On September 4, 2024, the U.S Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) published a final rule that expands the definition of “financial institution” to include Registered Investment Advisers (RIAs) and Exempt Reporting Advisers (ERAs) and subjects these advisers to certain affirmative anti-money laundering (AML) requirements.¹ FinCEN implemented this rule to address perceived risks regarding illicit finance and national security. Covered RIAs and ERAs must comply with the final rule, which requires implementing an AML program that includes certain specified elements, by January 1, 2026. While the final rule generally tracks the existing AML/CFT regime for other financial institutions, RIAs and ERAs had long been outside the ambit of AML/CFT regulations.

The new rules are a significant departure from current practices by most RIAs and ERAs. For ERAs in particular, the pending requirements will likely mean significant changes to current policies and practices, because ERAs are largely exempt from regulation under the main statute that regulates investment advisers generally, the Investment Advisers Act of 1940, and so they generally also have lighter compliance programs.²

AML Program

Under the final rule, RIAs and ERAs will be required to comply with certain AML obligations under the Bank Secrecy Act (BSA).³ In particular, RIAs and ERAs must develop and implement an AML program using a risk-based approach that is commensurate with an investment adviser's risk profile. Specifically, RIAs and ERAs must:

• Implement internal policies, procedures, and controls reasonably designed to prevent the investment adviser from being used for money laundering or other illicit finance activities.
• Identify exposure to money laundering risks, understand the applicable BSA requirements, and identify the risk factors relating to these requirements to inform the design of internal policies, procedures, and controls.
• Implement ongoing monitoring measures for customers, including updating customer information.
• Identify and report suspicious transactions to FinCEN.
• Appoint a compliance officer.
• Conduct independent testing to periodically assess the effectiveness of the AML compliance program.
• Provide training to employees regarding the AML program.

An RIA or ERA that is affiliated with, or a subsidiary of, another financial institution that is required to establish an AML program is not required to implement multiple or separate programs. However, such an RIA or ERA may elect to adopt a single AML program that covers all affiliated entities that are subject to the BSA requirements, provided that such a program is designed to identify and mitigate the different money laundering and other illicit finance risks posed by the different aspects of each affiliate's (or subsidiary's) business(es).

SARs Filing and Other Obligations⁴

Under the final rule, investment advisers are required to file suspicious activity reports (SARs) for “transactions conducted or attempted by, at, or through an investment adviser” where the adviser “knows, suspects, or has to reason to suspect” certain types of illicit activity.⁵

• A determination to file a SAR should be based on all the facts and circumstances relating to the transaction and the customer in question, based on all of the evidence available to the adviser.
• RIAs and ERAs are not required to “look back” to file SARs for transactions that occurred before January 1, 2026.
• The investment adviser may be required to file a SAR if it has information causing it to know, suspect, or have reason to suspect suspicious transactions by, at, or through the investment adviser that involve funds it does not advise or portfolio companies.

Generally, SARs must be filed within 30 days of initial detection. Each investment adviser or financial institution involved in the same transaction that gives rise to a SAR filing must file a SAR, but joint filings are permitted. Investment advisers must collect and maintain supporting documentation relating to each SAR, which must be made available to FinCEN, law enforcement authorities, and other examining federal agencies. SARs and related information may be shared among entities within the adviser’s corporate structure and self-regulatory organizations (SROs). Filing a SAR grants safe harbor against civil liability for filing parties. There is no regulatory expectation or obligation to file a certain minimum number of SARs per year.

Why Now?

