Registered Investment Advisers (RIAs) in the United States are facing new anti-money laundering (AML) requirements under the Financial Crimes Enforcement Network (FinCEN) final rule. This rule, finalized in August 2024, mandates that RIAs implement comprehensive AML programs by January 1, 2026. With enforcement of the Bank Secrecy Act (BSA) expanding to investment advisers, firms must act quickly to establish compliant programs. This article provides a step-by-step guide for U.S. RIAs to build an AML/BSA compliance program aligned with FinCEN’s rule. We’ll cover the five core program elements, FinCEN and SEC guidance, transaction monitoring systems, customer due diligence best practices, and a practical AML compliance checklist – all tailored to RIA AML compliance needs. Recent U.S. enforcement trends underscore the importance of getting this right, but with the right approach (and the right technology partner), RIAs can achieve fast, low-friction compliance.

Overview of FinCEN’s AML Rule for Investment Advisers (Effective 2026)

FinCEN’s final rule extends Bank Secrecy Act obligations to investment advisers for the first time. Previously, most RIAs were not explicitly required to maintain AML programs, which created a regulatory gap. The new rule closes that gap by adding SEC-registered RIAs (and certain exempt reporting advisers) to the BSA’s definition of “financial institution”. Covered RIAs must now implement the same fundamental AML measures long required of broker-dealers and banks. Key points of the FinCEN rule include:

  • Who is Covered: SEC-registered RIAs and Exempt Reporting Advisers (typically advisers to private funds) fall under the rule. State-registered advisers, foreign private advisers, and family offices are not covered at this time. However, FinCEN signaled it will monitor those excluded sectors and could expand coverage in the future.
  • Compliance Deadline: AML programs must be in place by January 1, 2026. This gives firms a short window to design, approve, and implement all program elements.
  • Regulatory Expectations: FinCEN emphasizes a risk-based approach – there is no one-size-fits-all template. Each RIA must assess its own money laundering and terrorist financing risks and craft procedures to address those risks. The rule aims to prevent illicit actors (e.g. sanctioned individuals, corrupt officials, fraudsters) from exploiting the investment adviser industry to launder funds. It also responds to cases where foreign adversaries used private funds via advisers to circumvent controls.
  • Examination and Enforcement: FinCEN has delegated examination authority to the SEC for these new requirements. In practice, this means the SEC’s Division of Examinations will review RIA AML compliance during routine exams. RIAs should anticipate SEC examiners applying standards similar to those used for broker-dealers and mutual funds. Early enforcement trends suggest regulators will look for programs that are tailored and effective. Even before the rule’s effective date, the SEC has taken action against an RIA for misrepresenting its AML policies – penalizing the firm $150,000 for claiming it verified investors’ identities when it had not. The clear message: regulators expect truthful disclosures and robust AML controls, and they will act against firms that fail to meet these standards.

Five Core Elements of an RIA AML Program

The foundation of an AML program for investment advisers is built on five core elements required by FinCEN. These mirror the traditional “pillars” of AML compliance in the U.S., adapted to the RIA context. RIAs should ensure their program addresses each of the following components in writing and in practice:

1. Written AML Program (Policies and Procedures)

Every RIA must develop a written AML/CFT compliance program that is approved by senior management and tailored to the firm’s risks. This written program is essentially the roadmap for how the firm complies with the BSA. Key considerations for a written AML program include:

  • Risk-Based Policies: The program should start with a risk assessment covering the types of clients you serve, the services/products offered, transaction volumes, and geographic exposures. Using that assessment, draft policies and procedures that allocate the greatest controls to higher-risk areas (for example, extra scrutiny for clients from high-risk jurisdictions or for complex private fund structures). FinCEN expects each adviser to “identify its exposure to money laundering [and] terrorist financing… and design internal policies, procedures, and controls” to mitigate those risks.
  • Procedures for Core Obligations: The written program must outline how the firm will meet all required AML obligations – including customer due diligence, ongoing monitoring, suspicious activity reporting, and recordkeeping. For instance, it should detail steps for onboarding new clients (what information is collected and how it’s verified), how transactions will be reviewed for red flags, and how potential suspicious activity is escalated and investigated. Transaction monitoring procedures (discussed more below) are a critical part of these internal controls.
  • Integration with Firm Operations: AML policies shouldn’t exist in a vacuum. The program should specify roles and responsibilities across the organization (client advisors, operations, compliance staff, etc.) to embed AML controls into day-to-day processes. For example, if your RIA uses custodians or broker-dealer partners to execute transactions, your procedures should explain how information flows between the RIA and those entities to ensure compliance (such as obtaining necessary data for the Travel Rule on funds transfers). The end goal is a set of written guidelines that employees can follow to prevent and detect money laundering through the adviser’s services.

A well-documented program not only guides employees but will be the first thing SEC examiners review. Common pitfalls to avoid include using off-the-shelf or generic policies that aren’t aligned with your actual business. In fact, SEC enforcement has cited firms for “relying on general AML policies not tailored to the specific business”. Instead, take the time to customize your written program to your firm’s unique risk profile.

2. Designated AML Compliance Officer

FinCEN’s rule requires each firm to appoint a designated AML compliance officer responsible for implementing and overseeing the program. For RIAs, this person will typically be a senior compliance manager or the Chief Compliance Officer (CCO) already in place under SEC rules. Best practices for this role include:

  • Authority and Resources: The AML compliance officer should have sufficient authority within the organization to carry out their mission. This means direct access to top management or the board and the ability to effect changes. FinCEN guidance stresses that the officer must be empowered and independent – they need to be free to raise concerns and enforce policies across departments. Ensure this individual has adequate staffing, budget, and technology to administer the program (e.g. access to compliance software, training resources, and perhaps external consultants for expertise).
  • Expertise: The designated officer should be well-versed in AML regulations and red flags relevant to investment advisers. If your firm’s CCO wears multiple hats, consider additional training or support so they understand BSA requirements deeply. Many RIAs are exploring outsourced AML officer services or hiring dedicated AML staff to bolster expertise, especially if the existing compliance team has not handled BSA obligations before.
  • Accountability: Clearly define the AML compliance officer’s responsibilities in the written program and job description. Typical duties include maintaining and updating the AML policies, coordinating firm-wide risk assessments, monitoring day-to-day compliance (such as reviewing due diligence files or approving high-risk client onboarding), filing required reports (e.g. Suspicious Activity Reports), and liaising with regulators. Documenting these duties helps ensure nothing falls through the cracks. Remember that regulators can hold the firm (and sometimes individuals) accountable for AML failures, so this role is critical. Providing support and even indemnification for the compliance officer (as some firms do) can enable them to perform their job confidently.

3. Internal Controls and Ongoing Monitoring

“Internal controls” refers to the mechanisms and processes that enforce your AML policies on a daily basis. In an RIA’s AML program, internal controls should be designed to prevent, detect, and report suspicious activity. Key components include:

  • Client Due Diligence Processes: Establish a standard Customer Due Diligence (CDD) procedure for onboarding new clients and investors. Even though FinCEN’s final rule does not yet impose a formal Customer Identification Program (CIP) requirement (that is expected in a separate rulemaking), RIAs should still collect and verify identifying information for their clients as a matter of sound practice. This means gathering information like name, date of birth, address, government ID for individuals, and organizational documents for entities. Identify any beneficial owners of entity clients (generally those owning 25% or more, and one control person), and verify their identities as well. These steps are fundamental to “knowing your customer.” Your internal procedures should also cover understanding the nature and purpose of the client relationship – why is the client seeking your services, what is the source of their funds, what types of transactions do they expect to conduct? FinCEN requires ongoing CDD procedures to include developing a customer risk profile based on this information.
  • Enhanced Due Diligence (EDD) for Higher Risk Clients: For clients that pose elevated risk (for example, politically exposed persons, clients from high-risk countries or those with complex trust structures), your controls should mandate enhanced due diligence. EDD may involve obtaining additional information (like detailed source of wealth, references, or explanations for unusual account activity), more frequent reviews of the relationship, and senior management sign-off to accept or continue the client. If an RIA manages private funds, investors who are offshore or obscured through multiple layers might warrant EDD. The program should outline what factors trigger EDD and what additional measures are taken in response.
  • Transaction Monitoring Controls: Implement a system for transaction monitoring for RIAs that fits your business model. Unlike banks, RIAs may not handle daily deposit/withdrawal activity, but they do facilitate movement of client assets – for example, capital contributions and distributions in funds, wire transfers of investment proceeds, transfers between client accounts, etc. Your internal controls should specify how such transactions will be monitored for red flags. Many firms use software-based transaction monitoring systems that automatically flag unusual patterns (more on this in the next section). At minimum, define thresholds or scenarios that would prompt a manual review. Examples: a sudden large redemption or transfer over a certain dollar amount, a series of transfers just under $10,000, payments to or from high-risk jurisdictions, or any transaction inconsistent with a client’s known profile. Clear procedures should state how staff are to escalate and investigate alerts. A common regulatory finding is firms “flagging accounts for AML review but never resolving the underlying verification failures” – ensure your process requires timely resolution of alerts and documentation of outcomes (e.g. cleared as legitimate or escalated to file a SAR).
  • Separation of Duties and Approvals: Robust internal controls often involve checks and balances. For instance, the person who opens a new client account shouldn’t be the only one verifying the client’s identity – a second pair of eyes (like compliance) should confirm due diligence is completed. Similarly, if an automated monitoring system flags a transaction, a compliance analyst should review it independently from the front-office staff who initiated the transaction. Requiring managerial approval for high-risk decisions (like onboarding a PEP or filing a SAR) is another best practice. These measures prevent conflicts of interest and ensure potential issues get proper scrutiny.

In summary, internal controls operationalize your AML program. They include everything from written procedures, automated software rules, checklists, approvals, to record-keeping systems. Regulators expect RIAs to have internal controls that are reasonably designed to detect and report suspicious activities and to ensure compliance with all applicable BSA requirements. As you design these controls, leverage industry guides (such as the SEC and FINRA AML examination modules for broker-dealers) and adapt them to the adviser context. Consistency and follow-through are key – it’s not enough to have good written procedures if employees don’t actually follow them.

4. Ongoing Employee Training

Even the best-written program will falter if your team is not properly trained. Ongoing training is a core pillar of AML compliance, and FinCEN requires RIAs to implement training for appropriate personnel. What does effective AML training look like for an investment adviser?

  • Firm-Wide Training Program: Provide AML training to all relevant employees at least annually. This typically includes anyone who interacts with clients, handles transactions, or has compliance responsibilities. The training should cover the basics of money laundering and terrorist financing, the firm’s specific AML policies, how to identify red flags, and what their duty is in reporting suspicious activity. Front-office staff should know their role in initial customer due diligence and spotting anomalies, whereas operations staff might need to focus on transaction monitoring and recordkeeping details.
  • Tailored Content: Make the training as relevant as possible to the RIA’s business. For example, if your firm primarily advises private equity funds, include scenarios on private fund subscription risks, secondary transfers of fund interests, etc. If you manage separately managed accounts for individuals, training should cover detecting suspicious wire requests or changes in account behavior. Regulators have criticized “one-size-fits-all” training that isn’t specific to a firm’s business lines. Tailor your program with examples that resonate with your staff’s day-to-day experience.
  • Keep Staff Updated: The financial crime landscape evolves, so update training materials to include emerging risks and regulatory developments. For instance, new sanctions programs (like those related to Russia in 2022) or trends like cryptocurrency use in laundering should be incorporated so staff remain alert to current red flags. Given the rule is brand new for RIAs, initial trainings in 2025 should cover the specifics of FinCEN’s requirements and the firm’s new procedures under the AML program.
  • Document Attendance and Results: Track who has completed the training and when. It’s wise to include a short quiz or acknowledgment to ensure comprehension. During examinations, the SEC will likely ask for evidence of your training efforts. Maintaining logs or certificates of completion for each employee will demonstrate compliance. Also, encourage feedback – if employees are confused about any aspect of AML duties, use that input to refine future sessions or clarify your procedures.

A strong culture of compliance starts with knowledgeable employees. Ongoing training reinforces that AML compliance is everyone’s responsibility, not just the compliance department’s. It empowers employees to act as the first line of defense against suspicious activity and helps embed a “culture of vigilance” within your organization.

5. Independent Testing and Audit

Regular independent testing of your AML program is the fifth core element. FinCEN requires an independent audit function to periodically test the effectiveness of the AML program. For RIAs, especially smaller firms, this doesn’t necessarily mean hiring a Big Four auditor – but it does mean you need a qualified, objective reviewer:

  • Frequency and Scope: At minimum, conduct an AML program test annually (FINRA rules for broker-dealers require yearly independent testing in most cases, and it’s a good benchmark for RIAs). The tester should review all aspects of your program: the risk assessment, sample client files for CDD completeness, transaction monitoring alerts and how they were handled, SAR filings, training records, and compliance with recordkeeping rules. They should evaluate whether your policies are being followed in practice and whether those policies are adequate. For example, an independent test might find that certain high-risk clients were onboarded without senior approval per policy – a gap to fix. Or it might find your transaction monitoring rules are not detecting some obvious patterns, indicating a need to fine-tune scenarios.
  • Independence: “Independent” means the tester is not involved in the day-to-day AML compliance operations. You can use an internal audit team if your firm has one (and they haven’t been running the AML program), or outsource to a consultant or law firm with AML expertise. The person performing the test should have sufficient knowledge to assess compliance. Many mid-size advisers are likely to engage external consultants for this annual AML review, at least initially, to benefit from their experience with similar firms.
  • Documentation of Findings: Ensure the results of the independent test are documented in a written report. The report should outline any identified deficiencies or weaknesses and provide recommendations for improvement. Regulators will want to see not just that you did a test, but that you addressed any issues found. For instance, if the 2025 independent test (before the rule’s effective date) flags that employees aren’t consistently collecting beneficial ownership info, management should update procedures or training to close that gap well before 2026.
  • Management Response and Follow-Up: Treat the independent audit findings seriously. Develop a remediation plan for any problems uncovered. It’s a best practice to have the AML compliance officer report the audit results and remediation steps to senior management or the board. This demonstrates top-level oversight. By completing a testing cycle and fixing issues prior to January 2026, you’ll be in a much stronger position for your first SEC examination of AML compliance.

Independent testing is essentially a quality assurance step for your program. It provides an objective check that your AML compliance efforts are working as intended. Firms that neglect this element risk blind spots – many enforcement cases have revealed that issues went unnoticed because no independent party was checking. On the flip side, having audit reports and documented improvements will show regulators that your RIA is proactive and committed to AML compliance.

Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) Best Practices

A critical piece of any AML program for investment advisers is a robust Customer Due Diligence process. CDD is woven throughout the core elements above, but it’s worth focusing on concrete best practices given the particular challenges RIAs may face with client due diligence. Unlike banks, RIAs often deal with indirect customers (e.g. investors in a fund the RIA advises) and complex legal entities. Here’s how RIAs can approach CDD and EDD:

  • Identify and Verify All Clients/Investors: Make sure you clearly define who is considered the “customer” for your services. For an RIA managing a fund, FinCEN’s expectation is that the fund itself and the investors in the fund are subject to due diligence. If you manage separate accounts, the accountholder is the customer. In all cases, collect identifying information on the customer and verify it using reliable documents or electronic methods. Even though the formal CIP rule is pending, use the standards that banks follow: for individuals, obtain a government-issued photo ID (e.g. driver’s license, passport) and confirm details; for entities, get formation documents (like articles of incorporation or trust instruments) and confirm beneficial ownership information. Verifying identity might involve databases, third-party services, or document inspection. The goal is to know exactly who you are dealing with and ensure they are who they claim to be.
  • Beneficial Ownership and Control Persons: For entity clients (companies, partnerships, trusts, etc.), identify the individuals behind the entity. A common threshold is identifying any individual who owns 25% or more of the entity, and at least one individual who controls the entity (such as an executive or general partner). Collect these persons’ names, dates of birth, addresses, and identification documents. FinCEN’s 2018 CDD Rule (applied to banks and others) uses this 25% threshold, and RIAs are wise to follow it as a guideline. If an entity is owned by other entities, drill down to find the ultimate human owners. Document the ownership structure in your files. This beneficial ownership collection is vital — an SEC case in 2025 (Navy Capital) underscored that failing to verify beneficial owners can lead to serious consequences, such as inadvertently taking on a sanctioned individual as an investor. Don’t skip this step: it provides transparency into who benefits from the assets under your management.
  • Risk Profiling at Onboarding: As part of CDD, assess the risk profile of each client at onboarding. Develop a checklist or questionnaire to capture risk factors like: the customer’s occupation or industry, expected account activity (types of transactions, size and frequency of contributions or withdrawals), countries of origin or investment, whether the customer or any beneficial owner is a politically exposed person (PEP), any adverse media or criminal history, etc. Using this information, assign a risk rating (e.g. low, medium, high). This customer risk profile is required as part of ongoing CDD procedures. It will determine the level of scrutiny and monitoring the customer gets going forward. For example, a high-net-worth individual from a stable background investing in a standard portfolio might be low risk, whereas a Cayman Islands trust with complex layers investing in a private fund might be high risk, warranting more due diligence.
  • Enhanced Due Diligence Triggers: For high-risk customers, implement EDD as noted earlier. Common triggers for EDD in the RIA context include: a customer or beneficial owner who is a PEP or senior foreign political figure, customers from countries with weak AML regimes or sanctions, clients involving shell companies or intermediaries that obscure ownership, customers dealing in novel assets (like crypto assets), or any situation where source of funds is unclear. EDD measures can involve requiring detailed source of funds and source of wealth documentation (such as bank statements, financial statements, or affidavits explaining how the person acquired their wealth), performing independent background checks or intelligence research, and ongoing monitoring at a heightened frequency. If a client is a PEP, for instance, you might conduct media searches or use a screening service to see if they’ve been implicated in corruption, and you might require annual re-certification of their information.
  • Ongoing Monitoring and Updates: CDD is not a one-and-done exercise – it must continue through the life of the client relationship (hence FinCEN’s emphasis on “ongoing” CDD). Establish procedures to keep customer information up to date. This could include periodic refreshes (e.g. request customers to update information every 1-2 years for higher risk, every 3-5 years for lower risk) or event-driven updates (e.g. if a client’s account behavior changes significantly or negative news arises, revisit their profile). Screen customers against sanctions and watchlists regularly, not just at onboarding. For example, run your client and investor names through OFAC sanctions lists, politically exposed person lists, and adverse media databases at onboarding and perhaps on a monthly or quarterly basis thereafter. Automated solutions can help with this ongoing screening. If anything changes (say a previously normal client gets indicted for fraud, or a new beneficial owner comes into an entity), that should trigger a re-evaluation of risk and potentially EDD.
  • Documentation and Record-keeping: All CDD and EDD steps should be documented thoroughly. Keep copies of the identification data and verification steps in your files. If you consulted any external sources (e.g. an investigative report on a client), keep those on record. FinCEN requires that records of identification obtained (like copies of IDs) and beneficial ownership information be retained for at least five years after the account is closed or the customer relationship ends. Good record-keeping of CDD files will be crucial in demonstrating your compliance during an audit or examination. Additionally, document your rationale for risk ratings and any decisions around accepting high-risk clients – this shows a thoughtful, risk-based process.

By implementing these CDD and EDD best practices, RIAs create a strong front-line defense against illicit money. They help ensure you only accept legitimate clients and that you understand their financial dealings well enough to catch suspicious activity. As a practical tip, many RIAs are now revisiting all their existing clients from an AML perspective. Before 2026, perform retroactive due diligence on your current customer base – verify you have the necessary information on file for legacy clients, and remediate any gaps (e.g. collect missing beneficial owner info or update expired documents). FinCEN’s rule essentially expects that by the effective date, even pre-existing clients have been brought up to the new CDD standards. Prioritize reviewing higher-risk relationships first. This catch-up effort is essential for a smooth transition to full compliance.

Transaction Monitoring and Suspicious Activity Reporting (SAR)

A centerpiece of any AML program is the ability to monitor transactions and report suspicious activity. Transaction monitoring for RIAs may present different challenges compared to banks, but it is nonetheless crucial. RIAs must file Suspicious Activity Reports (SARs) with FinCEN for any suspect transactions, just as other financial institutions do. Here’s how to build an effective transaction monitoring and SAR reporting process:

Implementing a Transaction Monitoring System

What to monitor: RIAs should identify the types of transactions that flow through their business and set up controls to review them. Common transactions in the investment adviser context include: wires or ACH transfers of funds into and out of client accounts, movement of money between a client’s accounts or between a client and third parties, subscriptions and redemptions in funds, fee payments, and in some cases, transfers of securities or other assets. Even though RIAs may use qualified custodians to actually hold and move client funds, the RIA is in a position to observe and know the purpose of those transactions, making monitoring a shared responsibility.

Monitoring system components: A good transaction monitoring system typically includes the following components:

  • Rule-Based Alerts: Establish rules or scenarios that flag potentially suspicious transactions. For example, generate an alert if multiple transfers just under $10,000 occur (possible structuring to avoid reporting thresholds), if a client suddenly sends a large wire to a high-risk country, or if an investment redemption is requested sooner than would be expected (possibly indicating an illicit source trying to quickly withdraw). Rules should be tailored to your firm’s activity – too many generic rules can overwhelm you with false positives, but too few can miss risks. Start with known red flags from regulatory guidance (FinCEN advisories, SEC and FINRA lists of red flags) and calibrate them to realistic thresholds based on your customers. For instance, a $5,000 transfer might be ordinary for one RIA but significant for another; set thresholds that make sense for your average transaction sizes.
  • Risk-Based Segmentation: Incorporate customer risk into monitoring. Higher-risk clients or accounts should be subject to more sensitive alert triggers. If you’ve rated certain clients as high risk (say a private fund with offshore investors), you might lower the dollar threshold that triggers an alert for their transactions. This ensures you cast a wider net where risk is greater, while not overburdening the system on low-risk routine flows.
  • Automated Tools: Given the data-driven nature of monitoring, many RIAs will leverage software solutions. AML software for investment advisers can automate the detection of suspicious patterns in transactions and even perform anomaly detection using advanced analytics. Modern AI-driven transaction monitoring systems (such as those offered by Flagright and others) allow firms to configure rules quickly and use machine learning to spot out-of-pattern transactions that rules might miss. For example, an AI system could learn what “normal” trading or transfer behavior looks like for a particular client and flag deviations without a pre-set rule. Automation is especially helpful as your volume of transactions grows – it provides continuous oversight in near real-time. It’s no surprise many firms are seeking AML software for investment advisers that is easy to deploy and comes with pre-built rule libraries and machine learning capabilities.
  • Case Management Workflow: Monitoring doesn’t stop at generating alerts. Your system (or manual process for smaller firms) should include a case management component to investigate alerts. When an alert fires, a compliance analyst should review the details: what is the transaction, does it have a reasonable explanation, is there matching against any negative news or sanctions lists for the parties involved? The analyst may need to reach out to the relationship manager or even the client for clarification (taking care not to tip off the client if it’s truly suspicious). Each alert review should be documented with the findings and a clear disposition: either “cleared” (found to be explainable) or escalated for potential SAR filing. A good case management tool will track these steps and maintain an audit trail.
  • Continuous Tuning: After you go live with a monitoring system, plan to periodically tune the rules and models. You may find in the first few months that certain rules are generating too many false positives and need adjustment, or that you encountered a suspicious case that wasn’t flagged by any rule – indicating a new scenario to add. Regulators appreciate when firms refine their systems based on experience, as it shows a commitment to effective detection (versus a “set and forget” approach). Document any changes to your monitoring procedures or thresholds as part of your program updates.
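As an added example (not code from the article or from any vendor it mentions), the rule logic below implements three of the alert scenarios listed above over a handful of constructed transactions: structuring just under the $10,000 threshold, a transfer to a high-risk jurisdiction, and a large-transfer rule whose dollar threshold is lowered for higher-risk clients (risk-based segmentation). The client IDs, country codes, thresholds and look-back window are assumptions chosen for illustration, not values from the rule.

```python
"""Rule-based transaction monitoring over constructed sample transactions.

Added illustration, not the article's or any vendor's code. Every client,
country code, amount and threshold here is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed client risk ratings, i.e. the output of CDD risk profiling.
CLIENT_RISK = {"C-1001": "low", "C-2002": "high", "C-3003": "medium"}

# Placeholder high-risk jurisdiction codes; a real program derives this list
# from FinCEN/FATF guidance and the firm's own risk assessment.
HIGH_RISK_COUNTRIES = {"XX", "YY"}

# Risk-based segmentation: the large-transfer threshold depends on client risk.
LARGE_TRANSFER_THRESHOLD = {"low": 250_000, "medium": 100_000, "high": 25_000}

CTR_THRESHOLD = 10_000        # currency transaction reporting threshold
STRUCTURING_BAND = 0.10       # "just under" = within 10% below the threshold
STRUCTURING_MIN_COUNT = 3     # this many sub-threshold transfers ...
STRUCTURING_WINDOW_DAYS = 7   # ... inside a rolling window of this length


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    client_id: str
    when: date
    amount: float
    direction: str             # "in" or "out"
    counterparty_country: str  # ISO-style code of the other side of the transfer


@dataclass(frozen=True)
class Alert:
    rule: str
    client_id: str
    txn_ids: tuple
    reason: str


def rule_large_transfer(txns):
    """Flag transfers at or above the threshold for the client's risk tier."""
    alerts = []
    for t in txns:
        # An unknown client has no completed risk profile: treat as high risk.
        risk = CLIENT_RISK.get(t.client_id, "high")
        threshold = LARGE_TRANSFER_THRESHOLD[risk]
        if t.amount >= threshold:
            alerts.append(Alert("LARGE_TRANSFER", t.client_id, (t.txn_id,),
                                f"{t.amount:,.0f} >= {risk}-risk threshold {threshold:,}"))
    return alerts


def rule_high_risk_jurisdiction(txns):
    """Flag any funds flow to or from a listed high-risk jurisdiction."""
    return [Alert("HIGH_RISK_JURISDICTION", t.client_id, (t.txn_id,),
                  f"{t.direction}bound funds vs. {t.counterparty_country}")
            for t in txns if t.counterparty_country in HIGH_RISK_COUNTRIES]


def rule_structuring(txns):
    """Flag a client with STRUCTURING_MIN_COUNT or more transfers just under the
    CTR threshold inside a rolling STRUCTURING_WINDOW_DAYS window."""
    lower = CTR_THRESHOLD * (1 - STRUCTURING_BAND)
    by_client = defaultdict(list)
    for t in txns:
        if lower <= t.amount < CTR_THRESHOLD:
            by_client[t.client_id].append(t)
    window = timedelta(days=STRUCTURING_WINDOW_DAYS)
    alerts = []
    for client_id, cand in by_client.items():
        cand.sort(key=lambda t: t.when)
        for i, first in enumerate(cand):
            group = [t for t in cand[i:] if t.when - first.when <= window]
            if len(group) >= STRUCTURING_MIN_COUNT:
                total = sum(t.amount for t in group)
                alerts.append(Alert("STRUCTURING", client_id,
                                    tuple(t.txn_id for t in group),
                                    f"{len(group)} transfers just under "
                                    f"{CTR_THRESHOLD:,} totalling {total:,.0f}"))
                break  # one alert per client is enough for the analyst queue
    return alerts


def run_monitoring(txns):
    """Run every rule and return alerts ordered by client, then rule name."""
    alerts = (rule_large_transfer(txns) + rule_high_risk_jurisdiction(txns)
              + rule_structuring(txns))
    return sorted(alerts, key=lambda a: (a.client_id, a.rule))


# Constructed sample activity: one week of transfers for three clients.
SAMPLE_TXNS = [
    # C-1001 (low risk): three inbound wires just under $10,000 within 5 days.
    Transaction("T1", "C-1001", date(2025, 3, 1), 9_500, "in", "US"),
    Transaction("T2", "C-1001", date(2025, 3, 3), 9_700, "in", "US"),
    Transaction("T3", "C-1001", date(2025, 3, 5), 9_400, "in", "US"),
    # C-1001: $150k out, below the low-risk threshold, so no large-transfer alert.
    Transaction("T4", "C-1001", date(2025, 3, 10), 150_000, "out", "US"),
    # C-2002 (high risk): $30k out exceeds that tier's $25k threshold.
    Transaction("T5", "C-2002", date(2025, 3, 11), 30_000, "out", "US"),
    # C-3003 (medium): $50k out is under its threshold but goes to "XX".
    Transaction("T6", "C-3003", date(2025, 3, 12), 50_000, "out", "XX"),
]

if __name__ == "__main__":
    for a in run_monitoring(SAMPLE_TXNS):
        print(f"{a.rule:<22} {a.client_id} {a.txn_ids} {a.reason}")
```

Each alert carries the transaction IDs and a reason string so an analyst can record a disposition (cleared or escalated) against it in a case file.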

In sum, a transaction monitoring system is how you operationalize the detection of suspicious activity. It fits into the RIA AML program as a key internal control (part of the “detect” function of your program). While RIAs might see fewer transactions than a retail bank, the high-dollar nature of investments means each transaction could be significant. Thus, having an appropriate monitoring capability is essential. Many of the enforcement cases in the broker-dealer world have involved failures in monitoring – such as not investigating flagged activities or ignoring obvious red flags. RIAs should learn from those and build a responsive monitoring process from the start.

Suspicious Activity Reporting Obligations

When a transaction or client activity cannot be explained and appears indicative of illegal activity, the RIA may need to file a Suspicious Activity Report. Under FinCEN’s rule, RIAs are required to file SARs for any suspicious transaction involving at least $5,000 in funds or assets. The obligation is very similar to what banks and broker-dealers do:

  • When to file a SAR: A SAR must be filed if the adviser “knows, suspects, or has reason to suspect” that a transaction (or attempted transaction) involves funds derived from illegal activity, is intended to hide funds or assets from illegal activity, evades regulations (like structuring to avoid reporting requirements), or has no business or apparent lawful purpose. In practice, after investigating an alert, if you conclude that the activity has no plausible legitimate explanation or involves a known bad actor, it’s SAR time. Common scenarios for RIAs might include: a client suddenly wiring out a large sum to a secrecy-haven country with no good reason, an investor in a fund who is discovered to be using stolen identity information, a series of contributions and immediate withdrawals that look like layering of funds, or any situation where the RIA is used as a pass-through for funds rather than for bona fide investment purposes.
  • SAR Filing Process: SARs are filed electronically with FinCEN (through the BSA E-Filing system). Your AML compliance officer will typically take charge of SAR filings. A SAR must be filed within 30 calendar days of determining that the activity is suspicious (you can take a bit longer, up to 60 days total, if you can’t identify a suspect right away). It’s good practice to draft the SAR narrative carefully, including the who, what, when, where, and why of the suspicious activity. Be detailed: regulators have criticized firms for filing SARs with minimal or generic information that doesn’t adequately explain the suspect transactions. For example, rather than saying “customer appeared suspicious,” detail how: e.g., “Client X wired $1 million to [Country] one day after depositing funds from an unrelated third party, which is inconsistent with the client’s investment objectives; our due diligence could not verify the source of funds, raising money laundering concerns.” The SAR narrative should tell the story clearly to law enforcement.
  • SAR Confidentiality: Remember that SARs are confidential – you must not inform the client or any unauthorized party that you filed a SAR. Internally, SAR information should be tightly held (generally known only by the compliance team and perhaps senior management or legal counsel on a need-to-know basis). Breaching SAR confidentiality is a serious violation of federal law.
  • Post-SAR Actions: Filing a SAR is not the end of your duty. Depending on the situation, the firm should consider whether it needs to take further action, such as reviewing whether it wants to continue the relationship with the client (if the risk is too high or the activity continues, many firms will exit the relationship). Also, continue to monitor the client closely going forward; sometimes suspicious activity is an isolated incident, other times it’s part of a pattern. If additional suspicious transactions occur, you may need to file follow-up SARs (and there is a requirement to file continuing activity SARs if the activity persists over 90-day periods). Keep law enforcement requests in mind as well – occasionally after filing, law enforcement might reach out for more information or issue a subpoena. Be prepared with well-organized documentation (another reason your case management and recordkeeping are important).
  • Record-keeping: For each SAR filed, retain copies of the SAR and all supporting documentation for at least five years. Supporting docs might include account statements, transaction records, emails or communications related to the activity, and analysis you did. If an examiner or FinCEN asks, you must be able to produce these records to show why the SAR was filed. Treat these files securely due to their sensitive nature.

Suspicious activity reporting is one of the most important outputs of your AML program – it’s how your firm contributes to the broader fight against financial crime. FinCEN and law enforcement rely on SAR filings to spot trends and build cases. RIAs should aim for quality in their SAR process: timely detection, thorough investigation, prompt filing, and robust narratives. By doing so, you not only comply with the law but also protect your firm from potentially being an unwitting conduit for criminal funds. And as noted, regulators will be looking closely at whether RIAs identify and report suspicious activities; failures to file when required can lead to hefty penalties.

Record-keeping Requirements and Additional BSA Obligations

Alongside programmatic elements and reporting, the BSA brings a host of recordkeeping requirements that RIAs must integrate into their compliance program. Here are key recordkeeping and related obligations under FinCEN’s rule:

  • Currency Transaction Reports (CTR) and $10,000 Records: If an RIA receives or distributes cash (in any form, including currency or certain monetary instruments) over $10,000 in one transaction or a series of related transactions, it is required to file a Currency Transaction Report. In practice, most RIAs do not handle physical cash – large investments typically come via wire or check through banks. However, if your firm were to, say, receive $15,000 in cash as part of a fee or an investor contribution (perhaps unlikely but not impossible), you must file a CTR within 15 days. Even outside of CTR filings, RIAs should keep records of any transaction over $10,000 involving monetary instruments or transfers. For example, if a client gives you a cashier’s check for $50,000 to invest, you should record the details of that instrument and transaction (date, amount, involved parties) and retain it for at least five years. These records ensure an audit trail for large transactions.
  • Funds Transfer Recordkeeping and Travel Rule: The “Travel Rule” requires that certain information “travels” with a funds transfer of $3,000 or more. Under FinCEN regulations, financial institutions initiating or transmitting funds transfers must include identifying information on the originator and beneficiary (name, address, account number, etc.) in the payment instructions, and retain records of that information. For RIAs, this typically means working with your custodial banks or prime brokers to ensure wire transfers related to advisory accounts include the required details. Your AML program should outline how you will comply: for instance, by providing the necessary client information to the sending bank when you instruct a transfer, and by retaining records of payment orders. If your RIA directly transmits funds (less common), you’ll need procedures to add and keep the required information. The Travel Rule is about transparency in payment chains, and even though an RIA might be a step removed, you are now responsible for ensuring the rule is met in transactions you initiate. Document the required details and store them for five years per the rule.
  • Section 314(a) Information Requests: Under USA PATRIOT Act Section 314(a), FinCEN periodically issues lists of individuals or entities suspected of terrorism or money laundering and requires financial institutions to search their records for any matches. Banks and broker-dealers have formal 314(a) procedures to check these FinCEN requests (usually sent bi-weekly) against their customer accounts. RIAs will now need a process as well. FinCEN’s rule mandates that RIAs comply with 314(a) requests, meaning when you receive a request, you must search your client and account databases for any listed names and respond via the secure FinCEN system if you find a match. Ensure someone (often the compliance officer) is signed up for FinCEN’s notifications and executes these searches in a timely manner (generally within two weeks of the request). Document your search results for each 314(a) request.
  • Section 314(b) Information Sharing: Section 314(b) allows financial institutions to share information with each other about individuals or transactions for the purposes of identifying and reporting money laundering or terrorist activity, provided they register with FinCEN and follow certain procedures. FinCEN’s rule permits RIAs to participate in 314(b) voluntary information sharing. While not a requirement, this can be a useful tool. For example, if you detect suspicious activity with a client that involves another institution (say a bank), you can reach out under 314(b) to that institution to gather more information, which might strengthen your understanding of the activity. To do this, your firm must file a registration with FinCEN and have a policy to only use the information for AML purposes and keep it confidential. Including a provision in your AML program that the firm may engage in 314(b) sharing (and how you’ll handle it) is advisable.
  • Special Measures and Sanctions Compliance: FinCEN’s regulations also mention that RIAs must be capable of adhering to any special measures (Section 311 of the USA PATRIOT Act) and certain targeted rules like the Combating Russian Money Laundering Act. These are less common scenarios where FinCEN might impose specific prohibitions or due diligence requirements on dealings with certain jurisdictions or entities of primary money laundering concern. For completeness, know that if any such measures apply, your program must incorporate them. In general, OFAC sanctions compliance is outside of FinCEN’s rule (sanctions are overseen by Treasury’s OFAC), but in practice, your AML program should dovetail with sanctions screening. Ensure you screen clients and transactions against OFAC sanctions lists, since facilitating a prohibited transaction could lead to separate penalties. Many AML software tools combine sanctions screening with transaction monitoring for convenience.
  • Retention Period: As a rule of thumb, retain all BSA-related records for five years. This includes CDD files, transaction records, SAR filings and support, CTR filings, 314(a) search documentation, training materials and attendance logs, independent test reports, etc. It’s wise to organize these records systematically (perhaps electronically in a secure folder structure or compliance software) so that you can retrieve anything needed during an examination. The SEC exam teams will likely ask for samples of these records to test your compliance.

By staying on top of these record-keeping and reporting obligations, RIAs not only comply with the letter of the law but also create a paper trail that demonstrates a diligent compliance program. These requirements may seem technical, but they significantly enhance transparency in the financial system and provide law enforcement with crucial data.
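As an added example, not code from the page or from any vendor, the following encodes the thresholds and filing windows described above (CTR for currency over $10,000 in single or related transactions filed within 15 days, Travel Rule data on funds transfers of $3,000 or more, and the SAR timing rules from the Suspicious Activity Reporting section) as checks a compliance team could run over its own transaction log. Field names, transaction kinds, the per-client-per-day notion of "related" cash transactions and all sample data are constructed assumptions.

```python
# Added example, not code from the page or any vendor: BSA thresholds and filing
# windows described above, encoded as checks over an RIA's transaction log.
# Field names, transaction kinds and all sample data are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

CTR_THRESHOLD = 10_000         # currency over this (single or related txns) -> CTR
CTR_FILING_DAYS = 15
TRAVEL_RULE_THRESHOLD = 3_000  # funds transfers at/above this carry Travel Rule data
SAR_FILING_DAYS = 30           # from the date activity is determined suspicious
SAR_NO_SUSPECT_DAYS = 60       # extended window when no suspect can be identified
SAR_REVIEW_PERIOD_DAYS = 90    # continuing-activity review period
TRAVEL_RULE_FIELDS = ("originator_name", "originator_address",
                      "originator_account", "beneficiary_name")

@dataclass
class Transaction:
    txn_id: str
    client_id: str
    txn_date: date
    amount: float
    kind: str                                    # "cash" or "transfer"
    details: dict = field(default_factory=dict)  # payment-order data for transfers

def ctr_obligations(txns):
    """Aggregate currency per client per day (assumed to be 'related' transactions)
    and return (client, date, total, filing deadline) for totals over $10,000."""
    totals = defaultdict(float)
    for t in txns:
        if t.kind == "cash":
            totals[(t.client_id, t.txn_date)] += t.amount
    return sorted((cid, d.isoformat(), total,
                   (d + timedelta(days=CTR_FILING_DAYS)).isoformat())
                  for (cid, d), total in totals.items() if total > CTR_THRESHOLD)

def travel_rule_gaps(txns):
    """Funds transfers of $3,000 or more whose payment order lacks required data."""
    gaps = []
    for t in txns:
        if t.kind == "transfer" and t.amount >= TRAVEL_RULE_THRESHOLD:
            missing = [f for f in TRAVEL_RULE_FIELDS if not t.details.get(f)]
            if missing:
                gaps.append((t.txn_id, missing))
    return gaps

def sar_deadline(determined_on, suspect_identified=True):
    """30 days from the determination date, or up to 60 when no suspect is known."""
    days = SAR_FILING_DAYS if suspect_identified else SAR_NO_SUSPECT_DAYS
    return (determined_on + timedelta(days=days)).isoformat()

def next_continuing_sar(previous_filing):
    """Continuing activity: review the 90 days after the last filing, then file
    within the usual 30-day window (assumption: the standard window applies)."""
    review_end = previous_filing + timedelta(days=SAR_REVIEW_PERIOD_DAYS)
    return (review_end.isoformat(),
            (review_end + timedelta(days=SAR_FILING_DAYS)).isoformat())

# Constructed sample log: two related cash receipts, one sub-threshold receipt,
# and three wires (complete, missing an originator field, and below $3,000).
FULL_ORDER = dict(originator_name="Client Four", originator_address="1 Main St",
                  originator_account="ACCT-4", beneficiary_name="Example Fund LP")
SAMPLE_TXNS = [
    Transaction("T1", "C1", date(2025, 3, 3), 6_000, "cash"),
    Transaction("T2", "C1", date(2025, 3, 3), 5_000, "cash"),
    Transaction("T3", "C2", date(2025, 3, 4), 9_500, "cash"),
    Transaction("T4", "C4", date(2025, 4, 11), 250_000, "transfer", FULL_ORDER),
    Transaction("T5", "C4", date(2025, 4, 12), 4_000, "transfer",
                {k: v for k, v in FULL_ORDER.items() if k != "originator_address"}),
    Transaction("T6", "C4", date(2025, 4, 13), 2_500, "transfer"),
]

def run_checks(txns=SAMPLE_TXNS):
    """Obligations the log triggers, plus SAR dates for a constructed
    determination on 2025-05-01 and a prior SAR filed on 2025-05-20."""
    return {
        "ctr": ctr_obligations(txns),
        "travel_rule_gaps": travel_rule_gaps(txns),
        "sar_with_suspect": sar_deadline(date(2025, 5, 1)),
        "sar_no_suspect": sar_deadline(date(2025, 5, 1), suspect_identified=False),
        "continuing_sar": next_continuing_sar(date(2025, 5, 20)),
    }
```

Running `run_checks()` flags the two related C1 receipts (total $11,000, CTR due 15 days later) and the $4,000 wire missing an originator address, while the $9,500 receipt and the $2,500 wire stay below their thresholds.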

AML Compliance Checklist and Timeline for RIAs (2024–2025)

Building an AML program from scratch can be daunting. RIAs should approach this as a structured project. Below is a practical AML compliance checklist with a suggested timeline to get your firm from today to the January 1, 2026 deadline:

  1. Initial Risk Assessment (Q2 2024 – Q3 2024): Immediately kick off a comprehensive risk assessment of your advisory business. Identify how money laundering or terrorist financing could potentially occur given your clients, products, and geographies. Review your existing compliance policies to find gaps. (Many RIAs in 2024 have no formal AML policy – this is your starting gap to close.) Begin educating senior management on the new requirements. If needed, engage external consultants or legal counsel to guide you on obligations specific to RIA AML compliance. Output: A written risk assessment and a list of gap areas to address (e.g. need to draft AML procedures, need to choose software, additional staff required, etc.).
  2. Design AML Program and Policies (Q4 2024): Develop the core AML program for investment advisers in writing. Draft the AML compliance manual covering all five pillars: internal controls, customer due diligence procedures, SAR reporting process, training plan, independent audit plan. Include detailed procedures for CDD/EDD, transaction monitoring, and recordkeeping as discussed above. Circulate drafts among key stakeholders (compliance, legal, operations, executive leadership) for input. Designate your AML Compliance Officer if not already done – formally assign the role and update their job description now. If you have affiliated entities (e.g. a broker-dealer arm), decide whether to integrate programs or keep them separate, ensuring nothing falls through the cracks. Output: A finalized Written AML/CFT Compliance Program, ready for approval.
  3. Secure Approvals and Resources (Q1 2025): Present the written program to your firm’s senior management or board for approval (document this approval in meeting minutes or a signed resolution). Use this period to also allocate budget and resources: acquire any needed AML software or tools, and plan for hiring or outsourcing to fill gaps. For example, evaluate transaction monitoring systems for RIAs that fit your business scale. Solutions like Flagright’s AI-driven platform can be deployed quickly and configured with RIA-specific rules, providing a low-friction, fast deployment option for compliance technology. Choosing a technology partner early will help automate much of your program. Additionally, line up an independent auditor/consultant for the future testing phase (or ensure your internal audit has capacity). Output: Management-approved AML program and the necessary tools and personnel in place to execute it.
  4. Implement Customer Due Diligence Processes (Q2 2025): Begin applying your CDD procedures to new clients going forward and start retrofitting existing clients. Create or update client onboarding forms to capture all required information (beneficial owners, expected activity, etc.). Train client-facing teams on the new onboarding requirements and review all new client files for completeness. Simultaneously, start reviewing your backlog of clients: prioritize high-risk or large clients for immediate re-diligence. By mid-2025, you should have made substantial progress in collecting any missing data from current customers. This phase is labor-intensive – consider leveraging compliance interns or temporary analysts if needed to hit the deadline. Output: Updated CDD files for a significant portion of clients and a clear tracker for remaining ones; new clients being onboarded under the AML standards.
  5. Training Rollout (Q3 2025): Develop training materials customized to your policies. Schedule firm-wide training sessions (or e-learning modules) on the new AML program for all employees. Emphasize practical guidance: walk through how to spot suspicious activity, how to escalate issues, and each person’s responsibilities. Include scenario exercises for advisors and operations staff. Make training interactive if possible (Q&A, case studies) to ensure engagement. By the end of Q3 2025, every relevant employee should have completed an initial AML training session. Output: Training completion records for staff, and increased awareness across the firm.
  6. Test Your Systems and Controls (Q4 2025): As 2025 winds down, conduct an initial independent test or audit of your in-place program. If your program is largely implemented by early Q4, you can hire an outside expert to perform a mock audit. Alternatively, do an internal audit if independence criteria are met. This test should check: are all required pieces implemented (e.g. do we have SAR filing capability? Are we properly logging transactions? Are employees following procedures?). Also, run scenarios through your transaction monitoring system to ensure alerts are triggering as expected. Address any findings immediately. It’s better to discover and fix weaknesses now than to have the SEC find them in 2026. Output: An audit report or testing memo identifying any gaps, and documentation that those gaps were remediated (e.g. revised procedures, additional training, fine-tuned rules).
  7. Final Adjustments and Go-Live (Late Q4 2025): In the final weeks of 2025, wrap up any loose ends. Ensure all existing clients have gone through at least a basic level of due diligence refresh. Complete any pending SAR filings that need to be sent in (don’t go into 2026 with a backlog). Have the AML Compliance Officer do a final check that all required elements (policies, officer, training, testing, reporting, recordkeeping) are in place. If your firm has a board or committee, consider an end-of-year briefing on AML readiness. Also, prepare an AML onboarding kit for new clients in 2026 (so that your client onboarding team has everything ready for Day 1 compliance for any new accounts opened after the rule is effective). Output: Certification (even if just internal) that the firm is AML compliant as of Jan 1, 2026.
  8. Post-Implementation Monitoring (2026 and beyond): As the rule takes effect, be ready for regulatory scrutiny. The SEC may include AML compliance in their examinations early in 2026 to gauge industry implementation. Continue to refine your program: gather feedback from staff on any challenges, monitor regulatory updates (e.g. if the joint SEC/FinCEN Customer Identification Program rule is finalized in 2025, be prepared to implement those requirements too). Keep training new hires and perform your next independent test in 2026 on schedule. Think of the program as an evolving process – maintain an ongoing compliance calendar to stay on top of periodic duties (SAR filings, 314(a) checks, annual training, audit, etc.). Output: Sustainable AML compliance operations integrated into business-as-usual.

Following this timeline, RIAs can systematically build up to full compliance without a last-minute scramble. The key is to start early and tackle the project in phases. By breaking it down into these steps, you transform a complex mandate into manageable tasks.

Leveraging Technology and Choosing the Right Compliance Partner

Implementing an AML program in a short timeframe is challenging, but technology can significantly ease the burden. Many RIAs are turning to specialized AML software for investment advisers to automate customer screening, transaction monitoring, and case management. The right technology can help you achieve compliance faster and with fewer dedicated personnel, which is especially attractive for smaller compliance teams. When evaluating solutions, look for:

  • Speed of Deployment: With the deadline approaching, a solution that can be up and running in days or weeks (not months) is ideal. Cloud-based, no-code platforms allow quick configuration of rules and workflows without lengthy IT projects. For example, Flagright’s platform advertises the ability to “monitor transactions, configure rules in minutes, and detect suspicious activity with a no-code, customizable monitoring system.” Such rapid deployment means you can start testing your transaction monitoring and screening processes well before the 2026 deadline.
  • AI-Driven Insights: Modern AML solutions increasingly incorporate artificial intelligence and machine learning. AI-driven transaction monitoring can adapt to your data, reduce false positives, and highlight anomalies that a static rule might miss. Flagright, for instance, offers AI forensics tools that augment alert investigations and improve decision-making, as noted by compliance officers who have used it to “revolutionize the way we approach compliance today.” For RIAs dealing with complex investment transactions, this intelligence can be a force multiplier – allowing a small team to oversee large volumes of activity efficiently.
  • Integrated Screening and Case Management: Ideally, your system will not only monitor transactions but also handle sanctions/PEP screening of clients and provide a case management module to track investigations and SAR filings. An integrated platform means all your compliance data (customer profiles, risk scores, alerts, investigator notes, filing history) lives in one place – making it easier to manage and to provide evidence to examiners. It also helps with the “auditability” of your program, since you can pull reports on what was reviewed and when.
  • Customization for RIA Business Models: Ensure the vendor understands the RIA space, not just retail banking. The scenarios that matter for an RIA (e.g. unusual private fund subscriptions, rapid in-and-out movements, misuse of a managed account for transfers) may differ from those in a consumer bank. A good compliance technology partner will have pre-built rules or templates for investment advisers and be willing to work with you to refine them. Check if they have other RIA or asset management clients, or if they offer specific modules (some platforms list “Fund management” or “RIAs” as a supported industry in their materials).
  • Regulatory Reporting Support: Does the software assist in generating SARs or other reports? Some platforms can auto-populate SAR fields from your case data and even e-file them to FinCEN directly or through integration, which can save time and reduce errors. Likewise, keeping digital records for 5 years is easier if your system automatically archives all alerts and documentation.

One example of a compliance technology partner is Flagright – an AI-native AML compliance platform known for quick deployment and comprehensive features. Flagright has been recognized as an innovative solution in this space, even being awarded #1 overall AML compliance solution according to industry rankings. For RIAs needing to get an AML program running with minimal friction, partnering with a provider like Flagright can be ideal. Flagright provides pre-built transaction monitoring rules, automated customer risk scoring, and case management, all specifically designed to meet BSA requirements.

Of course, technology alone is not a silver bullet – it must be combined with competent staff and sound procedures. But choosing a strong tech partner can greatly reduce the manual burden and help flag issues that humans might miss. As you build your AML program, consider performing a cost-benefit analysis of software vs. purely manual processes. Often, the efficiency gained and the improved detection capability more than justify the investment in a modern AML system. Plus, regulators tend to view the use of reputable compliance tools as a positive sign of a firm’s commitment to robust controls.

Conclusion

The countdown to January 1, 2026 is underway for RIAs to achieve full AML/BSA compliance under FinCEN’s new rule. By focusing on U.S. regulatory requirements and learning from past enforcement cases, investment advisers can avoid common pitfalls and establish a program that not only meets the rule’s minimum standards but truly safeguards their business from abuse. In summary, firms should ensure they have a written AML program with strong internal controls, a knowledgeable compliance officer at the helm, ongoing training for staff, regular independent audits, and thorough customer due diligence processes from onboarding through monitoring and reporting. Each of these pillars is essential – neglecting any one of them could expose the firm to regulatory action or financial crime risk.

Schedule a demo to see Flagright in action.