Following up on its Notice of Proposed Rulemaking (“NPR”), which we discussed back in March, the Financial Crimes Enforcement Network (FinCEN) released on August 28th a final rule extending Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) requirements to certain investment advisers (Final Rule).
The Final Rule adds “investment adviser” to the definition of “financial institution” at 31 C.F.R. 1010.100(t). The Final Rule applies to registered investment advisers (RIAs), and investment advisers (IAs) that report information to the Securities Exchange Commission (SEC) as exempt reporting advisers (ERAs), subject to certain exceptions. IAs generally must register with the SEC if they have over $110 million in assets under management (AUM). ERAs are investment advisers that (1) advise only private funds and have less than $150 million in AUM in the United States or (2) advise only venture capital funds.
The Final Rule requires certain IAs to: (1) develop and maintain an AML/CFT compliance program; (2) file Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs); (3) comply with the Recordkeeping and Travel Rules; (4) respond to Section 314(a) requests; and (5) implement special due diligence measures for correspondent and private banking accounts.
FinCEN released a Fact Sheet in conjunction with the Final Rule, which becomes effective January 1, 2026.
Background
Earlier this year, FinCEN issued a separate Notice of Proposed Rulemaking (AML/CFT NPRM) proposing to amend the definition of “financial institution” to include IAs. Separately, FinCEN and the Securities Exchange Commission (SEC) issued a joint notice of proposed rulemaking (CIP NPRM) that would require RIAs and ERAs to establish a CIP program.
Prior to this Final Rule, there were no Federal or State regulations requiring IAs to maintain AML/CFT programs, including a CIP program or records under the Bank Secrecy Act (BSA), although some IAs did in specific circumstances such as if they were also licensed as banks (or were bank subsidiaries), registered as broker-dealers, or advised mutual funds. FinCEN highlighted that, although the obligations for banks, broker-dealers and other financial institutions can assist in detecting illicit activity, these entities do not directly interact with the adviser’s customers and may not be in the best position to obtain information such as source of wealth and investment objectives to better understand the financial trail and purpose of a given transaction.
FinCEN reiterated the illicit finance and national security risks posed by the IAs. FinCEN acknowledged the fact that some private fund advisers already perform sanctions and politically exposed person (PEP) screening; however, because advisers are not subject to consistent AML/CFT supervision, these measures are not applied consistently and deficiencies may not be identified or remediated. FinCEN noted the risks associated with venture capital funds and that the threat of misuse is not only related to laundering illicit proceeds but also the illicit technology transfer through investments in portfolio companies.
Definition of “Financial Institution” and “Investment Adviser”
While the BSA includes a list of enumerated “financial institutions,” it also provides FinCEN with the authority to add entities that, in FinCEN’s view, are engaged in “an activity similar to, related to, or a substitute for any activity,” in which any of the BSA enumerated financial institutions are authorized to engage. FinCEN has determined that IAs meet that standard highlighting, for instance, how IAs “work closely with financial institutions when they direct broker-dealers to purchase or sell client securities, and therefore engage in activities that are closely related to the activities of covered financial institutions.” FinCEN notes that custody of or directly holding customers’ funds is not a prerequisite for being included in the definition of “financial institution.”
In response to comments, FinCEN finalized a slightly amended definition of “investment adviser” from that proposed in the IA NPRM to exempt certain types of RIAs. Specifically, RIAs that are registered with the SEC on one or more of the following basis (and that have no other basis for registration) are exempt from the definition of “investment adviser”:
(1) Mid-Sized Advisers;
(2) Multi-State Advisers;
(3) Pension Consultants; and
(4) RIAs that do not report any AUM on Form ADV.
FinCEN indicates that these RIAs pose lower risks and are less vulnerable to misuse for illicit purposes. The Final Rule provides the following example: an RIA that (1) has an AUM of more than $110 million and registered as a “large advisory firm” on the Form ADV; and (2) is required to register with more than 15 states is not exempt.
The Final Rule notes that State-registered advisors are lower risk for money laundering and illicit finance and are not required to comply with the rule at this time; however, FinCEN cautioned that it will continue to monitor activity of state-registered advisers and will consider “regulatory measures if appropriate.”
The Final Rule includes ERAs in the definition of “investment adviser” as proposed. FinCEN noted that ERAs pose higher risks of illicit finance as they solely advise either private funds or venture capital funds. Moreover, private funds are more likely to be based in jurisdictions with weaker and less effective AML/CFT controls, making it more difficult for the ERA to assess risks and prevent abuse. FinCEN intends to work with the SEC so that examinations of ERAs for compliance with the Final Rule takes into account the risk-based nature of AML/CFT programs.
Lastly, the definition of “investment adviser” applies to foreign-located IAs that are registered or required to register with the SEC or that file reports with the SEC on Form ADV. FinCEN clarified the scope of the Final Rule applies to foreign-located investment advisers only with respect to advisory activities that (1) take place in the U.S., including through involvement of U.S. personnel of the investment adviser, such as involvement of an agency, branch, or office within the United States; or (2) provide advisory services to a U.S. person or a foreign-located private fund with an investor that is a U.S. person. In other words, the foreign-located IA’s activities must have a U.S. nexus. The Final Rule adopts SEC definitions and standards for identifying U.S. investors in foreign-located private funds. The Final Rule notes that “de minimis” ties to the U.S. do not automatically make a foreign-located investment adviser subject to the rule.
