FinCEN issues new AML rule impacting registered investment advisers and exempt reporting advisers

On August 28, 2024, the Financial Crimes Enforcement Network (FinCEN) issued a final rule that will impose new anti-money laundering and countering terrorism financing (AML/CFT) program requirements on registered investment advisers and exempt reporting advisers (collectively, Covered IAs) by, among other things, including Covered IAs within the definition of “financial institution” under the Bank Secrecy Act (BSA).¹ The new AML/CFT rule takes effect on January 1, 2026.

Background

While FinCEN has previously attempted to impose some level of AML/CFT program requirements on investment advisers (IAs), prior to FinCEN’s adoption of the final rule, there was no comprehensive set of regulatory obligations directly applicable to most IAs that required the adoption of AML/CFT programs.² Although certain IAs have previously been subject to AML/CFT program requirements, such requirements have applied as a result of those IAs’ affiliation with FinCEN-regulated entities, such as banks and broker-dealers.³

FinCEN’s efforts to impose AML/CFT program requirements on IAs date back to 2002, when FinCEN proposed that unregistered investment companies, including private funds, establish AML/CFT programs.⁴ However, that proposal was ultimately not implemented, and in 2007, FinCEN announced it would take a broader look at how the AML/CFT regulatory framework was being implemented across industries.⁵ In September 2015, FinCEN proposed minimum standards for AML/CFT programs to be established by certain investment advisers.⁶ That rule was eventually withdrawn with FinCEN’s 2024 proposal of the newly adopted AML/CFT requirements for Covered IAs.⁷    

The proposal that led to the implementation of the current final rule was based on FinCEN’s observed growth in private equity, venture capital and hedge funds and the role they play in the US financial system.⁸ In addition, FinCEN reviewed Suspicious Activity Reports (SARs) filed between 2013 and 2021 and found that 15.4 percent of Covered IAs were associated with, or referenced in, at least one SAR.⁹ FinCEN has also determined that because of their possibility for higher returns, private funds can be particularly attractive to those seeking to obscure the origin of illicit funds. In its release proposing the new AML/CFT requirements for Covered IAs, FinCEN noted that Covered IAs have been prosecuted for roles in substantial money laundering cases, including those involving funds stolen from the Malaysian government and have served as a point of entry for wealthy Russians seeking to obscure their ownership of US assets.¹⁰

Final AML rules for Covered IAs

FinCEN’s adoption of the final rule will extend the obligation to implement AML/CFT compliance programs more broadly across the IA sector. For the first time, Covered IAs will be defined for purposes of AML/CFT regulations as “financial institutions,” and like other regulated financial institutions, will be required to adopt risk-based procedures to, among other things, (i) perform due diligence on and risk assess, their customers; (ii) monitor for transactions that could be indicative of criminal activities or the financing of terrorism; and (iii) file, as warranted, SARs with FinCEN. The Securities and Exchange Commission (SEC) will be responsible for evaluating Covered IAs’ compliance with the new regulatory obligations. 

General scope of the term “investment adviser” under 31 C.F.R. § 1010.100

As noted above, the new rule adds the term “investment adviser” to the definition of “financial institution” under FinCEN’s regulations implementing the BSA, and defines “investment adviser” to include any adviser registered or required to be registered with the SEC under Section 203 of the Investment Advisers Act of 1940 (the IAA), or any person that is currently exempt from SEC registration under Sections 203(l) or 203(m) of the IAA.¹¹ Thus, the definition of “investment adviser” includes not only SEC-registered investment advisers (RIAs), but also exempt reporting advisers (ERAs). FinCEN determined to include ERAs within the scope of the term “investment adviser,” and thus subject ERAs to the new AML/CFT requirements, for various reasons, including that: (i) exempting ERAs could “create a loophole through which illicit actors would be able to access a range of private funds without being directly subject to AML/CFT requirements”; (ii) ERAs “bear the highest risks as they solely advise either private funds or venture capital funds, both of which were found in the Risk Assessment to be involved in illicit finance and other criminal investigations carried out by US law enforcement”; and (iii) private funds are more likely to be based in jurisdictions with weaker and less effective AML/CFT controls “making it more difficult for the ERA to assess the risk posed by the relationship or prevent abuse.”¹²

