FinCEN Imposes AML Program and SAR Filing Requirements on Investment Advisers

September 23, 2024

On August 28, 2024, the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) released a final rule (the “Final Rule”)[1] that will require most SEC-registered investment advisers (“RIAs”) and exempt reporting advisers (“ERAs”) to adopt anti-money laundering (“AML”) / countering the financing of terrorism (“CFT”) compliance programs pursuant to the Bank Secrecy Act (the “BSA”).

In a win for the industry, the Final Rule narrowed the scope of covered advisers and reduced compliance burdens for non-U.S.-based advisers compared to FinCEN’s notice of proposed rulemaking released on February 15, 2024 (the “Proposal”).[2]

The principal changes in the Final Rule as compared with the Proposal will (i) narrow the scope of investment advisers subject to the rule to exclude certain smaller RIAs, pension advisers and advisers that do not manage customer assets; (ii) limit the compliance obligations of “foreign-located investment advisers” to their U.S. activities and customers (i.e., advisory clients); (iii) eliminate the proposal to require an adviser’s AML officer be based in the United States; and (iv) exempt certain types of customer that are already subject to AML/CFT obligations.

Under the Final Rule, most RIAs and ERAs (together, “Covered Advisers”) will be subject to AML/CFT obligations similar to those applicable to banks and broker-dealers under the BSA, and directly subject to AML/CFT examination (and potential enforcement) by the SEC and FinCEN for the first time. FinCEN estimates that almost 20,000 investment advisers will be covered by the Final Rule, including many advisers that are located outside the United States but have registered (or file reports) with the SEC because they have U.S. advisory clients, U.S. investors or otherwise conduct advisory activities in the United States. Many of these advisers already have AML/CFT programs that can be conformed to the Final Rule with minimal to moderate effort, but others will be required to construct programs largely from scratch.

The compliance date for the Final Rule is January 1, 2026.

Background

The Final Rule represents a partial culmination of more than two decades of effort, during which FinCEN on several occasions proposed, and then withdrew, proposals to subject private funds or investment advisers[3] to AML/CFT obligations pursuant to the BSA.

To rebut the previously successful arguments against imposing AML/CFT obligations on investment advisers, concurrently with FinCEN’s release of the Proposal in February, the Treasury Department published a risk assessment (the “2024 Risk Assessment”) that marshalled findings to suggest that investment advisers, and the private fund industry in particular, are a point of vulnerability for illicit funds, fraud and unwanted foreign access to the U.S. financial system and markets that could threaten national security.[4]  The 2024 Risk Assessment was a principal source of findings that FinCEN used to support the Final Rule. In connection with its release, FinCEN highlighted the 2024 Risk Assessment’s findings of “numerous cases in which sanctioned persons, corrupt officials, fraudsters and other criminals have exploited the investment adviser industry to access the U.S. financial system and launder funds” and that foreign states, particularly China and Russia, “leverage investment advisers and their advised funds through investments in early-stage companies to access certain technologies and services with national security implications.”[5]

FinCEN estimates the Final Rule will cover approximately 14,000 RIAs and 6,000 ERAs that collectively manage a total of $119 trillion in assets and have 861,000 employees.

Material Changes from the Proposal           

  • The Final Rule adds exclusions to the scope of Covered Advisers, excluding RIAs that register with the SEC solely because they are mid-sized advisers, multi-state advisers or pension consultants, as well as RIAs that do not report any assets under management (“AUM”) on their Form ADVs. Consistent with the Proposal, foreign private advisers, state-registered investment advisers and family offices are also excluded because they are neither RIAs or ERAs.
  • For “foreign-located investment advisers” that have their principal office and place of business outside the United States, the requirements of the Final Rule only apply to advisory activities that take place within the United States (such as by U.S. personnel) or are provided to U.S. persons, or a non-U.S. domiciled private fund with U.S. investors.
  • A Covered Adviser can exclude certain customers (i.e., advisory clients)[6] from its obligations under the Final Rule. In addition to mutual funds that were excluded under the Proposal, the Final Rule excludes customers that are other investment advisers (e.g., in a subadvisory relationship) and bank- and trust company-sponsored collective investment funds, provided in each case that the customer is subject to an AML/CFT program requirement under FinCEN’s regulations.
  • The Final Rule eliminates the so-called “Duty Provision”, which would have required that the duty to establish, maintain and enforce an investment adviser’s AML/CFT program be the responsibility of persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary of Treasury and the appropriate Federal functional regulator, pending further consideration by FinCEN. For now, the Final Rule does not limit a Covered Adviser’s ability to locate its AML officer and compliance function outside the United States, although the Duty Provision is a statutory mandate so we expect FinCEN will eventually engage further on the issue.

