Key Takeaways:
- On September 4, 2024, the U.S. Treasury Department’s Financial Crimes Enforcement Network published a final rule imposing anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) requirements on certain U.S. Securities and Exchange Commission-registered investment advisers and exempt reporting advisers.
- The final rule imposes significant new AML/CFT compliance responsibilities, even for investment advisers that voluntarily maintain AML/CFT programs, such as obligations related to suspicious activity reporting, information sharing with the government and enhanced due diligence measures.
- Firms subject to the final rule will need to ensure they are in compliance with the new AML/CFT requirements by the effective date of January 1, 2026.
On September 4, 2024, the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) published a final rule (the “Final Rule”) imposing broad anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) requirements on certain investment advisers. The Final Rule, which represents the culmination of a multi-decade regulatory process, will for the first time subject many U.S. Securities and Exchange Commission (“SEC”)-registered investment advisers and exempt reporting advisers to formal AML/CFT requirements.
The Final Rule represents a significant regulatory change for covered investment advisers, which will have until January 1, 2026 to come into compliance. In this Debevoise In Depth, we address the “Top 10” commonly asked questions about the Final Rule and its practical implications for asset managers.
We are hosting a webinar on this topic on September 18, 2024. Please register here if you are interested in attending.
1. Which Investment Advisers Are Covered by the Final Rule?
The Final Rule generally applies to investment advisers (1) registered or required to register with the SEC under the Investment Advisers Act of 1940 (the “Advisers Act”) (such advisers, “RIAs”) and (2) exempt from SEC registration under section 203(l) or 203(m) of the Advisers Act. We refer to the advisers in scope of the Final Rule as “Covered IAs.”
FinCEN has excluded from the Final Rule certain advisers deemed to present lower illicit finance risks. Excluded advisers are RIAs that register with the SEC solely because they are one or more of the following: (i) mid-sized advisers (Item 2.A.(2) on Form ADV); (ii) multi-state advisers (Item 2.A.(10) on Form ADV); or (iii) pension consultants (Item 2.A.(7) on Form ADV). The Final Rule also excludes RIAs that do not report any assets under management on their Form ADV. State-registered advisers, foreign private advisers relying on the exemption provided by Section 203(b)(3) of the Advisers Act and family offices excluded from the definition of “investment adviser” pursuant to Section 202(a)(11)(G) of the Advisers Act are not in scope.
2. Are Non-U.S. Investment Advisers in Scope of the Final Rule?
Yes, but generally only to the extent of their advisory activities in the United States or involving U.S. clients or U.S. investors. Foreign-located investment advisers, defined as those with a principal office and place of business outside the United States, will only be required to apply the Final Rule to (i) their advisory activities that take place within the United States or (ii) advisory services they provide to a U.S. person or a foreign-located private fund with an investor that is a U.S. person. U.S. person is defined for these purposes by reference to SEC regulations.
3. Does the Final Rule Apply to Bank or Broker-Dealer Affiliated Advisers?
Yes. The Final Rule does not exclude an investment adviser that is dually registered as a broker-dealer, is chartered as a bank or is a bank subsidiary. However, such advisers need not establish multiple or separate AML/CFT programs so long as a comprehensive AML/CFT program covers all of the Covered IA’s relevant advisory activities in scope of the Final Rule. Similarly, organizations with a Covered IA among multiple entities with regulatory AML/CFT obligations may maintain an enterprise-wide AML/CFT program, provided that the program applies to the Covered IA and accounts for the Covered IA’s advisory activities. Such organizations also will need to ensure that each regulated entity, including the Covered IA, complies with the AML/CFT governance requirements applicable to it (e.g., the requirement that its board of directors or persons having similar functions approve its AML/CFT program).
4. What Are the New AML/CFT Requirements Imposed by the Final Rule?
In general, a Covered IA will be required to establish an AML/CFT program that includes an array of requirements that have not previously applied to investment advisers. This means that even those advisers with existing voluntary AML programs will likely need to enhance those programs. Among other regulatory requirements, Covered IAs will need to:
a. Implement a written AML/CFT program that must be approved by the Covered IA’s board of directors or other persons having similar functions. The program must apply to all advisory services—that is, not only to onboarding new investors or clients but also in making investments. The program must include the following minimum elements:
- Internal policies, procedures and controls reasonably designed to prevent the Covered IA from being used for illicit finance activities. A reasonably designed program must be risk-based, and a Covered IA is expected to review its advisory activities and clients to determine appropriate risk profiles.
- Independent testing to be conducted by a qualified outside party or an internal function not involved in the operation and oversight of the AML/CFT program. The frequency of testing is not specified.
- Designation of a responsible person or persons (including in a committee) to implement and monitor the operations and internal controls of the AML/CFT program. The person must be an employee of either the Covered IA or an affiliate.
- Ongoing training for appropriate persons to provide a general awareness of AML/CFT requirements and illicit finance risks as well as job-specific guidance tailored to particular employees’ roles and functions.
