On September 1, 2015, the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN) published a notice of proposed rulemaking (the Proposed Rule) prescribing anti-money laundering (AML) requirements for investment advisers that are registered or required to be registered (RIAs) with the Securities and Exchange Commission (SEC).1 The requirements include establishing an AML program and reporting suspicious activity. In addition, FinCEN proposes to include RIAs within the general definition of "financial institution" in rules implementing the Bank Secrecy Act (BSA), which would require them to, among other things, file currency transaction reports and maintain records relating to the transmittal of funds. The authority to examine RIAs for compliance with these AML requirements would be delegated to the SEC.
The Proposed Rule addresses concerns that money launderers and other illicit actors seeking to access the U.S. financial system may attempt to gain entry through an investment adviser because it is subject to fewer AML controls than other financial institutions, such as broker-dealers and banks. The Proposed Rule would subject RIAs to rules similar to those affecting other financial institutions under the BSA and would make it more difficult for criminals to evade scrutiny by operating through RIAs.
The Proposed Rule does not include a customer identification program (CIP) requirement or the customer due diligence requirements for financial institutions proposed on August 4, 2014.2 These issues, as well as other potential AML requirements, are anticipated to be addressed by FinCEN in subsequent rulemakings, with the CIP requirements addressed in a joint rulemaking with the SEC. Comments on the Proposed Rule are due on or before November 2, 2015.
This Sidley Update describes the basic requirements of the Proposed Rule and discusses some of the issues on which FinCEN has solicited comments. RIAs should consider the changes they might need to make to their existing AML programs if the Proposed Rule is adopted as proposed. In addition to adding sections to cover new requirements, such as responding to Section 314(a) information requests from FinCEN, significant enhancements may be necessary in the areas of suspicious activity monitoring and reporting, employee training, independent testing and client risk assessments. RIAs that have delegated AML functions to third-party service providers may also need to re-evaluate whether these outsourced functions are being performed up to FinCEN standards.
FinCEN is authorized to issue regulations to implement the Bank Secrecy Act, as amended by the USA PATRIOT Act, that would impose AML compliance obligations on financial institutions.3 Pursuant to this authority, on May 5, 2003, FinCEN published a proposed rule requiring certain investment advisers to establish AML programs (First Proposed Investment Adviser Rule).4 This rule followed another FinCEN proposed rule published on September 26, 2002, requiring unregistered investment companies to establish AML programs (Proposed Unregistered Investment Companies Rule). These two proposed rules were eventually withdrawn by FinCEN in November 2008 due to the amount of time elapsed after the initial proposal of the rules and to allow FinCEN to take a fresh look at potentially applicable BSA regulation.
Since then, the regulatory landscape for investment advisers has changed. As a result of the Dodd-Frank Act amendments to the Investment Advisers Act of 1940, formerly unregistered advisers to hedge funds, private equity funds and other private funds must now register with the SEC. Therefore, FinCEN believes that the two-prong approach of the prior withdrawn proposed rules is no longer necessary. Most of the issuers captured under the Proposed Unregistered Investment Companies Rule would now be included in the AML programs of RIAs under the new single Proposed Rule.
Adding Investment Advisers to the Definition of "Financial Institution"
The BSA and its regulations do not expressly list "investment adviser" among the entities that fall within the definition of "financial institution."5 However, the Secretary of the Treasury may include additional types of business within the definition of "financial institution" if they engage in any activity similar or related to, or a substitute for, any of the listed entities. In that regard, investment advisers offer services that are similar or related to those offered by broker-dealers, banks and insurance companies, which are BSA-defined financial institutions. Such activities include, among others, sponsoring and providing advisory services to mutual funds, advising clients on the sale or purchase of mutual fund shares, advising on annuities offered by insurance companies or broker-dealers, and offering asset management services. The close relationship between investment advisers and other BSA-defined financial institutions is further evidenced by the fact that investment advisers are often dually registered as broker-dealers or affiliated with them. Accordingly, under the Proposed Rule, FinCEN proposes to add "investment adviser" to the list of entities within the general definition of "financial institution" set forth in the FinCEN regulations.6 "Investment adviser" would be defined as any person who is registered or required to be registered with the SEC under section 203 of the Investment Advisers Act of 1940 (RIAs), including both primary advisers and subadvisers.7
Generally, large advisers with US$100 million or more in regulatory assets under management are required to register with the SEC unless an exemption from registration is available. Mid-sized advisers with US$25 million or more but less than US$100 million, and small advisers with less than US$25 million in regulatory assets under management are generally prohibited from registering with the SEC and are instead regulated by the States; however, some mid-sized advisers are required to register with the SEC. Therefore, large advisers are generally included in the Proposed Rule's definition of "investment adviser" and mid-sized and small advisers are generally excluded from the definition. Of course, FinCEN may consider future rulemakings that expand the application of the BSA to state-regulated investment advisers or investment advisers that are exempt from SEC registration.
