What Registered Investment Advisers Need to Know About New FinCEN Money-Laundering Rule

As of January 1, 2026, registered investment advisers (RIAs) and exempt reporting advisers (ERAs) will face new regulatory obligations under the Financial Crimes Enforcement Network’s (FinCEN) final rule on anti-money laundering (AML) and countering the financing of terrorism (CFT).[1] This landmark rule brings many investment advisers under the Bank Secrecy Act’s definition of “financial institution”, imposing direct requirements for establishing AML/CFT programs, conducting customer due diligence, and filing suspicious activity reports (SARs) for potentially illicit transactions.

This rule, long in development, is intended to mitigate the risks posed by money laundering, terrorist financing, and other illicit activities in the investment advisory industry, even though that industry rarely maintains custody of client funds. With increasing regulatory scrutiny on the financial services industry and concerns over money laundering vulnerabilities, this rule will affect how RIAs engage with clients, manage risks, and uphold compliance.

This alert covers the essential aspects of the new rule, what it means for RIAs, and how to prepare for the January 2026 compliance deadline.

Background

Since 2004, and most recently renewed in December 2022, the SEC’s Division of Trading and Markets has permitted broker-dealers to rely on RIAs to fulfil certain AML compliance obligations, even though RIAs are not subject to an independent AML compliance obligation.[2] This relief allows broker-dealers to rely on RIAs for customer identification program (CIP) requirements, so long as the RIA implements its own AML program, conducts due diligence aligned with the broker-dealer’s CIP, and promptly reports suspicious activity. Broker-dealers are, in turn, responsible for ensuring that any RIA they rely on for AML compliance has policies in place to meet these requirements, and is registered with the SEC. This reliance model places the primary compliance responsibility on broker-dealers, with RIAs acting as supporting agents rather than direct subjects of AML/CFT regulations.

When the new FinCEN rule takes effect on January 1, 2026, this arrangement will change significantly from the perspective of RIAs. RIAs will be independently responsible for implementing their own AML/CFT programs, filing SARs, and conducting CIPs directly. This will mean that RIAs will no longer operate under broker-dealer oversight for AML/CFT compliance, but will instead face direct regulatory accountability.

Implications of Being Designated a “Financial Institution” Under the BSA

The reclassification of certain RIAs and ERAs as “financial institutions” under the Bank Secrecy Act (“BSA”) will subject them to direct AML compliance examinations by the SEC. Furthermore, RIAs and ERAs will become directly responsible for any failures to meet applicable BSA standards.[3] Key requirements under the new rule include the implementation of a comprehensive AML/CFT program, tailored to the adviser’s specific risk profile, that covers customer due diligence and the identification of high-risk clients. This AML program must include policies and procedures for identifying and mitigating potential money laundering risks associated with each client relationship, particularly for high-net-worth individuals and complex investment structures.[4]

Additionally, RIAs will soon be responsible for filing SARs directly with FinCEN. Under the proposed rule, a SAR must be filed for any transaction involving $5,000 or more that raises suspicions of illegal activity, such as money laundering, tax evasion, or other forms of financial crime.[5] RIAs will also be subject to enhanced recordkeeping obligations, which will require them to maintain detailed logs of customer identities, transaction histories, and any findings from their due diligence processes. These records will have to be securely maintained, and RIAs will have to make them available to regulators upon request.[6] At a later date, RIAs are likely to become subject to know-your-customer (already proposed in the CIP rulemaking) and know-your-customer’s beneficial owner requirements (to be proposed).

These requirements aim to standardize AML/CFT practices across the investment advisory sector, enhancing accountability and aligning RIAs’ compliance standards with those of other financial institutions subject to the BSA. This shift demands significant operational adjustments, as RIAs must establish compliance frameworks that not only detect and report suspicious activity, but also protect client information and demonstrate to the SEC that they meet the new regulatory expectations.

Effective AML/CFT Programs

The BSA’s standards for AML/CFT programs require that programs include, at a minimum, the development of internal policies, procedures, and controls, the designation of a compliance officer, ongoing employee training, and an independent audit function to test the efficacy of the programs.[7]

Developing policies and procedures that align with AML/CFT standards and integrate with existing compliance frameworks is essential to meet regulatory requirements and maintain operational consistency. Effective policies start with a comprehensive risk assessment that evaluates the RIA’s client base, geographic footprint, and services. Based on this risk profile, policies should clearly outline client onboarding procedures, transaction monitoring protocols, and suspicious activity reporting (SAR) processes. Automated transaction monitoring tools can help identify unusual client behavior by setting thresholds for review, while escalation protocols can be set to ensure SARs are filed promptly with FinCEN when needed.

