Blog

A roadmap for implementing AML compliance for IAs

Written by Lisa Roth | Nov 27, 2024 3:15:00 PM

It wasn’t too long ago that I wrote a blog about the importance of modernizing anti-money laundering (AML) compliance programs. I expressed my view that BD AML programs, having been in place for more than two decades, were due to be dusted off and enhanced where applicable. I stopped short of promoting voluntary compliance by IAs; and I did not put adequate stock in the February 2024 pending proposal that, if approved, would make AML compliance mandatory for IAs. After all, frustrating to some, and a relief to others. Prior proposals in 2003 and 2015 had not gone forward.

In my mind, AML has always been important to help safeguard the investment adviser sector from illicit finance activity, including misuse by criminals, foreign adversaries, and other money laundering and terrorist financing threats. I support the concept that IAs play an important role in the effort. Into that environment, came proposal number 3. And, as of late August 2024, what may have been perceived as a gap has been closed. The requirement for IAs to maintain an Anti-Money Laundering/Countering the Financing of Terrorism Program (AML/CFT) including a Customer Identification Program (CIP) and Suspicious Activity Report (SAR) filing requirements under the Bank Secrecy Act (BSA) is now on the books.

It is FinCEN’s conviction that the rule will help level the regulatory playing field through a consistent application of risk-based AML/CFT requirements and that the final rule will bring benefits to investors by improving the U.S. financial system’s transparency and integrity. Ultimately, the goal is to reduce the likelihood that proceeds of crime and other illicit activities will be invested in U.S. markets. Reporting aspects of the rule is designed to expose highly useful information to law enforcement authorities and national security agencies. Because some IAs currently comply voluntarily, and others comply due to affiliations with banks or BDs, the application of AML/CFT requirements across the investment adviser sector has been somewhat uneven. This unevenness has allowed an opportunity for both legitimate and illicit investors to “shop around” for an adviser who does not apply AML/CFT controls, such as inquiring into the investor’s source of wealth.

The new rule, formally the Anti-Money Laundering/Countering the Financing of Terrorism Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers goes into effect January 1, 2026.

Enough rambling. Let’s get down to business.

Who is covered, and who is not

By adding “investment adviser” to the definition of “financial institution” under the BSA’s implementing regulations, the rule covers firms including:

  • IAs registered with or required to register with the SEC
  • IAs that report information to the SEC as exempt reporting advisers (ERAs)

SEC-registered foreign IAs are covered for advisory activities that take place within the United States, or advisory services provided to a U.S. person or a foreign-located private fund with an investor that is a U.S. person. 

Excluded are:

  • IAs that register with the SEC solely because they are mid-sized advisers, multi-state advisers, or pension consultants;
  • IAs that are not required to report any AUM to the SEC on Form ADV
  • State registered IAs
  • Foreign private advisers
  • Family offices

For their part, state-registered advisers are not in scope at the present time, however NASAA has expressed its support for FinCEN’s rule for SEC IAs and ERAs. In its comment letter to the proposal, NASAA referenced FinCEN’s conclusion that evidence does not suggest that state registered IAs are being used as conduits for money laundering. Nonetheless, NASAA has opened its doors to FinCEN engagement should issues arise in the future.

Components of the AML/CFT program

Implementation of an AML/CFT program will take planning and resources. But there are volumes of available guidance to be leveraged. And if you are going to invest the time and energy to get a program in place, it may as well be a modern and effective program. I hope you will feel free to revisit segments of my earlier blog which might help get your program off the ground. For instance, consider leveraging the guidance in the SEC’s 2021 and 2023 Risk Alerts regarding BD and IA examinations, “red flags” found in the Appendix A to Reg S-ID and FINRA’s 2024 Annual Risk and Oversight Report including guidance for addressing cybercrime in AML programs. In my view, since the SEC has been auditing BD AML programs for many years, it could be worthwhile exploring similar FINRA territory and adopting relevant practice standards already deployed in financial institutions and already familiar to SEC examiners.

