FinCEN’s New AML Rules: What RIAs and ERAs Need To Do Now

March 6, 2025 | Client Alert | 5 minute read

The U.S. Financial Crimes Enforcement Network (“FinCEN”) recently amended its anti-money laundering rules (the “New AML Rules”) to require most investment advisers registered with the SEC (“RIAs”), and all private fund managers that report to the SEC as exempt reporting advisers (“ERAs”), to adopt written AML Programs for the first time. In addition, FinCEN and the SEC have jointly proposed rules (the “Proposed CIP Rules”) that would require these RIAs and ERAs (“Covered Advisers”) to adopt formal Customer identification programs (“CIP”) similar to the KYC requirements currently imposed on banks and broker-dealers. In today’s Client Alert, we provide a brief overview of the New AML Rules and the Proposed CIP Rules and suggest best practices that every investment adviser should consider. This alert does not cover all of the requirements of the Bank Secrecy Act and the FinCEN rules, and before you implement your AML Program, you should consult with qualified legal counsel.

Covered Advisers

While the New AML Rules apply to most RIAs and ERAs, FinCEN has created exemptions for certain advisers, including: (i) state-registered investment advisers; (ii) foreign private advisers; (iii) family offices; (iv) mid-sized and multi-state RIAs; (v) pension consultants; (vi) SEC-registered advisers with no reportable AUM; and (vii) advisers exclusively serving mutual funds or other regulated investment vehicles already subject to AML rules.

New AML Program Requirements 

Each Covered Adviser must develop a written, risk-based AML Program designed to detect and prevent money laundering and terrorist financing by January 1, 2026. If you are a Covered Adviser, your AML Program must include:

    • Internal Policies and Controls: Detailed procedures to monitor, detect, and report suspicious activity.
    • Employee Training: Regular training programs that ensure your personnel understand red flags and the protocols for reporting unusual or suspicious activity.
    • Designation of AML Compliance Officer: Appointment of a dedicated compliance officer responsible for the AML Program. The AML Compliance Officer can be the same person as your Chief Compliance Officer.
    • Independent Testing: Routine independent audits of your AML Program to assess its effectiveness and adherence to regulatory requirements, which may be performed either by independent internal personnel (personnel not involved in managing or implementing the AML Program), or by a qualified third party. If a third party is used for independent testing, it cannot be the same third party that is performing AML services.
    • Risk-Based Customer Due Diligence: Performing customer due diligence (“CDD”) on your clients and private fund investors (collectively, “Customers”), including (i) developing a Customer risk profile, (ii) conducting ongoing monitoring to identify and report suspicious Customer transactions to FinCEN, and (iii) maintaining and updating Customer information.

FinCEN Reporting Requirements

In addition, your AML Program must include procedures to:

    • Report Suspicious Activity: File Suspicious Activity Reports (“SARs”) with FinCEN for transactions (or attempted transactions) of at least $5,000 when there is a reasonable basis to suspect illicit activity.
    • Report Currency Transactions: File Currency Transaction Reports (“CTRs”) with FinCEN each time you receive more than $10,000 in currency (cash) or negotiable instruments from a Customer.
    • Maintain Records: Keep records of each SAR and CTR and supporting documentation.

Proposed Customer Identification Rules

While the New AML Rules require basic Customer due diligence, they do not require a full CIP at this time. However, under the Proposed CIP Rules, Covered Advisers would be required to implement a formal CIP. Key aspects of the Proposed CIP Rules include:

    • Identity Verification Procedures: Covered Advisers would be required to adopt risk-based procedures to allow you to form a reasonable belief that you know the true identity of each Customer at onboarding by using documentary or non-documentary methods. Covered Advisers would be required to collect at least the following information on each Customer: (1) name; (2) date of birth for an individual or the date of formation for any person other than an individual; (3) address; and (4) a government-issued identification number.
    • Record Maintenance: Covered Advisers would need to retain detailed records of the identifying information used to verify each Customer’s identity and maintain these records for a prescribed period.
    • Watch List Screening: Covered Advisers would be required to check customer identities against government and international watch lists (e.g. OFAC lists), ensuring that high-risk individuals or entities are promptly flagged.

