On August 28, 2024, the Financial Crimes Enforcement Network (FinCEN) and the Securities & Exchange Commission (SEC) issued a final rule that includes Registered Investment Advisers (RIAs) and Exempt Reporting Advisers (ERAs) as financial institutions. RIAs and ERAs are now required to implement an Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) program consistent with the requirements outlined in the Bank Secrecy Act (BSA) by January 1, 2026.
The BSA requires that financial institutions, the definition of which now includes private equity, venture capital, and other private funds, implement the 5 pillars of an effective AML program. They’ll also be required to file Suspicious Activity Reports (SARs) and confirm source of funds and source of wealth for investment-related transactions as part of the travel rule.
This changes the AML landscape. While fund managers may have had an AML program in place, the decision was typically driven by their banking partners or made out of an abundance of caution. Fewer still have anything resembling the robust requirements outlined by FinCEN and detailed below. While the rule mandates that the requirements below be implemented by 2026, it does allow fund managers to outsource their AML program to a third party for implementation and maintenance instead of developing the capabilities internally.
As we mentioned, ERAs and RIAs will need to implement the 5 pillars of an effective AML program. The pillars are as follows:
Pillar 1: Designation of an Anti-Money Laundering Compliance Officer (AMLCO)
This individual is responsible for implementing and maintaining oversight of the firm’s AML and CFT program as well as coordinating day-to-day AML responsibilities. It can be an internal employee of the firm or outsourced.
Pillar 2: Developing and implementing a system of internal controls
The firm must have policies and procedures in place to comply with regulatory requirements. It must have a risk-based approach to onboarding and monitoring counterparties and investors. They should be risk-rated and periodically reviewed based on their risk rating. For ERAs and RIAs, investors tend to be the more relevant party.
That means firms need to have a standard approach for how they determine the level of risk (i.e. low, moderate, or high), an ongoing monitoring process, and a refresh program. To determine the risk level, firms will need their investors to provide documentation that they haven’t historically had to share. While that’s likely to cause frustration for investors, that’s what the rules require.
That documentation also needs to be refreshed periodically. Low-risk investors may only need to provide updated information every three years, while high-risk investors may need to do so annually.
Pillar 3: Annual anti-financial crime training
Many firms already have annual training requirements in place to go over the employee handbook, compliance manual, or other compliance requirements. The rule mandates that every employee undergo training on how to prevent, detect, and report unusual and suspicious activity. The training should also account for any firm-specific risks instead of being a generic, one-size-fits-all approach.
The training isn’t limited to groups that are most exposed to AML/CFT activities like investor relations, finance, or treasury operations. Even the investment team will need to undergo it.
Pillar 4: Independent assessment of the AML and CFT program
There’s an annual audit requirement to make sure that the program accurately captures the regulatory requirements and that it is successfully implemented and enforced across the firm. The audit can be performed by the team or outsourced.
While the AML program must be fully implemented and in place by January 1, 2026, the firm doesn’t need to undergo any audits until 2026.
Pillar 5: Customer Due Diligence (CDD)
This means collecting appropriate documentation on investors and their beneficial owners with 25% or greater ownership in the investor. If a trust invests in a fund, then the firm will need to identify the individuals and entities that comprise the trust to the 25% threshold. Each of those owners will need to provide the appropriate documentation and identify its owners of 25% or more. This process repeats iteratively until all of the owners and controllers at that threshold have been identified. Each of those investors and beneficial owners must be screened for any link to sanctions, regulatory enforcement, and political exposure at the time of onboarding and continuously throughout the life of the fund.
Importantly, this rule is retroactive too. If fund managers haven’t screened their investors on any active fund associated with their ERA or RIA registration, then the expectation is that they will perform CDD on them now. Expect this to be frustrating for investors and time-consuming to implement.
Passthrough launched a managed service KYC/AML offering two years ago where firms can outsource this to us. It’s consistent with policies and procedures that can be adopted by your firm. The only change from our current offering to what’s mandated by FinCEN is that refreshes must be included.
Besides the pillars, there are two other requirements mandated by this rule.
Suspicious Activity Reporting
The firm must investigate unusual and suspicious activity by investors. If any activity like that is detected, then they’ll have to file an initial SAR or Continuing Activity Report (CAR) for subjects that have SARs already filed on them. SARs and CARs will need to be e-filed directly through the FinCEN portal and may lead to law enforcement inquiries or FinCEN 314(a) information sharing requests that the RIA or ERA will be responsible for responding to in a timely manner.
Monitoring of transmission of funds
Capital calls and distributions must comply with the travel rule. The travel rule requires RIAs and ERAs to confirm the source of funds and source of wealth for transactions and to understand where funds are being received from or distributed to for any transaction, by identifying whether the originator and beneficiary banking details are consistent with the subscription document for investors.
Similar to Pillar 4, this rule doesn’t need to be actioned until 2026.
If this all seems like a lot, it is. We covered it in a recent webinar that you can refer to. Firms have decisions to make: do they develop capabilities internally or do they outsource? If they outsource parts of it, what will their fund administrator, law firm, or compliance consultants take on? And how will they coordinate them? The decision-making, let alone implementation, will take time, and 2026 will be here before we know it. We recommend that firms begin tackling this now.
If you’d like to tackle it with us, Passthrough developed an AML Compliance Officer Package that meets all of the requirements outlined above. Schedule time with our Financial Crimes team.