In response to comments filed following publication of the proposed AML/CFT rules for Covered IAs,¹³ FinCEN decided to modify the definition of “investment adviser” to balance the burdens imposed on smaller RIAs. As a result, the definition of “investment adviser” under the final rule does not include an IA who registers or who is required to register with the SEC under Section 203 of the IAA solely because such IA meets the conditions of (i) a mid-sized adviser, as set forth in Section 203A(a)(2)(B) of the IAA, (ii) a pension consultant (as defined under 17 C.F.R. § 275-203A-2(a)); or (iii) a multi-state adviser (as defined under 17 C.F.R. § 275-203A-2(d)).¹⁴ Furthermore, RIAs that do not report any assets under management on their Form ADV are also excluded from the definition of “investment adviser” under the final rule.¹⁵ FinCEN also elected to exclude from the coverage of the final rule, at least “at this time,” State-registered advisers.¹⁶

Foreign-located investment advisers

As proposed, the definition of “investment adviser” covers “foreign-located investment advisers” that are registered or required to register with the SEC (RIAs, subject to the exemptions set forth in 31 C.F.R. § 1010.100(nnn)(2)) or that file reports with the SEC on Form ADV (ERAs). A “foreign-located investment adviser” is defined in Section 1031.110 of the final rule as an IA “whose principal office and place of business is outside the United States.” FinCEN considers a Covered IA’s “principal office and place of business” to be the “executive office of the investment adviser from which the officers, partners or managers of the investment adviser direct, control and coordinate the activities of the investment adviser.”¹⁷

FinCEN justified the extra-territorial application of the AML/CFT requirements to foreign-located IAs on the grounds that all foreign-located IAs subject to the final rule’s requirements must have a sufficient US nexus with respect to their advisory activities. Accordingly, a foreign-located IA’s advisory activities are subject to the final rule’s requirements if the advisory activities: (i) take place within the United States, including through involvement of US personnel of the investment adviser,¹⁸ such as the involvement of an agency, branch or office within the United States; or (ii) provide advisory services to a “U.S. person”¹⁹ or a “foreign-located private fund”²⁰ with an “investor”²¹ that is a “U.S. person.”²² Accordingly, a foreign-located IA will not be subject to the final rule’s requirements (i) when it provides services exclusively to a foreign-located person, and (ii) the personnel providing the advisory services are all outside of the United States.²³ Notably, FinCEN did not include foreign private advisers or family offices within the definition of financial institution because such entities are not RIAs or ERAs under the IAA. 

Recordkeeping and Travel Rules and Currency Transaction Reports

Under the final rule, Covered IAs will be added to the list of institutions among which transfers are excepted from the requirements of the Recordkeeping Rule (31 C.F.R. § 1010.410(e)) and Travel Rule (31 C.F.R. § 1010.410(f)) under the BSA (Covered IAs will be treated in the same manner, and with the same exceptions for transfers to certain other financial institutions, such as banks, broker-dealers, futures commission merchants and mutual funds).²⁴ However, where a Covered IA acts as a transmittor or recipient in transactions other than excepted transfers, Covered IAs will be required to comply with the requirements of the Recordkeeping and Travel Rules. This means that in the case of certain transactions that equal or exceed US$3,000, as transmitting or receiving institutions, Covered IAs will be required to collect and retain certain identifying information about the sender of the transmittal.²⁵ Regarding information required to be collected, FinCEN noted that IAA Rule 204-2(a)(7)(ii)’s requirement to maintain “originals of all written communications received and copies of all written communications sent by [an] investment adviser relating to…any receipt, disbursement or delivery of funds or securities” may “assist RIAs in satisfying their obligations to identify relevant information that may be required to be collected under the Recordkeeping and Travel Rules” where an RIA is a transmittor’s or recipient’s financial institution.²⁶

FinCEN noted in the IA AML/CFT Final Rule Release that where a Covered IA’s customer has a direct account relationship with a qualified custodian that is subject to AML/CFT requirements, including the requirements of the Recordkeeping and Travel Rules, and requests that such qualified custodian initiate a funds transfer or transmittal of funds, the Covered IA would “generally not be required to comply with the requirements of the Recordkeeping and Travel Rules.”²⁷ FinCEN stated further that “[t]his would likely apply to many RIAs advising retail customers that custody customer assets with a qualified custodian.” In contrast, RIAs advising private funds and ERAs may be more likely to be required to comply with the Recordkeeping and Travel Rules due to their discretion and authority over fund and customer assets in the fund.²⁸

Additionally, the final rule would require Covered IAs to file Currency Transaction Reports. These requirements currently apply to transactions by other BSA-defined financial institutions in amounts exceeding US$10,000.²⁹

