An Anti-Money Laundering Rule for Investment Advisors in the US: Is it Coming?

As we approach the 20th anniversary of the first proposed anti-money laundering (AML) rule for investment advisors (IAs) next year, we reflect on whether an IA rule may finally be passed, and what firms can do to prepare.

 

Current State of Anti-Money Laundering (AML) Regulation for US Securities and Exchange Commission (SEC) Registered Investment Advisors

Currently, there is no AML Program Rule in the US for SEC Registered Investment Advisors (RIAs) or their administrators. Custodians such as banks and broker-dealers do have a program requirement that has been in place for some time, and many advisors voluntarily comply in the interest of maintaining such relationships or as part of a broader enterprise AML Program. Furthermore, broker-dealers dully registered as RIAs may also implement AML Programs across their businesses for enterprise risk management.

Is a Formal Rule for RIAs Coming?

The idea of a formal rule for RIAs has been part of political discourse since May 2003, when the Financial Crimes Enforcement Network (FinCEN) issued a proposed rule for IAs1, which never came to fruition. Twelve years later, in September 2015, FinCEN published a notice of proposed rulemaking that would require RIAs to have an AML Program and file reports on suspicious activity.  Given past unsuccessful attempts to finalize an AML rule for this industry, what makes us think one may actually be implemented in the future? Let’s take a look at the signs that suggest more formal regulation is gaining momentum.

A series of key events beginning in 2016 signaled an increased likelihood of a final rule: 

In April 2016, the International Consortium of Investigative Journalists (ICIJ)  published its investigation into leaked documents from the Panamanian law firm Mossack Fonseca. Dubbed the “Panama Papers” investigation, it highlighted the amount of wealth managed in offshore banking jurisdictions. The ICIJ later published investigations into similar leaks, the Paradise Papers in November 2017 and the Pandora Papers in October 2021. The investigations identified corporate structures established for several politicians, royals, and business executives.

In December 2016, the Financial Action Task Force (FATF) published its Mutual Evaluation of the U.S. FATF determined that “the regulatory framework has some significant gaps, including minimal coverage of certain institutions and businesses (IAs, lawyers, accountants, real estate agents, trust and company service providers, other than trust companies),” and specifically that “[i]nvestment advisors (a part of the securities industry which manages over USD 67 trillion in assets) are not directly covered by BSA obligations.” FATF concluded that the US should extend reporting requirements to investment advisors and notes that FinCEN has proposed regulations that would extend AML/Combatting the Financing of Terrorism (CFT) requirements explicitly to all IAs.

In March 2020, FATF issued a re-rating of the US, which suggested that the US government was taking steps to evaluate how to close the gaps identified in 2016. In the section devoted to recommendations partially compliant (PC) or not compliant (NC), FATF references sectors not covered by regulation:

“The US has reported progress on other Recommendations rated PC/NC, such as R.1, R.12, R.16, R.20, R.24, R.25, and R.28. Actions underway include, among others, undertaking a systemic review of its AML/CFT system to more effectively address identified risks, including with respect to some sectors currently uncovered.”

In June 2020, an FBI bulletin released as part of a leak of confidential documents dubbed “BlueLeaks” assessed with “high confidence” that “[t]hreat actors use the private placement of funds, including investments offered by hedge funds and private equity firms” to reintegrate dirty money into the legitimate global financial system. The report identifies gaps on AML coverage for private equity (PE) firms and hedge funds. The report cites real-world examples of large schemes conducted to launder money and evade sanctions, with the underlying commonality that both PE firms and hedge funds do not require the disclosure of beneficial owners.

On October 8, 2021, a bill was introduced in the US House of Representatives titled the Establishing New Authorities for Businesses Laundering and Enabling Risks to Security (ENABLERS) Act. The ENABLERS Act broadens the definition of a “financial institution” under the Bank Secrecy Act (BSA) to include certain “gatekeepers,” such as investment advisors, attorneys, and accountants. If signed into law, the ENABLERS Act would require the US Treasury Secretary to promulgate rules for the newly covered entities to report suspicious transactions, establish AML programs, identify and verify account holders, and establish due diligence programs, among other requirements.

