As we all know on August 28, 2024, FinCEN issued a final rule which added RIAs, ERAs, and private funds to the definition of financial institution, thus mandating that those firms implement an AML program.
This rule, officially named the Financial Crimes Enforcement Network: Anti-Money Laundering/Countering the Financing of Terrorism Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers (referred to as the AML/CFT Rule in this blog), has resulted in countless questions and concerns from the industry.
And as the January 2026 deadline continues to creep closer, many firms are looking for answers.
During a recent webinar, our audience was able to hear from our in-house AML experts, asking their critical questions regarding the rule, its requirements, and more.
In this blog, we’ll share some of those questions and the answers from our experts.
The FinCEN AML/CFT Rule: Questions and Answers
Given the current regulatory landscape and the new executive administration, what is the likelihood that the FinCEN rule will be delayed, rescinded, or unwound before January 2026, especially considering the SEC’s delay in finalizing the CIP rule and other rules being re-evaluated?
Currently, we do not anticipate material changes to the AML/CFT Rule, including changes to timelines and implementation. We believe more information on the proposed CIP rule will become available following the confirmation of the new SEC Chairman.
Given the scope of requirements under the new FinCEN AML/CFT Rule, firms should be actively assessing their programs and beginning to make the necessary adjustments.
Are there any exemptions to whom this rule applies to?
The final rule adds “investment adviser” to the definition of “financial institution” under the BSA’s implementing regulations, and, with certain exclusions noted below, defines “investment advisers” as:
- investment advisers registered with or required to register with the SEC, also known as registered investment advisers (RIAs), and
- investment advisers that report information to the SEC as exempt reporting advisers (ERAs).
This means that RIAs properly registered at the state level (rather than with the SEC) are not included. Moreover, the final rule also narrowed the definition of “investment adviser” to exclude investment advisers (“excluded advisers”) that register with the SEC solely because the firm is a:
- Mid-Sized Adviser – RIA with between $25 million and $100 million in regulatory assets under management (AUM) that is neither (i) required to register as an adviser with, nor (ii) subject to an examination as an adviser by, the state where the firm maintains its principal place of business. This is focused mainly on SEC RIAs headquartered in New York (with less than $100 million AUM.
- Multi-State Adviser – RIA with less than $100 million AUM that is registered with the SEC solely because it would otherwise be required register as an RIA in at least 15 states.
- Pension Consultant – RIA that provided investment advice to employee benefit plans, governmental plans, or church plans under the Employee Retirement Income Security Act of 1974 with respect to assets having an aggregate value of $200 million or more during the prior year provides investment.
- No-AUM Adviser – RIA that does not have any AUM to report on Form ADV.
Additionally, because mutual funds were generally already subject to AML/CFT program obligations under the Bank Secrecy Act, the final rule does not impose new AML/CFT requirements for mutual funds. Bank and trust company-sponsored collective investment funds are also excluded from the new requirements, as is any other investment adviser that is advised by another covered investment adviser (e.g., a subadvisory relationship).
Does the FinCEN AML rule apply to Private Funds?
Yes, an SEC-registered investment advisory firm (including private funds) would need to comply with the final rule, including implementation of a risk-based program reasonably designed to prevent AML/CFT activities.
Will tipping off a client to the filing of a SAR be a crime and if so, how will that square with ongoing communications duties to the client of loyalty, transparency and fiduciary responsibilities?
All SAR filing MUST be treated confidentially. Hence, a client should not be notified of a SAR filing, and doing so can result in penalties.
Can RIAs rely on custodians or affiliated B/Ds for AML, SAR, and CTR compliance, and if so, to what extent, especially for advisers without custody or control over client funds, and are there any specific recordkeeping or reporting requirements that RIAs must still fulfill independently?
If a covered investment adviser has been relying on the custodian’s AML/CFT efforts, that will change. While investment advisers with affiliated broker-dealers will be subject to the final rule, such advisers would not need to establish multiple or separate AML/CFT programs so long as an accepted reliance on the affiliate’s AML/CFT program covers all of the covered adviser’s relevant advisory activities.
On the other hand, a covered investment adviser without a broker-dealer or bank affiliation will have to file its own SARs (and CTRs, as applicable) when the suspicious activity touches the investment adviser’s advisory services.
Given that the final rule is relatively recent, custodians may not yet be setup to help covered investment advisers with the adviser’s new AML/CFT obligations, so it will be important for the adviser to establish its own program (with or without a custodian’s assistance).
How will the implementation of the new AML rule be supervised, what should RIAs have in place to show compliance, and what specific requirements like KYC/EDD will be needed for existing and new clients?
