Federal regulators are on the brink of finalizing proposed anti-money laundering (“AML”) regulations for Securities and Exchange Commission (“SEC”)-registered investment advisers (and those investment advisers required to register with the SEC) (“RIAs”). Announced in September 2015 by the Financial Crimes Enforcement Network (“FinCEN”), the Proposed Rule will require RIAs to establish robust AML programs similar to the ones that banks and broker-dealers employ and to file suspicious activity reports (“SARs”). RIAs will have only six months after the Proposed Rule is finalized to implement controls and come into compliance.
Under the Proposed Rule, RIAs will be treated as financial institutions under the Bank Secrecy Act (“BSA”) and USA PATRIOT Act. The Proposed Rule requires RIAs to implement an AML program with certain core features, including: (1) written policies and procedures reasonably designed to prevent the adviser from being used for money laundering or terrorist financing; (2) periodic independent testing of the program; (3) designation of people responsible for monitoring the operations and internal controls of the program; and (4) ongoing training of appropriate personnel.
Monitoring and reporting are also required under the Proposed Rule. First, RIAs will have an obligation to monitor client and investor accounts for suspicious activity. RIAs must then make SARs in accordance with the technical requirements, such as providing a complete narrative of the suspicious activity and providing accurate responses for fields of critical value on the form. Second, RIAs must report any transactions completed in cash.
The Proposed Rule will also subject RIAs to Section 314 of the USA PATRIOT Act, which permits certain institutions to share information with each other in order to identify and report to the federal government activities that may involve money laundering or terrorist activity. FinCEN will have the ability to order RIAs to search their records and provide information; however, under a safe harbor provision that precludes liability, the Proposed Rule will enable RIAs to share certain information with other institutions for the purpose of facilitating the identification and reporting of money laundering and terrorist activities.
Under the Proposed Rule, FinCEN will delegate the authority to examine RIAs for compliance to the SEC’s Office of Compliance Inspections and Examinations (“OCIE”). Enforcement authority will remain with FinCEN, as it can investigate suspected violations of the Proposed Rule’s obligations and impose civil penalties for identified violations.
Tips To Prepare
The Proposed Rule will hold RIAs to high expectations and subject them to close scrutiny. Because it is uncertain when the Proposed Rule will be finalized and because the subsequent window for compliance will be only six months, RIAs should begin to develop their AML programs now so compliance with the Proposed Rule is achieved before OCIE begins examinations. RIAs should consider taking the following actions to be prepared for the implementation of the Proposed Rule.
- Ensure that the written policies and procedures of the AML program are consistent with the risk levels of money laundering and terrorist financing. While developing AML programs, RIAs should consider the following factors that affect the risk levels of money laundering and terrorist financing: investor base profile, involvement of third parties, jurisdiction of residence and organization, applicable regulatory and statutory regimes, and the type of corporate entity. Quantifying these factors will enable RIAs to formulate tailored written policies and procedures that are reasonably designed to prevent the adviser from being used for money laundering or terrorist financing.
- Engage in independent testing under the Proposed Rule, which includes testing:
- whether know-your-customer documentation is adequate, complete, up to date, and consistent with the firm’s procedures;
- interactions among investor relations, finance, and compliance teams regarding transfer and redemption requests so that you can correct any identified weaknesses or gaps among the teams; and
- your ability to promptly produce documents, as this will evidence preparedness for an OCIE examination.
- Designate people responsible for the AML program. Providing such people with ongoing training will be critical for compliance with the Proposed Rule. Part of this training should include the facilitation of communication across different groups of the compliance program and the business in order to centralize investor relations and onboarding functions, ensure sufficient coordination among personnel, and decrease the chance of missing any red flags. In addition, all RIA personnel should be provided with training that facilitates a general awareness of BSA requirements, money laundering issues, and money laundering risks. Also, ensure that personnel who have specific responsibilities under the AML program receive more detailed and targeted training.
- Examine current monitoring and reporting procedures with a view to taking significant steps toward strengthening and formalizing them, as required by the Proposed Rule. Robust monitoring is contingent upon procedures and training for recognizing suspicious activity and resolving potential issues. RIAs must therefore adopt procedures that ensure that suspicious activity is promptly identified, alerted to the AML compliance officer, investigated, and escalated to senior management if appropriate. For example, linking accounts that share common features or involve related entities would help to uncover any suspicious patterns during the monitoring process. Compliance with monitoring requirements would also include evaluating the business purpose of particular transactions, comparing transactions with the typical behavior of clients or accounts, and aggregating relevant information for personnel responsible for SARs.
- Review monitoring and reporting policies relating to the transmittal of funds in order to ensure that the policies comply with the Proposed Rule. Under the Proposed Rule, RIAs will need to address several requirements imposed by the BSA relating to monitoring and reporting. For one, RIAs must update their books and records policies to comply with BSA requirements for records relating to the transmittal of funds. Additionally, RIAs who act as intermediaries transmitting or receiving funds on behalf of investors must implement processes to ensure that required information travels with the transmission to the next financial institution in the chain.
- Evaluate procedures for record retention and retrieval to ensure and facilitate compliance with the information-sharing provisions under Section 314 of the USA PATRIOT Act. Doing so will enable RIAs to remedy any gaps and promptly respond to government requests under Section 314. The ability to produce documentation of any prior AML program audit is also a critical aspect of record retention and retrieval.
- Audit relationships with third-party administrators, if applicable. Although RIAs may delegate AML responsibilities to certain third parties, such as third-party administrators, RIAs will ultimately remain fully responsible for the effectiveness of the AML program. As such, RIAs who choose to delegate AML responsibilities to an administrator must audit its relationship with the administrator and the administrator’s implementation of the AML program. The administrator audit should include a review of two areas, at a minimum: first, a comparison of the administrator’s AML policies and procedures against the administration agreement and the RIA’s AML procedures; second, a review of investor account documentation that includes high-risk investors, investors from jurisdictions with greater known risk of money laundering, large investors, and investors that have had activity in their accounts during the review period. These reviews will ensure that the files are complete and that the administrator has complied with the terms of the administration agreement and its own AML procedures. Overall, the reviews should provide a reasonable basis for the RIA to rely on the administrator to perform the delegated AML duties. Furthermore, in order to meet the obligations of the Proposed Rule, RIAs must tailor the testing of the AML program to functions conducted internally and functions conducted externally by an administrator.
Keep in mind that customer-identification programs and customer due-diligence requirements are not covered by the Proposed Rule. However, further proposals addressing such matters are contemplated in the future. In addition, RIAs who are also regulated in Europe will be familiar with the customer-identification checks because European Union-regulated investment advisers are currently subject to these rules.