The New AML Rules

Implications for private fund managers

Originally published in the September 2015 issue

On 25 August 2015, the Financial Crimes Enforcement Network (FinCEN) issued for public comment a proposed rule (the Proposed Rule)[1] requiring investment advisers registered with the SEC (RIAs) to establish anti-money laundering (AML) programmes and report suspicious activity to FinCEN pursuant to the Bank Secrecy Act (BSA).

The long-anticipated Proposed Rule arrives nearly seven years after FinCEN withdrew earlier proposed AML rules, published in 2002 and 2003, directed at investment advisers, unregistered investment companies and commodity trading advisors.[2] In issuing the current Proposed Rule, FinCEN noted that there have since been significant changes in the relevant regulatory framework for investment advisers, in particular the requirement, as part of the Dodd-Frank Act of 2010, that advisers to private investment funds, including hedge funds and private equity funds, register with the SEC. According to FinCEN, there were 11,235 RIAs as of June 2014, managing a reported $61.9 trillion in assets. As long as these investment advisers are not subject to AML programme and suspicious activity reporting requirements, FinCEN stated, “money launderers may see them as a low-risk way to enter the US financial system.”

In the wake of FinCEN’s previously proposed AML rules in the early 2000s, many investment advisers have developed AML programmes and screening measures as part of an AML best practice to “Know-Your-Investor.” But there is a substantial difference between such voluntary programmes and being legally required to maintain an effective AML programme — which will mean oversight by the SEC and could trigger penalties and enforcement actions if that programme is ineffective. In addition, the Proposed Rule includes requirements that may be unfamiliar to many RIAs, most notably the obligation to report suspicious activity. This Alert explains the Proposed Rule in more detail and considers some of its most significant implications, focusing on 15 of the most important practical questions it raises for investment advisers.

When will the proposed rule take effect?
The Proposed Rule first must undergo a public comment period. The Proposed Rule was published in the Federal Register on 1 September 2015, and comments are due 60 days thereafter, or by 2 November 2015.3 After the close of the public comment period, the Proposed Rule will be subject to additional review and revision before it is finalized by FinCEN.

Under the Proposed Rule, RIAs will need to put an AML programme in place conforming to FinCEN’s requirements within six months after the effective date of the final rule, if and when it is adopted. A firm’s obligation to file suspicious activity reports will not take effect until after its AML programme has been implemented. Accordingly, the earliest that RIAs might have to comply with the new rule is sometime in mid-2016. Given the need to ensure compliance upon the effective date, however, RIAs are well advised to begin analyzing now what changes will be necessary upon the Proposed Rule becoming final.

Who will the proposed rule apply to?
The Proposed Rule will apply to “[a]ny person who is registered or required to register with the SEC” under Section 203 of the Investment Advisers Act of 1940, as amended (the “Advisers Act”). It thus will not apply to investment advisers that fall within an exemption from SEC registration, such as firms that rely on the exemption for venture capital fund advisers under Advisers Act Section 203(l), the exemption for private fund advisers managing less than $150 million from a place of business in the U.S. under Section 203(m), the exemption for foreign private advisers under Section 203(b)(3), family offices relying on Rule 202(a)(11)(G)-1, or commodity trading advisers whose business is not predominantly securities-related advice.[4] However, FinCEN cautions that “future rulemakings” may include other types of investment advisers found to present AML risks.

Some investment advisers are registered with the SEC even though they are not legally required to do so, for example, RIAs with U.S. investors, but no offices in the United States. Such RIAs will have to comply with the Proposed Rule, which applies to all SEC-registered firms.

The Proposed Rule recognizes that some RIAs are dually registered with the SEC as a broker-dealer or affiliated with a financial institution that is already required to establish an AML programme. Such RIAs do not need to establish a separate AML programme, so long as the RIA is subject to an existing AML programme that covers all of the entity’s activities subject to the BSA and is designed to addressthe different money laundering risks posed by the different businesses, including the investment advisory business.