[White paper] Mitigating risk in the digital age: A roadmap to AI-enhanced adverse media screening

Here are some basics of the new rule.

The rule requires RIAs and ERAs to:

  • file certain reports, such as Suspicious Activity Reports (SARs), with FinCEN;
  • keep certain records, such as those relating to the transmittal of funds (i.e., comply with the Recordkeeping and Travel Rules); 
  • fulfill certain other obligations applicable to financial institutions subject to the BSA and FinCEN’s implementing regulations, such as special information sharing procedures; and 
  • implement a risk-based and reasonably designed AML/CFT program.

And here are some of the key components required of an AML/CFT program:

  • Establishment and implementation of internal policies, procedures, and controls reasonably designed to prevent illicit finance activities.
  • Provisions for independent testing of the program by the investment adviser’s personnel or a qualified outside party. Notably, a person involved in implementing the program may not participate in testing the program.
  • Designation of one or more persons to implement and monitor the program.
  • Provision for ongoing employee training.
  • Implementation of risk-based procedures for performing ongoing customer due diligence (CDD), in accordance with FinCEN’s CDD Rule.

Let’s quickly break those down.

Samples and templates that may provide helpful pointers for a written program are available through numerous resources. One that may help smaller firms is the FINRA Small Firms AML Template. Yes, it is written for broker-dealers, but it provides coverage of the fundamental components such as CIP/customer DD, identifying and reporting red flags, transaction monitoring, BSA and FinCEN rule references, and sample language that are likely to be helpful as you organize your own program. Except for the fact that it is written in the 1st person for which I am not a fan, I think it is a useful resource. Of course, as for any written compliance program, it is important to tailor to policies and procedures to the size of the firm and the services it offers.

Independent testing can be performed by an individual in the firm, provided the individual is adequately qualified and does not report to the individual designated to implement and monitor the AML program. For year one, consider seeking a 3rd party consultant to perform the testing for purposes of instilling an objective assessment. In subsequent years, identifying a qualified internal resource who can follow along the methodology is likely acceptable.

As for the AML program designee, specialized training is key to help ensure the individual is him/herself up to speed on the requirements of the rule. Whether through credentialling such as the ACAMS certification, or whether through independent study, familiarity with the BSA, FinCEN rules, AML 2020, and other fundamental components of AML compliance is imperative.

Similarly, associated persons must also undergo annual training. For this purpose, vendor-offered training programs may provide a meaningful basis for your staff’s orientation to AML compliance. Distribution of your program to your associated persons, especially important in year one, coupled with an online course or two, would likely be in line with the industry standard.

Finally, risk-based procedures for ongoing monitoring will likely be the backbone of the program. For this aspect of your program, careful attention must be given to tailoring the monitoring to your business lines and services. Ongoing monitoring may be accomplished in several ways. Technologies that integrate customer information into the investment adviser's transaction monitoring system may provide an efficient resource for identifying potentially suspicious transactions. Firms may voluntarily comply with the information sharing provisions under section 314(b) of the USA PATRIOT Act to request relevant information from other financial institutions that may hold relevant information on a proactive basis.

Once drafted and upon material change, the program must be approved in writing by the IA’s board of directors/trustees or a comparable authority.

Deadline

As the compliance calendar goes, January 1, 2026 is right around the corner. Lucky for us, there are two decades of foundation, courtesy of your financial services peers, and a number of vendors to complement your efforts. So, let’s just take a moment and do something that all can enjoy. To my knowledge, no one has yet given this new rule an acronym. By the letter, it would be the AML/CF of TP and SAR RFRs for RIAs and ERAs, but that’s a bit clumsy, don’t you agree? I would love to hear suggestions.

For an AI-focused approached to bolstering AML/KYC compliance, read this white paper: Mitigating risk in the digital age: A roadmap to AI-enhanced adverse media screening. 

 

The opinions provided are those of the author and not necessarily those of Fidelity Investments or its affiliates. Fidelity does not assume any duty to update any of the information.

1173422.1.0