By Richard Casciani, Managing Director, U.S.
On September 4, 2024, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a final rule (the “Final Rule”) mandating certain anti-money laundering (AML) and countering the financing of terrorism (CFT) requirements for most investment advisers registered with the U.S. Securities and Exchange Commission (SEC) (registered investment advisers, or RIAs) and investment advisers that report to the SEC as exempt reporting advisers (ERAs). The Final Rule has a compliance date of January 1, 2026 and requires those in scope to adopt AML/CFT compliance programs and monitor for and report suspicious activity to FinCEN.
Which investment advisers are covered by or exempt from the Final Rule?
The Final Rule applies to SEC RIAs and SEC ERAs with a few exceptions. The following advisers are exempt:
- Mid-size advisers
- Multi-state advisers
- Pension consultants
- Family offices
- Advisers of sub-advised funds only
- RIAs that are not required to report any assets under management (AUM) to the SEC
With respect to foreign private advisers, the Final Rule applies to activities that take place in the U.S. (i.e. through U.S. employee(s) or office(s)/branch(es)) or with respect to a U.S. fund or U.S. investors.
What is required for an AML/CFT program?
1. Establish and implement policies and procedures
Covered advisers must adopt and implement a risk-based and reasonably designed AML/CFT program. Covered advisers with existing “best practice” AML programs will likely need to enhance their policies and procedures.
Key points to note:
- The program must be approved in writing by the covered adviser’s board of directors, sole proprietor, general partner, trustee or similar party
- It must be “risk-based and reasonably designed to prevent the investment adviser from being used for money laundering, terrorist financing, or other illicit finance activities”
- “Risk-based” means the program will vary depending on the size of the adviser and risk level of its advisory activities and customers
- Consider things such as: types of advisory services provided, nature of customers, investment products being offered, intermediaries used, and geographic location of customers and investments
2. Conduct independent compliance testing
Covered advisers will be required to arrange for independent testing to be conducted by a qualified outside party or an internal function not involved in the operation and oversight of the AML/CFT program. The frequency of testing is not specified but is determined based on risk. Annually is likely sufficient for low or mid-level risk profiles. Due to the strict requirement that this testing be conducted by an independent party, it’s likely that a third party (i.e. compliance consultant or administrator) will need to be engaged for this provision.
3. Designate an AML officer
Covered advisers must designate a responsible person or persons (including in a committee) to implement and monitor the operations and internal controls of the AML/CFT program. The person must be an employee of either the covered adviser or an affiliate; the AML officer cannot be an external party. Such person(s) should be knowledgeable and competent regarding AML requirements, the adviser’s policies, and relevant risks.
Additionally, the AML officer should have sufficient authority, decision-making capability, independence, and access to compliance resources. While it is permissible for the Chief Compliance Officer to also serve as AML Officer, covered advisers should be mindful of the independent testing requirement.
4. Provide ongoing training
Covered advisers will be required to conduct training addressing AML/CFT requirements and illicit finance risks as well as job-specific guidance tailored to particular employees’ roles and functions. The Final Rule does not prescribe a particular model for the training – sessions can be virtual, web-based, led by an external party, etc. Generally, annual training sessions, plus training upon hire for any new employees, are sufficient.
5. Conduct ongoing customer due diligence
The Final Rule requires covered advisers to conduct ongoing customer (i.e. investor) due diligence, which includes creating a “customer risk profile” for each investor. Covered advisers must gather information such as the reason the investor is seeking advisory services, net worth, domicile, citizenship, principal occupation or business, status as a politically exposed person (PEP) and the source of funds. For entities, covered advisers should consider information including the type of entity, the jurisdiction in which it is domiciled and the regulatory regime of that jurisdiction.
There is no requirement to obtain beneficial ownership for entities, but advisers must look at the entity investor’s risk profile and determine if obtaining such data is necessary. FinCEN may consider a subsequent rule imposing such a requirement.