How does the proposed rule differ from FinCEN’s earlier proposals?
The biggest change, and the one likely to attract the most attention, is the Proposed Rule’s requirement that RIAs file suspicious activity reports (“SARs”) (discussed further below). Under the BSA, banks and many types of non-bank financial institutions (e.g., broker-dealers, mutual funds, money service businesses and insurance companies) have long been required to file SARs. But, although some investment advisers have voluntarily filed SARs, and others are subject to mandatory suspicious activity reporting in foreign jurisdictions such as the Cayman Islands and Ireland, many will not have previously encountered this requirement.

Other differences result from FinCEN’s decision to include RIAs within the general definition of “financial institution” under the BSA’s implementing regulations. This will (as discussed further below) require RIAs to comply with the BSA’s Recordkeeping and Travel Rule and to file Currency Transaction Reports (CTRs), and will also subject RIAs to information sharing requests under Section 314 of the USA PATRIOT Act (and allow RIAs to make such requests).

The required elements for an AML programme in the Proposed Rule are not materially different from FinCEN’s prior proposals. Notably, although FinCEN last year proposed a rule imposing Customer Due Diligence (CDD) requirements on banks, broker-dealers and certain other financial institutions,[5] the Proposed Rule does not require RIAs to conduct any specific type of CDD or to develop a customer identification programme (CIP). Nevertheless, Know-Your-Investor procedures will remain an important aspect of any investment adviser’s AML programme, and the Proposed Rule states that FinCEN anticipates addressing this issue in the future through joint rulemaking with the SEC. Moreover, many RIAs whose programmes are implemented by administrators may already have developed a CDD or CIP programme.

What are the required elements of an AML programme?
The Proposed Rule outlines four minimum standards that an effective AML programme must meet. Generally known as the “four pillars” of an effective AML programme, these requirements are as follows:

  1. The AML programme must be embodied in written policies, procedures and internal controls. The AML programme must be “reasonably designed to prevent the investment adviser from being used for money laundering or the financing of terrorist activities and to achieve and monitor compliance with” the BSA. What that will mean to regulators in the context of an investment adviser (as opposed to a bank or other financial institution) is yet to be seen, but it will likely turn on how the investment adviser addresses the specific risks presented by its business. In other words, regulators want to see a “risk-based” approach in the design of the programme.
  2. The AML programme must provide for independent testing. Such testing, designed to ensure that the programme is functioning as intended, may be conducted by a qualified outside party, but alternatively may be conducted by employees of the RIA, provided those employees are not involved in the operation or oversight of the programme. The Proposed Rule requires testing on a “periodic basis,” explaining that the frequency of testing will depend upon the RIA’s assessment of the risks posed.
  3. The AML programme must designate a compliance officer. The RIA must designate an individual or committee responsible for implementing and monitoring the operations and internal controls of the programme, who is “knowledgeable and competent” regarding the regulatory requirements and the RIA’s money laundering risks. Depending on the RIA’s size and type of services, the compliance officer need not be dedicated full time to BSA compliance, but “should be an officer of the investment adviser.”
  4. The AML programme must provide ongoing training. Here again, the Proposed Rule does not dictate a one-size-fits-all approach. Rather, the nature, scope and frequency of training would be determined by the employees’ responsibilities and the extent to which their functions bring them into contact with the BSA’s requirements and possible money laundering.

The AML programme must be approved in writing, by the RIA’s board of directors or other governing body (e.g., general partner). Some RIAs may also seek approval of the AML programme by the board of the offshore fund even though the Proposed Rule does not require it.

May AML compliance be delegated to an administrator?
The Proposed Rule will allow RIAs to delegate contractually the implementation and operation of aspects of its AML programme. But importantly, the RIA, not the third party administrator, remains responsible for the effectiveness of the programme as well as responding to requests from regulators like FinCEN and the SEC.

This means that to the extent that an RIA delegates AML functions to an agent or service provider, such as a third party administrator, it still bears the burden of ensuring that the third party administrator is effectively carrying out the AML programme. The Proposed Rule specifically addresses the independent testing and training requirements in the context of service providers, noting that: (1) service providers may conduct independent testing so long as the employees who conduct the testing are not involved in the operation of the programme and are knowledgeable of the BSA’s requirements; and (2) employees of an agent or third party service provider must be trained in BSA requirements relevant to their functions and in recognizing possible signs of money laundering that could arise in the course of their duties.
The Proposed Rule does not, however, appear to allow RIAs to delegate the role of the AML compliance officer to a third party administrator; as noted above, it states that the person designated “should be an officer of the investment adviser.”

