Investment Advisers Begin Critical Year of AML Compliance Planning

After decades of debate and attempts to hold registered advisers and private funds accountable for anti-money laundering (AML) programming requirements, FinCEN’s recent approval of final rules serves as a potential wake-up call for registered advisers and exempt reporting advisers required to establish risk-based AML programming requirements by the beginning of next year.

Advisers should not take AML programming requirements lightly. They would be wise to look closely at regulatory enforcement imposed on other financial institutions with an eye toward not making similar mistakes when establishing risk-based programming. Indeed, there are several key areas advisers should pay attention to before they establish AML programming.

One hurdle facing advisers in establishing risk-based AML programming will involve addressing what “suspicious activity” will need to be identified and reported under the new rules. The final rule provides that the advisers must implement a risk-based AML program. 

Advisers should look at the type of transaction monitoring they decide to use. While FinCEN stated that the rule does not require advisers to implement automated transaction monitoring systems, depending on the type of transactions and size of the firm, it seems unlikely manual monitoring would be deemed reasonable for all advisers. The key factor in assessing reasonable transaction monitoring lies with the investment adviser’s risk profile. Each investment adviser’s risk profile will be different, so out-of-the-box technology solutions may not work for all advisers. FinCEN expects that the adviser has “reasonable internal policies, procedures, and controls to monitor and identify unusual activity, and adequate resources to identify, report, and monitor suspicious activity.”

In certain situations, delegation of certain aspects of transaction monitoring may be reasonable for advisers. For example, qualified custodians that custody customer funds may have existing transaction monitoring systems that can be leveraged by the adviser. Advisers leveraging such technology, however, remain responsible for such transaction monitoring, and, if applicable, reporting to FinCEN on suspicious transactions identified through such monitoring.

Customer information and suspicious activity

Specifically, the final rule will require an adviser’s AML program to implement appropriate risk-based procedures for conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. 

See more : Hartford Foundation kicks off centennial year with new $2.9M investment

As a result, regulators will expect advisers to “perform ongoing monitoring, drawing on customer information, as well as to file suspicious activity reports (SARs) in a timely manner in accordance with their reporting obligations.” Specifically, FinCEN clarified that “the obligation to update customer information will generally only be triggered when the adviser becomes aware of information relevant to assessing the potential risk posed by a customer; it does not impose a categorical requirement to update customer information on a regularly occurring, pre-determined basis.” New information identified by an adviser regarding a customer may result in potentially suspicious activity that may require a SAR filing. Furthermore, while FinCEN clarified that advisers are not categorically required to “perform media searches or … screenings for all customers,” it seems difficult to imagine how to manage a risk-based monitoring program without conducting “risk-based monitoring of such reports and events.” What this means is that advisers will essentially need to run continuous nightly batch searches on customers/investors to avoid missing potential red flags related to investors/customers, which could result in the need to file a SAR.

Notably, FinCEN is clear that “the ongoing monitoring obligation is intended to apply to ‘all transactions by, at, or through the financial institution,’ and not just those that are made by direct customers of the financial institution.” FinCEN made this statement with legal entity customers that are pooled investment vehicles in mind. Importantly, FinCEN contends that the “level of risk posed by a customer relationship with a legal entity customer that is a pooled investment vehicle should be a factor influencing the decision to request information regarding underlying investors[.]” How that pooled investor responds not only informs how the adviser should adjust the risk profile of that legal entity customer but also whether such failure to respond and/or provide that information requires a SAR filing as suspicious activity related to the transaction. 

Transaction activity that may be suspicious

FinCEN has provided several examples of the types of suspicious activities certain advisers may need to identify and report. As a result, advisers should look at these examples to assess whether they could apply to their business, as it is evident regulators will expect advisers to monitor for these types of risks, if they apply.

• “Transactions designed to hide the source or destination of funds and fraudulent activity.”
• For private funds, “an investor in such a fund requesting access to detailed non-public technical information about a portfolio company the fund is invested in that is inconsistent with a professed focus on economic return, in a potential case of illicit technology transfer in violation of sanctions, export controls, or other applicable law.”
• Even though “private fund advisers may have limited involvement in and visibility into the operation of their portfolio companies, including ‘material non-public technical information,’” suspicious activity on a portfolio company may be reportable “where the adviser: (i) is approached by a limited partner or other investor in a fund about unusual access to particular technology or processes being developed by a portfolio company, (ii) becomes aware that such a limited partner or investor has reached out to a portfolio company for such information, or (iii) is asked to obscure participation by an investor in a particular transaction to avoid notification to government authorities[.]”
• “A money launderer also could engage in placement and layering by funding a managed account or investing in a private fund by using multiple wire transfers from different accounts maintained at different financial institutions or requesting that a transaction be processed in a manner to avoid funds being transmitted through certain jurisdictions.”
• “[U]nusual wire activity that does not correlate with a customer’s stated investment objectives; transferring funds or other assets involving the accounts of third parties with no plausible relationship to the customer, transfers of funds or assets involving suspicious counterparties—such as those subject to adverse media, exhibiting shell company characteristics, or located in jurisdictions with which the customer has no apparent nexus[.]”
•  “[T]he customer behaving in a manner that suggests that the customer is acting as a ‘proxy’ to manage the assets of a third party[.]”
• “[A]n unusual withdrawal request by a customer with ties to activity or individuals subject to U.S. sanctions following or shortly prior to news of a potential sanctions listing.”
• “[P]otential fraud and manipulation of customer funds directed by the investment adviser.”
• “[I]nsider trading, market manipulation, or an unusual wire transfer request by an investment adviser from a private fund’s account held for the fund’s benefit at a qualified custodian.”

