How RIAs can build strong foundation for FinCEN AML rule

RIAs should act now to comply with the final anti-money laundering rule, even if it is altered or extended past its current enforcement deadline of Jan. 1, 2028.

Processing Content

The rule from the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) will subject thousands of SEC-registered investment advisors to the full range of anti-money laundering requirements that now apply to banks and broker-dealers.

READ MORE: Treasury enlists RIAs for front line in money-laundering fight

The two-year extension (the previous enforcement date was Jan. 1, 2026) may seem like a long time, but for the thousands of firms facing a raft of new regulations to heed and suspicious activity reports to file, getting ahead of the rule is a no-brainer.

RIAs should focus their efforts on preventing illegal activity altogether, or failing that, detecting and thwarting it early. Below are the core elements of a strong AML foundation.

Put a formal AML policy in place

A comprehensive, clearly written AML policy will guide employees. It will also be the first thing SEC examiners review.

The policy should align with FinCEN’s Bank Secrecy Act, be customized to your firm’s risk profile and be approved by senior management.

The document should focus on these areas:

• Conduct risk reviews: Include a risk assessment of your client base, products and services, transaction activity and geographic reach.
• Define clear procedures: Spell out the steps your firm takes to meet its core AML obligations, including customer due diligence, ongoing monitoring, suspicious activity reporting and recordkeeping.
• Integrate AML policies with daily operations: Detail how AML responsibilities are integrated into employees’ everyday workflows and assign clear roles across advisors, operations and compliance.
• Clarify how information is shared: Outline how transaction information is dispersed among other financial institutions, with an emphasis on how the “travel rule,” which requires custodians, broker-dealers and other financial institutions to share information in certain funds transmittals, is met.

READ MORE: Industry groups warn money laundering rules could impose staggering burden

Designate an AML compliance officer

Ideally, the designated compliance officer should be the chief compliance officer or another senior professional. Their responsibilities typically include maintaining policies, overseeing risk assessments, monitoring due diligence and high-risk onboarding, filing reports and liaising with regulators.

Institute internal controls and ongoing monitoring

Effective AML programs rely on strong internal controls to prevent, detect and report suspicious activity. Establish clear due diligence procedures when onboarding new clients to verify identity and build a risk profile. Apply enhanced due diligence to higher-risk clients, such as politically exposed persons, using deeper verification, ongoing reviews and senior approvals.

Monitoring protocols should be put in place for red flags such as large or unusual transfers, repeated transactions, “just under” thresholds or activity involving high-risk jurisdictions. Define escalation steps and ensure alerts are resolved and documented promptly. To streamline these monitoring processes, RIAs may employ outside firms or build them in-house.

Emphasize employee training

The best AML program will fail without a highly trained staff. AML procedures tailored to the firm’s business model and risks should be provided to all relevant employees and cover the procedures and red flags discussed above. Roles and responsibilities should be clearly defined, and training protocols should be reviewed regularly as regulations and risks evolve.

Schedule regular independent audits

Required independent audits test an RIA’s AML program and provide objective assurance to the firm and to regulators that the program works. It may be conducted by certain members of the firm’s staff or by an outside party.

Perform such audits regularly, ideally annually. Assess whether policies are effective and followed in practice across due diligence, monitoring, reporting, training and recordkeeping. Document all findings and remediate gaps promptly.

These core pillars position firms to meet regulatory requirements and set them up for full compliance with the incoming RIA AML mandate. Most importantly, adhering to them protects against the misuse of an RIA’s services by bad actors.