The Proposed Rule also allows RIAs to delegate their SAR reporting responsibilities to a third party service provider. Here again, the RIA remains responsible for its compliance with the SAR reporting requirement, including the requirement to maintain SAR confidentiality. It is not clear if an RIA may delegate SAR reporting responsibilities to a service provider that is not a financial institution under the BSA.

Under what circumstances will a SAR have to be filed?
The purpose of a SAR is to report suspicious transactions that could suggest criminal activity, particularly money laundering and terrorist financing, but also other criminal activity such as fraud, to regulators and to law enforcement. Under the Proposed Rule, an RIA will be required to file a SAR for transactions involving at least $5,000 conducted or attempted by, at or through the RIA where the RIA knows, suspects or has reason to suspect that the transaction:

  • Involves funds derived from illegal activity or is intended or conducted in order to hide or disguise funds or assets derived from illegal activity;
  • Is designed to evade the BSA or it implementing regulations;
  • Has no business or apparent lawful purpose or is not the sort of transaction the particular customer would normally be expected to engage in, and the RIA knows of no reasonable explanation for the transaction after examining the available facts; or
  • Involves use of the RIA to facilitate criminal activity.

In issuing the Proposed Rule, FinCEN offers several examples of money laundering “red flags” that might qualify as SAR-worthy events for an investment adviser. These include:

  • A client who exhibits unusual concern regarding the adviser’s compliance with government reporting requirements or is reluctant to provide information on its business activities.
  • A client who appears to be acting as the agent for another entity declines, evades or is reluctant to provide responses to questions about that entity.
  • A client’s account has a pattern of inexplicable or unusual withdrawals inconsistent with the client’s investment objectives.
  •  A client’s request that a transaction be processed in a manner to avoid the adviser’s normal documentation requirements.
  • A client exhibits a total lack of concern regarding performance returns or risk.

In the context of an investment adviser, the obligation to file a SAR could arise in a myriad of ways. For example, an RIA could be required to file a SAR on a prospective investor whom it ultimately rejects due to AML or OFAC concerns, or an existing investor who cleared all AML checks but about whom negative information is learned post-investment (e.g., an arrest or criminal investigation).

In addition to filing a SAR, the Proposed Rule requires RIAs to immediately notify an appropriate law enforcement authority by telephone in situations “involving violations that require immediate attention,” such as suspected terrorist financing or “ongoing” money laundering schemes.

When and how must a SAR be filed?
Under the Proposed Rule, an RIA generally must file a SAR “no later than 30 calendar days after the date of the initial detection by the reporting investment adviser that may constitute a basis for filing a SAR.” This language mirrors the SAR filing requirement for other financial institutions. Previously issued guidance by FinCEN states that a financial institution is required to file a SAR within 30 days after it “reaches the conclusion” that the activity under review meets one or more of the definitions of suspicious activity, and that this period does not begin “until an appropriate review is conducted and a determination is made that the transaction under review is ‘suspicious’ within the meaning of the SAR regulations.”[6]

RIAs will need to electronically file SARs, using FinCEN’s BSA E-Filing system (available at Supporting documentation must be made available to FinCEN, the SEC and any law enforcement agency, and must be maintained by the RIA for a period of five years from the date of filing the SAR.

Must SARs be kept confidential?
RIAs must maintain the confidentiality of a SAR. Disclosing a SAR, or even information that would reveal the existence of a SAR, can constitute a crime under federal law. The rule bars disclosure to parties implicated in the suspicious activity, but also extends to other parties (both inside and outside the firm) who may have an interest in addressing the suspicious activity, such as other financial institutions, investors or victims of a suspected crime, and even applies to demands for documents made in the course of civil litigation.

Under the Proposed Rule, RIAs will not be permitted to disclose SARs within their corporate organizational structure. This would appear to mean, for example, that an RIA could not share this information with the board of directors of the fund, which is a separate entity. FinCEN has, however, specifically invited comment on this aspect of the Proposed Rule. Other financial institutions are permitted to share SAR information within their organizational structure.

