New Customer Identification Rules for Investment Advisors

On May 13, 2024, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) and the U.S. Securities and Exchange Commission (SEC) issued a joint Notice of Proposed Rule Making¹ (NPRM or proposed rule) that would require Registered Investment Advisors (RIAs) and Exempt Reporting Advisers (ERAs) to establish and maintain written Customer Identification Programs (CIPs). The CIP proposed rule builds on FinCEN’s February 2024 proposed rule that would define as financial institutions and impose Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) program and Suspicious Activity Report (SAR) filing requirements on RIAs and ERAs. Under the Bank Secrecy Act, FinCEN and the SEC, as the federal functional regulator for certain Investment Advisors (IAs), are obligated to issue regulations defining the minimum standards for CIPs for RIAs and ERAs once they are included in the definition of financial institutions. The proposed CIP requirements for RIAs and ERAs are generally consistent with existing rules for other financial institutions, such as broker-dealers, mutual funds, and banks, and seek to realize efficiencies in instituting CIPs for IAs with existing relationships with other financial institutions.

Requirements

Under the proposed rule, both RIAs and ERAs would be required to:

1. Establish, document, and maintain a written CIP as part of an IA’s AML/CFT program.

2. Implement reasonable, risk-based procedures to verify the identity of customers seeking to open and hold an account, including obtaining, at a minimum, a customer’s:

• Name, 
• Date of birth for an individual or date of formation for entities, Address, and 
• Identification number such as taxpayer identification number.

3. Maintain and retain records associated with customer identity verification as follows:

• Customer identifying information while the account remains open and for five years after the date the account is closed, and
• Records regarding the identify verification process for five years after the record is made.

4. Determine whether a customer appears on any federal government list of known or suspected terrorists and terrorist organizations; and

5. Provide customers with adequate notice of an IA’s identity verification procedures.

The proposed rule requires that the CIP include risk-based procedures to identity verification to enable the IA to “form a reasonable belief that it knows the true identity of each customer.”² This risk-based approach to the CIP should be informed by an IA’s risk assessment and designed to adequately mitigate identified risks. This means that, consistent with its risk assessment, an IA may need to take additional steps to verify the identity of a customer that is not a natural person, such as obtaining supplemental information about the individuals with control or authority over the account or reviewing the account in connection with customer due diligence (CDD) procedures described in the February 2024 NPRM.³

The CIP NPRM notes there is a limitation to this risk-based approach when verifying the identity of non-natural person customers. Under the proposed rule, a private fund that is an IA customer would be subject to risk-based identity verification procedures, including identifying the individuals with authority or control over the fund, while the identities of the fund’s customers would not be subject to these procedures.⁴ By extension, this exclusion appears to apply to funds-of-funds where a fund’s customer that is also a fund, not to mention their customers, would similarly not be subject to identity verification procedures. This exclusion seems to be an accepted gap at this time, even though FinCEN noted in the February NPRM that illicit actors sometimes employ such funds and funds-of-funds as a mechanism in their money-laundering strategy.⁵ It remains to be seen if the regulators will address this gap in the final AML/CFT, CIP, or CDD rules. At the least, funds will need to execute a robust risk assessment to identify those higher risk individual investors, or higher risk funds that will require additional due diligence.

The proposed rule provides IAs with a degree of flexibility in designing and establishing a CIP in acknowledgment of the variation in IA company profiles, account opening circumstances, and customer profiles. The proposed rule allows IAs to:

1. Rely on another financial institutions for components or the entirety of their CIP, provided:

• The reliance is reasonable under the circumstances,
• The other financial institutions is subject to AML/CFT requirements, and 
• The parties enter into a contract requiring the FI to certify annually to the IA that the financial institution implemented its AML/CFT program and that the financial institution will perform specified CIP requirements for the IA.

2. Conduct customer identity verification before or after the account is opened, within a reasonable time.

3. Use a combination of official and non-official documentary methods of identity verification, as delineated in the IA’s CIP.