The final AML/CFT Rule is, for better worse, not prescriptive on “how” to meet a covered investment adviser’s AML/CFT obligations, stating instead that such firms must:
- implement a risk-based and reasonably designed AML/CFT program;
- file certain reports, such as Suspicious Activity Reports (SARs), with FinCEN;
- keep certain records, such as those relating to the transmittal of funds (i.e., comply with the Recordkeeping and Travel Rules); and
- fulfill certain other obligations applicable to financial institutions subject to the BSA and FinCEN’s implementing regulations, such as special information sharing procedures.
The key language is that first bullet point: risk-based and reasonably designed. FinCEN has delegated enforcement authority to the SEC, so it is quite possible that the SEC will begin examining those AML/CFT programs once the January 1, 2026, effective date comes.
In terms of preparing for compliance with the final rule, covered investment advisers should:
- Educate personnel via webinars, articles, and other training
- Adopt new AML/CFT policies and procedures
- Appoint a qualified AML/CFT Compliance Officer
- Arrange for independent testing
- Consider various methods of documenting ongoing compliance (e.g., compliance calendar activities, compliance checklists, memoranda to file, etc.) since there is no prescribed, mandatory manner of evidencing compliance (beyond requisite books and records requirements)
Can a CCO (who may also already hold other titles within the firm) take on the role of AML Officer?
There is nothing precluding an investment adviser’s existing Chief Compliance Officer (CCO) from assuming the AML/CFT compliance officer role so long as that individual has adequate knowledge, authority, time, and resources to execute the responsibilities and perform both functions.
Regarding the independent audit requirements, who qualifies as an independent auditor, and can they be an internal individual?
The Release specifically states, “The AML/CFT officer or any party who directly, and in some cases, indirectly reports to the AML/CFT officer, or an equivalent role, generally would not be considered sufficiently ‘‘independent’’ for these purposes. Any individual conducting the testing, whether internal or external, would be required to be independent of the function being tested in the investment adviser’s AML/CFT program, including its oversight. Investment advisers with less complex operations, and lower money laundering, terrorist financing, or other illicit finance activity risk profiles may consider utilizing a shared resource as part of a collaborative arrangement with similarly less complex and lower risk profile advisers to conduct testing, as long as the testing is independent.”
Does the $10,000 transfer limit apply only to cash transactions, or does it include other forms of money movement such as bank transfers, EFTs, and wiring of funds, and do these rules apply to offshore advisors with non-US clients?
A Currency Transaction Report (CTR) is a mandatory report that U.S. financial institutions must file with the Financial Crimes Enforcement Network (FinCEN) for each deposit, withdrawal, exchange of currency, or other payment or transfer that involves a transaction in currency valued at more than $10,000.
The $10,000 threshold applies specifically to transactions involving currency, which includes coin and paper money of any country that is designated as legal tender. It does not apply to non-currency transactions such as checks or electronic transfers like wire and ACH/EFT.
Regarding recordkeeping and travel rule, if an RIA does not accept cash and does not affect transfers distributions on its own, what recordkeeping requirements apply?
Regardless of the activity, all of the recordkeeping requirements applicable to the AML/CFT rule are enforced.
Does COMPLY have/will you be providing solutions to support firms in the implementation of this program?
Yes, COMPLY will be crafting AML/CFT Policies and Procedures, preparing written materials, providing consultative guidance, and offering AML/CFT testing.
As firms begin to prepare for the varied AML/CFT Rule requirements, we suggest taking a step back and assessing what kind of support, systems, and processes you will need to be successful.
The technology: Given the scope of the rule, as well as the countless other tasks and to-dos compliance professionals already have on their plate, teams may look to implement robust technology systems to better support new requirements.
Our advice?
Find the right partner that allows you to manage the requirements of this rule alongside the rest of your compliance program. In short, don’t just rely on a point solution.
By looking holistically at your compliance program and investing in a solution (like COMPLY Program Management) that gives you a 360-dgree view of risk and compliance across your entire program, you’ll be well-equipped to not only take on the FinCEN requirements, but any other new rule that may come to pass.
Features of COMPLY Program Management include:
- Compliance Calendar: Featuring calendar entries tailored to your policies and procedures populate and update automatically with best-practice recommendations as new rules are passed – including the AML/CFT rule.
- Dynamic Policy and Procedure Builder: Allows firms to create an AML manual along with new Policies and Procedures to address this rule. Firms can work alongside compliance consultants, who will provide guidance as they develop their AML manual or leverage best-practices and questionnaires to create their own policies. All with a full audit trail.
COMPLY Services and Consulting
For many firms, this rule represents one of the most significant compliance shifts in the last five years. And with that comes a lot of time on your end digging through the rule to gain a clear perspective on exactly what is being asked of you and when.
But the good news?
You don’t have to do it alone. With the support of third-party consultants (like our experts here at COMPLY) you can rest easy at night knowing you’ve got it all covered.
And when it comes time for the independent audit, we’ll be right here to help.
Interested in learning more about how your peers are currently leveraging COMPLY technology and services to prep for the new FinCEN Rule? Let’s talk.