Recordkeeping and Travel Rule/CTRs
The Recordkeeping and Travel Rule applies to transmittals of funds equal to or in excess of $3,000. RIAs and ERAs must obtain and retain, along with other information, the name and address of the transmittor and the transaction. IAs will be treated in the same manner as other financial institutions subject to the Recordkeeping and Travel Rules. The Final Rule provides additional guidance in connection with the information that must be collected to comply. For example, where an advisor’s customer has a direct account relationship with a qualified custodian that is subject to AML/CFT requirements, such as a bank or broker-dealer, the adviser would generally not be required to comply with the requirements of the Recordkeeping and Travel Rules. In this example, the qualified custodian would have the obligation to comply with the Recordkeeping and Travel Rules as the entity that received the instruction and transmitted the funds.
Currently, IAs are required to file Form 8300 for the receipt of $10,000 in cash and certain negotiable instruments in the course of business. IAs are now subject to CTR requirements, which replaces the requirement to file Form 8300.
Minimum Program Requirements
In general, RIAs and ERAs must implement a risk-based, written AML/CFT program, which must include the following at a minimum: the development of internal policies, procedures, and controls; the designation of a compliance officer; an ongoing employee training program; and an independent audit function to test programs. FinCEN reiterates that an AML/CFT program is risk-based and must be reasonably designed to prevent the IA from being used for money laundering, terrorist financing, or other illicit finance activities.
The AML/CFT program must be approved by the IA’s board of directors or trustee. If the IA does not have a board, the AML/CFT program must be approved by its sole proprietor, general partner, trustee, or other persons that have functions similar to a board of directors.
An exception exists for mutual funds, as they have their own AML/CFT program requirements. IAs may choose to include mutual funds it advises in their AML/CFT program. There is no duty on the part of the IA to verify that the mutual fund has implemented an AML/CFT program. The Final Rule also expands this exception to collective investment funds sponsored by a bank or trust company subject to the BSA. The Final Rule adopts the term “collective investment funds” by reference to the Office of the Comptroller of the Currency regulations (see 12 C.F.R. § 9.18). The exclusion may extend to collective investment funds formed pursuant to state law or regulation, so long as those laws incorporate the requirements of 12 C.F.R. § 9.18.
The Final Rule also permits an IA to exclude from their AML/CFT program any “investment adviser that is advised by the adviser and that is subject to this rule.” FinCEN previously requested comments on whether specific services should be included or excluded. Ultimately, FinCEN determined that permitting IAs to exclude certain advisory customers versus advisory services struck the appropriate balance avoiding unnecessary duplication and limiting illicit finance risk. Therefore, an IA may be able to exclude wrap-fee programs, separately managed accounts, or other advisory relationships if the customer is another IA and the adviser does not have a direct contractual relationship with the underlying customer of the IA. Similarly, an IA may be able to exclude subadvisers with a direct contractual relationship with the primary adviser and not the underlying customer of the primary adviser.
However, these exclusions are not available where the advisory customer is a BSA-defined financial institution, such as a bank or broker-dealer. In addition, the Final Rule notes that RIAs that both manage client assets and provide other advisory services that do not involve management of assets may not exclude the “non-management” services.
IAs that are also registered as broker-dealers or banks are subject to the Final Rule and must ensure that a comprehensive AML/CFT program covers all of the IAs relevant activities. IAs that are affiliated with or a subsidiary of, another entity required to establish an AML/CFT program are not required to implement separate compliance programs. A single AML/CFT program may extend to all affiliated entities subject to the BSA.
We note that the Final Rule does not incorporate FinCEN’s proposed changes as set forth in proposed rulemaking aimed at strengthening and modernizing AML/CFT programs (the “Modernization NPRM”). We blogged on the Modernization NPRM here. The Modernization NPRM would require all “financial institutions” to implement a risk assessment as part of an effective, risk-based, and reasonably designed AML/CFT program. Once the Modernization NPRM is finalized, IAs, as an enumerated “financial institution,” must also implement a risk assessment as part of their overall AML/CFT program.
CDD, CIP, and Ongoing Monitoring
An IA will be included in the definition of “covered financial institution” for purposes of the Customer Due Diligence (CDD) Rule. As indicated in the IA NPRM, FinCEN must implement provisions of the Corporate Transparency Act (CTA) which will revise the current CDD Rule. In addition, FinCEN and the SEC will issue a final CIP rulemaking.
IAs must implement risk-based procedures to conduct ongoing monitoring to identify and report suspicious activity. Thus, IAs must file timely SARs for suspicious activity that involves or aggregates at least $5,000. This includes transactions conducted or attempted by, at, or through an IA. In addition, filing a SAR does not relieve an IA from responsibility for complying with any other reporting requirements that may be imposed by the Advisers Act or other Federal Securities laws. The duty to update customer information will generally be triggered only when the IA becomes aware of relevant information.
FinCEN will delegate examination authority to the SEC and will not publish an examination manual.
Compliance Dates
The Final Rule provides a longer implementation period than proposed. The Final Rule becomes effective January 1, 2026. Thus, IAs must have an AML/CFT program in place on or before January 1, 2026 and be able to comply with CTR and SAR filing requirements upon the effective date. IAs subject to the Final Rule should keep an eye out for the forthcoming joint final rulemaking regarding CIP.