FinCEN maintains that the beneficial effects of this rule will include enhancing law enforcement's access to crucial information for complex financial crime investigations, improving transparency and integrity in the U.S. financial system, and aligning with international financial standards to foster international regulatory cooperation and information sharing among allies.⁶ Relatedly, FinCEN has asserted that there is a national security risk associated with foreign states, such as China or Russia, using private investment funds, including venture capital funds, to gain access to sensitive technology and services by investing in early-stage companies. Imposing SAR filing obligations on RIAs and ERAs could, in FinCEN’s view, facilitate identification of these attempts by foreign adversaries to invest in early-stage companies with sensitive technologies.⁷ However, FinCEN clarified that it is not requesting that venture capital advisers file SARs to supplement notices or declarations submitted to CFIUS.⁸

Compliance Date and Exceptions

RIAs and ERAs are required to comply with the obligations set forth in the final rule by January 1, 2026.⁹ FinCEN has delegated examination authority to the SEC.

Certain RIAs or ERAs have curtailed obligations under the final rule. For RIAs or ERAs that have a principal office and place of business outside of the United States, the final rule only applies to certain advisory activities with a U.S. nexus, which includes advisory activities that take place within the United States or services provided to a U.S. person or a foreign-located private fund that has an investor who is a U.S. person. Additionally, RIAs that report $0 in assets under management (AUM) or register solely as mid-sized advisers, pension consultants, or multi-state advisers are exempt. Additional exceptions also may apply.¹⁰

The final rule could have a material impact on compliance costs and the screening procedures that investment advisers use when onboarding potential customers. The change might be particularly burdensome for smaller investment advisers and could represent a significant barrier for new investment advisers seeking to launch.

Violations of the BSA, depending on severity and repeat offenses, may result in civil and criminal liability, including imprisonment. In addition, violations may result in the imposition of operational restrictions by the SEC, and reputational harm as a result of public enforcement actions.

For more information on this rule or any related matter, please contact any member of Wilson Sonsini’s national security practice or fintech and financial services practice.

---

[1] RIAs are investment advisers who register or are required to register with the SEC (with certain exemptions);

ERAs are investment advisers who are exempt from registration but still must report certain information to the SEC. Both RIAs and ERAs are required to submit the Uniform Application for Investment Adviser Registration (Form ADV) and update it on an annual basis with the SEC. 89 FR 72215.

[2] In fact, a recent attempt by the Securities and Exchange Commission (SEC) to subject ERAs to additional substantive regulation was vacated by the U.S. Court of Appeals for the Fifth Circuit in June, on the basis that Congress has not authorized the SEC to impose such regulation. It is unclear whether FinCEN’s new rules would be vulnerable to a similar challenge, given that the policy considerations and underlying statute involved are different.

[3] 31 U.S.C. § 5311 et seq.

[4] RIAs and ERAs, when applicable to their activities, are also under an obligation to obtain and retain originator and beneficiary information and pass on this information to the next financial institution for certain transactions under the Recordkeeping and Travel rules, which apply to transmittals of funds that equal or exceed $3,000.

[5] 89 FR 72200. There is also an obligation to file a currency transaction report (CTR) for transactions involving $10,000 or more in currency (generally coin and paper money) regardless of whether the transaction is suspicious and also triggers a SAR filing.

[6] 89 FR 72224.

[7] 89 FR 72225.

[8] Despite FinCEN’s acknowledgement of investment advisers’ limited involvement in and visibility into the operation of their portfolio companies, an adviser may be required to file a SAR on a portfolio company, such as where the adviser (i) is approached by a limited partner or other investor in a fund about unusual access to particular technology or processes being developed by a portfolio company; (ii) becomes aware that such a limited partner or investor has reached out to a portfolio company for such information; or (iii) is asked to obscure participation by an investor in a particular transaction to avoid notification to government authorities. The rule indicates that FinCEN may consider such activity to be potentially relevant to a possible violation of law or regulation or otherwise indicative of suspicious activity.

[9] The compliance date for the SEC’s potential final CIP rule will align with this date.

[10] There are also a few broad exceptions that allow covered investment advisers to exclude mutual funds and bank or trust-company sponsored collective investment funds from its AML program. This exclusion is “permissive and not mandatory”; an investment adviser could opt to include them in its AML program. Advisers that provide only advisory services that do not involve the management of customer assets are also exempt, but not when the adviser also manages client assets.