In December 2021, pursuant to presidential order, the White House issued the “United States Strategy on Countering Corruption.” One pillar of the strategy, titled “Curbing Illicit Finance,” states that “lines of effort” will be focused on prescribing minimum reporting standards for investment advisors and other types of equity funds. Specifically, the report highlights a concern that corrupt actors can invest their ill-gotten gains in the US financial system through hedge funds, trusts, private equity funds, and other advisory services or vehicles offered by investment advisors that focus on high-value customers. Additionally, the lack of regulatory oversight of these industries means that, as the Treasury stated in its 2015 Notice of Proposed Rulemaking (NPRM), “[I]t [is] possible for money launderers to evade scrutiny more effectively by operating through investment advisors rather than through broker-dealers or banks directly.” It further stated the Treasury will re-examine the 2015 NPRM. The Treasury will further consider whether to cover private placement funds, including investments offered by hedge funds and private equity firms.

In February 2022, the Treasury Department published the US National Money Laundering Risk Assessment. The assessment focused in part on the vulnerability of the IA sector due to the segmentation inherent in the business. In addition to the lack of an AML program requirement, it states:

“The use of third-party custodians by RIAs separates the advisory functions of an RIA’s business from the actual movement or transfer of client funds. The use of third-party custodians, when combined with the practice of pooling customer funds into omnibus accounts for trading and investment, can impede transparency, which is core to AML/CFT effectiveness. The 2015 FinCEN RIA NPRM stated, for example, that “[w]hen an advisor orders a broker-dealer to execute a trade on behalf of an advisor’s client, the broker-dealer may not know the identity of the client. When a custodial bank holds assets for a private fund managed by an advisor, the custodial bank may not know the identities of the investors in the fund.”

The assessment, supported by a handful of case studies, further states that fund administrators are often “located in offshore financial centers where private funds are routinely registered, usually for tax or other commercial or non-AML/CFT regulatory advantages” and qualified custodians can be subject to varying levels of oversight.

On May 13, 2022, The US Treasury Department issued its 2022 National Strategy for Combating Terrorist and Other Illicit Financing (2022 Strategy). As part of the 2022 Strategy, the document outlines the need to assess further “action,” which suggests more concrete steps will be taken. Specifically Supporting Action #3 states: 

“Assess Need for Additional Action on Sectors Not Subject to Comprehensive AML/CFT Measures Certain types of financial intermediaries, gatekeepers, and other professions or sectors are not covered by comprehensive and uniform AML/CFT obligations, and face varying levels of illicit finance risk exposure. These include financial intermediaries, such as investment advisors advising private investment funds and gatekeepers such as Trust or Company Service Providers that facilitate the creation of, and provide services for, certain legal entities. This uneven AML/CFT coverage can create opportunities for regulatory arbitrage.” 

The 2022 Strategy sets out benchmarks for progress to be evaluated in 2024 that include taking action to “reinvigorate” the efforts to finalize a rule, or document why a rule is not necessary.

Most recently, in June 2022, the ENABLERS Act described above was included in the National Defense Authorization Act for fiscal year 2023.

If an AML Program Rule is on the horizon, what should RIAs be doing to prepare? The answer depends on your current risk management program, and the depth and breadth of your operations.

What You Should Already Be Doing for Good Governance and Sound Risk Management

Some RIAs are already indirectly covered through affiliations with banks, bank holding companies, and broker-dealers, when they implement groupwide AML rules or in case of outsourcing arrangements. These institutions may voluntarily comply with program requirements in the interest of maintaining relationships with banks or broker-dealers as part of a broader enterprise AML program.

For RIAs that do not, even absent an AML rule, you should consider these risks and those germane to your business, e.g., are investments in areas subject to corruption, is the strategy long or short term (the latter being more attractive to launderers); do you have lockups, and are you monitoring investors that redeem despite such lockups and any associated penalties? It is a crime to be willfully blind to facilitating money laundering, even without a regulatory obligation to implement a compliance program.

AML Program Framework

Many investment advisors and asset managers have designed and implemented an AML compliance program in the absence of a regulatory requirement. These institutions will be ahead of the game. Furthermore, the Department of Justice (DOJ) guidance regarding the Evaluation of Corporate Compliance Programs states that an adequate and effective compliance program is a factor that the DOJ uses to determine whether to bring charges, negotiate pleas, or other agreements. Accordingly, RIAs may wish to consider proactively assessing if they have an appropriately risk-based program to detect and prevent money laundering, terrorist financing, and other financial crimes.