Scope of Covered Advisers under the Final Rule

The Final Rule adds most RIAs and ERAs to the definition of “financial institution” subject to AML/CFT program obligations under the BSA and FinCEN’s implementing regulations. But certain categories of investment advisers are excluded from the scope of the Final Rule, including:

  • Mid-sized advisers: RIAs who have AUM between $25 million and $100 million and who register with the SEC because either: (i) they are not required to be registered as an adviser with the state securities authority in the state where they maintain their principal office and place of business; or (ii) they are not subject to examination as an adviser by the state in which they maintain their principal offices and places of business (such as New York);[7]
  • Multi-state advisers: RIAs who would otherwise be required to register in more than 15 states, but have less than $100 million in AUM, and can choose instead to register with the SEC;[8]
  • Pension consultants: RIAs who provide investment advice to (i) any employee benefit plan described in section 3(3) of the Employee Retirement Income Security Act of 1974 (“ERISA”), (ii) any governmental plan described in section 3(32) of ERISA or (iii) any church plan described in section 3(33) of ERISA;[9]
  • RIAs that do not manage customer assets: RIAs that report zero AUM on their Form ADVs, which include, for example, advisers engaged in nondiscretionary financial planning, such as fee-only advice, and publication of securities-related newsletters, model portfolios or research reports;
  • State-registered investment advisers: Advisers that are only registered with and supervised by one or more States, and do not register or file reports with the SEC;
  • Foreign private advisers: Non-U.S. advisers that rely on the “foreign private adviser” exemption from registration with the SEC because they (i) have no place of business in the United States, (ii) have fewer than 15 U.S. clients or 15 U.S. investors in private funds they advise, (iii) have less than $25 million in AUM attributable to such U.S. clients and investors and (iv) do not hold themselves out generally to the U.S. public as an investment adviser; [10] and
  • Family offices: Advisers that rely on the “family office” exclusion from the Advisers Act because they (i) have no clients other than family clients, (ii) are wholly owned by family clients and exclusively controlled by one or more family members and/or family entities and (iii) do not hold themselves out to the public as investment advisers.[11]

Foreign-Located Investment Advisers

For “foreign-located investment advisers”, defined as Covered Advisers whose principal office and place of business is outside the United States,[12] the Final Rule applies only to advisory activities that (i) take place within the United States, including through the involvement of the adviser’s U.S. personnel or (ii) provide advisory services to a U.S. person, including through a foreign-located private fund that has an investor who is a U.S. person.[13]

As used in the Final Rule, “U.S. personnel” means any director, officer, employee or agent of the adviser conducting advisory activities from a U.S. agency, branch or office of the investment adviser, regardless of citizenship. The term ‘‘agency, branch or office’’ of the RIA is not exclusive, and the Final Rule would apply to any location in the United States from which U.S. personnel of the foreign-located RIA adviser perform advisory activity, including, for example, if an employee manages assets of a customer from a U.S. office or other U.S. workplace of the investment adviser, or if the employee works remotely from the United States on a regular basis.[14]  Clerical and administrative activities conducted in the United States are not considered advisory activities.