The addition of RIAs to the definition of financial institution would subject RIAs to BSA regulatory requirements generally applicable to financial institutions, including currency transaction reporting, maintaining records relating to the transmittal of funds and other recordkeeping requirements, and special information sharing procedures with government agencies and other financial institutions, as described below.
Currency Transaction Reporting. All investment advisers are currently required to file Form 8300 to report the receipt of more than US$10,000 in cash and negotiable instruments. The Proposed Rule replaces this requirement for RIAs with a requirement to file Currency Transaction Reports (CTRs). A CTR would be filed for any transaction involving a payment or transfer of more than US$10,000 in currency by, through or to the RIA during any one business day. Multiple transactions must be treated as a single transaction if the financial institution knows that the transactions are conducted by or on behalf of the same person. RIAs would no longer be required to report applicable transactions involving certain negotiable instruments reportable on Form 8300.
Transmittals of Funds and Other Recordkeeping Requirements. The BSA imposes on financial institutions certain recordkeeping and travel rules applicable to transmittals of funds that equal or exceed US$3,000 (the Recordkeeping and Travel Rules). Under the Proposed Rule, RIAs must create and retain certain records regarding each transmittal of funds of US$3,000 or more, and ensure that certain information "travels" with the transmittal to the next financial institution in the payment chain. The information required to be collected and retained depends on the financial institution's role in the particular funds transfer (e.g., the transmittor's financial institution, an intermediary financial institution, or the recipient's financial institution). A "transmittal of funds" includes funds transfers processed by banks, as well as similar payments where one or more of the financial institutions processing the payment is not a bank.
In addition, the Proposed Rule would require RIAs to create and retain records for extensions of credit and cross-border transfers of currency, monetary instruments, checks, investment securities and credit in amounts exceeding US$10,000.
Information Sharing with Government and Other Financial Institutions. The Proposed Rule subjects RIAs to special information sharing procedures to detect money laundering or terrorist activity pursuant to Sections 314(a) and 314(b) of the USA PATRIOT Act. Upon receiving a Section 314(a) request from FinCEN, RIAs are required to search their records to identify accounts or transactions of named persons suspected by law enforcement agencies of engaging in money laundering or terrorist financing. Section 314(b) allows financial institutions to voluntarily share information with other financial institutions subject to an AML program requirement in order to identify and report activities that may involve money laundering or terrorist activity. A financial institution that shares such information receives protections from civil liability, and must file an annual notice of sharing with FinCEN.
Anti-Money Laundering Program Requirement
The Proposed Rule requires RIAs to establish a written AML program reasonably designed to prevent the RIA from being used for money laundering or terrorist financing and to achieve and monitor compliance with applicable provisions of the BSA and its regulations. The program must be approved in writing by the board of directors or trustees and, if there is no such board, by the sole proprietor, general partner, trustee or other persons with functions similar to a board of directors. The program must also be made available to FinCEN or the SEC upon request.
There are four minimum elements of an AML program:
(1) Policies, procedures and internal controls reasonably designed to prevent the RIA from being used for money laundering or terrorist financing activities and to achieve and monitor compliance with applicable provisions of the BSA and its implementing regulations. The RIA must review, among other things, the types of advisory activities it provides and the nature of its clients to identify its vulnerabilities to money laundering and terrorist financing activities. The policies, procedures and internal controls must then be developed based on the results of the review in order to manage and mitigate the identified risks.
(2) Independent testing for compliance conducted by the RIA's personnel or by a qualified outside party. Independent testing of the program should occur on a periodic basis to ensure that there is compliance with the Proposed Rule and the program is functioning as designed. The frequency will depend on the RIA's assessment of its risks. Employees of the RIA, its affiliates, or unaffiliated service providers may perform the independent testing, as long as they are knowledgeable regarding BSA requirements and are not involved in the operation and oversight of the program. Any recommendations issued from the independent testing should be promptly implemented or submitted to senior management for consideration.
(3) Designated person or persons responsible for implementing and monitoring the operations and internal controls of the program. An RIA may designate a single person or committee that is knowledgeable regarding FinCEN's regulatory requirements and the RIA's money laundering risks to have full responsibility for developing and enforcing appropriate risk-based policies and procedures. A designated compliance officer should be an officer of the RIA. The need for a dedicated full-time BSA compliance officer will depend upon the size and type of services the RIA provides and the clients it serves.
