As of January 1, 2028, Registered Investment Advisers (RIAs) can no longer rely on their custodians’ anti-money laundering (AML) controls to meet regulatory requirements. FinCEN’s 2024 final rule brings RIAs under the Bank Secrecy Act and mandates that each firm establish its own, standalone AML/CFT program with written policies, ongoing transaction monitoring, customer due diligence, suspicious activity reporting, independent testing, and staff training. Here’s why custodian programs fall short and how RIAs must build their own robust compliance solution.
Custody Rule vs. FinCEN’s AML Rule
The Custody Rule (Advisers Act Rule 206(4)-2) requires RIAs holding client funds or securities to use a “qualified custodian”, often a bank or broker-dealer, that itself is subject to U.S. AML obligations. Many RIAs assumed that custodian AML programs covered them by extension. However, FinCEN’s new rule explicitly makes each RIA a “financial institution” under the BSA, requiring its own risk-based AML program independent of any custodian’s controls. Custodian programs focus on client asset safety, not the adviser’s obligation to detect and report suspicious activity in advisory relationships.
Why Custodian Programs Don’t Suffice
- Scope Misalignment: Custodians monitor transactions on their platforms, typically fund transfers into and out of client accounts. They do not oversee the adviser’s broader activities, such as fee payments, advisory recommendations, client onboarding, or cross-platform transactions. FinCEN’s rule requires RIAs to monitor all advisory-related flows, not just custodied assets.
- No Written AML Program for RIAs: Before 2028, there was no AML program rule for SEC-registered RIAs; custodians maintained programs, and some broker-dealer affiliates extended coverage voluntarily. But custodians’ programs were never designed to meet the specific CDD, SAR filing, and independent testing requirements that now apply to RIAs.
- Separate Reporting Obligations: Suspicious Activity Reports (SARs) must be filed by the party with knowledge of the suspicious activity. If an adviser identifies red flags in client behavior, beyond routine custody transactions, only the adviser can file. Custodians will not and cannot file SARs on behalf of RIAs.
- Independent Testing and Training: FinCEN requires RIAs to conduct independent audits of their AML programs and provide ongoing training to advisory personnel. Custodians neither audit advisers’ policies nor train advisers’ employees on advisory-specific red flags.
Key Elements Your RIA Must Implement
Every RIA needs a written AML/CFT program that includes:
- Risk-Based Customer Due Diligence (CDD): Tailored procedures to understand each client’s risk profile, including beneficial ownership, source of funds, and ongoing review.
- Transaction Monitoring for RIAs: Automated or manual surveillance of all advisory-related transactions, including fee payments, subscriptions, redemptions, and third-party transfers.
- Suspicious Activity Reporting: Clear SAR escalation and filing workflows covering any $5,000+ suspicious transaction.
- Independent Testing: Annual or periodic third-party reviews to ensure program effectiveness.
- Ongoing Staff Training: Regular, role-based training on AML/CFT risks, red flags, and reporting obligations.
- Written Policies & Controls: Documented procedures approved by senior management and updated as regulations or risks evolve.
The Risks of Inaction
Failing to implement your own AML program exposes your firm to:
- $25,000 Daily Fines: Civil penalties for willful non-compliance.
- SEC Enforcement Actions: The SEC will begin exam sweeps of RIA AML compliance from day one of 2028, with fines and reputational harm.
- Client Lawsuits & Loss of Trust: Investors expect advisers to safeguard against illicit finance risks. Compliance gaps erode confidence.
- Operational Disruption: Last-minute system fixes, rushed staff training, and audit failures can halt new business and strain resources.
Next Steps for RIAs
- Assess Your Current Controls: Map all advisory activities and identify gaps in custodian-based monitoring.
- Develop a Written AML Program: Define policies, procedures, and controls tailored to your firm.
- Select an AML Solution: Choose a platform designed for advisers that handles CDD, transaction monitoring, SAR reporting, and independent testing.
- Train Your Team: Implement a training schedule and track completion.
- Schedule Independent Testing: Engage a third-party auditor before year-end 2025 to validate your program.
How Flagright Supports Your Independent AML Program
Flagright’s AI-native AML platform is built specifically for RIAs to meet FinCEN’s 2028 rule:
- No-Code Onboarding: Connect data sources via CSV or API and go live in under two weeks.
- Dynamic Risk Scoring & Monitoring: Real-time tracking of all advisory-related transactions and client risk profiles.
- Integrated SAR Workflow: Automated case management and filing templates for FinCEN.
- Comprehensive CDD Module: Sanctions/PEP screening, beneficial ownership capture, and ongoing reviews.
- Audit-Ready Reporting & Testing: Built-in logs, dashboards, and support for independent program reviews.
Don’t wait for custodians to cover you. With FinCEN’s rule looming, your RIA must own its AML responsibilities. Act now to establish a standalone AML program and protect your firm from fines, enforcement, and reputational damage. Partner with Flagright to be fully compliant, and audit-ready, by January 1, 2028.