Policies should also aim to incorporate requirements from other regulatory areas, like Know Your Customer (KYC) rules. Under FinCEN’s proposed CIP rule, RIAs will be required to confirm the identity of all clients. While the final rule will not require RIAs to immediately begin verifying beneficial ownership for entities, FinCEN has indicated that it will address the issue in subsequent rulemaking.[8]

CIP procedures must include the collection of key identifiers such as the client’s full name, date of birth, and Social Security number (for individuals), or business registrations and government-issued identifiers (for companies). Verification of beneficial ownership is especially relevant for legal entity clients, as RIAs eventually will need to identify any individuals holding a 25% or greater interest or exercising control. The incorporation of KYC policies into AML/CFT programs will help to streamline compliance efforts across the firm, especially when it comes to the CIP rule.

Employee training is another critical element of a successful AML/CFT program. Regular and role-specific training should cover the basics of AML/CFT compliance, indicators of suspicious activity, and the steps required to escalate concerns. Furthermore, independent audits should be conducted regularly by a third party or an internal team not involved in AML operations in order to identify gaps or areas for improvements.[9]

Risk-Based Customer Due Diligence (CDD)

FinCEN’s final rule requires that an investment adviser implement appropriate risk-based procedures for conducting ongoing CDD.[10] While RIAs will not yet be required to verify beneficial ownership for entity clients, the final rule outlines FinCEN’s expectation that RIAs will use a heightened approach when assessing the risks of entity clients such as unregulated operating companies or private holding companies. FinCEN states that, despite the fact that RIAs will not be required to collect beneficial ownership information on all legal entity clients, RIAs should nevertheless collect “sufficient information such that they are able to detect and report suspicious activity” from entity clients.[11]

Risk-based CDD tailors the level of scrutiny to a client’s unique risk profile. It is essential for identifying, assessing, and monitoring the risks associated with each client. RIAs will be expected to evaluate clients’ profiles, including their sources of wealth, expected transaction patterns, and any relevant connections to higher-risk jurisdictions. The Financial Action Task Force (FATF) has provided guidance regarding the implementation of risk-based CDD procedures in internal AML/CFT programs.[12] FATF recommends that, at the outset of a client relationship, RIAs should conduct a thorough assessment to determine the inherent risks posed by each client. Factors considered in this assessment should include geographic risk, customer type, and transaction patterns. High-net-worth clients, clients with complex organizational structures, or those connected to high-risk jurisdictions may be considered high risk. For clients classified as higher risk, enhanced due diligence and stricter monitoring measures are recommended. To verify the legitimacy of a client’s finances, RIAs should document the source of wealth and funding, especially for high-net-worth individuals and complex business entities. RIAs should also require high-risk clients to provide additional documents, such as tax returns, business registrations, or contracts, to verify their identity and business activities accurately. Meanwhile, standard CDD procedures can be maintained for lower-risk clients, allowing advisers to allocate resources efficiently and focus on high-priority areas.

Additionally, ongoing monitoring is vital. Effective AML/CFT programs continuously monitor and re-assess clients to capture any changes that could affect their risk profile, such as significant shifts in transaction patterns or changes in the beneficial ownership or management structure of legal entities. Clients should also regularly be screened against public sanctions lists and politically exposed persons (PEP) databases.

Suspicious Activity Reporting (SAR) and Safe Harbor Provisions

Under the new FinCEN rule, RIAs and ERAs are now required to file SARs for any client transactions that could indicate potential financial crimes. The final rule stipulates specific conditions and procedures for SAR filing that RIAs must now integrate into their compliance frameworks.

According to the rule, RIAs are required to file a SAR if they suspect or have reason to suspect that a transaction of $5,000 or more involves funds derived from illegal activity, is intended to evade AML laws, appears to lack a legitimate business purpose, or could be associated with criminal financing, such as terrorism. Common red flags include clients using complex, layered transactions, transferring large sums of money to high-risk jurisdictions, or maintaining accounts that show sudden, unexplained changes in transaction volume or behavior. Additional triggers may include attempts by clients to avoid due diligence questions or cases where a client’s financial activity conflicts with their stated wealth source.