Notably, the Proposed CIP Rules stop short of requiring Covered Advisers to collect information on the beneficial owners of a legal entity Customer, but FinCEN has hinted that such requirements could be imposed on Covered Advisers in the future. In the meantime, Covered Advisers should make a risk-based determination regarding the need to collect beneficial ownership information based on a Customer’s risk profile.

Risk-Based Programs

Both the New AML Rules and the Proposed CIP Rules emphasize a risk-based approach, meaning that the extent of the AML/CIP Program may vary based on the risk profile of your Customer base. For example, an RIA that only advises U.S. institutional investors would not need to have as robust an AML Program as an RIA that advises foreign persons or offshore funds.

While the New AML Rules do not require Covered Advisers to implement full CIP procedures at this stage, as a best practice, you should begin to integrate these procedures, based on the risk profile of your Customers, to ease the transition when the Proposed CIP Rules are finalized.

Recent SEC AML Enforcement Action

Despite the fact that Covered Advisers are not subject to the New AML Rules until the beginning of 2026, the SEC recently brought an enforcement action against a private fund manager for misrepresenting the extent of its AML Program. The SEC alleged that Navy Capital Green Management LLC (“Navy Capital”), a private fund manager, made material misrepresentations regarding its AML policies and procedures to its investors. These misrepresentations included claims that the firm had implemented sufficient internal controls and investor due diligence measures that were either not in place or not being followed. The SEC’s allegations highlighted a series of internal failures, ranging from inadequate employee training and insufficient Customer due diligence to the lack of independent testing of the AML Program. These failures resulted in an investor using an offshore account to launder money through the Navy Capital fund.

The SEC instituted cease and desist proceedings against Navy Capital and entered an order imposing sanctions and a $150,000 civil penalty. This case illustrates that having a written AML Program is insufficient if it is not effectively implemented and monitored, and underscores the need for continuous training, periodic independent audits, and clear, enforceable internal controls.

Best Practices for Compliance

To comply with the New AML Rules, and to prepare for the Proposed CIP Rules, Covered Advisers should take the following steps:

    1. Assess AML Risk Profile:
      • Determine if your firm would be subject to the New AML Rules and the Proposed CIP Rules or if it meets an exemption.
      • Conduct a detailed risk assessment focusing on Customer types, geographical exposure, and transaction patterns.
    2. Review and Update Any Existing AML Policies:
      • Perform a gap analysis comparing your current AML policies, if any, to FinCEN’s new AML requirements and the anticipated CIP provisions.
      • Update written policies to include internal controls, employee training, independent testing, and procedures for Customer due diligence and identification.
    3. Enhance Due Diligence and Onboarding:
      • Revise onboarding procedures to collect and verify identification documents and screen new Customers against relevant watch lists.
      • Incorporate enhanced due diligence measures for Customers from high-risk jurisdictions, particularly politically exposed persons.
    4. Define and Monitor Delegation Arrangements:
      • If any AML functions are outsourced (e.g., to a fund administrator), update your service provider contracts to ensure clear delegation of responsibilities.
      • Establish oversight mechanisms to monitor third-party performance and compliance with AML standards.
    5. Implement Training and Staffing Initiatives:
      • Appoint a dedicated AML compliance officer and build a cross-functional team responsible for AML oversight.
      • Develop a comprehensive training program that includes both the policies and procedures required by the New AML Rules and, as a best practice, the Proposed CIP Rules.
    6. Conduct Independent Testing:
      • Schedule periodic independent reviews of your AML Program to confirm its effectiveness and identify areas for improvement.
      • Use lessons from enforcement actions (e.g., the Navy Capital settlement) as benchmarks for strengthening internal controls.
    7. Monitor Regulatory Guidance and Enforcement Trends:
      • Stay up to date on further guidance and rules from FinCEN and the SEC, including the finalization of the Proposed CIP Rules, and adjust policies accordingly.
      • Learn from recent enforcement actions to avoid misrepresentations and compliance gaps that can lead to significant penalties and loss of investor confidence.

All investment advisers and private fund managers should promptly take measures to implement or update their AML Program in anticipation of the effective date of the New AML Rules and in preparation for their next visit from the SEC or investor due diligence questionnaire.