FinCEN acknowledges that the Final Rule will require foreign-located investment advisers to determine whether any foreign private funds they advise have U.S. person investors. To simplify compliance, the Final Rule leverages existing SEC standards for identifying U.S. person investors. Private funds are defined by reference to the Advisers Act definition,[15] which in turn references funds that rely on Section 3(c)(1) or 3(c)(7) of the Investment Company Act of 1940 (the “40 Act”) to be exempt from registration as investment companies.[16] To identify U.S. person investors, FinCEN expects foreign-located investment advisers to apply the look-through rules the SEC has adopted under the 40 Act for legal entity investors that were “formed for the purpose” of investing in the private fund, or (for 3(c)(1) funds) own 10% or more of the voting securities of the private fund. FinCEN believes foreign-located investment advisers that advise private funds should be familiar with these standards, and emphasizes that it expects such advisers to (i) determine to the extent reasonable and practicable whether its customers and the investors in its private funds are within the scope of the Final Rule and (ii) ensure that it does not provide advisory services to its private fund customers in a manner that results in the adviser being unable to identify a potential U.S. customer or investor.[17]

Foreign-located investment advisers must maintain records demonstrating how they determined the scope of their activities that are subject to the Final Rule, and make these records and reports, along with the records and reports generally required under the Final Rule for in-scope activities, available to FinCEN and the SEC.

Exemptions for Certain Customers

The Final Rule permits a Covered Adviser to exclude from its compliance obligations advisory services provided to certain mutual funds, bank- and trust company-sponsored collective investment trusts and other investment advisers for which the Covered Adviser serves as subadvisor. For these customers, a Covered Advisor’s compliance obligations are deemed satisfied under the Final Rule so long as the advisory customer is itself subject to AML/CFT program obligations under the BSA. The Final Rule helpfully clarifies that the Covered Adviser will not be required to determine whether the customer in fact maintains a BSA-compliance AML/CFT program, which allows the exemption to be applied solely based on regulated status.

The preamble to the Final Rule notes that the subadvisory exemption may allow Covered Advisers to exclude wrap-fee programs, separately managed accounts or other advisory relationships so long as the customer is another investment adviser as defined in the Final Rule, and the Covered Adviser does not have a direct contractual relationship with the underlying customer of the other investment adviser. But the exemption does not extend to similar programs and structures sponsored by other BSA-regulated financial institutions like banks and broker-dealers.

Risk-Based AML/CFT Program

Under the Final Rule, Covered Advisers must develop and implement a written, risk-based AML/CFT program. The program must be approved in writing by the Covered Adviser’s board of directors or trustees, as applicable, or persons having similar functions (such as a general partner) if the Covered Adviser has no board.

If a Covered Adviser is dually registered as a bank or broker-dealer, or affiliated with an entity that is already subject to AML/CFT program requirements under the BSA, a single comprehensive or enterprise-wide program could be adopted to satisfy this requirement, rather than several standalone policies, so long as all relevant businesses and activities subject to BSA requirements are covered, and their particular risks are addressed.

The program should include, at a minimum, the following features the BSA requires of all financial institutions subject to AML/CFT program obligations:

  • Policies, procedures and internal controls reasonably designed to prevent the Covered Adviser from being used for money laundering or the financing of terrorist activities and to achieve and monitor compliance with applicable provisions of the BSA and FinCEN’s implementing regulations;
  • Periodic independent testing of the program by independent internal personnel (e.g., an audit function) or a qualified unaffiliated service provider;
  • Designation of an AML compliance officer or committee (which could be the Covered Adviser’s Chief Compliance Officer or another person or committee);
  • An ongoing employee training program; and
  • Implementation of appropriate risk-based procedures for conducting ongoing customer due diligence, including:
    • Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
    • Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.

The Final Rule does not include the specific requirements to maintain a customer identification program (“CIP”) or identify beneficial owners of legal entity customers (the “CDD Rule”) that many other BSA-regulated financial institutions, such as banks and broker-dealers, must satisfy today, because these requirements have been deferred pending other rulemakings.

