On August 28, 2024, the Financial Crimes Enforcement Network (FinCEN)  adopted a final rule that extends anti-money laundering (AML) and countering the financing of terrorism (CFT) compliance obligations to certain types of investment advisers (the Final Rule), and delegates to the U.S. Securities and Exchange Commission (SEC) the authority to examine investment advisers’ compliance with these obligations.[1] The Final Rule ends a long-running debate over whether to subject investment advisers to AML/CFT obligations after multiple prior proposals to do so had stalled. 

The Final Rule imports standards and requirements that will be familiar to investment advisers affiliated with financial institutions already subject to AML/CFT obligations, but may be new to  smaller and independent investment advisers.  For these entities, the compliance uplift required could be substantial.

The Final Rule is substantially similar to FinCEN’s initial proposal (the Proposed Rule) released in February (which we discuss here).  However, some modifications are noteworthy,  including that the Final Rule clarified the scope of investment advisers subject to its requirements and did not adopt a proposal that investment advisers’ AML/CFT program must be performed by persons in the U.S.  Absent further developments, the compliance date for the Final Rule is January 1, 2026.

The Final Rule is separate from two other pending proposals that could affect investment advisers’ AML/CFT requirements—a joint rule proposed by FinCEN and the SEC that would require investment advisers to implement a customer identification program (CIP) (which we discuss here) and a comprehensive proposal by FinCEN to update the AML/CFT program requirement generally (which we discuss here).  Although changes could result from these proposals, investment advisers would do well to begin assessing their readiness to comply with the Final Rule sooner than later, especially those that are not affiliated with financial institutions already subject to comprehensive  AML/CFT compliance requirements.

Below, we summarize the new requirements for investment advisers under the Final Rule and what advisers should expect as FinCEN and the SEC move forward with implementation and finalize other proposals:

Overview of the Final Rule

Who is covered?

The Final Rule applies to most registered investment advisers (RIAs) and exempt reporting advisers (ERAs)—but not foreign private advisers, state-registered investment advisers, and family offices—by including these advisers in the definition of “financial institution” under the Bank Secrecy Act (BSA).  This scope is generally consistent with the Proposed Rule, but reflects key narrowing in a few important areas: unlike the Proposed Rule, the Final Rule does not apply to mid-sized RIAs (such as advisers with $25 to $100 million in assets under management (AUM) that have their principal place of business in New York), and to RIAs whose registrations are based on particular specified provisions or that do not report any AUM.[2]

The Final Rule clarifies the extent to which it applies to RIAs or ERAs whose principal office and place of business—i.e. the offices from which their officers, partners, or managers direct, control, and coordinate their advisory activities—are located outside of the United States (foreign-located advisers).  Specifically, the Final Rule applies to a foreign-located adviser if that adviser has a nexus to the U.S., meaning that:

• its advisory activities take place within the United States, including through involvement of the investment adviser’s U.S. personnel or an agency, branch, or office within the United States, or
• it provides advisory services to a U.S. person or a foreign-located private fund with an investor that is a U.S. person.[3]

For a foreign-located adviser, the Final Rule only applies to its advisory activities that have a U.S. nexus.  A foreign-located adviser advising foreign-located private funds must determine whether each foreign-located fund has at least one investor who is a U.S. person.  If a single investor in a private fund is a U.S. person, the Final Rule’s requirements apply to the investment adviser with respect to the entirety of that private fund.  Foreign-located advisers must also follow existing SEC rules in determining whether an investor is a U.S. person, and in certain situations the adviser must “look through” holders of a fund’s shares to determine if the beneficial owner of the shares is a U.S. person.