Notably, the Final Rule specifies that advisers can evaluate certain lower risk relationships through consideration of “inherent or self-evident information” (i.e. basic details that can be derived from the nature and purpose of a customer relationship), including the type of customer or type of account, service or product. While there is no requirement to update information on a regular, pre-determined basis, it may be appropriate to do so based on an investor’s risk profile. Similarly, there’s no requirement to conduct media or screening reviews, but doing so may be appropriate based on an investor’s risk profile.
Ongoing due diligence does not necessarily require advisers to collect “know your customer” (KYC) documents every year. This determination would again be based on an investor’s risk profile.
Do these requirements apply beyond the underlying investors of a private fund?
Importantly, the customer due diligence requirement of the Final Rule applies to investors and does not extend to portfolio investments or service providers. However, the suspicious activity reporting requirement (summarized below) may apply beyond the investor level if there is a suspicious transaction at the portfolio company or investment level, which could trigger a reporting obligation for the adviser.
What reports must be submitted?
Covered advisers will be required to comply with reporting obligations related to currency transactions or suspicious activity.
- Suspicious Activity Reports (SARs)
The Final Rule requires covered advisers to file SARs with FinCEN for any suspicious transaction (or pattern of transactions) conducted or attempted by, at or through the adviser that involves or aggregates at least $5,000 in funds or other assets. SARs must be filed with FinCEN no later than 30 days after initial detection of the triggering event.
Covered advisers may need to file SARs on suspicious activity involving private fund investments (e.g. funding through multiple wires from different accounts) or portfolio companies (e.g. fund investors seeking information about a portfolio investment that could indicate illicit technology transfer concerns). However, non-advisory activities (i.e. if an adviser’s staff maintain management roles at portfolio companies) are not in scope of an adviser’s SAR filing obligation.
Covered advisers must ensure confidentiality of SARs; such information generally cannot be shared with external parties, including service providers.
- Currency Transaction Reports (CTRs)
Covered advisers will be required to file a CTR with FinCEN for certain currency transactions of more than $10,000. This will replace the existing requirement that advisers report currency-related transactions on Form 8300.
More than one adviser may have an obligation to report the same transaction. Such reporting can be done in one filing if the report includes the names of both advisers, states that it is a “joint filing,” and each adviser maintains a copy of the filing.
What are the immediate action items?
In preparation for the Final Rule’s compliance deadline, covered advisers should be addressing the following items:
- Determine budget: Covered advisers should be assessing their budgets in consideration of various factors, including software licensing (if the adviser will conduct AML checks internally) and engaging external provider(s) to:
  - Draft policies and procedures
  - Conduct testing
  - Conduct annual training
  - Conduct ongoing due diligence
- Draft policies and procedures: Covered advisers may elect to engage a third-party provider to assist with developing (or enhancing existing) policies and procedures to ensure compliance with the Final Rule
- Determine who will be the AML officer: Covered advisers should determine which employee will be designated the AML officer and confirm the record-keeping process if multiple parties will be involved
- Determine who will conduct testing: Covered advisers will likely need to engage a third-party provider for testing, given the need for independent testing
- Schedule training for existing employees before year-end: Advisers should consider adding AML requirements to existing compliance training or separately implementing such training
- Create a customer risk profile for each investor: This requirement could potentially be the most arduous provision of the Final Rule, especially for advisers to private funds with a broad investor base. So, advisers should prioritize accordingly. The risk profile of each investor will determine the level of ongoing customer due diligence
- Update service provider agreements: Covered advisers should determine if amendments are needed with service providers like fund administrators or compliance consultants
How can IQ-EQ assist?
IQ-EQ’s compliance and AML teams can provide a range of assistance to covered advisers to prepare for and comply with the ongoing requirements of the Final Rule:
- Drafting tailored AML policies and procedures
- Initial AML risk analysis and testing process buildout and implementation – reviewing advisers’ business profiles, including types of advisory services provided by the firm, the nature of its customers and the applicable customer risk profiles; assisting with the creation of customer risk profiles; designing a testing regime, which would include a review of high- versus low-risk investors and applicable ongoing monitoring
- Conducting annual or quarterly AML testing, as required
- Conducting recurring AML/KYC investor reviews
IQ-EQ will continue to monitor any further developments and is ready to assist with developing policy or advising on related needs.