The Proposed Rule acknowledges that in some cases, an RIA andanother BSA-covered institution, such as a bank, may file a SAR on the same suspicious transaction, and in such cases will only require that one institution file a SAR. In these cases, the facts, transactions and documents underlying a SAR may be shared for the preparation of a joint SAR. But this too requires careful coordination and planning given the requirements of SAR confidentiality.

The Proposed Rule also provides RIAs and its directors, officers, employees and agents with the same “safe harbor” that protects other financial institutions from civil liability for filing SARs and supporting documentation with the appropriate authority under the BSA. The BSA protects these parties from liability under federal and state law, as well as under contracts or other legally enforceable agreements (including arbitration agreements), for such disclosure to the authorities, or failure to provide notice of such disclosure, to the subject of a SAR or persons otherwise identified by the disclosure. The safe harbor applies to SARs filed within the required reporting thresholds as well as to SARs filed voluntarily on any activity for which the rule does not explicitly require reporting, such as transactions below the $5,000 threshold.

Will RIAs be expected to monitor potentially suspicious activity?
The Proposed Rule requires RIAs to “evaluate client activity and relationships for money laundering risks and design a suspicious transaction monitoring programme that is appropriate for the particular investment adviser in light of such risks.”

Transaction monitoring is a critical tool for other financial institutions that are required to file SARs, such as banks, broker-dealers and money service businesses, which process thousands or millions of individual transactions on a daily basis. The utility of transaction monitoring for an investment adviser, which typically engages in very few transactions with its clients, is less clear. It may be feasible for the AML officer (or his or her designee) to review all such transactions for potential suspicious activity. The Proposed Rule discusses certain scenarios that an RIA should be on the lookout for, including an investor subscribing through “multiple wire transfers from different accounts maintained at different financial institutions.”

What does section 314 of the Patriot Act provide?
The Proposed Rule will expand voluntary information sharing under Section 314(b) of the USA PATRIOT Act to include RIAs. Section 314(b) allows (and in fact encourages) financial institutions and some related entities in the United States to share information for the purpose of identifying and reporting money laundering or terrorist activity, with specific protection from civil liability. Although there are requirements that an RIA must follow to take advantage of Section 314(b)’s safe harbor, it provides a potentially valuable tool for investment advisers to gather information on investors and other relevant parties where needed. RIAs could reach out to banks and other financial institutions with requests, and go beyond public source information as part of their Know-Your-Investor due diligence where needed.

But as the Proposed Rule makes clear, Section 314 is a two-way street. RIAs can also be on the receiving end of Section 314(b) requests made by other financial institutions seeking information about the RIA’s clients. Because information sharing under Section 314(b) is voluntary, the RIA will not be required to comply with such requests, but an RIA’s willingness to provide information to a particular financial institution may also affect its ability to obtain information from that institution.

In addition, under the Proposed Rule, RIAs will be subject to government requests for information under Section 314(a). Section 314(a) authorizes law enforcement agencies to request, through FinCEN, that financial institutions search their records to determine whether they have maintained an account or conducted a transaction with a person that law enforcement has certified is suspected of engaging in terrorist activity or money laundering. Compliance with a Section 314(a) request is not voluntary; financial institutions must provide identifying information for the accountholder or transaction in question. Furthermore, financial institutions must maintain adequate procedures to protect the security and confidentiality of Section 314(a) requests.

What are the recordkeeping and travel rules?
The Proposed Rule will also subject RIAs to the BSA’s Recordkeeping and Travel Rules, which impose several requirements on financial institutions with regard to funds transfers and certain other transactions.

First, financial institutions must obtain and retain records for transmittals of funds in excess of $3,000. The information to be obtained and retained includes the name and address of the transmittor, the payment instructions received from the transmittor, and information provided about the recipient.[8] The record retention period is five years, which is consistent with most RIAs’ existing record retention practices. Records must be filed or stored in such a way as to be accessible within a reasonable period of time, and retrievable by the transmittor’s financial institution by reference to the name of the transmittor.