Key Compliance Considerations for RIAs and ERAs

While this NPRM is contingent on the finalization of the February 2024 NPRM, the industry should anticipate a final rule for both proposed rules in the upcoming years. IAs can begin to prepare to comply with the CIP NPRM by considering the following:

Evaluate the Program You Have — Many RIAs and ERAs may already have an established AML/CFT program, or elements thereof, of which CIP may be a component. Additionally, IAs may already obtain certain identifying information to comply with the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctions, U.S. export controls where applicable, and non-U.S. regulations. What existing processes and procedures can you leverage when designing and implementing your CIP? How and, importantly, where in the process will you integrate these requirements? It is important to evaluate to what extent your existing program complies with the new regulatory requirements, is adequately risk-based, adequately implemented, and sustainable.

Develop and Enhance Your CIP — For those IAs that do not have a CIP or one that meets the regulatory requirements outlined in the NPRM, now is the time to develop, enhance, and implement your program. The proposed rule requires covered IAs to comply with the finalized CIP regulations on or before six months from the final rule’s effective date.

Although the February NPRM and the CIP proposed rule are separate rules, they have a clear nexus—consider both proposed rules when developing and enhancing your program. Also, consider your end-to-end customer onboarding process and the parties involved. Are responsible team members knowledgeable about AML and CFT? Which counterparties are considered “customers” under the rule, and how are they onboarded? How will data and documents be housed? How will your AML/CFT and customer identification programs impact the process for exams? Consider updating staffing assessments, job descriptions, training, and escalation pathways to appropriately address new tasks.

Guidehouse advises that firms inform their board and start developing and enhancing both your customer identification and AML/CFT programs now, since it will take time to design and implement the program, onboard technology or vendors, train staff, and fine-tune your program to appropriately address risk factors identified in your risk assessment. 

Conduct or Refresh Your Risk Assessment — Under the proposed rule, IAs are required to establish and implement a risk-based CIP appropriately tailored to mitigate potential risks associated with an IA’s profile and complexity, their existing and potential customers, and financial and investment advisory services provided. To comply with the CIP proposed rule, Guidehouse advises IAs to conduct or refresh your risk assessment and corresponding methodology to ensure your customer identity verification and AML/CFT programs are informed by your current risk profile.

Consider How CDD Fits Into Your Program — The NPRM acknowledges that CDD procedures are a critical component to an IA’s overall compliance program to verify the identity of individuals with authority or control over accounts for legal entity customers, as defined in the proposed rule, and to adequately screen customers to comply with U.S. sanctions, OFAC, and export controls laws, among others. Additionally, once defined as a financial institution, RIAs and ERAs will need to implement CDD procedures to comply with the Financial Action Task Force (FATF) recommendations and FinCEN’s forthcoming revised CDD Rule. Precisely how the revised CDD rule will apply remains to be seen. Guidehouse advises IAs to incorporate implementing CDD processes to determine the identity of investors, beneficial owners, and the source of their funding—similar to the process at banks dealing with high-net-worth clients—into the design and enhancement of an IA’s customer identification and AML/CFT programs as a critical element necessary to comply with both proposed rules and the forthcoming revised CDD rule.

How Guidehouse Can Help

Guidehouse experts have decades of experience in the IA and securities industry. To ensure compliance with the proposed CIP and AML/CFT rules, Guidehouse has a team of experts who are well-positioned to help entities in the IA industry with the following:

• Customer Identification, AML/CFT, and Sanctions Program Design, Execution, and Management
• Staffing Assessment and Designing Target Operating Models
• Customer Identification, AML/CFT, and Sanctions Program Assessments and Remediation
• KYC Risk Profiling, Risk Appetite, and File Remediation
• Program Risk Management
• Enterprise Risk Assessments
• Strategic Planning
• Vendor Sourcing and Governance
• CIP, AML/CFT, and Sanctions Training
• AML/CFT and KYC Technology Implementation and Validation