AML/CFT program requirements for Covered IAs

More significantly, Covered IAs will be required to establish AML/CFT compliance programs that are specifically tailored to the characteristics and risk profiles of their businesses.³⁰ As it does frequently when describing the characteristics of a risk-based compliance program, FinCEN made clear that the AML/CFT program requirement is “not a one-size-fits-all requirement.”³¹ However, at a minimum, AML/CFT compliance programs must include certain fundamental elements. Specifically, a Covered IA’s AML/CFT compliance program must: (i) establish internal policies, procedures and controls reasonably designed to prevent the Covered IA from being used for money laundering, terrorist financing or other illicit finance activities and to achieve compliance with applicable provisions of the BSA and implementing regulations; (ii) provide for independent testing for compliance to be conducted by the Covered IA’s personnel or a qualified outside party; (iii) designate a person or persons responsible for implementing and monitoring the operations and internal controls of the program; (iv) provide ongoing training for appropriate persons; and (v) implement appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to: (A) understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and (B) conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.³² In light of current requirements under the BSA, the final rule permits Covered IAs to exclude from the scope of their AML/CFT programs (i) mutual funds; (ii) collective investment funds sponsored by a bank or trust company; and (iii) other Covered IAs, provided that such mutual funds, collective investment funds or other Covered IAs are advised by the Covered IA and subject to an AML/CFT program requirement under the final rule.³³   

While investment advisers that report no assets under management on Form ADV are excluded from the scope of the definition of “investment adviser” under the final rule, where an RIA both manages client assets and provides other advisory services that do not involve the management of client assets, FinCEN declined to exclude the “non-management” services from coverage of the final rule’s requirements.³⁴

Under the final rule, Covered IAs’ SAR filings would be subject to the same timeframes, recordkeeping and confidentiality requirements that apply today to broker-dealers.³⁵ FinCEN committed to providing additional guidance regarding sharing of SAR information within organizational entities.³⁶ Covered IAs will also have to comply with the information-sharing procedures set forth in section 314(a) and 314(b) of the USA PATRIOT Act.³⁷ Of these two sections, 314(a) requires the implementation of procedures that position entities to make timely responses to requests for information from Federal and State law enforcement agencies and to court-issued subpoenas.³⁸ Section 314(b) authorizes Covered IAs to decide if they want to enter into specified voluntary information sharing arrangements with other Covered IAs.³⁹

One notable distinction of the final rule is that it does not require the categorical collection of beneficial ownership information for legal entity customers that applies to other types of financial institutions covered by the AML/CFT program requirements.⁴⁰ FinCEN postponed the application of this requirement to Covered IAs, pending the completion of its ongoing review of the requirement of the customer due diligence (CDD) rule.⁴¹ In the meantime, Covered IAs are permitted to make a risk-based determination regarding the need to collect beneficial ownership information based on a customer’s risk profile.⁴² As part of the CDD process, FinCEN expects Covered IAs to gather sufficient information on customers and their expected financial activities to formulate a risk profile which can function as a baseline for purposes of making decisions on filing SARs.

The final rule permits a Covered IA to delegate or outsource certain AML/CFT compliance functions to third parties (including foreign-located service providers and fund administrators) but make clear that the Covered IA will remain fully responsible and legally liable for, and be required to demonstrate to examiners, the program’s compliance with AML/CFT requirements and FinCEN's implementing regulations.⁴³  

Conclusion

While FinCEN provided Covered IAs with a relatively generous time period to come into compliance with the final rule, for many Covered IAs, standing-up an AML/CFT compliance program, that requires: (i) the hiring of key personnel (ii) the development, board approval and implementation of policies and procedures; (iii) performing risk assessments; (iv) calibrating AML/CFT controls appropriate to the organization’s risk profile; (vi) performing due diligence on the organization’s existing customer base as well as on new customers; (vii) training employees to the new procedures; and (viii) ensuring that suspicious activities are appropriately evaluated and that SAR decisions are made consistently and filed on a timely basis, will require substantial time and investment. Covered IAs should be cautious to not to let valuable time pass and to begin implementation planning as soon as possible. 

[1] FinCEN, Final Rule, Anti-Money Laundering/Countering the Financing of Terrorism Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers(August 28, 2024) (the IA AML/CFT Final Rule Release). Read the full IA AML/CFT Final Rule Release. Relatedly, FinCEN published a fact sheet regarding the final rule. We note that on the same day, FinCEN also adopted a final rule applying certain AML regulations to residential real estate transfers and certain real estate brokers. However, this client alert only discusses the AML/CFT program requirements adopted by FinCEN with respect to Covered IAs.

