist financing, or other illicit finance activities;
• designation of one or more AML compliance officers;
• provision of ongoing AML training for appropriate personnel;
• independent testing of the program’s effectiveness; and
• risk-based procedures for conducting ongoing customer due diligence to (1) understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and (2) identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.

While many RIAs and ERAs have voluntarily adopted AML programs that include some of the above elements, the Final Rule’s suspicious activity reporting and independent testing requirements, in particular, will be new terrain for many investment advisers. As discussed in the sections that follow, it will not be feasible to implement these requirements through adoption of a template policy (but, rather, will require advance planning and commitment of resources). In this regard, the preamble to the Final Rule states, “[b]ecause investment advisers operate through a variety of different business models, one generic AML/CFT program for this industry is not possible; rather, each investment adviser must develop a program based upon its own business structure.”

Suspicious Activity Reporting

Many RIAs and ERAs train their personnel to be vigilant for suspicious activity on the part of current and prospective investors and to report such activity to a compliance officer or supervisor. However, RIAs and ERAs have not been required to report suspicious activity to FinCEN, and advisers that report such activity voluntarily have not had the protection from liability (safe harbor) that applies to financial institutions when filing suspicious activity reports (“SARs”).

The Final Rule introduces a requirement for RIAs and ERAs to file SARs in respect of transactions “conducted or attempted by, at, or through” the RIA or ERA if:

• the transaction involves or aggregates funds or other assets of at least $5,000; and
• the RIA or ERA knows, suspects, or has reason to suspect that the transaction (or a related pattern of transactions):
  • involves funds derived from illegal activity or is intended or conducted to hide or disguise funds or assets derived from illegal activity;
  • is designed to evade BSA reporting requirements;
  • has no business or apparent lawful purpose or is not the sort in which the customer would normally be expected to engage, and the investment adviser knows of no reasonable explanation for the transaction after examining the available facts; or
  • involves use of the RIA or ERA to facilitate criminal activity.

FinCEN interprets the phrase “conducted or attempted by, at, or through” to encompass advisory services that RIAs and ERAs provide on behalf of clients, such as when (1) a customer provides instructions for the investment adviser to pass on to the custodian (e.g., instructions to withdraw assets, liquidate particular securities, or a suggestion to purchase particular securities for the customer’s account); or (2) an investment adviser instructs a custodian to execute transactions on behalf of a customer.

FinCEN has excluded non-advisory services—such as managerial or operational decisions about portfolio companies—from the scope of transactions “conducted or attempted by, at, or through” an investment adviser. However, this distinction with respect to portfolio companies may become blurred in practice, leading investment advisers to resort to “defensive filing” practices that FinCEN has criticized on the part of other financial institutions. For example, the preamble to the Final Rule suggests that information that an investment adviser obtains through diligence in connection with an investment in a portfolio company could be reportable. FinCEN also provided examples of when an adviser may be required to file a SAR on a portfolio company, including when the adviser (1) is approached by a limited partner about unusual access to technology developed by a portfolio company; (2) becomes aware that a limited partner has reached out to a portfolio company for such information; or (3) is asked to obscure participation by an investor in a particular transaction to avoid notification to government authorities.

Although the obligation to file SARs does not take effect until January 1, 2026, FinCEN observes that “some SAR filings triggered by activity after the compliance date may implicate transactions that occur on behalf of a customer prior to the compliance date,” underscoring that effective implementation of the suspicious activity reporting requirement may have the practical effect of advancing the Final Rule’s implementation date. 

Independent Testing

The Final Rule requires RIAs and ERAs to provide for independent testing of their AML program by the adviser’s personnel or a qualified outside party. For advisers that seek to perform such testing internally (versus incur the cost associated with an outside provider), the internal personnel tasked with performing the testing must be independent from the AML program—i.e., neither involved in, nor reporting to a person involved in, implementing the AML program. For many investment advisers, the requirement for independent testing, as a practical matter, may necessitate the use of external resources. Acknowledging this “potential burden,” in the preamble to the Final Rule, FinCEN proposes a communal approach: “Investment advisers with less complex operations, and lower money laundering … risk profiles may consider utilizing a shared resource as part of a collaborative arrangement with similarly less complex and lower risk profile advisers to conduct testing.”

Know-Your-Customer (“KYC”) Requirements

The Final Rule does not require RIAs and ERAs to establish customer identification programs (“CIPs”) that include risk-based procedures for identifying and verifying the identities of customers. These requirements are being addressed through separate rulemaking issued jointly by FinCEN and the SEC. A Notice of Proposed Rulemaking (“CIP Proposed Rule”) was issued on May 13 and is summarized in our prior alert.³

Similarly, the Final Rule does not require RIAs or ERAs to identify and verify the beneficial ownership of legal entity customers. FinCEN plans to address these requirements through a forthcoming revision to the Customer Due Diligence (“CDD”) Rule.

Importantly, however, this does not mean that RIAs and ERAs are absolved (at least temporarily) of all customer due diligence obligations. As discussed above, the Final Rule requires RIAs and ERAs to implement risk-based procedures for conducting ongoing customer due diligence, including “to develop [a] baseline against which customer activity [can be] assessed for suspicious activity reporting.”

Delegation

The Final Rule permits RIAs and ERAs to contractually delegate the implementation and operation of some or all aspects of their AML programs to a third party, such as a fund administrator. Importantly, however, if an investment adviser elects to delegate any aspects of its AML program to a third party, the adviser remains fully responsible and legally liable for the program’s compliance with the Final Rule’s requirements. In addition, the adviser must (1) ensure that FinCEN and the SEC are able to obtain information and records relating to the AML program; and (2) identify and document procedures to address its risk profile.

An RIA or ERA that delegates any aspect of its AML program to a third party must undertake reasonable steps to ensure that the third-party delegate conducts such procedures effectively. While the Final Rule does not prescribe minimum requirements for conducting such oversight, the preamble clarifies that obtaining a certification from the third-party delegate, without more, is insufficient. Examples of appropriate oversight measures may include pre-engagement due diligence, a written agreement with representations and covenants (including requirements to adhere to reasonably designed policies and update the RIA or ERA if there are deficiencies identified in the third-party delegate’s audit), and/or periodically monitoring the third-party delegate’s compliance.

Of note, the Final Rule’s delegation requirements are distinct from the reliance requirements described in the CIP Proposed Rule. The CIP Proposed Rule would permit RIAs and ERAs to rely only on another financial institution to perform CIP procedures. By contrast, the Final Rule does not require third-party delegates to be financial institutions and would permit delegation to non-U.S. administrators.

Conclusion

For many RIAs and ERAs, including those with existing AML programs, implementation of the Final Rule’s requirements will require significant attention and planning. We therefore encourage covered investment advisers to begin their implementation efforts early and to continue to monitor for further developments, including anticipated publication of a final CIP program rule.

Compliance with the Final Rule will be complex and require individual consideration. If you have any questions, please consult your Ropes & Gray adviser.