Second, financial institutions must ensure that certain information pertaining to the transmittal of funds in excess of $3,000 “travel” with the transmittal to the next financial institution in the payment chain.[9] This applies when the financial institution is transmitting funds or receiving funds as an intermediary financial institution to be transmitted to another institution. The information that must be made part of the chain includes the name, address and account number of the transmittor and information provided about the recipient.

The Proposed Rule notes that investment advisers would fall within an existing exception to the Recordkeeping and Travel Rules that is designed to exclude transmittals of funds in which certain categories of financial institutions are the transmittor, originator, recipient or beneficiary, including banks, brokers or dealers in securities, futures commission merchants, introducing brokers in commodities and mutual funds.[10] However, this exception applies only where the financial institution is the interested party in the transaction, not when it is acting as a financial institution sending or receiving funds on behalf of another party.

Third, financial institutions are required under the Recordkeeping and Travel Rules to retain records for extensions of credit and cross-border transfers of funds, currency, monetary instruments, checks, investment securities, and credit, where the transactions exceed $10,000.[11]

What is the obligation to file CTRs?
The Proposed Rule will require RIAs to file CTRs for transactions involving more than $10,000 in currency. This change is unlikely to have a substantial impact on RIAs, most of which do not deal in cash (and may have policies prohibiting cash transactions). Moreover, RIAs are already required to report such transactions on a different form, known as a Form 8300. In fact, in the Proposed Rule FinCEN acknowledges that “investment advisers rarely receive from or disburse to clients significant amounts of currency,” and are therefore “less likely to be used during the initial ‘placement’ stage of the money laundering process than other financial institutions.”

Will RIAs needto update their disclosure documents?
RIAs will want to review their private placement memorandum and subscription documents to assess whether updating amendments will be required as a result of the new rules. Many of these offering documents refer to AML requirements (including SAR reporting requirements) in offshore jurisdictions (e.g., Cayman Islands) and some offering documents will refer to the investment adviser’s authority to freeze accounts or refuse to pay redemption proceeds in certain circumstances. However, many of these documents may need to be updated to refer to the investment adviser’s SAR reporting and other obligations under US law as well.

RIAs may also want to consider explaining their obligations under Sections 314(a) and 314(b) of the USA PATRIOT Act in their offering materials because it impacts when they can or must share information about their clients under US law.

What government agency would be responsible for enforcing the rule?
Although the Proposed Rule does not clarify what agency would be responsible for bringing civil enforcement actions against RIAs for failure to comply with the AML programme requirements, FinCEN (which is a bureau of the U.S. Department of Treasury) has previously enforced its AML requirements against other financial institutions by imposing a civil money penalty, and in those rare cases where the institution objects to the penalty, has enlisted a United States Attorney’s Office to bring a civil federal case seeking to reduce that civil money penalty to a judgment against the financial institution.

FinCEN has proposed to delegate to the SEC its authority to examine RIAs for compliance with the new BSA requirements. Accordingly, if the Proposed Rule becomes final, AML compliance is sure to become a topic addressed in examinations conducted by the SEC’s Office of Compliance Inspections and Examinations, which could potentially lead to SEC deficiency letters and possible enforcement actions.

What are the potential penalties for violating the rule?
Because the Proposed Rule would require RIAs to maintain an effective AML programme, it will also mean that RIAs are subject to the same civil and criminal penalties that banks and other financial institutions face when the government believes they have fallen short of their AML obligations.

On the civil side, the government can enforce the BSA by bringing actions for civil money penalties.[12] These penalties vary based on what provision of the BSA was violated, and whether that violation was “willful.” In a civil enforcement action under the BSA, the government can establish that a financial institution “willfully” violated the BSA simply by acting with either reckless disregard or willful blindness to its requirements.[13] Willful violations are subject to a penalty of not more than the greater of the amount (not to exceed $100,000) involved in the transaction (if any), or $25,000. A separate violation occurs for each day the violation (including the obligation to file SARs and to maintain an effective AML programme) continues and at each office, branch, or place of business at which a violation occurs or continues. The government can obtain lesser penalties,[14] depending on the violation, for non-willful violations.[15]

On the criminal side, the government can prosecute a financial institution for violating the BSA where the entity willfully evades the BSA’s requirements, including failing to maintain an effective AML programme or failing to file a SAR as required.[16] The statutory maximum criminal penalties for a BSA violation are a fine of up to $250,000 and up to five years in prison, or where the conduct includes the violation of another law or a pattern of criminal activity, a fine of up to $500,000 and up to 10 years in prison.