To file a SAR, RIAs must first document their reasons for suspicion clearly and thoroughly. SAR filings require detailed descriptions of the transaction in question, the nature of the suspicion, and any supporting evidence or observations that led to the filing. FinCEN requires that SARs be submitted electronically through the BSA E-Filing System within 30 days of detecting suspicious activity, allowing an additional 30 days if more information is needed. FinCEN recommends that RIAs include as much specific detail as possible, such as transaction dates, account numbers, and the identity of any parties involved. RIAs are further advised to maintain separate, secure records of all SAR-related documents to facilitate regulatory audits and ensure compliance. Such records must be retained for a minimum of five years from the date of the filing of the SAR.[13]

The BSA includes important legal protections, known as “safe harbor” provisions, that protect advisers from liability when filing SARs in good faith.[14] These provisions mean that, provided an RIA files a SAR according to FinCEN guidelines and with reasonable suspicion, it will be protected against lawsuits or claims from clients whose activities have been reported. Furthermore, BSA regulations prohibit RIAs from disclosing to clients or other parties that a SAR has been filed, in order to ensure confidentiality in the reporting process. By following these guidelines and maintaining confidentiality, RIAs can fulfill their regulatory obligations without fear of legal repercussions, provided that their SAR filings are made responsibly and with adequate documentation.

Regulatory Oversight and Penalties for Non-Compliance

Under FinCEN’s new rule, RIAs now fall under more stringent regulatory oversight, with both FinCEN and the SEC responsible for ensuring compliance. FinCEN has delegated examination authority to the SEC due to the agency’s established regulatory role with the investment advisory industry. This means that, moving forward, SEC examiners will assess RIAs’ adherence to the BSA’s AML/CFT requirements as part of their regular examinations. The SEC will be responsible for inspecting and evaluating each RIA’s AML/CFT program, scrutinizing the effectiveness of risk-based customer due diligence, transaction monitoring, and SAR protocols. As outlined in the final rule, SEC examiners will look for clear, consistent documentation of AML practices, effective internal controls, and accurate recordkeeping. RIAs that fail to meet these standards could face enforcement actions.

The consequences for non-compliance with AML/CFT obligations are substantial and can extend beyond immediate regulatory penalties. According to the BSA, penalties for AML non-compliance can include significant fines, legal sanctions, and even criminal charges in cases of severe negligence or willful misconduct. Financial penalties can vary based on the nature and scope of the violation, but are designed to act as a deterrent against lapses in AML/CFT compliance.[15]

Beyond fines, RIAs that fail to comply with AML/CFT regulations risk reputational damage, which can be even more damaging than financial penalties. An enforcement action or publicized AML/CFT violation can harm an RIA’s credibility and client trust, potentially leading to a loss of business and market standing.

For advisers, the stakes are high. FinCEN’s delegation of examination authority to the SEC underscores the importance of AML/CFT compliance in the investment advisory sector. RIAs now face dual oversight from FinCEN and the SEC, with examinations focusing on the practical application of AML policies and the thoroughness of compliance protocols. In an era of heightened regulatory scrutiny and sophisticated financial crime, RIAs must adopt a proactive and robust approach to AML/CFT compliance to meet regulatory expectations and protect their reputations in the market.

ENDNOTES

[1] Federal Register :: Financial Crimes Enforcement Network: Anti-Money Laundering/Countering the Financing of Terrorism Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers

[2] SEC No-Action Letter 12/09/2022

[3] The Bank Secrecy Act | FinCEN.gov

[4] 31 U.S.C. 5318(h)(1)-(2)

[5] Frequently Asked Questions Suspicious Activity Reporting Requirements for Mutual Funds | FinCEN.gov

[6] Frequently Asked Questions Suspicious Activity Reporting Requirements for Mutual Funds | FinCEN.gov

[7] 31 U.S.C. 5318(h)(1)-(2).

[8] Federal Register :: Financial Crimes Enforcement Network: Anti-Money Laundering/Countering the Financing of Terrorism Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers

[9] Federal Register :: Financial Crimes Enforcement Network: Anti-Money Laundering/Countering the Financing of Terrorism Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers

[10] 31 CFR 1032.210(b)(5)

[11] Federal Register :: Financial Crimes Enforcement Network: Anti-Money Laundering/Countering the Financing of Terrorism Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers

[12] FATF Guidance on the Risk-Based Approach to Combating Money Laundering and Terrorist Financing – High Level Principles and Procedures

[13] Frequently Asked Questions Suspicious Activity Reporting Requirements for Mutual Funds | FinCEN.gov

[14] 31 U.S.C. 5318(g)(3)(A).

[15] 4.26.7 Bank Secrecy Act Penalties | Internal Revenue Service.

This post comes to us from Matthew Bisanz, a partner at the law firm of Mayer Brown LLP. 
