On 15 January 2025, K2 Integrity hosted a webinar that featured Justina Rousseau, senior managing director at K2 Integrity; Aseel Rabie, counsel at Debevoise & Plimpton LLP; and Sarah Runge, executive managing director at K2 Integrity, discussing the complexities of the Investment Adviser BSA/AML Rule and what steps firms should be undertaking. View a recording of the session here.
Overview
The Investment Adviser (IA) regulation introduces a comprehensive suite of AML requirements, including compliance with the Bank Secrecy Act (BSA) and all underlying AML regulations. These requirements apply to certain SEC-registered investment advisers (RIAs) and exempt reporting advisers (ERAs) serving private and venture capital funds, entities that are duly registered with the SEC as brokers and investment advisers, advisers that are chartered as banks, and advisers that are subsidiaries of banks or affiliated with other financial institutions with AML program requirements. RIAs that do not manage clients’ assets as part of their advisory activities and are not required to report any assets under management (AUM) to the SEC on Form ADV; RIAs that register with the SEC solely because they are (i) mid-sized advisers, (ii) multi-state advisers, or (iii) pension consultants; state-registered advisers; family offices; and some foreign private advisers are excluded due to their limited risk profiles.
Key Requirements
The regulation mandates that RIAs and ERAs must:
- Implement a reasonably designed, risk-based AML/CFT program, to include risk-based internal policies, procedures, and controls reasonably designed to prevent the IA from being used for money laundering (ML) or terrorist financing (TF) or other illicit finance activity. These include:
- File certain reports—specifically, Suspicious Activity Reports (SARs) to FinCEN,[5] Currency Transaction Reports (CTRs) for receipt of more than $10,000 in currency and certain negotiable instruments,[6] and Foreign Bank and Financial Accounts (FBAR) reports.
- Keep records such as those relating to the transmittal of funds (i.e., comply with the Recordkeeping and Travel Rules).
- Apply information-sharing provisions between and among FinCEN, law enforcement, government agencies, and certain financial institutions (i.e., sections 314(a) and 314(b) of the USA PATRIOT Act).
- Fulfill other obligations applicable to financial institutions subject to the BSA and FinCEN’s implementing regulations, including special due diligence requirements for correspondent and private banking accounts and special measures under section 311 of the USA PATRIOT Act and Section 9714(a) of the Combating Russian Money Laundering Act.
Broader Regulatory Considerations
The IA regulation does not exist in isolation; it intersects with concurrent initiatives that add complexity to compliance efforts. However, it does not depend on the other pending rulemakings being finalized; covered IAs should therefore start preparing now for implementation of the FinCEN AML Program Rule for Investment Advisers.
- Customer Identification Program (CIP) Rule: The CIP rule, proposed jointly by the SEC and FinCEN, mandates that IAs identify and verify the identities of their clients. Although not yet finalized, its anticipated alignment with the IA regulation underscores the importance of robust customer due diligence (CDD) measures.
- AML Program Rule: The broader AML Program Rule, which remains in development, could introduce additional requirements for financial institutions, including IAs. Firms should monitor developments closely, as these rules may necessitate further adjustments to compliance programs.
Strategic Preparation for Compliance
To meet the regulation’s requirements, firms should first conduct a comprehensive gap assessment. This process involves reviewing all advisory services and operational workflows to identify areas that may fall short of the regulation’s standards. Special attention should be given to client onboarding and Know Your Customer (KYC) processes (CDD and EDD); the filing of certain reports, such as SARs and CTRs; the keeping of certain records, such as those related to the transmittal of funds (i.e., compliance with the Recordkeeping and Travel Rules); the fulfillment of certain other obligations applicable to financial institutions subject to the BSA and FinCEN’s implementing regulations, such as 314(a) and 314(b) information sharing, special due diligence, and special measures; and oversight mechanisms for third-party relationships.
Governance structures must also be enhanced to support compliance efforts. Boards or similar governing bodies must formally approve AML programs and allocate adequate resources for their implementation. Advisers should ensure that their programs are aligned with the regulation’s requirements, including governance elements such as program oversight and resource allocation.
Investing in technology is another critical step for achieving compliance. Advanced tools for CDD, transaction monitoring, data management, and SAR filing can streamline processes and help advisers meet regulatory expectations. Early resource allocation and budgeting are essential to ensure readiness by the January 2026 deadline.
Enforcement Landscape and Risks
Noncompliance with the IA regulation carries significant risks, including financial penalties, reputational damage, and potential criminal liability. Regulators are expected to adopt a phased approach to enforcement, initially focusing on firms’ efforts to implement foundational measures, with subsequent years bringing heightened scrutiny, particularly in high-risk areas such as sanctions compliance and third-party oversight. While the January 2026 deadline looms, early preparation can mitigate risks and position firms for success.
[1] In determining which internal policies, procedures, and controls to implement, the Final Rule requires IAs to review the types of advisory services they provide and the nature of the customers they advise in order to understand their particular ML/TF and other illicit finance risks.
[2] CDD must include two core elements: understanding the nature and purpose of customer relationships in order to develop a customer risk profile and conducting ongoing monitoring to identify (and report) suspicious transactions and to maintain (and update) customer information.
[3] EDD should be performed on higher-risk entities based on customer-level risk rating.
[4] This can be performed by the IA’s personnel or a qualified outside party, but must be independent from the personnel performing the function being tested.
[5] The final rule requires IAs to file a SAR with FinCEN for any suspicious transaction (or pattern of transactions) conducted or attempted by, at, or through the IA that involves or aggregates at least $5,000 in funds or other assets.
[6] The CTR filing obligation replaces the obligation to file a Form 8300.