- Ongoing customer due diligence (“CDD”) to include, but not be limited to:
- understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
- conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.
b. Comply with reporting obligations related to currency transactions or suspicious activity:
- Currency Transaction Reports (“CTRs”). Covered IAs will be required to file a CTR with FinCEN for certain transactions in currency of more than $10,000. This requirement will replace the existing requirement that Covered IAs report currency-related transactions on Form 8300.
- Suspicious Activity Reports (“SARs”). The Final Rule requires Covered IAs to file SARs with FinCEN for any suspicious transaction (or pattern of transactions) conducted or attempted by, at or through the Covered IA that involves or aggregates at least $5,000 in funds or other assets.
- A Covered IA’s SAR reporting obligations apply to the adviser’s “advisory activities on behalf its clients.” Examples of activities “by, at or through” a Covered IA include a customer providing an instruction to the adviser or the adviser instructing a custodian as to transactions on behalf of the Covered IA’s customer.
- FinCEN makes clear that Covered IAs may need to file SARs on suspicious activity involving private fund investments (e.g., funding through multiple wires from different accounts) or portfolio companies (e.g., fund investors seeking information about a portfolio investment that could implicate illicit technology transfer concerns).
- However, non-advisory activities (e.g., if an adviser’s staff occupy management roles at portfolio companies) are not in scope of a Covered IA’s SAR filing obligation.
c. Comply with information-sharing requirements that implement sections 314(a) and 314(b) of the USA PATRIOT Act:
- Section 314(a). Under section 314(a) of the USA PATRIOT Act, FinCEN may solicit information from financial institutions related to persons suspected of terrorist acts or other criminal activities. Certain financial institutions, such as banks and broker-dealers, regularly receive such FinCEN requests, and Covered IAs will be in scope. Covered IAs receiving 314(a) requests will be required to search their account and transactional records for any matches to a FinCEN request and to report such matches. In responding to a 314(a) request for a private fund, Covered IAs generally will be expected to respond only for the fund and not with respect to underlying investors in the fund.
- Section 314(b). Section 314(b) of the USA PATRIOT Act authorizes voluntary information sharing between financial institutions for AML/CFT purposes. Covered IAs will be entitled to participate in voluntary information sharing with each other and with other financial institutions.
d. Apply special standards of diligence to correspondent and private banking accounts involving foreign persons.
- Covered IAs will be required to maintain due diligence programs for “correspondent accounts” for foreign financial institutions and “private banking accounts” for non-U.S. persons, including policies, procedures and controls that are reasonably designed to detect and report any known or suspected money laundering or suspicious activity conducted through or involving any such accounts.
- The special due diligence requirements for correspondent accounts will apply to Covered IAs’ services that provide foreign financial institutions with a conduit for engaging in ongoing transactions in the U.S. financial system.
- For private banking accounts, the special due diligence requirements will apply to accounts for which a Covered IA manages at least $1 million (including in a private fund) for the benefit of or on behalf of a non-U.S. individual who is the account holder or controls the account and involves services provided by an employee or agent of the Covered IA acting as a liaison (e.g., a relationship manager) to such non-U.S. person.
e. Comply with special measures that the Treasury Secretary has imposed or may in the future impose under section 311 of the USA PATRIOT Act if (s)he finds that reasonable grounds exist to conclude that a foreign jurisdiction, institution, class of transaction or type of account is of primary money laundering concern. These special measures can include recordkeeping, information collection or reporting requirements or limitations on correspondent or payable-through accounts. Special measures under other authorities related to Russian money laundering or illicit opioid trafficking also are in scope.
f. Keep records and provide information related to transmittals of funds under rules requiring financial institutions to create and retain records for transmittals of funds (such as funds transfers) and ensure that certain information pertaining to a transmittal of funds travels with the transmittal to the next financial institution in the payment chain. These requirements apply to transmittals that equal or exceed $3,000, unless an exception applies.
5. Do the Final Rule’s Requirements Apply Beyond the Fund Level to Underlying Investors of a Fund?
Yes, in certain respects. As a result, Covered IAs will need to ensure that relevant AML/CFT processes do not stop at the level of the private funds they advise and take into account underlying investors on a risk basis.
Generally, FinCEN expects a Covered IA that is the primary adviser to a private fund to make a risk-based assessment of the illicit finance activity risks presented by investors in the fund and to design its program to meet these risks. A Covered IA’s SAR reporting obligations may be triggered by suspicious activity involving underlying investors in a fund or intermediaries or nominee holders representing underlying investors and, thus, a Covered IA should collect sufficient information to enable detection and reporting of suspicious activity associated with such persons. Additionally, where a Covered IA assesses a private fund or investors represented by intermediaries to present higher risk, the Covered IA may need to collect additional information about the underlying investors to develop a baseline for suspicious activity reporting regarding the private fund.
For Covered IAs, implementing processes to address FinCEN’s expectations related to investors in private funds may present one of the more complex compliance aspects of the Final Rule.
