Final Anti-Money Laundering Rule for Investment Advisors Issued

On August 28, 2024, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued its final rule expanding the definition of a financial institution under the Bank Secrecy Act (BSA) to include certain investment advisors. With the rule, FinCEN imposes anti-money laundering and countering the financing of terrorism (AML/CFT) requirements on certain registered investment advisors (RIAs) and exempt reporting advisors (ERAs).

This final rule is the culmination of more than 20 years of efforts to safeguard the investment advisor industry from being used to launder illicit funds, and to reduce the national security risks present in venture capital investments from China and Russia.

Changes in the final rule

While the final rule doesn’t substantially differ from the version of the rule presented in February’s Notice of Proposed Rulemaking (NPRM), FinCEN did adjust some aspects of the rule based on public comments. The changes cover:

Exemptions to the definition of investment advisor. Due to comments raising concerns about the burden the rule imposes on smaller advisors that FinCEN has determined to be lower risk, the following RIAs have been exempted from inclusion in the definition of a financial institution as it pertains to the rule:

1. RIAs that register with the U.S. Securities and Exchange Commission (SEC) solely because they are midsize advisors, multi-state advisors, or pension consultants. An RIA that meets one of the criteria but is required to register with the SEC on any additional basis is not exempt from the rule.
2. RIAs that aren’t required to report assets under management to the SEC on Form ADV. This means they don’t manage client assets as part of their advisory activities.

Narrowed application for foreign-located investment advisors. FinCEN qualified the application of the rule for RIAs and ERAs registered with the SEC that have a principal office and place of business located outside the United States. The final rule only applies to advisory activities with a U.S. nexus. This includes:

• Activities that take place within the U.S., including through the involvement of U.S. personnel of the RIA.
• Advisory services provided to a U.S person.
• Advisory services provided to a foreign-located private fund with an investor that is a U.S. person.

Foreign-located investment advisors (IAs) are required to conduct “look-throughs” to determine which foreign-located private funds have U.S. investors.

Citing the need to develop further guidance, FinCEN is not including the implementation of 31 U.S.C. § 5318(h)(5) (the “Duty Provision”) in this rule. That provision would have made the establishment, maintenance, and enforcement of the AML/CFT program the responsibility of a U.S. person subject to oversight and supervision by U.S. regulators. While not part of this rule, FinCEN has indicated that it may include the provision in subsequent rulemaking.

Extended compliance date. The final rule established a compliance date of January 1, 2026. This represents an extension of the timeline of 12 months from the effective date of the final rule as indicated in the NPRM.

Narrowed requirements for RIAs and ERAs subject to the rule. The final rule allows advisors to exclude certain investment funds from the AML/CFT program requirements. Advisors may exclude mutual funds from such programs and are not obligated to verify that any mutual fund has implemented an AML/CFT program. Also excluded are bank and trust company-sponsored collective investment funds that comply with the requirements of 12 CFR 9.18.

Final rule requirements

Aside from the changes mentioned above, requirements in the final rule remain the same as what were in the NPRM. The IAs that are now considered to be financial institutions will be subject to BSA/AML requirements and SEC examination. The final rule requires covered IAs to:

• Implement risk-based AML and CFT programs based on the core pillars of compliance, which include internal controls, policies, and procedures; an employee training program; independent testing; and designation of a compliance officer.
• File suspicious activity reports and currency transaction reports with FinCEN.
• Maintain originator and beneficiary information for transactions in compliance with the recordkeeping requirements and the Travel Rule.
• Comply with information-sharing obligations under Section 314(a) of the USA PATRIOT Act.
• Implement special due diligence for correspondent and private banking accounts under Section 312 of the USA PATRIOT Act, special measures within Section 311 of the USA PATRIOT Act, and 9714(a) of the Combating Russian Money Laundering Act.
• Conduct ongoing due diligence to develop customer risk profiles and maintain updated customer information on a risk basis.

Covered IAs will also be permitted to voluntarily share information with other financial institutions pursuant to Section 314(b) of the USA PATRIOT Act.

Key compliance considerations

• IAs subject to this rule now have a clear deadline for compliance. By January 1, 2026, covered IAs must have an adequate risk-based AML/CFT program in place. Within that timeframe, they’ll need to evaluate current programs, conduct a risk assessment, engage key stakeholders, make any necessary program changes, and receive approval from their board of directors or other senior management as applicable.

Anyone affected by these rules should consider:

Exploring options for a customer identification program (CIP). While this final rule doesn’t include requirements for IAs to implement a CIP, it does allow FinCEN and SEC to issue requirements in a separate rule. On May 28, 2024, the agencies issued an NPRM on this subject detailing anticipated requirements. It included a statement that those requirements would depend on IAs first being designated as financial institutions. Now that the AML final rule has been issued, IAs can expect a final rule on CIP requirements soon.

Implementing a risk-based beneficial owner identification program. Although FinCEN will require covered IAs to implement risk-based procedures for conducting ongoing due diligence as prescribed in the Customer Due Diligence (CDD) Rule, categorical identification and verification of beneficial owners isn’t required at this time. IAs should still consider implementing a risk-based program soon to collect beneficial ownership information based on customer risk profiles. While FinCEN plans to address beneficial ownership of legal entity customers when the CDD rule is revised pursuant to the Corporate Transparency Act, it will require some level of beneficial ownership collection. That’s why it makes sense to start the process now.

Conducting look-throughs and evaluating future exposure. Foreign-located RIAs and ERAs with at least one U.S. investor in a foreign-located private fund need to start conducting look-throughs to ensure that any customers and investors in the foreign-located private funds they advise are within the scope of the rule. Foreign-located IAs that are not currently in scope will also need to determine whether their controls are adequate to identify whether such requirements could be triggered in the future.

Assessing broader risk and compliance concerns within current operating models. To avoid siloes and effectively integrate all risk and compliance considerations within their current operating model, IAs may need additional guidance from experts. At Guidehouse, our seasoned teams have decades of experience in the IA and securities industry—including former FinCEN leaders who have helped develop relevant AML/CFT rules—and advise clients on:

AML/CFT risk assessment, program design, execution, and management.

• Staffing assessment and target operating model design.
• AML/CFT sanctions training, assessment, and remediation.
• Know Your Customer risk profiling, risk appetite, and file remediation.
• Strategic planning, vendor sourcing, and governance.