The CIP requirement is the subject of a separate notice of proposed rulemaking, released jointly by FinCEN and the SEC on May 12, 2024 (the “CIP Proposal”).[18] FinCEN has indicated that it is working with the SEC to finalize the CIP Proposal and intends for it to have the same compliance date as the Final Rule. FinCEN has indicated it will not require Covered Advisers to comply with the CDD Rule until that rule has been revised as required under the Corporate Transparency Act,[19] and FinCEN has not yet proposed any revisions to the CDD Rule.

In July, FinCEN released a notice of proposed rulemaking that would amend the AML/CFT program rules applicable to other financial institutions under the BSA (the “July Proposal”).[20] The July Proposal would formalize the requirement for financial institutions to conduct AML/CFT risk assessments that are then incorporated into the design of their AML/CFT programs, and make other, mostly technical changes, including certain changes required by the AML Act of 2020. The July Proposal does not address how it might apply to Covered Advisers, and the Final Rule notes that if FinCEN were to amend generally applicable AML/CFT program requirements, pursuant to the July Proposal or otherwise, it would consider the specific attributes of investment advisers when deciding whether and how to apply such requirements to investment advisers.[21]

Covered Advisers should continue to monitor FinCEN rulemaking activity, including the CIP Proposal, the July Proposal, and any upcoming CDD Rule revisions, to understand how those rulemakings may affect the design of and expectations for their AML/CFT Programs.

Location and Delegation of AML/CFT Compliance Function

FinCEN has determined not to include the “Duty Provision” from the Proposal in the Final Rule. The Duty Provision would have required that the duty to establish, maintain and enforce a Covered Adviser’s AML/CFT program remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary of the Treasury and the appropriate Federal functional regulators. This requirement was added to the BSA as part of the AML Act of 2020, and applies broadly to all financial institutions subject to AML/CFT program requirements under the BSA.[22] The preamble to the Final Rule explains that FinCEN has deferred implementing this requirement pending further consideration and the assessment of comments on the July Proposal to update FinCEN’s AML/CFT program rules applicable to other financial institutions. For now, the Final Rule does not limit a Covered Adviser’s ability to locate its AML officer and compliance function outside the United States, but we expect that FinCEN will eventually engage further on the issue as a result of the statutory mandate.

Covered Advisers will be permitted to delegate contractually the implementation and operation of certain aspects of their AML/CFT program to a third-party provider (including a fund administrator). The Covered Adviser would remain fully responsible and legally liable for the program’s compliance with the Final Rule, including the need to identify and document procedures that address the Covered Adviser’s AML/CFT vulnerabilities, and FinCEN would expect the Covered Adviser to ensure that FinCEN and the SEC are able to obtain information and records relating to the program and undertake reasonable steps to assess whether the third party would carry out such procedures effectively.[23]

SAR Filing Requirements

The Final Rule adopts the SAR filing requirements from the Proposal largely unchanged, and they generally track those applicable to other financial institutions under the BSA. Covered Advisers would be required to file a SAR for any transaction meeting the following criteria:

  • The transaction is “conducted or attempted by, at or through” the Covered Adviser;
  • The transaction involves or aggregates funds or other assets of at least $5,000; and
  • The Covered Adviser knows, suspects or has reason to suspect that the transaction:
    • Involves funds derived from illegal activity or is intended or conducted to hide or disguise funds or assets derived from illegal activity;
    • Is designed, whether through structuring or other means, to evade BSA requirements;
    • Has no business or apparent lawful purpose and no reasonable explanation for the transaction is available after examining the available facts; or
    • Uses the Covered Adviser to facilitate criminal activity.

