This past February saw the US Treasury’s Financial Crimes Enforcement Network (FinCEN) issue a proposal of new rulemaking that could significantly reshape Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) obligations for Registered Investment Advisers (RIAs) and similar entities. This action would expand the Bank Secrecy Act's reach, bringing new compliance requirements to your doorstep. We dissect the potential implications for advisors and institutions, offering a roadmap for navigating these changes, and ensuring early preparedness.
We should not be surprised that FinCEN is acting now to plug the gaps in the Bank Secrecy Act (BSA). Bad actors are constantly adapting their methods to exploit AML and CFT vulnerabilities, while the rise of innovative financial technologies is creating new opportunities for money laundering or terrorist financing.
FinCEN is now proposing to apply certain AML/CFT requirements to some investment advisers who presently do not fall within the Bank Secrecy Act’s (BSA) definition of a ‘financial institution’ – and so are not required, at either the state or federal level, to maintain AML/CFT programs or records under the BSA.
While some larger RIAs, who are part of financial institutions – such as broker-dealers or banks – have created BSA compliance programs, many private equity, hedge, and other fund vehicles are not obliged to comply with the BSA. As a result, as FinCEN notes, “thousands of investment advisers overseeing the investment of tens of trillions of dollars into the U.S. economy currently operate without legally binding AML/CFT obligations”.1
RIAs will be defined as ‘Financial Institutions’. In doing so, FinCEN will extend BSA/AML compliance obligations to all RIAs. Critically this also applies to RIAs located outside the U.S. Obligations include:
i. Designation of a BSA/AML Officer.
ii. BSA/AML training for all employees.
iii. Independent periodic testing of the BSA/AML compliance program.
iv. Recordkeeping and reporting: mandatory reporting of transactions that exceed $10,000; requirement to keep records for funds transmittals over $3,000.
v. Suspicious Activity Reporting (SARs): RIAs will now be required by law to flag suspicious activity exceeding $5,000 in the aggregate to law enforcement within 30 days of detection. This marks a significant expansion, and includes the creation of new compliance program requirements for RIAs. For example, the enhanced monitoring of wire transfers and trading activity, including wire source and destination as well as potential insider trading and other market abuses. The aim is to identify and report instances of suspicious activity and cooperate with FinCEN.
No customer due diligence requirements. Surprisingly, the proposed rule does not extend CDD requirements to RIAs. In the future, new requirements specific to RIAs will be proposed, and these are expected to include the identification and verification of natural persons of corporate clients.
Whatever the final shape of the rules and associated compliance timeline, this change will likely be an expensive process. Establishing a BSA/AML program requires the implementation of recordkeeping, reporting, and training programs, adding to the costs of existing compliance regimes.
But whichever way you frame it, the proposed requirements are onerous, and one size will not fit all. Most ‘reasonably designed’ BSA/AML compliance programs will require considerable time and money to address risks associated with LPs, products and services, and geographies. Funds backed by foreign investments will require a completely different program than those with a purely US domestic focus. As a result, the term ‘reasonably designed’ can mean different things to different RIAs based on their risk profile.
In addition, the lead time to hire and train qualified compliance staff may be challenging. BSA compliance programs also require new onboarding processes, ongoing monitoring, and additional reporting. Advisers with many LPs, or higher-risk LPs, will accordingly need to invest significant extra time and effort to conduct due diligence on both potential and existing investors, and to monitor transactions. They must also ensure that customer data is accurate, taking into account internal investigations, negative news, and other issues.
The most recent attempts to include RIAs as Financial Institutions, may be met with some level of scepticism given that similar attempts have been made by previous administrations. Many RIAs will likely wait until the rule is finalized to take any further actions; however, some steps an RIA can consider early include:
While we await the deadline for public comments to close on April 15, 2024, and for the subsequent publication of final rules and a timeline for compliance, RIAs should prepare for heightened supervisory scrutiny and ensure that their AML/CFT compliance programs are sufficient to endure regulatory examinations and heightened expectations. While a significant investment in people and technology may be necessary, starting today will optimize resource utilization and expedite compliance. Above all, it will protect institutions from longer term penalties, prosecutions, and reputational damage.