Program Requirements

An investment adviser[4] must develop and implement a written AML/CFT program that is risk-based and reasonably designed to prevent the investment adviser from being used for money laundering, terrorist financing, or other illicit finance activities and to comply with applicable provisions of the BSA and its implementing regulations.[5]  This AML/CFT program must be approved in writing by the investment adviser’s board of directors or trustees, or, if the investment adviser does not have a such a board, the approval may be by one or more members of the investment adviser’s senior management, such as a CEO, CFO, CCO, chief operating officer, or chief legal officer.[6] 

The required AML program must include certain components, which are summarized below with a focus on key considerations for investment advisers as they assess AML/CFT-related risks and consider the design of their AML/CFT programs.  So long as these components are included, however, the Final Rule affords flexibility to investment advisers to tailor their AML/CFT programs to the specific risks presented by their services and clients or private fund investors.  Indeed, the adopting release for the Final Rule instructs that investment advisers’ AML/CFT programs are not “one-size-fits-all” and repeatedly states when discussing various Final Rule requirements that an investment adviser may focus its AML/CFT program on activities or customers that it considers higher risk while applying more limited measures to customers or activities that the investment adviser identifies as lower risk.

Additionally, the Final Rule permits an investment adviser to contractually delegate the implementation or operation of certain aspects of its AML/CFT program to third-party service providers, such as a qualified custodian or fund administrator, including foreign-located service providers.  In this regard, the Final Rule did not adopt a provision in the Proposed Rule that would have required that an investment adviser’s AML/CFT program be the responsibility of, and performed by, persons in the U.S. accessible to and subject to oversight and supervision by the Secretary of the Treasury and the SEC.[7]  However, if an investment adviser chooses to delegate any program functions to a third party—whether foreign-located or domestic—it must oversee any such delegation and remains ultimately responsible for overall compliance with all AML/CFT requirements.

Internal Policies, Procedures, and Controls: The Final Rule requires an investment adviser to establish and implement internal policies, procedures, and controls reasonably designed to prevent the investment adviser from being used for money laundering, terrorist financing, or other illicit finance activities and to achieve compliance with applicable provisions of the BSA and its implementing regulations.[8]  As noted above, investment advisers generally are expected to tailor these policies, procedures, and controls to their business.[9]  Rather than prescribing certain policies, procedures, and controls, the Final Rule identifies various factors that an investment adviser should consider when developing its AML/CFT program, including: the types, nature, and geographic locations of the advisory services it provides and of its clients and private fund investors, and its distribution channels.  Investment advisers to private funds should also consider the funds’ minimum subscription amounts, whether the funds restrict redemptions or withdrawals, and its ability or inability to obtain identifying information about private fund investors.

Designated AML/CFT Officer: An investment adviser subject to the Final Rule must designate one or more persons or a committee to be responsible for implementing and monitoring its AML/CFT program.[10]  The person(s) designated with this responsibility must be an employee or officer of the investment adviser or its affiliate; an outsourced AML/CFT officer is not permitted.  The person(s) that the investment adviser designates as AML/CFT officer must have sufficient authority, independence, and resources to fulfill the AML/CFT officer responsibilities and cannot have multiple or conflicting responsibilities that impede the officer from doing so.  An RIA is permitted—but not required—to designate as its AML/CFT officer the individual that is has designated as its chief compliance officer under the Compliance Rule. 

Independent Testing: The Final Rule requires that an investment adviser’s AML/CFT program be subject to independent testing.[11] While the requirement that testing be “independent” is well-established in the AML/CFT context, it does not have a close analogue in most other regulations that apply to investment advisers and thus will raise new considerations for many advisers that have not previously been subject to AML/CFT requirements.  Under the Final Rule (and in the AML/CFT context generally), “independence” refers to the independence of the testing from the investment adviser’s AML/CFT function, rather than from the adviser itself, meaning that testing may be conducted by an outside party that the investment adviser deems qualified or by the adviser’s own personnel or affiliates.   The key limitations on independent testing are that it may not be conducted by the investment adviser’s designated AML/CFT officer, personnel who report directly (or in some cases, indirectly) to the AML/CFT officer, or other personnel who are responsible for implementing the AML/CFT function being tested. 

Employee Training: An investment adviser must provide AML/CFT training for its appropriate personnel.[12]  The nature, scope, and frequency of the training should be based on the personnel’s responsibilities and the extent that those responsibilities may implicate the investment adviser’s AML/CFT obligations or program.  Investment advisers should retain records of the substance of this training and of personnel’s timely completion of this training. 