There are elements of an AML Program that an RIA should consider applying right now. 

  1. Management Oversight and Governance and AML Compliance Officer

    Perform a risk assessment to identify areas of greatest AML risk. Document escalation paths and decision-making authorities, and update your staffing assessment. Job descriptions and performance management processes should be updated to align to new responsibilities and management expectations.
  2. Know Your Customer (KYC), which includes Customer Identification Program, Customer Due Diligence, and Enhanced Due Diligence.

    Determine who your customer is, based on the services you offer, and what parties you need to perform due diligence on as a function of risk management (e.g., fund/fund of funds, investors, separately managed portfolio clients, and finders or other intermediaries).

  3. Suspicious Activity Monitoring and Reporting

    Analyze the unique aspects of the RIA business (e.g., lockups, long-term vs. short-term strategies, and differences in activity in applications and redemptions accounts vs. investment accounts) to determine what patterns of unusual activity may require additional review.  Identify red flags and typologies, such as penalties for breaking a lockup, or if an investor or client is operating through shell companies established outside the beneficial owner’s home jurisdiction. Even without an obligation to file a suspicious activity report, this information will help you identify risk in your customers’ activities for your institution’s risk management.

  4. Training and Communication

    You want your employees to say something if they see something, so you will need to identify the types of activity in your business that could indicate risk. AML training should be both general and tailored to specific roles and business lines as appropriate. Consider training the board of directors and senior management to ensure they understand the requirements and the impact on their duties for oversight and risk management.

  5. Independent Testing

    All compliance programs should be tested periodically to determine if the controls are reasonably designed and appropriately implemented. The requirement for an independent test of an AML program will be a part of any final rules. Identify whether an internal audit function exists, or if your firm will need to identify a qualified third party to review the AML program. Ensure that the independent test is completed by a department or company with experience in AML, and how the rules would apply to the RIA business.

What Additional Steps You May Need to Take  

Even without knowing specific requirements, there are preparatory actions RIAs can take to be ready to implement new requirements. Preparedness begins with having a thorough understanding of your entity’s existing risk management practices to be able to identify where gaps in coverage might surface when new regulations are enacted. 

  • Socialize the possibility with the board of directors, senior management, and key stakeholders.

    Summarize the information released to date, and identify the potential impact to your company if a rule is passed.  

  • Map your operational processes.

    Identify where third-party service providers (such as administrators and custodians) are part of your ecosystem, and consider your oversight of such third parties and the contracts you have in place with them. Focus on onboarding of both clients and investors, and the associated fund flows throughout the business. For example, if an administrator completes your KYC on your fund, do you have oversight? Do you know what they do, the procedures they follow, and if they have an audit or testing program in place? Is potentially suspicious activity or negative news escalated to you?

  • Consider your existing risk management practices.

    Determine if there are existing risk management processes and controls that can be leveraged or modified to gain efficiencies in implementation. For example, investor or transaction data that is pertinent to AML may be captured for other reasons, and systems used to capture and/or screen information may be able to be modified. Consider your existing risk management and compliance process related to sanctions, anti-bribery and corruption, anti-fraud, reputational risk, and general due diligence.

In addition to identifying economies of scope, consider economies of scale. Are there enterprise risk management considerations such as global advisor affiliates, or other covered financial institutions within the organizational structure that have an AML Program that can be leveraged?

Conclusion

Although the rules have not been finalized, RIAs can start planning now to make sure that they are ready when the time comes.

Guidehouse can help. Our team of subject matter experts has decades of experience in both AML and within the investment advisory industry. We can help guide you through the task of strategically scoping and designing your AML Program through implementation and execution.

 
Special thanks to Kristin Wenske for co-authoring this article.

1 The proposed rule in May 2003 was published following a rule for unregistered investment companies in September 2002. Visit the Federal Register website for more information. In the preamble to the 2015 proposal, FinCEN noted that, following regulations promulgated pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) in 2010, certain formerly unregistered advisors were required to register with the SEC. The 2015 rule therefore would provide substantially the same coverage as the two proposed rules promulgated prior to the passage of Dodd-Frank.

About the Experts

Back to top