Treasury proposes new anti-money laundering rule for investment advisers: Top points

On February 13, 2024, the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) announced a Notice of Proposed Rulemaking (NPRM). This would, for the first time, require SEC-Registered Investment Advisers (RIAs) and Exempt Reporting Advisers (ERAs) to create and implement risk-based anti-money laundering and countering the financing of terrorism (AML/CFT) programs, file suspicious activity reports (SARs) with FinCEN, and comply with certain other recordkeeping and notification rules.

The Proposed Rule is scheduled to be published February 15, 2024, in the Federal Register, with public comments due by April 14, 2024. The draft NPRM is available here.

Background

The Bank Secrecy Act (BSA) is intended to “prevent the laundering of money and the financing of terrorism through the establishment by financial institutions of reasonably designed risk-based programs to combat money laundering and the financing of terrorism.” 31 U.S.C. § 5311(2) (emphasis added). The BSA defines a financial institution to include securities brokers, dealers, investment bankers, and investment companies. However, in interpreting and applying the BSA, FinCEN has not included RIAs or ERAs within the definition for purposes of its rulemaking – until now.

Concurrent with the Proposed Rule (PR), FinCEN is withdrawing a 2015 proposed rule that would have applied AML program, SAR filing, and other AML/CFT requirements to RIAs.

Proposed rule overview

In a February 13, 2024 press briefing, Brian Nelson, Treasury Under Secretary for Terrorism and Financial Intelligence, discussed the need for AML/CFT regulation of investment advisers (IAs) to prevent money laundering and terrorism financing, noting that IAs are a key entry point to the US financial system, but are not currently subject to comprehensive regulations applicable to financial institutions under the BSA.

Nelson announced that, in parallel with the PR, Treasury published an Investment Adviser Risk Assessment (IA Risk Assessment) noting that IAs are responsible for overseeing the investment of tens of trillions of dollars into the US economy and providing examples of bad actors exploiting the sector, including sanctioned individuals, corrupt officials, tax evaders, and foreign adversaries who may “shop around” for IAs which do not have strong AML/CFT compliance programs.

The PR would add both RIAs and ERAs, but not State-registered IAs, to the list of businesses classified as financial institutions under FinCEN regulations interpreting the BSA. Non-US IAs may also be covered by the rule. Addressing this seemingly uneven playing field, Treasury noted that some IAs have already implemented AML/CFT programs either because they are dually registered, or in conjunction with a SIFMA No-Action Letter from 2018 that allowed financial institutions to rely on customer identification programs of IAs when onboarding new customers if the IA follows an AML/CFT program consistent with the BSA.

Nelson indicated that the rule is designed to minimize business burden and is risk-based, considering certain investments (such as mutual funds) where IAs are already regulated as financial institutions. Additionally, the rule will allow smaller advisers to adopt simpler policies and procedures, consistent with their organizational structures and a risk-based approach to compliance.

Treasury’s Investment Adviser Risk Assessment

In parallel with the PR, Treasury published an IA Risk Assessment – which was coordinated with staff from relevant Treasury offices and bureaus as well as the Federal Bureau of Investigation, the Department of Justice’s Criminal Division, and the Securities and Exchange Commission (SEC). The IA Risk Assessment further emphasizes the administration’s whole-of-government approach to combating money laundering and terrorist financing across industries.

The IA Risk Assessment highlights key risks and areas of vulnerability unique to IAs, including (among others):

• IAs becoming an entry point into the US market for illicit proceeds derived from foreign corruption, fraud, and tax evasion, including funds controlled by Russian oligarchs and/or their associates.
• IAs being used by foreign states (most notably China and Russia) to access certain technology and services with long-term national security implications through investments in early-stage companies. This is especially relevant to their advised funds, particularly venture capital funds.
• An unfair playing field that allows for bad actors to access the US financial system through IAs with weak or non-existent AML/CFT controls who do not inquire into their source of wealth, as a result of the current patchwork of disparate regulations.
• Segmented advisory business activities across intermediaries and national borders which may create information asymmetry: to the extent AML/CFT obligations apply, the regulated entities working with an IA may not have a direct relationship with the client or underlying fund investor.
• Certain preferred business practices promote the secrecy of client or investor identity and information, and the outsourcing of key compliance responsibilities.

