FinCEN extends AML obligations to investment advisers

Viewpoints
September 18, 2024

On 28 August, the U.S. took a small step towards closer alignment with the anti-money laundering (AML) regimes of the UK and the EU when the Financial Crimes Enforcement Network (FinCEN) issued a new rule (Final Rule), which effectively extends certain AML compliance obligations to:

  • Registered investment advisers (RIAs) (including ‘foreign-located investment advisers’) registered with the Securities and Exchange Commission (SEC); and
  • Investment advisers that report to the SEC as exempt reporting advisers (ERAs).

We have covered the details of the Final Rule in an earlier Alert, but, in a nutshell:

  • The U.S. Bank Secrecy Act (BSA), the principal federal statute governing AML requirements for financial institutions in the U.S., requires firms falling within the definition of “financial institution” to establish and maintain AML compliance programs with several minimum/mandatory features (the 'BSA AML Obligations'). The Final Rule amended the BSA by expanding the definition of “financial institution” to include RIAs and ERAs (subject to limited exceptions), which will now be subject to the BSA AML Obligations from 1 January 2026. 
  • The UK’s Money Laundering Regulations 2017 (as amended, the ‘MLRs’) and the EU’s money laundering legislation (comprising regulations and directives) similarly apply to “financial institutions” (in addition to other categories of firms), but the UK and EU definitions of that term have always been decidedly different to that of the U.S. Notably, the UK and EU definitions have long included investment advisers, whereas – until the Final Rule – the BSA did not. 

How do the U.S. BSA AML Obligations compare with those of the UK and EU regimes?

Although the BSA AML Obligations include general features and elements that are broadly similar to several of those in the UK and EU regimes, there are some key areas of divergence, and RIAs/ERAs with multinational operations will need to navigate these cautiously. By way of example:

Similar features

Key areas of distinction

Internal policies, procedures, and controls designed to prevent the firm from being used for money laundering, terrorist financing, or other illicit finance activities.

CDD: The UK MLRs largely mirror the EU AML requirements for CDD, and effectively create a three-tiered approach to CDD (i.e. simplified, standard, and enhanced CDD). The level of CDD required (and thus the nature and extent of the information required) is determined by reference to risk factors set out in the legislation.

The BSA has a more limited approach to CDD. For example, the BSA/Final Rule does not require RIAs/ERAs to:

  • establish customer identification programs (CIPs) that include risk-based procedures for identifying and verifying the identities of customers; or
  • identify and verify the beneficial ownership of legal entity customers.

These requirements are the subject of separate, in-progress rulemaking processes. For more information, please see our Alert on FinCEN’s proposed customer identification program rule.

In general terms, the BSA requires RIAs/ERAs to gather sufficient information on customers and transactions to apply a risk profile that can function as a baseline against which to make SAR-related decisions.

Designation of one or more AML compliance officers.
Independent testing/auditing of the AML program’s effectiveness (internally or by a qualified external adviser).
Ongoing AML training for relevant personnel.

Risk-based procedures for customer due diligence (CDD). 

CDD outsourcing: Optional reliance on/delegation to third parties for CDD purposes, albeit that responsibility remains with the firm.

Reporting requirements

Reporting: The BSA requires suspicious activity reports (SARs) for certain specific types of transactions “conducted or attempted by, at, or through” the RIA/ERA, and excludes non-advisory services provided to clients. This makes the reporting requirement much narrower than those of the UK and EU AML regimes, which require SARs when a firm knows, suspects, or has reasonable grounds to suspect that a transaction may be linked to money laundering/terrorist financing.

Record-keeping requirements

Data privacy: In the EU, data privacy is a fundamental right, and the collection, processing, and transfer of personal data is protected and regulated by the strict requirements of the EU’s General Data Protection Regulation (EU GDPR). 

The UK incorporated the EU GDPR into domestic law (known as the ‘UK GDPR’) ahead of Brexit. The U.S. has no federal equivalent to the EU/UK GDPR and a variety of sectoral and state privacy laws apply instead. Compliance with applicable data privacy/data protection regulation is a critical and typically complicated aspect of any AML compliance program.

Key takeaways

Compliance deadline:

1 January 2026

What you should consider:

  • For RIAs/ERAs with no existing AML program: 
    • Develop and implement an AML program to meet the BSA AML Obligations; and
    • Ensure that such an AML program is specifically tailored to the AML risks identified in its business and operations.
  • For RIAs/ERAs with existing, voluntarily established AML programs: 
    • Review and update the AML program, to ensure that it meets the strict requirements of the BSA AML Obligations.
  • For RIAs/ERAs operating in multiple jurisdictions, who already have group-wide AML compliance programs in place to meet demands outside of the U.S.:
    • Ensure that any changes made for the purposes of complying with the BSA AML Obligations will not cut across or cause non-compliance with any aspects of the other AML regimes to which they are subject. This will require complex analysis of the nuances and differences in the detailed requirements in each jurisdiction. 

The Final Rule will necessitate change and require careful consideration and planning. RIAs/ERAs have been given a long lead time for this purpose. While the changes may be somewhat easier to implement for global RIAs/ERAs who already have UK or EU AML policies in place, it is advisable to use the time wisely. Prudent RIAs/ERAs will want to take stock of what the Final Rule means, its impact in the very specific context of their businesses and any existing AML program, and work through how any planned changes may play out in the years to come, rather than rushing to make quick changes that may be costly to adjust or countermand later. 