[2] IA AML/CFT Final Rule Release at 12. For example, Federal and State securities regulators have historically focused on investor protection in the IA industry through anti-fraud and anti-manipulation regulations. See id.at 10.

[3] IA AML/CFT Final Rule Release at 11 (Some investment advisers may nonetheless apply AML/CFT requirements, for example, if they are also banks (or are bank subsidiaries), are registered as brokers and dealers in securities…or advise mutual funds, but this is not consistent across the industry.).See also IA AML/CFT Final Rule Release at 11, note 39. We note that some IAs have been subject to AML/CFT program requirements as a result of contractual representations and warranties to clients and counterparties.

[4] SeeFinCEN, Notice of Proposed Rulemaking, Anti-Money Laundering Programs for Unregistered Investment Companies, 67 Fed. Reg. 60617 (Sept. 26, 2002).

[5] See FinCEN, Withdrawal of Notice of Proposed Rulemaking, Withdrawal of the Notice of Proposed Rulemaking; Anti-Money Laundering Programs for Investment Advisers, 73 Fed. Reg. 65568 (Nov. 4, 2008).

[6]See FinCEN, Notice of Proposed Rulemaking, Anti-Money Laundering Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers, 80 Fed. Reg. 52680 (Sept. 1, 2015).

[7] FinCEN, Notice of Proposed Rulemaking, Anti-Money Laundering/Countering the Financing of Terrorism Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers, 89 Fed. Reg. 12108 (Feb. 15, 2024) (IA AML/CFT Proposed Rule Release).

[8] See IA AML/CFT Proposed Rule Release at 12117. Concurrent with FinCEN’s 2024 rule proposal that led to the final AML/CFT rules for Covered IAs, the US Department of the Treasury released a risk assessment of the IA industry that identified that the IA industry has served as an “entry point into the US market for illicit proceeds associated with foreign corruption, fraud, [and] tax evasion,” as well as other criminal activities. See US Department of the Treasury, 2024 Investment Adviser Risk Assessment, 1 (February 2024) (Risk Assessment).

[9] IA AML/CFT Final Rule Release at 15.

[10] IA AML/CFT Proposed Rule Release at 12114-16.

[11] 31 C.F.R. § 1010.100(nnn).

[12] IA AML/CFT Final Rule Release at 48.

[13] See IA AML/CFT Final Rule Release at 39-46.

[14] 31 C.F.R. §1010.100(nnn)(2)(i). An IA that is registered because it meets the conditions of more than one of these exemptions, but that is not otherwise required to register, is also exempt from the scope of the definition of “investment adviser” as adopted by FinCEN for purposes of new AML requirements applied to Covered IAs. See IA AML/CFT Final Rule Release at 41, note 94.

[15] 31 C.F.R. § 1010.100(nnn)(2)(ii).

[16] IA AML/CFT Final Rule Release at 42.

[17] The definition of “principal office and place of business” adopted by FinCEN under the new rules is consistent with that used by the SEC in its IA regulations. See IA AML/CFT Final Rule Release at 53, note 123; see also 17 C.F.R. § 275.2221(b).

[18] For purposes of 31 C.F.R. § 1032.111, US personnel means, regardless of citizenship, any director, officer, employee or agent of the investment advisor conducting advisory activities from a US agency, branch or office of the investment adviser. See IA AML/CFT Final Rule Release at 54-55. Note that personnel that perform activity that is clerical or administrative in nature are not involved in advisory activity for purposes of the final rule. See IA AML/CFT Final Rule Release at 55.

[19] Under the final rule, the term “U.S. person” has the same meaning as the term “U.S. person” under Rule 902(k) of Regulation S of the Securities Act of 1933. Note that a US-located private fund advised by a foreign-located IA is itself a “U.S. person” under the definition adopted by the final rule. Thus, a foreign-located IA will be required to apply the final rule’s requirements with respect to any US-located private fund it advises, regardless of the presence or absence of any U.S. person investors in such US-located private fund. See IA AML/CFT Final Rule Release at 56.