Ongoing Customer Diligence: An investment adviser’s AML/CFT program must implement risk-based procedures for conducting ongoing customer due diligence that include (i) understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile, and (ii) conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.[13]  The customer risk profile consists of information gathered at the onset of the advisory relationship to develop the baseline against which customer activity is assessed for suspicious activity reporting and to develop appropriate risk-based procedures for conducting ongoing customer due diligence.

Consistent with its risk-based approach, the Final Rule does not mandate specific measures that an investment adviser must take with respect to its customer due diligence or a specific form for customer risk profiles, so long as the adviser adopts an approach sufficiently detailed to distinguish between significant variations in the illicit finance risks of its customers.  Likewise, the Final Rule’s requirements to conduct ongoing monitoring and update customer information do not require an investment adviser to conduct media searches or information screening for all customers, but an adviser may need to take additional measures such as conducting targeted open-media searches regarding certain customers where its risk assessment or other developments indicate potential risks related to that customer.  With respect to private funds, the adopting release acknowledges that investment advisers may not initially collect certain information about underlying investors.  Moreover, where investors invest in a private fund through an intermediary, the investment adviser’s due diligence on the intermediary may obviate the need for it to also conduct diligence on the underlying investors, provided that the information collected by the investment adviser is sufficient to detect and report suspicious activity associated with nominee holders or intermediaries representing underlying investors and related to underlying investors. 

Special Standards for Certain types of Accounts: The Final Rule subjects investment advisers to special standards of due diligence for “correspondent accounts” maintained for foreign financial institutions and “private banking accounts,” both of which are defined terms.[14]  These requirements are substantially the same as those that have long applied to other financial institutions covered by the BSA.

Reporting and Recordkeeping Requirements

The Final Rule generally subjects investment advisers to certain BSA reporting and recordkeeping regulations that also already apply to other financial institutions, such as banks and broker-dealers, in the same fashion and subject to the same exceptions as those financial institutions.  These include:

Suspicious Activity Reports (SARs): The Final Rule requires that an investment adviser file a SAR with FinCEN if a transaction is:

• “conducted or attempted by, at, or through an investment adviser”;
• involves funds or assets of $5,000 or more; and
• the investment adviser knows, suspects, or has reason to suspect that the transaction (or a pattern of transactions):
• involves funds derived from illegal activity or is intended to hide or disguise funds or assets,
• is designed to evade other requirements of the BSA,
• has no business or apparent lawful purpose or is an atypical transaction for which the investment adviser knows of no reasonable explanation, or
• involves the use of the investment adviser to facilitate criminal activity.[15]

An investment adviser must file a SAR within 30 calendar days after it initially detects facts that may constitute a basis for filing a SAR, but its SAR-filing obligations generally do not extend to its non-investment advisory activities and do not require an investment adviser to collect information related to its non-advisory activities.[16]  For example, where an investment adviser’s personnel engage in managerial or operational activities on behalf of a portfolio company in which a private fund managed by the adviser invests, the investment adviser is not required to collect additional information from the portfolio company about its activities.  Rather, the investment adviser should be able to satisfy its SARs obligation with regard to a portfolio company through the information that is available to it in the course of directing the private fund’s investments in the portfolio company (such as its pre-investment due diligence) and the information that it gathers and possesses to fulfill its AML/CFT obligations with respect to its advisory activities.  However, if an investment adviser knows, suspects, or has reason to believe that there is suspicious activity based on information that it possesses or obtains through its investment advisory activities or through its AML/CFT program, then it would typically be required to file a SAR. 

Currency Transaction Reports (CTRs): Under the Final Rule, investment advisers will be required to file a CTR to report transactions in currency involving $10,000 or more.[17]  This CTR requirement will replace investment advisers’ existing obligation to file reports on joint FinCEN/IRS Form 8300 for the receipt of $10,000 or more in currency.