(4) Ongoing training for appropriate persons. Employees of an RIA (and of any agent or third-party service provider) must receive training in BSA requirements and in recognizing possible signs of money laundering that could arise in the course of their duties. The nature, scope and frequency of training would be determined by the extent to which an employee's functions bring him or her in contact with the BSA and possible money laundering activity. The training program should therefore provide a general awareness of overall BSA requirements and money laundering issues, as well as more specific guidance regarding particular employees' AML-related roles and functions.
The AML program should be tailored to address the specific risks of the RIA's advisory services and clients. FinCEN expects the program to cover all advisory activities including: (1) activity that does not involve the management of client assets, such as pension consulting, securities newsletters, research reports or financial planning; (2) subadvisory services; and (3) advisory services provided to any publicly or privately offered real estate fund.
Client Risk Assessment. The RIA would need to assess the money laundering and terrorist financing risks posed by a client by evaluating the relevant risk factors. For example, if the client is an individual, relevant factors would include the source of funds and jurisdiction in which the client is located. If the client is an entity, relevant factors may include the type of entity, jurisdiction of location, and the statutory and regulatory regime of that jurisdiction. Other relevant factors, such as the RIA's historical experience with the client and references of other financial institutions, may also be considered. The policies, procedures and controls should be reasonably designed to manage clients that present higher risks.
The Proposed Rule also discusses in some detail FinCEN's expectations for risk assessments relevant to specific types of advisory clients. For example, in the case of non-pooled investment vehicle clients, the risk assessment should consider the types of accounts offered (e.g., managed accounts), the types of clients opening such accounts and how the accounts are funded. Mutual fund clients that are subject to FinCEN's rules implementing the BSA may present lower risks. Advisory services to registered closed-end funds may also present lower risks since purchases and sales of fund shares are executed through banks and broker-dealers with established BSA/AML programs. Where the RIA is the primary adviser to a private fund, the adviser is required to assess the risks presented by the underlying investors in the fund.
Comprehensive AML Programs. RIAs that are dually registered with the SEC as investment advisers and broker-dealers in securities are not required to establish multiple or separate programs, provided that a comprehensive AML program covers the entity's advisory and broker-dealer activities and the respective AML obligations. Similarly, an RIA that is affiliated with, or a subsidiary of, an entity required to establish an AML program may implement a single comprehensive AML program covering all of the activities and businesses that are subject to the BSA and its regulations.
Delegation of Duties. An RIA may contractually delegate the implementation of certain aspects of its AML program to other financial institutions that have separate AML program requirements, or to agents or third-party service providers. However, the RIA will remain fully responsible for the effectiveness of the program and for ensuring that FinCEN and the SEC have access to information and records relating to the AML program. It is not acceptable to "delegate" responsibility for an AML program in its entirety to a third party.
Compliance Date. The Proposed Rule would require RIAs to implement an appropriate AML program on or before six months from the effective date of the final regulation. Some RIAs have already implemented AML programs either voluntarily or as a result of the SEC No-Action letter that permits broker-dealers to rely on RIAs to perform some or all aspects of the broker-dealer's customer identification program obligations.8 These RIAs should ensure that their existing policies and procedures are amended where appropriate to meet the new AML program requirements.
Suspicious Activity Reporting
The Proposed Rule requires RIAs to report suspicious activity to FinCEN to provide useful information for investigations involving money laundering, terrorist financing, fraud and other financial crimes. Specifically, an RIA is required to report a transaction if (1) it is conducted or attempted by, at or through the RIA, (2) it involves or aggregates funds or other assets of at least US$5,000, and (3) the RIA knows, suspects, or has reason to suspect that the transaction (or a pattern of transactions of which the transaction is a part):
(a) involves funds derived from illegal activity or is intended or conducted in order to hide or disguise funds or assets derived from illegal activity as part of a plan to violate or evade any Federal law or regulation or to avoid any transaction reporting requirement under Federal law or regulation;
(b) is designed, whether through structuring or other means, to evade any requirements of the BSA or its implementing regulations;
(c) has no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage, and the RIA knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction; or
(d) involves use of the RIA to facilitate criminal activity (e.g., fraud or terrorist financing).
In addition to such mandatory reporting, RIAs may voluntarily report a suspicious transaction even if it does not meet the criteria for mandatory reporting (for example, in the case of a transaction that is below the US$5,000 threshold). The Proposed Rule provides protection from civil liability for making either mandatory or voluntary reports of suspicious transactions.
RIAs would need to evaluate client activity and relationships and design a suspicious transaction monitoring program that is appropriate in light of their money laundering and other financial crime risks. RIAs may therefore need to assess whether their monitoring systems and processes effectively detect all types of suspicious activity that must be reported under the new requirements.