[20] The final rule defines the term “investor” to have the same meaning as the term “investor” under IAA Rule 202(a)(30)-1(c)(2). Accordingly, a foreign-located IA will be required to perform the same “look through” with respect to any private fund it advises that relies on Section 3(c)(1) of the Investment Company Act of 1940 (the ICA) as required under that section, subject to two modifications: (i) the foreign-located investment adviser must count beneficial owners of a private fund’s commercial paper as investors (consistent with IAA Rule 202(a)(30)-1(c)(2)); and (ii) a person who is considered a beneficial owner for purposes of ICA Section 3(c)(1) will be considered an “investor” in the private fund despite holding its interests indirectly. See IA AML/CFT Final Rule Release at 57-58. Similarly, for purposes of both ICA Section 3(c)(1) and ICA Section 3(c)(7), a foreign-located IA will be required to “look through” any entity formed for the purpose of investing in a foreign-located private fund that the foreign-located IA advises. See id. at 58.

[21] For purposes of the final rule, the term “foreign-located private fund” means any foreign-located issuer that is a private fund as that term is defined under Section 202(a)(29) of the IAA—i.e., an issuer that would be an investment company, as defined in ICA Section 3, but for ICA Section 3(c)(1) or ICA Section 3(c)(7).

[22] See 31 C.F.R. § 1032.111; IA AML/CFT Final Rule Release at 54.

[23] IA AML/CFT Final Rule Release at 61.

[24] 31 C.F.R. §1032.410; IA AML/CFT Final Rule Release at 78-79.

[25] 31 C.F.R. § 1032.410; IA AML/CFT Final Rule Release at 78-79.

[26] IA AML/CFT Final Rule Release at 80.

[27] IA AML/CFT Final Rule Release at 79-80.

[28] See IA AML/CFT Final Rule Release at 80.

[29] 31 C.F.R. § 1032.310.

[30] See IA AML/CFT Final Rule Release at 81.

[31] See IA AML/CFT Final Rule Release at 81.

[32] 31 C.F.R. § 1032.210. Note that a Covered IA that is dually registered as a broker-dealer, or that is a bank (or bank subsidiary), does not need to establish a separate AML/CFT program to comply with the final rule’s requirements so long as a comprehensive AML/CFT program covers all of the Covered IA’s relevant activities. See IA AML/CFT Final Rule Release at 101. Furthermore, a Covered IA affiliated with, or a subsidiary of, another entity required to establish an AML/CFT program will not be required to implement multiple or separate programs and may elect to extend a single program to all affiliated entities that are subject to the requirements of the BSA, provided that the AML/CFT program is designed to identify and mitigate the different money laundering, terrorist financing and other illicit finance activity risks posed by the different aspects of each affiliate’s (or subsidiary’s) business(es) and satisfies each of the risk-based AML/CFT program and other BSA requirements to which the entities are subject in all of their BSA-regulated capacities. See id. at 101-102.

[33] 31 C.F.R. § 1032.210(a)(i)-(iii). FinCEN notes in the IA AML/CFT Final Rule Release that the exclusion relating to Covered IAs will permit a Covered IA (acting as sub-adviser) to exclude from its AML/CFT program another Covered IA to which it provides sub-advisory services “where the sub-adviser has a direct contractual relationship with the primary adviser and not with the underlying customer of that primary adviser.” IA AML/CFT Final Rule Release at 92. FinCEN also stated that the Covered IA may also be able to “exclude wrap-fee programs, separately managed accounts or other advisory relationships, so long as the customer is another [Covered IA] as defined at section 1010.100(nnn) and the adviser does not have a direct contractual relationship with the underlying customer of the other [Covered IA].” See id.

[34] IA AML/CFT Final Rule Release at 99.

[35] See generally 31 C.F.R. § 1032.320; IA AML/CFT Final Rule Release at 138-59.

[36] See IA AML/CFT Final Rule Release at 153.

[37] See 31 C.F.R. §§ 1010.520; 1010.540.

[38] See 31 C.F.R. §§ 1032.520; 1010.520.

[39] See 31 C.F.R. §§ 1032.540; 1010.540.

[40] See IA AML/CFT Final Rule Release at 130-31.

[41] We note that earlier this year, FinCEN also proposed to apply customer identification program (CIP) requirements to Covered IAs through a joint rulemaking with the SEC. See FinCEN and SEC, Notice of Proposed Rulemaking, Customer Identification Programs for Registered Investment Advisers and Exempt Reporting Advisers, 89 Fed. Reg. 44571 (May 21, 2024). As of the date of this alert, finalization of the proposed CIP rule for Covered IAs is still pending as the US Department of the Treasury and the SEC are reviewing comments on the proposed rulemaking. See IA AML/CFT Final Rule Release at 17-19.

[42] See IA AML/CFT Final Rule Release at 126.

[43] IA AML/CFT Final Rule Release at 102 and 109.