Recordkeeping and Travel Rules: Under the Recordkeeping and Travel Rules, investment advisers must create and retain records for transmittals of funds in an amount of $3,000 or more and ensure that certain information pertaining to the transmittal of funds is sent with (i.e. “travels” with) the transmittal to the next financial institution in the payment chain.[18]  To meet this obligation, investment advisers may need to obtain and retain certain information about the party transmitting or receiving the funds, including the party’s name and address.[19]  However, transmittals of funds between many financial institutions (e.g., banks, broker-dealers, futures commission merchants, and mutual funds), are excepted from the requirements of the Recordkeeping and Travel Rules under 31 CFR 1010.410(e)(6), and investment advisers will be added to the list of institutions between which transmittals of funds are excepted, and so the extent to which an investment adviser is subject to these rules will depend on the nature of the adviser’s activity and type of its clients.[20]  For example, where an investment adviser’s customer has a direct relationship with a qualified custodian that is subject to AML/CFT requirements, such as a bank or broker-dealer, and requests that such qualified custodian initiate a funds transfer or transmittal of funds, the adviser would generally not be required to comply with the requirements of the Recordkeeping and Travel Rules.  Investment advisers to private funds, on the other hand, may be more likely to be subject to the Recordkeeping and Travel Rules based on their authority over the funds and the funds’ assets. 

The Final Rule requires investment advisers to retain certain information related to their AML/CFT program for a period of five years, and requires investment advisers to make these records available to FinCEN or the SEC staff upon request.[21]  The Final Rule delegates to the SEC authority to examine investment advisers’ compliance with its obligations.  Notably, the adopting release provides examples of the types of records that investment advisers must make available to examiners upon request, including: the written AML/CFT program, SAR filings and underlying documents supporting such filings, and a foreign-located adviser’s documentation of its determination regarding applicability of the Final Rule.  Future SEC publications, such as its Exam Priorities, will likely provide additional detail regarding the SEC’s priorities and contemplated activities related to investment advisers’ AML/CFT obligations. 

Information Sharing: The Final Rule subjects investment advisers to protocols for information-sharing in response to regulatory and law enforcement authorities, in accordance with Section 314(a) of the USA PATRIOT Act, as well as to voluntary information-sharing with other financial institutions pursuant to Section 314(b) of that statute.[22]  Thus, upon a request from FinCEN, an investment adviser must expeditiously search its records for specified information to determine if it maintains or has maintained any account for, or has engaged in any transaction with, an individual, entity, or organization named in FinCEN’s request. In a modification from the Proposed Rule that is important for investment advisers to private funds, the Final Rule clarifies that FinCEN would not expect investment advisers to have “accounts” for the underlying investors in a private fund unless it has a separate advisory relationship with that underlying investor.  Thus, an investment adviser responding to a Section 314(a) request for a private fund would generally be expected to respond for the fund but not for the investors in that private fund.

What’s Next?

As noted, FinCEN has yet to finalize a proposed customer identification program requirement that it proposed jointly with the SEC as well as a broader package of BSA/AML reforms required under the AML Act of 2020.   Depending on their final form, both proposals could result in further changes to the ultimate AML/CFT compliance framework for investment advisers.[23]  Recent developments in administrative law that have made administrative actions easier to challenge—and seen regulated parties bring more successful challenges to regulatory efforts—may further contribute to this uncertainty.[24]

But satisfying the requirements of the Final Rule may require significant expense and effort for investment advisers that have not been subject to AML/CFT requirements due to their affiliation with other regulated entities—risk-based policies, procedures and controls, testing, and reporting functions will need to be developed; new personnel may need to be hired; an appropriate AML/CFT officer or officers will need to be identified; and the adviser’s senior management or board of directors will have to review and approve its AML/CFT program.  Moreover, it would be reasonable to expect the SEC to launch an exam initiative focusing on investment advisers’ compliance with the Final Rule soon after the January 1, 2026, compliance date.  For these reasons, we expect many investment advisers to begin planning to comply with the Final Rule promptly notwithstanding potential the potential for further changes to their AML/CFT regulatory framework.  

