On Aug. 25, 2015 the Financial Crimes Enforcement Network (FinCEN) released the long-anticipated proposed rule to extend the definition of a financial institution and Bank Secrecy Act (BSA) requirements to investment advisers. FinCEN’s goal is to align compliance requirements for investment advisers with those already in place for entities such as banks, insurance companies and broker-dealers. The requirements include establishing an anti-money laundering (AML) compliance program, reporting of suspicious activity, and new recordkeeping and reporting requirements related to transaction activity. The proposed rule applies to investment advisers required to register with the Securities and Exchange Commission (SEC), which includes those with at least $100 million in regulatory assets under management, with some exceptions. The SEC is the federal agency responsible for conducting compliance examinations.
The notice acknowledges that investment advisers generally work with financial institutions already subject to the BSA to execute trades and transfer assets; however, the financial institution may not always have adequate information to properly monitor transaction activity. The investment advisers’ greater proximity to their customers and the advisory nature of their services allows for better understanding and monitoring of customer risks. This extension of BSA/AML requirements to investment advisers is consistent with a trend of increasing regulatory emphasis on anti-money laundering and counter-terrorism financing compliance since the passage of the USA PATRIOT Act in 2001 this trend accelerated in the wake of the Great Recession. In addition to enhanced requirements on banks, the definition of financial institution has extended to a number of non-bank firms such as virtual currency dealers, pre-paid product companies, and off-shore and virtual money transmitters.
What should a BSA/AML program include?
Similar to existing regulations applicable to investment advisers, the BSA will require investment advisers to establish a written AML compliance program. The firm’s board of directors must approve and is ultimately accountable for the execution of the program. The proposed rule will align the requirements for registered investment advisers with current requirements of banks, broker-dealers, mutual funds, insurance companies and other covered financial institutions. There are four minimum requirements, commonly referred to as the four pillars of a BSA program:
- System of internal controls: This includes written policies, procedures and processes implemented to ensure compliance with BSA requirements.
- Designated person or persons responsible for implementing and executing the program: an individual (the BSA officer) or committee that is responsible for implementation, day-to-day operations and updating of the program. This may or may not be a full-time responsibility, depending on the size and complexity of the firm and program.
- Independent testing: Periodic testing, generally every 12 to 18 months, must be performed. The party performing the testing may be outsourced or part of the firm as long they are not involved in oversight and operation of the program and have sufficient knowledge of BSA requirements.
- Ongoing training: BSA compliance training should be provided to new employees upon hire and all employees annually. The training should include general BSA requirements and training tailored to the employee’s function and to the firm’s specific risks and policies.
The BSA requires compliance programs to be risk-based, but other than the basic requirements, is not highly prescriptive. A BSA/AML risk assessment is not explicitly required, but is generally expected by regulators in order to document the firm’s risks related to products, services, customers and geography. A risk assessment also provides a road map to developing the firm’s risk-based BSA program. The notice points out several categories of investment advisers that may have higher or lower risk levels.
Categories that may present special or elevated risks include:
- Non-pooled investment vehicle clients
- Wrap fee programs
- Certain private funds and unregistered pooled investment vehicles
Entities that may pose lower risks include:
- Registered open-end fund clients
- Registered closed-end fund clients
- Certain private funds and unregistered pooled investment vehicles
The notice also points out that dual-registered firms that are affiliated with a financial institution already subject to the BSA should extend the existing program to the investment advisor for a single enterprise-wide program, rather than implement a separate program.
Suspicious activity reports
The proposed rule would also require firms to monitor transaction activity and report unusual or suspicious activity of $5,000 or more by filing a Suspicious Activity Report (SAR) with FinCEN. The firm would be required to implement a risk-based process for suspicious activity monitoring. This could include manual or automated transaction monitoring processes and employee referrals of potentially suspicious activity. Investment advisers would be allowed to file joint SARs with another financial institution to avoid filing duplicate SARs on the same activity; however, the proposed rule at this point does not allow for sharing SARs with parent companies or affiliates.
Information sharing requirements
The proposed rule imposes the information sharing requirements of USA PATRIOT Act Section 314 on investment advisers. Section 314(a) requires financial institutions to perform one-time searches of their customer and transaction records upon receipt of a request from FinCEN and to provide information responsive to the request within 14 calendar days. Section 314(b) provides a voluntary information sharing system under a safe harbor between financial institutions that choose to register for the program.
Additional reporting and recordkeeping requirements
The proposed extension of the definition of financial institution to include investment advisers brings with it several reporting and recordkeeping requirements. One is the requirement to file Currency Transaction Reports (CTRs) for cash transactions exceeding $10,000 by or on behalf of a party in a business day. Investment advisers would no longer be required to file Form 8300 Report of Cash Payments Received. This is not expected to be a significant burden on investment advisers since cash transactions are rare.
Investment advisers would also be subject to BSA rule [31 CFR 103.33(g)], often referred to as the Travel rule. This relates to the retention of transaction records and transmission of required information to other financial institutions for certain transactions. The Travel rule applies to transactions of $3,000 or more and requires collection and retention of information on the transaction parties. Note that the Travel rule exemption for transactions between certain financial institutions would also be applied to investment advisers, excluding some, if not all transactions from the Travel rule. Investment advisers would also be required to retain records of extensions of credit and cross-border transfers of $10,000 or more for at least five years. The recordkeeping and travel rule requirements may not require additional effort for many firms since this information may already be captured and retained under existing policies and regulations.
What’s not included
The notice specifically states that the proposed rule does not require a customer identification program (CIP), customer due diligence (CDD) or enhanced due diligence (EDD) requirements specific to foreign corresponding banks and private banking customers. However, there is an outstanding FinCEN notice of proposed rulemaking to require specific customer due diligence standards including identification of beneficial owners. It would not be surprising if CIP and CDD requirements applied to investment advisers through an additional rule or revision of the proposed rule. The regulatory trend has been for increased due diligence on customers, not less. Furthermore, the proposed rule includes language requiring firms to understand their customers’ risks. It is difficult to see how firms would be required to effectively assess customer risk or monitor for suspicious activity without an implicit or explicit requirement to identify and perform risk-based due diligence on their customers.
To conclude, here are some final thoughts on the proposed rule. First, don’t panic. The rules are risk based and some, if not many of the requirement may be fulfilled though existing infrastructure and resources. Furthermore, the proposed rule could change between now and the issuance of the final rule. FinCEN solicited comments on the rule and in some cases may alter the proposed rules as a result of industry, regulatory and political feedback. The timetable for finalization of the rule is uncertain and could take many months to finalize. Firms will have six months from the effective date of the rule to implement most of the requirements. In the meantime it would be worthwhile to examine your firm’s current procedures and resources, identify gaps and determine the additional processes, technology and human resources that would be needed to implement the rule. Compliance officers should begin a conversation with senior management and their board of directors to develop an action plan to implement if or when the rule is finalized. Advance planning will lead to a more effective and less expensive implementation process than scrambling to put a program in place at the last minute.