As a practical matter, in many cases financial institutions have settled both civil and criminal cases with the government, paying very large monetary penalties in an effort to avoid further liability or obtain a resolution that does not involve a criminal conviction.[18]

In some instances, individual employees of financial institutions, including AML compliance officers, have been charged with civil and criminal violations of the BSA, arising from the firm’s failure to maintain an effective AML programme.[19] These enforcement actions are part of a larger trend to hold individuals responsible for corporate conduct, leaving AML compliance officers especially vulnerable, given their role and function at financial firms. Because the Proposed Rule would require that the designated AML compliance officer also be an officer of the RIA, investment advisers should be alert to these liability risks, even where third party administrators are responsible for carrying out day-to-day AML compliance measures.

Although there is no clear tipping point at which isolated AML compliance deficiencies render an AML programme “ineffective” under the BSA, the government has frequently pointed to the failure to file SARs, or a more general failure to monitor and detect transactions relating to money laundering or other criminal activity, as evidence that an AML programme is ineffective under the BSA. Given the Proposed Rule’s mandatory AML programme requirement, as well as the new requirement to file SARs, RIAs should be keenly aware of their duties in this area and ensure that their AML practices are fully up to date to comply with the law.


1. Links to the Proposed Rule and FinCEN’s accompanying press release may be found in our Aug. 25, 2015 Alert, “New Anti-Money Laundering Rules for Registered Investment Advisers Proposed by FinCEN.”
2. See our Oct. 31, 2008 Alert, “FinCEN Withdraws Proposed Anti-Money Laundering Rules for Unregistered Investment Companies, Commodity Trading Advisors and Investment Advisers.”
3. See NPRM, Anti-Money Laundering Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers, 80 Fed. Reg. 52680 (Sept. 1, 2015).
4. To the extent a commodity trading advisor does provide predominantly securities-related advice, it may be required to register with the SEC and thus falls within the scope of the Proposed Rule.
5. See our Aug. 8, 2014 Alert, “FinCEN’s Much-Anticipated Proposed Rule on Customer Due Diligence Is Finally Here.”
6. See FinCEN, The SAR Activity Review – Trends, Tips & Issues, Issue 10, May 2006, available at:
7. 31 U.S.C. § 5318(g)(3).
8. 31 C.F.R. § 1010.410(e).
9. 31 C.F.R. § 1010.410(f).
10. 31 C.F.R. § 1010.410(e)(6).
11. 31 C.F.R. §§ 1010.410(a)-(d).
12. 31 U.S.C. § 5321; 12 U.S.C. §§ 1818(i) and 1786(k).
13. The government need not show that the entity (or individual) had knowledge that the conduct violated the BSA, or otherwise acted with an improper motive or bad purpose.
14. 31 U.S.C. § 5321(a)(1).
15. 31 U.S.C. § 5321(a)(6).
16. 31 U.S.C. § 5318.
17. 31 U.S.C. § 5322(a).
18. See, e.g., United States v. JPMorgan Chase Bank, N.A., No. 14 Cr. 007 (S.D.N.Y. Jan. 4, 2014) (deferred prosecution agreement included a $1.7-billion forfeiture); United States v. HSBC Bank, N.A., 12 Cr. 763 (JG) (E.D.N.Y. Dec. 11, 2012) (deferred prosecution agreement included forfeiture of $1.256 billion, and civil regulatory penalties exceeding $665 million); United States v. Moneygram Int’l, Inc., 12 Cr. 291 (M.D. Pa. Nov. 9, 2012) (deferred prosecution agreement included a $100-million forfeiture, and FinCEN continues to seek a $1 million civil monetary penalty against Moneygram compliance officer, Thomas Haider).
19. See our Feb. 20, 2015 Alert, “Federal and State Regulators Target Compliance Officers.”