In most circumstances, a SAR must be filed within 30 calendar days after the initial detection of facts that may constitute the basis for filing a SAR, and supporting documentation relating to each SAR must be collected, maintained and made available upon request to FinCEN and other law enforcement agencies. Other relevant features, which are unchanged from the Proposal, include:

  • A requirement to immediately notify law enforcement where a situation involves a violation of law that requires immediate attention, such as suspected terrorist financing or ongoing money laundering schemes.
  • Provisions for voluntary SAR notifications, which are both permitted and encouraged with respect transactions that do not meet the mandatory filing criteria if the Covered Adviser believes the transaction to be relevant to a possible violation of any law or regulation.
  • Provisions for coordinating a “joint” SAR filing when more than one financial institution subject to a SAR rule is involved in a transaction.
  • A safe harbor from civil liability for financial institutions that file SARs, which protects SAR filers and their employees, officers, directors and agents, from civil liability that might otherwise arise from the filing of a SAR or from any failure to provide notice of such disclosure to the person who is the subject of or identified in the SAR under any U.S. or state law or regulation or contract or other legally enforceable agreement.
  • Strict prohibitions on disclosure of a SAR, or of information that would reveal the existence of a SAR, by a Covered Adviser or any employee, officer, director or agent thereof, subject to limited exceptions for disclosing information:
    • To FinCEN or other law enforcement agencies or to the SEC,
    • To other financial institutions, but only for the purposes of preparing a joint SAR (see above), and
    • Within an investment adviser’s corporate organizational structure for purposes consistent with the BSA as determined by regulation or in regulatory guidance.

In response to comments, the preamble to the Final Rule provides some examples where it might be appropriate for a Covered Adviser to file a SAR, including, e.g., fraud, attempts to engage in placement or layering of illicit funds (e.g., through wire transfers from multiple accounts in different institutions or jurisdictions) or suggestions that a customer is acting as a proxy for an undeclared third party. In one notable example, FinCEN suggests that an adviser to a private venture capital fund could file a SAR if an investor in the fund requests access to detailed non-public technical information about a portfolio company that is inconsistent with a professed focus on economic return, as a potential case of illicit technology transfer in violations of sanctions or export control laws.[24]

Other BSA Compliance Obligations

The Final Rule requires Covered Advisers to comply with other regulatory requirements generally applicable to financial institutions under the BSA, including:

  • The requirement to file a Currency Transaction Report, or CTR, for a transaction involving a transfer of more than $10,000 in currency (which would replace the Covered Adviser’s current Form 8300 filing requirement for cash receipts in excess of $10,000);
  • The requirements to obtain and retain certain information with respect to “transmittals of funds” that equal or exceed $3,000 and to ensure that certain information “travels” to other financial institutions along with such transmittals (the so-called “Recordkeeping Rule” and “Travel Rule”);
  • The requirement, with respect to amounts exceeding $10,000, to create and retain records for extensions of credit and cross-border transfers of currency, monetary instruments, checks, investment securities and credit;
  • Special information sharing procedures established under Sections 314(a) and (b) of the USA PATRIOT Act that require financial institutions to search their records to determine whether they have maintained an account or conducted a transaction with a person that law enforcement has certified is suspected of engaging in terrorist activity or money laundering and that provide protection from civil liability for financial institutions that share otherwise confidential information with each other for purposes of facilitating BSA compliance;
  • Special due diligence requirements for correspondent accounts maintained for foreign financial institutions and private banking accounts for non-U.S. persons (with investment advisory relationships added to the definition of “correspondent account”); and
  • Special measures to combat money laundering issued by FinCEN pursuant to Section 311 of the USA PATRIOT Act, Section 9714(a) of the Combatting Russian Money Laundering Act or Section 7213A of the Fentanyl Sanctions Act.

Examination and Enforcement Authority

Under the Final Rule, FinCEN delegates its examination authority to the SEC, and we expect that most AML/CFT examination activities will be conducted by the SEC’s Division of Examinations, either as part of an Advisers Act exam or as a stand-alone AML/CFT exam. Covered Advisers’ AML/CFT programs will also remain subject to inspection directly by FinCEN, however, and FinCEN will retain overall authority for enforcement and compliance, including coordination and direction of procedures and activities of the SEC and other agencies exercising delegated authority.