We will continue monitoring developments and provide additional updates as warranted.

Footnotes

[1] “Final Rule: Financial Crimes Enforcement Network: Anti-Money Laundering/ Countering the Financing of Terrorism Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers,” Federal Register, Vol. 89, No. 171 (Sept. 4, 2024).

[2] 31 C.F.R. 1010.100(nnn)(1) and (2).

[3] The Final Rule defines “investor,” “U.S. person,” and “foreign-located private fund,” and incorporates existing definitions of the same or similar terms in SEC rules adopted under the Investment Advisers Act of 1940 (Advisers Act) and the Securities Act of 1933.  See Id. at 1032.111(a)(3).

[4] For simplicity, and consistent with the Final Rule text (see, e.g., id. at 1032.200), references to “investment advisers” when discussing the Final Rule’s requirements include RIAs and ERAs that are within the scope of the Final Rule but not advisers that are outside the Final Rule’s scope.

[5] 31 C.F.R. 1032.210(a)(1).

[6] Id. at 1032.210(a)(2).

[7] As noted above, one of the other pending FinCEN proposals could apply this requirement to all financial institutions subject to the BSA.

[8] 31 C.F.R. 1032.210(b)(1).

[9] In complying with this requirement of the Final Rule, RIAs should be able to leverage their experience with establishing and implementing risk-based, reasonably designed policies and procedures under the Compliance Rule (Rule 206(4)-7) under the Advisers Act). 

[10] 31 C.F.R. 1032.210(b)(3).

[11] Id. at 1032.210(b)(2).

[12] Id. at 1032.210(b)(4).

[13] Id. at 1032.210(b)(5)(i) and (ii).

[14] Id. at 1010.610 and 1010.620.

[15] Id. at 1032.230(a))(2).

[16] An investment adviser should establish internal parameters for categorizing certain of its activities as non-advisory services for purposes of its SAR-filing obligations and its AML/CFT program generally, taking into consideration relevant SEC guidance (such as Form ADV Instructions related to determining AUM) as well as whether it treats advisory or non-advisory for other regulatory and operational purposes.

[17] 31 C.F.R. 1010.310–315 and 1032.310–315. 

[18] 31 C.F.R. 1010.410(e) and (f); 31 C.F.R. 1032.410.

[19] RIAs should be able to use their existing measures to comply with their obligation pursuant to Rule 204-2(a)(7)(ii) under the Advisers Act to retain records of written communications related to the receipt, disbursement or delivery of funds or securities to assist them with meeting their obligations, if any, under the Recordkeeping and Travel Rules.

[20] See Final Rule, at 72179–81 (discussing application of the requirements under the Recordkeeping and Travel Rules to investment advisers).

[21] This five-year retention period corresponds to the typical record retention period for RIAs under the Advisers Act.  While many non-U.S. investment advisers are not required to comply with the Advisers Act’s recordkeeping obligations and/or have limited prior exposure to SEC exams, the Final Rule explicitly states that foreign-located advisers are subject to the requirements to retain records and make them available to FinCEN and/or the SEC upon request.  See 17 C.F.R. 1032.111(b); see also id. at 1032.320(f) (stating that investment advisers “shall be examined” for compliance with their SARs obligations).  

[22] 31 C.F.R. 1032.500, 1032.520, and 1032.540.  See also id. at 1010.520 and 1010.540; USA PATRIOT Act, Pub. L. 107-56, sec. 314(a), (b).

[23] For example, FinCEN’s proposed updates to the AML/CFT program requirements for all financial institutions include onshoring requirements that were included in the Proposed Rule but dropped in the Final Rule, and it remains to be seen how, if at all, FinCEN will reconcile that proposal with the Final Rule. 

[24] We discuss four related U.S. Supreme Court cases from the Court’s most recent term here. 

David Sewell, Timothy Clark, and Ivet Bell are Partners, David Nicolardi is Counsel, and Nathaniel Balk is an Associate at Freshfields Bruckhaus Deringer LLP. This post first appeared on the firm’s blog. 

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).