Filing and Notification Procedures. A suspicious transaction is reported to FinCEN by filing a Suspicious Activity Report (SAR) no later than 30 days after the date of initial detection by the RIA that the transaction is suspicious. If no suspect can be identified on the date of initial detection, the SAR may be delayed an additional 30 days to identify a suspect, but in no case may reporting be delayed more than 60 days after initial detection. For situations requiring immediate attention, such as suspected terrorist financing or ongoing money laundering schemes, the RIA must immediately notify an appropriate law enforcement authority in addition to filing a timely SAR. Suspicious transactions that may relate to terrorist activity may also be voluntarily reported to FinCEN's Resource Center in addition to filing a timely SAR.
Record Retention. The RIA should retain copies of filed SARs and the original (or business record equivalent) of any related supporting documentation for five years from the date of filing the SAR. Supporting documentation must be made available upon request to FinCEN, or any Federal, State or local law enforcement agency, or any Federal regulatory authority that examines the RIA for compliance with the BSA.
Joint SARs. In cases where more than one RIA or another financial institution with a separate suspicious activity reporting obligation is involved in the same transaction, only one report is required to be filed. Either the RIA or the other financial institution can file a single joint report provided that it contains all relevant facts and each institution maintains a copy of the report and any supporting documentation.
Confidentiality of SARs. As a general rule, no RIA and no current or former director, officer, employee or agent of any RIA may disclose a SAR or any information that would reveal the existence of a SAR. Any person that is subpoenaed or otherwise requested to disclose a SAR or any information that would reveal its existence must decline the request and notify FinCEN. This general prohibition should not, however, be construed as prohibiting the following (as long as no person involved in the reported suspicious transaction is notified that the transaction has been reported):
(1) The disclosure of a SAR, or any information that would reveal the existence of a SAR, to FinCEN or any Federal, State or local law enforcement agency, or any Federal regulatory authority that examines the RIA for compliance with the BSA (i.e., the SEC);
(2) The disclosure of underlying facts, transactions, and documents upon which a SAR is based, including disclosure to another financial institution for the preparation of a joint SAR; or
(3) The sharing of a SAR, or any information that would reveal the existence of a SAR, within the RIA's corporate organizational structure for purposes consistent with the BSA, as determined by regulation or in guidance. The Proposed Rule does not authorize RIAs to share SARs within their corporate organizational structures, in the absence of further guidance or rulemaking by FinCEN. In prior rulemakings and guidance, FinCEN has permitted other types of financial institutions to share SARs within their corporate organizational structures, subject to certain limitations. FinCEN has therefore requested comments regarding the need for RIAs to share SARs within their organizational structures to fulfill BSA reporting obligations and facilitate more effective enterprise-wide BSA compliance.
Delegation of Requirements. RIAs are permitted under the Proposed Rule to delegate their suspicious activity reporting requirements to an agent or a third-party service provider. However, the RIA remains responsible for compliance with the suspicious activity reporting requirements, including the requirements to maintain SAR confidentiality.
Compliance Date. The suspicious activity reporting requirements would apply to transactions initiated after the implementation of the RIA's AML program. However, RIAs are encouraged to begin filing SARs as soon as practicable on a voluntary basis upon the issuance of the final rule.
Additional Issues for Comment
In addition to the aspects of the Proposed Rule discussed above, FinCEN has specifically asked for comments on certain issues, including the following:
- Whether certain types of investment advisers that are currently excluded from the proposed definition of "investment adviser" should be included, and whether certain types of investment advisers that are included in the proposed definition should be excluded;
- The drawbacks, if any, of requiring RIAs to file CTRs instead of Form 8300;
- Whether the AML program requirement should cover all advisory services of the RIA or exclude certain advisory activity;
- Whether it is appropriate to allow an RIA to delegate elements of its AML program to an entity with which the client, and not the adviser, has the contractual relationship;
- If the underlying investor in a private fund is an investing pooled entity, whether a subadviser should be required to identify and mitigate the risks of the investing pooled entity's underlying investors, sponsoring entity and/or intermediaries when there is an increased risk of money laundering or other illicit activity;
- Whether RIAs should be permitted to share SARs within their corporate organizational structure in the same way that banks and broker-dealers are permitted to share, how such sharing would be consistent with the purposes of the BSA, and how RIAs would be able to maintain the confidentiality of shared SARs; and
- Whether RIAs should be required to comply with other FinCEN rules implementing the BSA, including rules requiring customer identification and verification procedures pursuant to Section 326 of the USA PATRIOT Act, the correspondent account rules of Sections 311 and 312 of the USA PATRIOT Act, the rules against providing correspondent accounts to foreign shell banks under Section 313 of the USA PATRIOT Act, and the rules for maintaining certain records and terminating correspondent accounts of foreign banks that fail to comply with or contest a request by the Secretary of the Treasury or U.S. Attorney General under Section 319(b) of the USA PATRIOT Act.
As noted above, all comments on the Proposed Rule must be submitted to FinCEN on or before November 2, 2015.