6. If Our Firm Already Maintains an AML/CFT Program, Does the Final Rule Represent a Significant Change?
Very likely, yes. The Final Rule imposes a number of requirements beyond those typically addressed in the voluntary AML/CFT programs maintained currently by many advisers. For example, Covered IAs will now have legal requirements to file SARs, comply with section 314(a) requests, adopt enhanced due diligence requirements for certain types of customers, keep certain records related to transmittals of funds and conduct independent testing of the AML/CFT program’s effectiveness. Moreover, Covered IAs will need to ensure that their programs apply to all facets of their advisory activities, consider changes to the governance around their existing programs and engage in more comprehensive reviews and oversight of service providers (with revisions to associated agreements). Foreign-located investment advisers also will need to determine the proper scope of their activities and customers that are subject to the Final Rule.
In addition, Covered IAs’ voluntary AML/CFT programs have not been subject to formal supervisory review or examination. The Final Rule provides that Covered IAs’ compliance with AML/CFT requirements will be subject to examination by the SEC. Both the SEC and FinCEN will have enforcement authority related to violations of AML/CFT requirements by Covered IAs.
7. Are There Additional Requirements or Related Rulemakings Pending?
Yes. FinCEN regulations currently subject many other financial institutions (including banks, broker-dealers and mutual funds) to customer identification program (“CIP”) obligations that require them to identify and verify the identities of their customers. FinCEN and the SEC issued a joint proposed rulemaking earlier this year that would apply CIP requirements to Covered IAs. FinCEN intends for the potential CIP final rule to have the same compliance date as the Final Rule.
Additionally, under the so-called “CDD rule,” FinCEN requires certain financial institutions to identify and verify the identities of beneficial owners of their legal entity customers. The Final Rule does not obligate Covered IAs to comply with the CDD rule. However, FinCEN is required to revise this rule in connection with its implementation of the Corporate Transparency Act and is considering how any such revisions may impact investment advisers.
FinCEN also has proposed amendments to AML/CFT program requirements for all covered financial institutions (other than Covered IAs), including potential mandatory risk assessment process requirements and requirements to onshore the duty to establish, maintain and enforce an AML/CFT program. The Final Rule does not reflect these proposed amendments; thus, if these amendments are finalized, further changes may follow for Covered IAs’ AML/CFT program requirements.
8. Does the Final Rule Allow an Adviser to Use an Administrator, Custodian or Other Service Provider to Fulfill the Adviser’s AML/CFT Obligations?
Yes. A Covered IA may retain a third party, including a third party based abroad, to assist with the implementation and operation of some or all aspects of its AML/CFT program.
However, a Covered IA that delegates AML/CFT activities will remain fully responsible and legally liable for the Covered IA’s compliance with applicable AML/CFT requirements. The Covered IA also will need to ensure that FinCEN and the SEC are able to obtain information and records relating to its AML/CFT program.
FinCEN has made clear that use of a service provider must be married with appropriate oversight of that service provider. For example, the Final Rule expressly states that “it would not be sufficient to simply obtain a ‘certification’ from a service provider that the service provider ‘has a satisfactory [AML/CFT] program.’” The frequency and nature of a Covered IA’s oversight of a service provider will depend on the Covered IA’s risk profile and the specific AML/CFT responsibilities delegated to that service provider.
9. What Are the Consequences of Non-compliance with the Final Rule?
Covered IAs may now face regulatory scrutiny or enforcement penalties by the SEC or FinCEN for non-compliance with AML/CFT obligations. In recent years, Bank Secrecy Act (“BSA”)/AML compliance has been a hotbed of enforcement activity, with banks and broker-dealers being subjected to significant monetary penalties for technical non-compliance with AML/CFT requirements and other violations.
Moreover, Covered IAs may face criminal penalties, including severe monetary penalties, for willful violations of the BSA and its implementing regulations.
10. What Steps Should Our Firm Undertake between Now and the Final Rule’s Effective Date?
The Final Rule’s effective date is January 1, 2026. In advance of this date, firms should consider taking the following steps:
- Review the Final Rule for gaps in current AML/CFT programs or processes, including, but not limited to, the areas discussed above in Questions 4 and 6;
- Assess the scope of the firm’s advisory activities and customers that will be subject to the Final Rule;
- Update AML/CFT programs, policies, procedures and controls to comply with the Final Rule as necessary, including refreshing or documenting any risk-based AML/CFT approaches or determinations, in preparation for heightened regulatory scrutiny and examinations;
- Consider whether changes to investor onboarding documentation or processes may be necessary;
- Review and amend AML/CFT delegation arrangements with custodians, broker-dealers, fund administrators or other service providers to determine the appropriate scope of AML/CFT responsibilities to be delegated and provide for appropriate oversight measures;
- Ensure appropriate AML/CFT staffing, technology, resources, training and oversight are in place by the effective date, as well as a process for periodic independent testing; and
- Inform appropriate stakeholders of the new AML/CFT obligations and additional compliance measures to be implemented.
This publication is for general information purposes only. It is not intended to provide, nor is it to be used as, a substitute for legal advice. In some jurisdictions it may be considered attorney advertising.