FinCEN has the authority to impose civil penalties on Covered Advisers for willful violations of the BSA and its regulations, and in exceptional cases, can refer willful violations to the Department of Justice for potential criminal penalties. The SEC can also bring civil enforcement actions for violations that separately constitute a violation of Advisers Act requirements, such as the anti-fraud rules, fiduciary duties or recordkeeping rules.

Compliance Date

Covered Advisers must be in compliance with the Final Rule on or before January 1, 2026, including developing and implementing an AML/CFT program that satisfies the requirements under the Final Rule.

[1] 89 Fed. Reg. 72,156 (Sep. 4, 2024), available here.

[2] 89 Fed. Reg. 12,108 (Feb. 15, 2024), available here, and described in our Alert Memorandum here.  

[3] See 67 Fed. Reg. 60,617 (Sept. 26, 2002) (proposed private fund rule), available here; 68 Fed. Reg. 23,646 (May 5, 2003) (proposed investment adviser rule), available here; 80 Fed. Reg. 52,680 (Sept. 1, 2015) (proposed investment adviser rule), available here.

[4] See U.S. Dep’t of Treasury, 2024 Investment Adviser Risk Assessment (Feb. 2024), available here.  Our Alert Memorandum on the Proposal (here) also describes key features and findings in the 2024 Risk Assessment.

[5] See FinCEN, Fact Sheet: FinCEN Issues Final Rule to Combat Illicit Finance and National Security Threats in the Investment Adviser Sector (Aug. 28 2024), available here.

[6] The BSA and FinCEN typically refer to the customers of a financial institution, and the Final Rule uses the term “customers” for those natural and legal persons who enter into an advisory relationship with Covered Adviser, despite the fact that the Advisers Act and its implementing regulations primarily use the term “clients.”  This Alert Memorandum adopts FinCEN’s terminology and refers to customers of a Covered Adviser, except where referring to specific provisions of the Advisers Act.

[7] See 15 U.S.C. § 80b–3a(a)(2).

[8] See 17 C.F.R. § 275.203A–2(d).

[9] See 17 C.F.R. § 275.203A–2(a)(2).

[10] See 15 U.S.C.§ 80b-2(a)(3); 17 C.F.R. § 275.202(a)(30)-1.

[11] See 17 C.F.R. § 275.202(a)(11)(G)–1.

[12] FinCEN adopts the definition of “principal office and place of business” the SEC uses under the Advisers Act, to mean the “executive office of the investment adviser from which the officers, partners or managers of the investment adviser direct, control and coordinate the activities of the investment adviser,” and notes that RIAs and ERAs are required to identify their principal office and place of business on Form ADV. 89 Fed. Reg. at72,172; 17 C.F.R. § 275.222-1(b). 

[13] The Final Rule adopts the definition of U.S. person in the SEC’s Regulation S, 17 C.F.R. § 230.902(k).

[14] 89 Fed. Reg. at72,172.

[15] 15 USC § 80b-2(a)(29).

[16] Section 3(c)(1) of the 40 Act, 15 U.S.C. § 80a-3(c)(1), excludes from the definition of investment company a privately offered issuer having fewer than 100 beneficial owners. Section 3(c)(7), 15 U.S.C. § 80a-3(c)(7), excludes from the definition of investment company a privately offered issuer the securities of which are owned exclusively by “qualified purchasers” (generally, persons and entities owning investments whose value exceeds a specified threshold).

[17] 89 Fed. Reg. at 72,175.

[18] 89 Fed. Reg. 44,571 (May 21, 2024), available hereSee also our Alert Memorandum on the CIP Proposal here.

[19] 31 U.S.C. § 5336, enacted as part of the Anti-Money Laundering Act of 2020, Pub. L. 116-283, 134 Stat. 3388 §§ 6001-6511 (2020) (the “AML Act of 2020”).

[20] 89 Fed. Reg. 55,428 (July 3, 2024), available here.

[21] See 89 Fed. Reg. at 72,167.

[22] 31 U.S.C. § 5318(h)(5).

[23] 89 Fed. Reg. at 72,187-88.

[24] 89 Fed. Reg at 72,200.