In addition to the above types of suspicious activity, FinCEN expects that advisers assess the risk of their proprietary investment activity and determine the level of necessary monitoring commensurate with the risk associated with its proprietary investments.

Regulators have years of experience with AML programming and will expect advisers to have robust programming to identify all types of suspicious activity. Indeed, as part of FinCEN’s response to comments, it appears the regulators already believe many advisers have substantial programming in place. It remains to be seen whether that comment rings true.

And while certainly FinCEN expects advisers to assess their own risks, based on years of enforcement activity related to other financial institutions, it is evident that regulators have already decided other risks that are appropriate to monitor for suspicious activities beyond those listed above.

To better gauge what additional risk-based programming may need to be considered, the place to start is to look at the existing SAR form itself. There are dozens of types of activities that FinCEN already has identified as the type of suspicious activity it expects to see financial institutions identify and report and much of this activity has nothing to do with money laundering. 

Account takeovers; elder abuse/financial exploitation; two or more individuals working together; bribery; and little or no concern or product performance penalties, fees or tax consequences are just a few of the items listed on the SAR form as types of reportable suspicious activities. Advisers should consider the items listed on the existing SAR form as they embark on defining how they will address these risks to reasonably identify and report these suspicious activities. 

To further illustrate this point, advisers should look at the types of actions regulators have brought against other financial institutions to fully understand the scope of what is expected to be reported under the SAR rule. 

See more : The Transition to Net Zero: An Investment Opportunity for the Private Sector

While FinCEN explicitly stated there is no regulatory expectation or obligation that an adviser file a certain minimum number of SARs, decades of examinations conducted by federal functional regulators and/or self-regulatory organizations demonstrate having no filings may lead to many questions about the efficacy of the AML programming to identify and report suspicious activity. 

Confidentiality of SARs

FinCEN and federal functional regulators take seriously the obligation to keep SARs confidential. It will be important that advisers establish a framework that ensures the confidentiality of any SAR filings. Financial institutions have taken various approaches to safeguarding SAR filings within their organizations, including establishing limitations on who has access and information about the SAR filings. Frameworks that have SAR committees or individuals who can have access to SARs need to design the programming to ensure that the access remains limited to those constituents and that there are clear policies and procedures that reflect access and information about the SAR filing.

Training

The final rule requires that “employees of an investment adviser (and … any agent or third-party service provider that is delegated with administering any portion of the investment adviser’s [AML] program) must be trained in [AML] requirements relevant to their functions and to recognize possible signs of money laundering, terrorist financing, and other illicit finance activity that could arise in the course of their duties.” 

It appears from the final rule that regulators will expect advisers to provide training to all employees insofar as everyone at the adviser has an obligation to identify and report potentially suspicious activity to be assessed for a potential SAR filing. Moreover, the final rule also requires that training be provided to any “agents” or third-party service providers with any delegated AML programming. Put differently, for advisers using third-party service support, they will need to ensure that training is provided to those providers as well.

While the final rule allows for this training to provide a general awareness of overall AML/CFT requirements and money laundering, terrorist financing and other illicit finance risks, advisers must remember that the training should also align with their business and the risks attendant with their business.

Furthermore, the final rule also requires that advisers assess more fully those employees/agent/third-party providers that will need tailored AML/CFT training. In those instances, that training should be more job-specific guidance tailored to employee roles and functions with respect to the investment adviser’s particular AML/CFT program. Over the years, by analogy, other financial institutions have received enforcement actions related to inadequate training and/or lack of training for key employees/agents/providers who play specific roles in support of AML programming.

Importantly, individuals that have job-specific AML obligations will need to have training before AML programming becomes effective. Insofar as the final rule notes that for those employees whose duties bring them in contact with AML/CFT requirements or possible money laundering, terrorist financing or other illicit finance risks, training would have to occur when the employee assumes those duties. 

Conclusion

While the effective date for advisers’ AML programming is not until Jan. 1, 2026, establishing a reasonable risk-based AML program has many components that must be addressed sooner rather than later to create a program that meets the regulatory requirements and expectations for advisers. Whatever perception regulators may have that certain advisers already have programming in place, the reality is those programs may not be on par with what is now being required of advisers. Risk assessments and customer/investor risk profiles remain key components of a program that cannot wait to be completed as regulators view those as foundational to a reasonable AML program.