AT A GLANCE

Starting January 1, 2028, Registered Investment Advisers (RIAs) must establish their own anti-money laundering (AML) programs independent of custodian coverage. FinCEN's 2024 final rule designates each RIA as a financial institution under the Bank Secrecy Act, requiring written AML policies, customer due diligence, transaction monitoring, suspicious activity reporting, independent testing, and staff training. Relying on your custodian's AML controls will no longer satisfy regulatory requirements, exposing non-compliant firms to daily fines up to $25,000, SEC enforcement actions, and reputational damage.

The regulatory landscape for Registered Investment Advisers is shifting dramatically. For years, RIAs operating under the custody rule assumed their qualified custodians' AML programs provided adequate compliance coverage. That assumption ended with FinCEN's 2024 final rule, which brings RIAs directly under Bank Secrecy Act (BSA) obligations. This change means every RIA must now own, operate, and maintain a standalone AML/CFT program tailored to advisory activities—custodian programs simply weren't designed to meet these new requirements.

This comprehensive guide explains what changed, why custodian AML programs fall short, what your RIA must implement, and how to build a robust compliance solution before the 2028 deadline.

What Is the New AML Rule for RIAs?

FinCEN's 2024 final rule explicitly designates Registered Investment Advisers and Exempt Reporting Advisers as 'financial institutions' under the Bank Secrecy Act, effective January 1, 2028. This designation requires each RIA to establish, document, and maintain its own comprehensive AML/CFT program independent of any third-party controls.

Before this rule, SEC-registered RIAs were not directly subject to BSA AML obligations. Many relied on their custodians—banks or broker-dealers already subject to AML requirements—to handle compliance. The new rule eliminates this gap by imposing direct, standalone obligations on RIAs themselves.

The rule mandates seven core components:

  1. Written AML/CFT policies and procedures tailored to the firm's risk profile
  2. Risk-based customer due diligence (CDD) including beneficial ownership identification
  3. Ongoing transaction monitoring covering all advisory-related financial flows
  4. Suspicious Activity Report (SAR) filing procedures for transactions over $5,000
  5. Independent testing conducted annually, or every two years for lower-risk firms
  6. Ongoing AML training for all advisory personnel
  7. Designation of an AML compliance officer responsible for program oversight

This represents a fundamental shift from relying on custodian controls to owning compliance end-to-end. RIAs must now monitor not just custody assets but all advisory activities including fee payments, client onboarding, investment recommendations, and cross-platform transactions.

What Is RIA Custody and Why Does It Matter?

RIA custody refers to an investment adviser's possession or control of client funds or securities, as defined under the Investment Advisers Act Rule 206(4)-2 (the 'Custody Rule'). An RIA has custody when it holds client assets directly, has authority to withdraw funds or securities from client accounts, or acts as trustee or general partner with access to client assets.

The Custody Rule exists to protect client assets from theft, misuse, or misappropriation. When an RIA has custody, the rule requires them to:

  • Use a qualified custodian (bank, broker-dealer, or registered futures commission merchant)
  • Provide clients with account statements directly from the custodian
  • Undergo an annual surprise examination by an independent public accountant

Why this matters now: Many RIAs incorrectly assumed that using a qualified custodian satisfied both custody obligations and AML requirements. The Custody Rule and FinCEN's AML rule serve different purposes. The Custody Rule protects client assets from adviser misconduct. The AML rule prevents money laundering and terrorist financing through the advisory relationship. Custodians monitor account-level transactions for their own BSA compliance—they do not monitor the adviser's broader business activities, client relationships, or advisory-specific red flags.

Understanding this distinction is critical. Your qualified custodian handles custody compliance. Your RIA must now handle AML compliance. These are separate, non-overlapping obligations.

How Do Custody Rules Differ from AML Requirements?

Custody rules and AML requirements address fundamentally different risks, impose distinct obligations, and require separate compliance programs. Conflating them is one of the most common mistakes RIAs make when preparing for the 2028 deadline.

Primary Risk
  Custody Rule: Asset theft or misappropriation by adviser
  AML Rule: Money laundering, terrorist financing, fraud

Regulator
  Custody Rule: SEC
  AML Rule: FinCEN

Scope
  Custody Rule: Client assets held or controlled by adviser
  AML Rule: All advisory-related transactions and relationships

Key Obligation
  Custody Rule: Use qualified custodian; annual surprise audit
  AML Rule: Written AML program; CDD; SAR filing; testing

Can Delegate?
  Custody Rule: No. The RIA is responsible if it has custody
  AML Rule: No. The RIA must own and operate its AML program

The critical takeaway: Using a qualified custodian satisfies the Custody Rule but does nothing for your AML obligations. These are parallel, independent requirements enforced by different agencies with different penalties for non-compliance.

Why Can't RIAs Rely on Custodian AML Programs Anymore?

Custodian AML programs were never designed to cover RIA-specific compliance obligations, and four fundamental gaps make relying on them inadequate under FinCEN's 2024 rule.

1. Scope Misalignment

Custodians monitor transactions that occur on their platforms—primarily deposits, withdrawals, and securities transfers within custody accounts. They do not see or monitor:

  • Advisory fee payments processed outside the custodian
  • Client onboarding and due diligence conducted by the adviser
  • Investment recommendations and suitability assessments
  • Cross-platform transactions where clients hold assets at multiple custodians
  • Third-party payment flows or referral fee arrangements
  • Advisory-specific red flags like sudden changes in investment strategy, atypical client requests, or inconsistent risk profiles

FinCEN's rule requires RIAs to monitor all advisory-related flows, not just what happens in custody accounts. If suspicious activity occurs outside the custodian's view, the custodian cannot and will not detect it.

2. No Written AML Program for RIAs

Custodians maintain AML programs to satisfy their own Bank Secrecy Act obligations as banks or broker-dealers, which are themselves subject to U.S. AML requirements. Those programs address custodian-level risks such as account opening, wire transfers, and platform-based transactions. They are not written to cover the specific customer due diligence, suspicious activity reporting, independent testing, or training requirements that now apply to RIAs.

Before January 1, 2028, there was no risk-based AML program rule for SEC-registered RIAs. Some broker-dealer affiliates voluntarily extended AML coverage to their RIA subsidiaries, but this was a courtesy, not a regulatory requirement. FinCEN's new rule eliminates any ambiguity: each RIA must have its own written, board-approved AML/CFT program tailored to its business model, client base, and risk profile.

Custodians will not rewrite their programs to cover RIAs. The responsibility rests entirely with the adviser.

3. Separate Reporting Obligations

Suspicious Activity Reports (SARs) must be filed by the party with direct knowledge of the suspicious activity. If an RIA identifies red flags in a client relationship—such as unusual trading patterns, conflicts between stated investment objectives and actual behavior, or inconsistent source-of-funds explanations—only the RIA can file the SAR.

Custodians file SARs based on their own transaction monitoring. They cannot and will not file SARs on behalf of RIAs for activity the custodian did not observe or flag. If the RIA sees suspicious behavior but fails to file, the RIA is in violation—regardless of what the custodian does or does not do.

This creates a direct, non-delegable obligation. RIAs must establish SAR escalation workflows, train staff to recognize red flags, and maintain documentation supporting each filing decision.

4. Independent Testing and Training

FinCEN requires RIAs to conduct independent audits or reviews of their AML programs at least annually, or every two years for lower-risk firms. The auditor must be someone not involved in the day-to-day operation of the AML program.

Custodians audit their own AML programs. They do not audit RIA programs, and they do not have visibility into RIA-specific policies, procedures, or staff training. The same applies to training: custodians train their own employees on custodian risks. RIAs must train advisory personnel on advisory-specific red flags such as:

  • Clients who are politically exposed persons (PEPs)
  • Sudden, unexplained wealth or changes in asset levels
  • Reluctance to provide beneficial ownership information
  • Requests for complex structures inconsistent with client sophistication
  • Unusual patterns of deposits or withdrawals around advisory fee billing

No custodian provides this level of tailored testing or training for RIAs. The adviser must build it internally or engage a third-party provider.

What Must RIAs Include in Their AML Program?

Every RIA must implement a written, risk-based AML/CFT program approved by senior management or the board. The program must include these seven mandatory components:

1. Risk-Based Customer Due Diligence (CDD)

CDD procedures must be tailored to each client's risk profile. At a minimum, RIAs must:

  • Verify client identity using government-issued identification
  • Identify and verify beneficial owners (individuals owning 25% or more of an entity)
  • Understand the nature and purpose of the client relationship
  • Screen clients against OFAC sanctions lists and PEP databases
  • Conduct enhanced due diligence for high-risk clients (e.g., foreign PEPs, clients in high-risk jurisdictions)

Ongoing CDD requires periodic reviews to ensure client information remains current. For high-risk clients, reviews should occur annually or whenever red flags emerge.

2. Transaction Monitoring for RIAs

Transaction monitoring must cover all advisory-related financial flows, not just custodied assets. This includes:

  • Advisory fee payments (whether deducted from accounts or paid separately)
  • Asset transfers into or out of advisory relationships
  • Third-party payments to or from client accounts, including remittances
  • Subscription and redemption activity in pooled investment vehicles
  • Cross-border transfers, especially to or from high-risk jurisdictions

Transaction monitoring for RIAs can be automated using software platforms or conducted manually through periodic reviews, depending on firm size and transaction volume. The key is consistency: establish thresholds, document monitoring frequency, and investigate any anomalies.

3. Suspicious Activity Reporting (SAR)

RIAs must file SARs with FinCEN for any transaction (or pattern of transactions) totaling $5,000 or more that the RIA knows, suspects, or has reason to suspect:

  • Involves funds derived from illegal activity
  • Is designed to evade BSA requirements (structuring)
  • Has no business or lawful purpose
  • Uses the RIA to facilitate criminal activity

RIAs must file SARs within 30 days of detecting the suspicious activity. The program must include clear escalation procedures, designate who has filing authority, and maintain secure, confidential records. Importantly, RIAs cannot tip off clients that a SAR has been filed.
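To make the monitoring and SAR sections above concrete, here is an added illustration (not Flagright's code or any vendor's) of the kind of rule logic an RIA would run over its own advisory flows: it aggregates sub-threshold third-party payments per client against the $5,000 SAR trigger and computes the 30-day filing deadline. The 30-day aggregation window, the `ZZ` jurisdiction code and the sample transactions are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# $5,000 SAR trigger and 30-day filing deadline come from the article.
# The aggregation window and the high-risk list are assumptions a firm
# would set in its own risk assessment; "ZZ" is a placeholder code.
SAR_THRESHOLD = 5_000.00
SAR_FILING_DAYS = 30
AGGREGATION_WINDOW_DAYS = 30
HIGH_RISK_JURISDICTIONS = {"ZZ"}


@dataclass(frozen=True)
class Txn:
    client: str
    when: date
    amount: float
    kind: str            # "fee", "transfer_in", "transfer_out", "third_party"
    country: str = "US"  # counterparty jurisdiction


@dataclass(frozen=True)
class Alert:
    client: str
    reason: str
    total: float
    detected_on: date

    @property
    def filing_deadline(self) -> date:
        # A SAR must be filed within 30 days of detecting the activity.
        return self.detected_on + timedelta(days=SAR_FILING_DAYS)


def monitor(txns: list[Txn]) -> list[Alert]:
    """Run advisory-flow monitoring rules; return alerts for SAR review."""
    by_client: dict[str, list[Txn]] = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.when):
        by_client[t.client].append(t)

    alerts: list[Alert] = []
    for client, items in by_client.items():
        # Rule 1: a single flow at or above the threshold that touches a
        # high-risk jurisdiction is escalated for review.
        for t in items:
            if t.amount >= SAR_THRESHOLD and t.country in HIGH_RISK_JURISDICTIONS:
                alerts.append(Alert(client, "high_risk_jurisdiction", t.amount, t.when))

        # Rule 2: several sub-threshold third-party payments inside the window
        # that together reach the threshold (a structuring pattern the adviser
        # sees across relationships, which a single custody account may not).
        window: list[Txn] = []
        for t in items:
            if t.kind != "third_party" or t.amount >= SAR_THRESHOLD:
                continue
            window = [w for w in window
                      if (t.when - w.when).days <= AGGREGATION_WINDOW_DAYS]
            window.append(t)
            total = sum(w.amount for w in window)
            if len(window) >= 3 and total >= SAR_THRESHOLD:
                alerts.append(Alert(client, "possible_structuring", total, t.when))
                window = []  # start a fresh window after escalating
    return alerts


# Constructed sample data; client ids and amounts are made up.
SAMPLE = [
    Txn("C001", date(2028, 3, 1), 2_400, "third_party"),
    Txn("C001", date(2028, 3, 6), 2_300, "third_party"),
    Txn("C001", date(2028, 3, 9), 1_900, "third_party"),
    Txn("C002", date(2028, 3, 2), 12_000, "transfer_in", country="ZZ"),
    Txn("C003", date(2028, 3, 31), 1_500, "fee"),
]

if __name__ == "__main__":
    for a in monitor(SAMPLE):
        print(a.client, a.reason, a.total, "file SAR by", a.filing_deadline)
```

Each alert is a review item for the AML officer, not an automatic filing; the documented decision to file or not is what the independent tester and examiner will ask for.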

4. Independent Testing

RIAs must conduct independent reviews or audits of their AML programs:

  • Annually for higher-risk firms
  • Every two years for lower-risk firms

The reviewer must be independent—someone not responsible for the AML program's day-to-day operation. This can be an internal audit team, a third-party consultant, or an independent compliance firm. The review must assess program effectiveness, identify gaps, and recommend improvements.

5. Ongoing Staff Training

All personnel with client-facing or compliance responsibilities must receive AML training tailored to their roles. Training should cover:

  • AML/CFT risks specific to RIAs
  • Red flags for suspicious activity (e.g., structuring, PEPs, unusual transactions)
  • SAR reporting procedures and confidentiality requirements
  • Watchlist screening and beneficial ownership identification
  • Consequences of non-compliance for the firm and individuals

Training must occur upon hire and at least annually thereafter. RIAs must track completion and update training materials as regulations or risks evolve.

6. Written Policies & Controls

The AML program must be documented in writing and approved by senior management or the board. Written policies should address:

  • Risk assessment methodology
  • CDD and enhanced due diligence procedures
  • Transaction monitoring thresholds and investigation triggers
  • SAR escalation and filing workflows
  • Recordkeeping requirements (5 years for most AML records)
  • Independent testing schedule and scope
  • Staff training curriculum and tracking

Policies must be updated whenever regulations change, the firm's risk profile shifts, or testing identifies gaps.

7. AML Compliance Officer

Each RIA must designate an AML compliance officer responsible for implementing and overseeing the program. This individual should have sufficient authority, resources, and knowledge to ensure compliance. The officer is the point of contact for regulators and is accountable for program effectiveness.

How Must RIAs Protect Client Assets If They Have Custody?

RIAs that have custody of client assets must comply with the SEC's Custody Rule (Rule 206(4)-2) by using a qualified custodian and following specific safeguards to prevent asset misappropriation.

Under the Advisers Act, an RIA has 'custody' if it holds client funds or securities, has authority to withdraw assets from client accounts, or serves as trustee or general partner with access to client assets. To protect these assets, RIAs must:

  • Maintain client assets with a qualified custodian (bank, broker-dealer, or registered futures commission merchant)
  • Ensure clients receive account statements directly from the custodian at least quarterly
  • Undergo an annual surprise examination by an independent public accountant to verify that client assets are properly held
  • Notify clients in writing that the custodian sends account statements, and urge clients to compare adviser reports with custodian statements

For RIAs advising pooled investment vehicles (like hedge funds or private funds), additional requirements apply, including annual audited financial statements distributed to investors.

Importantly, these custody safeguards do not satisfy AML obligations. The Custody Rule protects against adviser theft; the AML rule protects against money laundering. RIAs with custody face both sets of obligations and must implement parallel compliance programs to address each risk.

What Are the Risks of Non-Compliance?

Failing to implement your own AML program by January 1, 2028 exposes RIAs to severe financial, regulatory, and reputational consequences.

Civil Money Penalties

FinCEN can impose civil penalties of up to $25,000 per day for willful violations of BSA requirements. For a mid-sized RIA, even a few weeks of non-compliance could result in hundreds of thousands of dollars in fines. Willful failures to file SARs carry even steeper penalties.

SEC Enforcement Actions

The SEC will conduct compliance examinations of RIA AML programs starting in 2028. Deficiencies identified during exams can lead to enforcement actions, censures, fines, and mandatory remediation. Firms with inadequate programs may face registration revocation in extreme cases.

Client Lawsuits and Loss of Trust

Investors increasingly expect advisers to implement robust compliance programs. Public disclosure of AML failures or SAR violations can erode client confidence, trigger withdrawals, and expose the firm to litigation. Clients may argue that inadequate AML controls allowed illicit activity that harmed their assets or reputation.

Operational Disruption

RIAs that delay implementation until late 2027 risk operational chaos: rushed technology deployments, incomplete staff training, and failed independent audits. Last-minute fixes often fail to meet regulatory standards, forcing firms to halt new client onboarding or suspend advisory activities until compliance gaps close.

How to Choose an AML Compliance Solution for Your RIA

Building an AML program from scratch is complex, resource-intensive, and error-prone. Most RIAs benefit from a purpose-built AML case management platform that automates CDD, transaction monitoring, SAR workflows, and testing.

When evaluating AML solutions, prioritize these features:

  • RIA-specific design: The platform should be built for advisers, not banks or broker-dealers. Look for advisory-focused risk scoring, fee monitoring, and support for pooled vehicles.
  • No-code implementation: Avoid solutions that require months of IT integration. The best platforms connect via CSV upload or API in days, not quarters.
  • Real-time monitoring: Transaction alerts should trigger immediately, not after month-end batch processing. Speed is critical for identifying and escalating suspicious activity.
  • Integrated SAR filing: Look for platforms with built-in SAR templates, FinCEN submission workflows, and secure case management to streamline reporting.
  • Comprehensive CDD tools: Sanctions screening (OFAC, UN, EU), PEP databases, beneficial ownership tracking, and automated ongoing reviews should be included.
  • Audit-ready reporting: Dashboards, audit logs, and documentation exports must support independent testing and regulatory exams.
  • Training and support: The vendor should provide AML training materials, implementation guidance, and regulatory updates as rules evolve.

Avoid generic financial crime platforms designed for banks. RIAs need advisory-specific tools that understand fee-based business models, discretionary authority, and the nuances of investment management.

How Flagright Supports Your Independent AML Program

Flagright's AI-native AML platform is purpose-built for RIAs to meet FinCEN's 2028 rule with minimal disruption and maximum effectiveness, with AI Forensics that speeds investigations and strengthens audit-ready documentation.

No-Code Onboarding: Connect your data sources via CSV upload or API integration and go live in under two weeks. No IT team required.

Dynamic Risk Scoring & Monitoring: Real-time tracking of all advisory-related transactions, including fee payments, subscriptions, redemptions, and third-party transfers. AI-powered risk models adapt to each client's behavior.

Integrated SAR Workflow: Automated case management with FinCEN SAR filing templates, secure escalation workflows, and confidential documentation.

Comprehensive CDD Module: Sanctions screening (OFAC, UN, EU), PEP identification, beneficial ownership capture, and automated ongoing reviews tailored to RIA risk profiles.

Audit-Ready Reporting & Testing: Built-in audit logs, compliance dashboards, and support for independent program reviews. Export documentation for SEC exams in one click.

Don't wait for custodians to cover you. With FinCEN's rule taking effect January 1, 2028, your RIA must own its AML responsibilities. Act now to establish a standalone AML program and protect your firm from fines, enforcement, and reputational damage.

Frequently Asked Questions

What is notable about the new AML/CFT program rule and SAR filing requirements for registered investment advisers?

The 2024 FinCEN rule designates RIAs as financial institutions under the Bank Secrecy Act for the first time, requiring each adviser to establish an independent AML/CFT program by January 1, 2028. This includes SAR filing obligations for suspicious transactions over $5,000, which RIAs must file directly with FinCEN—custodians will not file on their behalf.

Do RIAs need AML compliance if they use qualified custodians?

Yes. Using a qualified custodian satisfies the SEC's Custody Rule but does not satisfy FinCEN's AML rule. RIAs must implement their own standalone AML programs regardless of custodian coverage, because custodian programs monitor platform transactions, not adviser-specific activities like client onboarding, fee payments, or advisory relationships.

What are AML requirements for registered investment advisors under the new rule?

RIAs must establish written AML/CFT programs that include: risk-based customer due diligence (CDD) with beneficial ownership identification, ongoing transaction monitoring of all advisory-related flows, SAR filing procedures for transactions over $5,000, independent testing annually or every two years depending on risk, staff training on AML risks and red flags, and designation of an AML compliance officer.

Which RIA custodian firms are recognized for their effective compliance support?

While major custodians like Schwab, Fidelity, and Pershing offer strong custody compliance support, they do not provide AML program coverage for RIAs. Custodians handle their own BSA obligations and cannot substitute for an RIA's independent AML compliance program. RIAs must select third-party AML platforms or build internal programs to meet FinCEN requirements.

How do custody solutions address anti-money laundering requirements?

Custody solutions address anti-money laundering requirements by monitoring transactions on their platforms (deposits, withdrawals, transfers) as part of their own BSA obligations. However, they do not address RIA-specific AML requirements such as advisory fee monitoring, client due diligence, SAR filing for adviser-identified suspicious activity, or ongoing risk assessments of advisory relationships.

What AI compliance tools flag high-risk activities for RIAs?

AI-powered AML platforms like Flagright use machine learning to flag high-risk activities such as unusual transaction patterns, PEP relationships, sanctions hits, structuring behaviors, and mismatches between client profiles and actual behavior. These tools automate risk scoring, alert generation, and case prioritization, enabling RIAs to identify suspicious activity faster and more accurately than manual reviews.

What are the compliance risks RIA advisers should manage?

RIAs must manage compliance risks including: failure to implement AML programs by 2028 (resulting in FinCEN penalties up to $25,000 per day), inadequate SAR filing leading to enforcement actions, gaps in customer due diligence allowing illicit clients to onboard, weak transaction monitoring missing suspicious activity, insufficient staff training, and failed independent audits exposing program deficiencies.

Where can RIAs find platforms that prevent custody risk?

RIAs seeking to avoid custody status can use platforms like portfolio management software with read-only access, billing solutions that don't touch client funds, and third-party fee deduction services. However, preventing custody risk and implementing AML compliance are separate obligations. Even RIAs without custody must still establish AML programs under FinCEN's 2024 rule.

What is the difference between RIA custody rules and AML rules?

RIA custody rules (SEC Rule 206(4)-2) protect client assets from adviser misappropriation by requiring qualified custodians and surprise audits. AML rules (FinCEN's BSA requirements) prevent money laundering and terrorist financing through the advisory relationship by requiring CDD, transaction monitoring, and SAR filing. Both are mandatory but address different risks and are enforced by different agencies (SEC vs. FinCEN).

Key Takeaways for RIAs

Act Before 2028: Start building your AML program now. Implementation takes 6-12 months when done properly—waiting until 2027 creates unnecessary risk.

Custodians Won't Save You: No custodian will extend AML coverage to RIAs. You must own this obligation independently.

Technology Matters: Manual AML programs don't scale. Choose a platform built for RIAs with automated monitoring, CDD tools, and SAR workflows.

Train Your Team: AML effectiveness depends on staff awareness. Invest in role-based training that covers advisory-specific red flags.

Document Everything: Regulators will examine your written policies, testing results, and SAR decisions. Maintain meticulous records from day one.

Get Independent Testing Early: Schedule your first independent review before the 2028 deadline to identify and fix gaps while there's still time.

Partner with Flagright for a robust, audit-ready AML compliance solution that ensures your RIA is fully compliant by January 1, 2028. Protect your firm, your clients, and your reputation—act now.