Overview of NPRM

If the rule is adopted in its current form, IAs will need to (among other things):

1. Design and implement risk-based policies, procedures, and internal AML/CFT controls. These are designed to prevent money laundering, terrorist financing and other illicit finance activities. Practically, this means that FinCEN will expect IAs to ensure they have a tailored, risk-based AML program in place, as they do with broker-dealers and other entities viewed as “financial institutions” under the BSA. IAs will be expected to conduct a risk assessment to determine the risks presented by the different types of advisory services they provide, the types of accounts offered (managed accounts), the types of customers opening such accounts, the geographic location of such customers, and the sources of wealth for customer assets.
2. Periodically independently test for internal compliance and efficacy of the program. Testing can be done independently via the company’s internal audit function or by a qualified outside party.
3. Designate a person or persons responsible for implementing and monitoring the operations and internal controls of the AML/CFT Program. The person(s) should be knowledgeable and competent regarding AML/CFT requirements, the IAs policies, procedures, and controls, and the IAs money laundering, terrorist financing, and other illicit risks; must have full authority and responsibility to develop and implement the program; and must have established channels of communication with senior management.
4. Provide ongoing training for appropriate persons.
5. Conduct ongoing customer due diligence (CDD). This will require IAs to “perform effective [CDD] so that they understand who their customers are and what type of transactions they conduct” to monitor, identify, and, where appropriate, report suspicious activity, and on a risk-weighted basis maintain and update customer information.

Opportunity for comment

FinCEN’s PR will be published on February 15, 2024. IAs and other industry participants are invited to provide comments due by April 14, 2024. Key issues that will likely receive significant attention include:

• Whether the definition of an IA should apply to non-US IAs registered or required to register with the SEC or who report to the SEC on Form ADV. Importantly, FinCEN anticipates that the PR will apply to IAs located outside of the US, consistent with longstanding SEC practice and guidance interpreting registration requirements for IAs. Unless subject to an exemption, IAs located abroad generally must register with the SEC if they “make use of the mails or any means or instrumentality of interstate commerce in connection with [their] business as an [IA].”
• Whether ERAs should be excluded from the definition of IA under the rule and whether there are different risks associated with ERAs who advise private funds versus those that advise venture capital funds.
• Helping FinCEN understand the process and structures that IAs use for customers who wire funds and how IAs work with custodians to maintain separate accounts to manage customers’ funds for wire transfers.
• Whether specific services provided by IAs, such as advisory services that do not involve management of client assets or sub-advisory services, should be excluded from the PR’s coverage, and circumstances where using sub-advisers may present greater risk.
• Recognizing that AML/CTF obligations arise under the BSA when a financial institution establishes a customer relationship, whether and to what extent investors in funds are customers of an investment adviser advising the fund.

Key takeaways

The FinCEN PR would, for the first time, bring RIAs and ERAs within the BSA requirements, filling a gap Treasury has identified for illicit actors and illicit funds.

• The PR and IA Risk Assessments further demonstrate the administration’s whole-of-government approach to combatting money laundering and terrorist financing, including by malign actors and countries that could threaten both the US’s financial system and its national security.
• Together with the Corporate Transparency Act and relevant beneficial ownership reporting rules in December 2023, and the use of the USA PATRIOT Act to combat virtual asset “mixers” in October 2023, Treasury appears to be taking well-timed and aggressive steps to address vulnerabilities and blind spots in the current AML/CFT landscape.
• If the rule is adopted, the SEC will likely prioritize examination and investigative resources to identify potentially deficient compliance programs, as the SEC has recently done in the context of brokers’ AML-related obligations under Securities Exchange Act of 1934 Rule 17a-8.
• FinCEN acknowledges that the IAs that currently present the highest level of risk of money laundering and terrorist financing include (a) ERAs who advise private funds exempt from SEC registration, (b) RIAs who advise private funds, and (c) RIAs who are not dually registered as, or affiliated with, a broker-dealer (or is, or affiliated with, a bank). These are also the entities that may need to devote significant resources to building and implementing written, management-vetted, risk-based AML programs by the time the PR goes into effect.
• FinCEN appears to understand that many smaller IAs use fund administrators and other third-party compliance vendors to perform AML, customer onboarding, and sanctions screening functions (among others), and appears open to allowing such third parties to continue to provide these critical services, with appropriate diligence and oversight of such vendors. However, FinCEN will likely consider fund administrators, particularly those outside the US to present a higher risk profile and is therefore likely to monitor these providers closely, as will prudential financial regulators such as the Office of the Comptroller of the Currency, Federal Reserve, and the Federal Deposit Insurance Corporation where applicable.

While the PR is still under development, IAs should begin to consider whether they will be subject to the new rule if the NPRM passes in its current, or close to current form, and what steps they may need to take to come into compliance with FinCEN’s expectations. At a minimum, IAs may expect expanded recordkeeping and notification requirements and are advised to consider their ability to respond.

For more information, please contact any of the authors or a member of DLA Piper’s White Collar or Investment Funds practices.