What Investment Advisers Must Know About FinCEN’s AML/CFT Requirements

Is your firm ready to comply with new anti-money laundering (AML) and countering the financing of terrorism (CFT) requirements?

In September 2024, the Financial Crimes Enforcement Network (FinCEN) issued its Final Rule designed to enhance covered advisers’ AML compliance obligations and align them with financial institutions (FIs) under section 5318(h) of the Bank Secrecy Act (BSA). While banks, credit unions, and other FIs have continually spent years honing their programs to meet AML and CFT requirements, the rule presents new challenges for covered advisers.

What exactly does the rule require? Which advisers are impacted by the rule? How can RIAs and wealth management firms improve their programs and processes to comply? Let’s dive in.

Related: Wealth Management Enforcement Action Roundup: January & February 2025

Table of Contents

• Why the AML/CFT rule matters
• Rule overview
• RIAs impacted by the rule
• The rule’s impact on third-party management
• Best practices for compliance

How we got here: Why the AML Rule matters

The passing of the new rule marked the start of a fundamental shift in the investment advisory industry for a few key reasons:

• New regulatory requirements: Over the past two decades, rules related to advisers’ AML programs, suspicious activity reporting, and customer identification program (CIP) requirements have been proposed but never passed. Since many advisers’ and firms’ voluntary programs and processes don’t meet the new requirements, they must implement new standards and designate new roles and processes to comply.
• Significant supervisory penalties: If advisers don’t comply, they’ll risk the consequences of compliance and financial risks. FinCEN can impose penalties for violations of BSA and its regulations, introducing new financial risks for advisers.  
• Evolving regulatory focus: While the compliance date has been set, a new administration brings new areas of regulatory focus, underscoring the importance of staying updated on the latest regulatory news and updates.
• Additional requirements pending: CIP requirements and revisions to the customer due diligence (CDD) rule, which requires beneficial ownership information for legal entities, may impose further changes on advisers.

Related: BSA/AML Compliance by the Numbers

AML/CFT rule overview

The rule aims to combat money laundering, terrorist financing, and other financial crimes in the investment advisory industry by focusing on a few key areas.

Written AML compliance program

The rule outlines the following minimum standards for implementing and overseeing a suitable anti-money laundering and combatting the financing of terrorism (AML/CFT) program:

1. Clearly defined policies, procedures, and controls to detect and report suspected money laundering or other suspicious activity
2. Periodic independent testing to verify whether the program is functioning effectively
3. Designation of an AML/CFT officer to oversee the program
4. Training for employees and vendors so they can perform program requirements and recognize possible signs of money laundering and other illicit financial activities
5. Ongoing customer due diligence through appropriate risk-based features to analyze and mitigate risks.

FinCEN acknowledges that the AML/CFT program requirement is “not a one-size-fits-all requirement but is risk-based and must be reasonably designed.” For example, larger firms may have the resources to assign team members or departments specific roles, such as employee training or SAR filing. At the same time, a smaller institution may integrate AML/CFT compliance with other compliance and monitoring functions.

RIAs must also receive approval from the board or others with “functions similar to a board of directors.” Every covered adviser will also be required to make its AML/CFT program available for inspection by FinCEN and the SEC.

SAR and CTR Filing

In addition to program requirements, RIAs must file Suspicious Activity Reports (SARs) when they detect potentially suspicious activities, especially when transactions involve $5,000 or more. This is part of an effort to monitor, identify, and prevent money laundering and other illegal activities. Under the rule, advisers must report any transactions within 30 days of initial detection.

RIAs and exempt reporting advisers (ERAs) are also required to file currency transaction reports (CTRs) and create and retain records for the transmittal of funds. While SARs are filed when potential illicit activity is detected, CTRs are filed to report large transactions over $10,000, regardless of whether the activity is suspicious.

Other requirements

Advisers covered under the USA PATRIOT Act must adhere to information-sharing obligations specified in Sections 311 and 314(a). This legislation mandates that advisers apply enhanced due diligence for specific accounts, particularly correspondent and private banking accounts. Additionally, they must comply with any requests from FinCEN to search for and report any specified information or accounts suspected of money laundering or terrorist activity.

Compliance Date 

RIAs must implement AML/CFT programs, file relevant SARs, and comply with other reporting and recordkeeping requirements by January 1, 2026.

Regarding Customer Identification Program (CIP) requirements, FinCEN plans to address how these apply to advisory customers in a future CIP final rule.

Related: Stay current on the latest regulations relevant to your firm with daily Ncomply updates.

Which advisers are impacted by the rule?

Advisers covered under the rule include:

• SEC-registered investment advisers (RIAs)
• Exempt reporting advisers (ERAs)
• Foreign-based RIAs and ERAs, but only to the extent of their U.S. advisory activities or advisory activities involving U.S. clients or investors

Mid-sized advisers, multi-state advisers, pension consultants, RIAs that don’t report assets under management on Form ADV, state-registered advisers, foreign private advisers, and family offices are excluded from the rule.

The rule’s impact on third-party management programs

A significant takeaway from the AML/CFT rule — and perhaps the largest lift for many RIAs — is designating an AML officer to oversee the program. As mentioned in the rule, this role cannot be outsourced. However, RIAs can use third parties to meet some obligations, including investor diligence, filing SARS, responding to 314(a) requests, and maintaining records.

It’s important to note that advisers, like FIs, remain “fully responsible and legally liable for” compliance and must provide risk-based oversight of their vendors’ activities. Performing a name check or subscribing to software that pulls information from national lists is insufficient; RIAs must ensure they conduct due diligence and ongoing monitoring to remain compliant.

Related: What Is Compliance Risk?

What’s next? How RIAs can comply with AML requirements

As you revisit your firm’s AML/CFT program and procedures, refer to these best practices to ensure you and your firm are compliance-ready by 2026:

• Conduct a gap analysis. An analysis will identify areas of improvement in your AML/CFT program. For example, gaps in knowledge or awareness among team members can inform your employee training programs to ensure staff can identify and address potential signs of illicit activity.
• Update risk assessments. BSA/AML risk assessments take the cited gaps further by identifying, evaluating, and prioritizing the risks they present and how they could impact your firm’s compliance, performance, or efficiency.
• Evaluate vendor relationships. The rule highlights that advisers are responsible for their vendors’ activities. With AML/CFT program compliance on the line, evaluate your current vendor relationships and adjust service level agreements (SLA) and contracts as needed to ensure performance requirements are met and any operational or compliance-related issues are addressed.
• Review your training program. Do your BSA and CFT training sessions need a tune-up? Evaluate your compliance training program and ensure the materials are updated. Include practical examples, hands-on discussions, and activities for engagement and understanding.
• Stay updated on regulatory news. In an ever-evolving regulatory environment, staying updated on regulators’ latest rulings, enforcement actions, and guidance is essential. Streamline your compliance process with an automated compliance management system (CMS) that sends relevant notifications based on your firm’s services, size, and geography.

FinCEN’s AML/CFT requirements represent a significant change for investment advisers, but by proactively adapting to these regulations, advisers can mitigate risks, maintain trust with clients and regulators, and stay prepared for future changes in the regulatory landscape.

AML/CFT program requirements are just one risk facing advisers and wealth management firms.

Explore more emerging risks in the securities industry in our guide.