AT A GLANCE

Registered Investment Advisers (RIAs) must implement AML programs by January 1, 2028, under FinCEN's final rule. This marks the first time SEC-registered RIAs face Bank Secrecy Act obligations. Programs must include five core elements: written policies, a designated compliance officer, internal controls with transaction monitoring, employee training, and independent testing. Firms face SEC enforcement and penalties of $150,000 or more for non-compliance.

What Is FinCEN's AML Rule for Investment Advisers?

FinCEN’s August 2024 final rule extends Bank Secrecy Act obligations to investment advisers for the first time, introducing new anti-money laundering (AML) requirements. Previously, most RIAs operated without explicit AML obligations, creating a regulatory gap.

Who must comply:

  • SEC-registered investment advisers
  • Exempt Reporting Advisers to private funds

Who is excluded (for now):

  • State-registered advisers
  • Foreign private advisers
  • Family offices

The rule responds to cases where illicit actors exploited advisers to launder funds, including sanctioned individuals using private funds to circumvent controls. FinCEN signaled it will monitor those excluded sectors and could expand coverage in the future. The new rule closes that gap by adding SEC-registered RIAs (and certain exempt reporting advisers) to the BSA’s definition of “financial institution”.

What Are the Five Pillars of a BSA/AML Compliance Program?

The foundation of an AML program for investment advisers is built on five core elements required by FinCEN.

1. What Should Be Included in a Written AML Program?

Your written AML program must be comprehensive, risk-based, and approved by senior management.

Essential components:

  • Risk assessment covering client types, services, transaction volumes, and geographic exposures
  • Core procedures for customer due diligence, identity verification, transaction monitoring, SAR filing, and recordkeeping
  • Roles and responsibilities across departments with clear approval hierarchies
  • Operational integration showing how AML controls embed into daily workflows

Common pitfall: Using generic templates. The SEC has cited firms for "relying on general AML policies not tailored to the specific business." Customize everything to your firm's risk profile.

2. Who Should Be the AML Compliance Officer?

Appoint a designated individual responsible for implementing and overseeing your entire program. For most RIAs, this is the Chief Compliance Officer.

Requirements:

Document responsibilities including policy maintenance, risk assessments, CDD reviews, SAR filings, training coordination, and regulatory liaison.

3. What Internal Controls Does an RIA Need for AML Compliance?

Internal controls enforce your RIA’s AML program daily and must prevent, detect, and report suspicious activity.

Customer Due Diligence (CDD):

  • Collect and verify identifying information (name, DOB, address, government ID)
  • Identify beneficial owners (25% ownership threshold plus one control person)
  • Understand relationship nature and expected activity
  • Develop customer risk profile

Enhanced Due Diligence (EDD) for high-risk clients:

  • Politically exposed persons (PEPs)
  • Clients from high-risk jurisdictions
  • Complex ownership structures
  • Unclear source of funds

EDD measures include detailed wealth documentation, background checks, frequent reviews, and senior management approval.

Transaction Monitoring:

  • Monitor wires, fund subscriptions/redemptions, capital movements
  • Flag patterns like structuring, transfers to high-risk countries, or inconsistent activity
  • Investigate alerts and document findings
  • Use automated systems where possible
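The monitoring rules listed above, run over a handful of constructed transactions as an added example (not code from the article or from any vendor's product). The $10,000 figure is the Currency Transaction Report level that structuring tries to stay under; the seven-day window, the 10x expected-activity multiplier, the account profiles and the placeholder country codes "XX"/"YY" are all assumptions.

```python
"""Rule-based transaction monitoring for an adviser's client accounts (added example)."""
from collections import defaultdict
from datetime import date, timedelta

CTR_THRESHOLD = 10_000          # CTR reporting level; structuring keeps deposits below it
WINDOW = timedelta(days=7)      # assumed look-back window for aggregating deposits
HIGH_RISK = {"XX", "YY"}        # constructed placeholder codes, not a real jurisdiction list
PROFILE = {"ACC-1": 50_000, "ACC-2": 20_000}  # constructed expected monthly inflow per account

# Constructed sample: (account, date, amount_usd, direction, counterparty_country)
TXNS = [
    ("ACC-1", date(2025, 3, 1), 9_500, "in", "US"),
    ("ACC-1", date(2025, 3, 3), 9_800, "in", "US"),
    ("ACC-1", date(2025, 3, 5), 9_900, "in", "US"),
    ("ACC-1", date(2025, 3, 6), 1_000_000, "out", "XX"),
    ("ACC-2", date(2025, 3, 2), 15_000, "in", "US"),
]

def monitor(txns, profile=PROFILE):
    """Return a list of (account, rule, detail) alerts for analyst review and documentation."""
    alerts = []
    by_acct = defaultdict(list)
    for acct, d, amt, direction, country in sorted(txns, key=lambda t: t[1]):
        by_acct[acct].append((d, amt, direction))
        # Rule 1: outbound transfer to a high-risk jurisdiction
        if direction == "out" and country in HIGH_RISK:
            alerts.append((acct, "HIGH_RISK_JURISDICTION", f"{amt} to {country} on {d}"))
        # Rule 2: single transaction far outside the client's expected activity
        if amt > 10 * profile.get(acct, float("inf")):
            alerts.append((acct, "INCONSISTENT_WITH_PROFILE",
                           f"{amt} vs expected {profile[acct]}"))
    # Rule 3: structuring - several sub-threshold inflows inside the window
    # that together reach the reporting level
    for acct, rows in by_acct.items():
        small = [(d, amt) for d, amt, direction in rows
                 if direction == "in" and amt < CTR_THRESHOLD]
        for i, (start, _) in enumerate(small):
            group = [a for d, a in small[i:] if d - start <= WINDOW]
            if len(group) >= 3 and sum(group) >= CTR_THRESHOLD:
                alerts.append((acct, "POSSIBLE_STRUCTURING",
                               f"{len(group)} deposits totaling {sum(group)} in {WINDOW.days} days"))
                break  # one structuring alert per account is enough for review
    return alerts

if __name__ == "__main__":
    for alert in monitor(TXNS):
        print(alert)
```

Every alert is a record to investigate and document, not a SAR decision by itself; the analyst's finding and rationale for clearing or escalating belong in the case file.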

4. What AML Training Is Required for RIA Employees?

Provide ongoing training to all relevant personnel at least annually.

Effective programs include:

  • Money laundering basics and terrorist financing
  • Firm-specific policies and procedures
  • How to identify red flags in your business context
  • Individual reporting duties and escalation procedures
  • Updates on emerging risks and regulatory changes

Tailor content to your business model, whether fund management, private funds, or separately managed accounts, using real-world scenarios. Maintain completion records, quiz results, and attendance logs for SEC examination readiness.

5. How Often Must RIAs Test Their AML Program?

Conduct independent testing at least annually. The tester must be qualified and independent from day-to-day AML operations.

Testing scope:

  • Review risk assessment accuracy
  • Sample customer due diligence files
  • Evaluate the effectiveness of transaction monitoring
  • Assess SAR filing quality and timeliness
  • Verify training completion
  • Check recordkeeping compliance

Results must be documented with identified deficiencies, recommendations, and management's remediation plan.

How Should RIAs Conduct Customer Due Diligence?

What Information Must RIAs Collect During Onboarding?

For individuals:

  • Full name, date of birth, address
  • Government-issued photo ID
  • Social Security Number
  • Occupation and expected activity

For entities:

  • Legal name and formation documents
  • Business address and tax ID
  • Beneficial ownership information
  • Nature of business

Verify all information using government documents, third-party databases, or electronic verification services.

How Do You Identify Beneficial Owners?

Follow the 25% rule: Identify individuals owning 25% or more of an entity, plus at least one control person (executive, trustee, general partner).

For complex structures, drill through entity layers to find ultimate human owners. Document the complete ownership chain. A 2025 SEC case (Navy Capital) highlighted how failing to verify beneficial owners led to inadvertently accepting a sanctioned investor.
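The drill-through described above, as an added example that is not part of the original article: effective ownership is the product of the percentages along each path from the client entity down to a natural person, summed across paths, and anyone whose aggregate share reaches 25% is reported together with the chain that produced it. The cap table, names and percentages are constructed.

```python
"""Beneficial-owner drill-through across layered entity ownership (added example)."""
from collections import defaultdict

# Constructed cap table: entity -> list of (holder, fraction held).
# Holders that never appear as keys are natural persons (leaf nodes).
OWNERSHIP = {
    "ClientFund LP": [("HoldCo A", 0.60), ("HoldCo B", 0.30), ("Dana Lee", 0.10)],
    "HoldCo A": [("Pat Kim", 0.50), ("Sub C", 0.50)],
    "Sub C": [("Pat Kim", 0.40), ("Ravi Rao", 0.60)],
    "HoldCo B": [("Ana Sol", 1.00)],
}
THRESHOLD = 0.25   # ownership prong of the beneficial-ownership test

def ultimate_owners(entity, graph=OWNERSHIP, max_depth=20):
    """Return {person: (effective_fraction, [chains])} for every ultimate human owner.

    Walks every path from the customer entity through intermediate entities,
    multiplying percentages along the way and summing across paths so that
    indirect holdings through several vehicles are aggregated per person.
    """
    result = defaultdict(lambda: [0.0, []])
    stack = [(entity, 1.0, [entity])]
    while stack:
        node, frac, chain = stack.pop()
        if len(chain) > max_depth:   # guards against circular cap tables
            raise ValueError(f"ownership chain too deep at {node!r}; check for cycles")
        for holder, pct in graph.get(node, []):
            new_chain = chain + [holder]
            if holder in graph:      # another entity layer: keep drilling
                stack.append((holder, frac * pct, new_chain))
            else:                    # natural person: record the effective share
                result[holder][0] += frac * pct
                result[holder][1].append(" -> ".join(new_chain))
    return {p: (round(f, 6), chains) for p, (f, chains) in result.items()}

def beneficial_owners(entity, graph=OWNERSHIP, threshold=THRESHOLD):
    """Persons whose aggregate effective ownership meets the threshold."""
    return sorted(p for p, (f, _) in ultimate_owners(entity, graph).items() if f >= threshold)

if __name__ == "__main__":
    for person, (share, chains) in ultimate_owners("ClientFund LP").items():
        print(f"{person}: {share:.1%} via {chains}")
    print("Beneficial owners (>=25%):", beneficial_owners("ClientFund LP"))
```

Note that Pat Kim holds only 30% through HoldCo A directly, but the 12% routed through Sub C lifts the aggregate to 42%; a check that looks only at the first layer would understate that holding, and Ravi Rao at 18% is correctly left below the threshold. The control-person prong still has to be assessed separately.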

What Is Enhanced Due Diligence (EDD)?

EDD is heightened scrutiny for higher-risk customers. Triggers include PEPs, high-risk jurisdictions, complex structures, or unclear fund sources.

EDD measures:

  • Detailed source of wealth documentation
  • Independent background checks
  • More frequent account reviews
  • Senior management approval for relationship

How Often Should Customer Information Be Updated?

CDD is ongoing, not one-time. Update based on risk:

  • High-risk clients: Annually
  • Medium-risk: Every 2-3 years
  • Low-risk: Every 3-5 years

Also update when account behavior changes, negative news emerges, or structures change. Screen customers against sanctions and watchlists regularly, including re-screening against OFAC sanctions lists on at least a monthly or quarterly basis.

When Must RIAs File a Suspicious Activity Report (SAR)?

File a SAR when a transaction (or pattern of transactions) involves at least $5,000 and you know, suspect, or have reason to suspect that it:

  • Involves funds from illegal activity
  • Hides or disguises illicit funds
  • Evades reporting requirements (structuring)
  • Has no lawful purpose

What Is the SAR Filing Process?

  1. Investigation: Gather facts and determine if activity meets SAR threshold
  2. Filing deadline: Within 30 days (60 days if suspect unknown)
  3. Prepare narrative: Include who, what, when, where, why with specific details
  4. Submit: File electronically through FinCEN's BSA E-Filing System
  5. Maintain confidentiality: Never inform the client
  6. Retain records: Keep SAR and supporting docs for 5 years

Example narrative:

"Client wired $1M to [Country] one day after depositing from an unrelated third party, inconsistent with investment objectives. Due diligence couldn't verify the fund source. This raises money laundering concerns."

What Other BSA Obligations Apply to RIAs?

What Is the Travel Rule?

The Travel Rule requires funds transfers of $3,000+ to include originator and beneficiary information (name, address, account number) in payment instructions.

Work with custodians to ensure wire transfers include required details. Retain records for five years.

What Are FinCEN 314(a) Information Requests?

FinCEN periodically issues lists of suspected terrorists or money launderers. RIAs must:

  • Search customer databases for matches
  • Respond via FinCEN's secure system if found
  • Complete within two weeks
  • Document all searches

Designate your compliance officer to receive FinCEN notifications (typically bi-weekly).

How Long Must RIAs Retain BSA Records?

Five years for:

  • Customer due diligence files
  • Beneficial ownership information
  • Transaction records over $3,000
  • SAR and CTR filings
  • 314(a) search results
  • Training materials and attendance
  • Independent testing reports

What Is the Recommended RIA AML Compliance Timeline?

Months 1-6: Assessment and Design

  • Conduct comprehensive risk assessment
  • Draft written AML program covering all five pillars
  • Designate the AML compliance officer
  • Secure senior management approval

Months 6-12: Resource Allocation

  • Allocate budget for technology and staffing
  • Select and deploy AML software
  • Line up independent auditor

Months 12-24: Implementation

  • Apply CDD to all new clients
  • Conduct retroactive review of existing clients (prioritize high-risk)
  • Deploy transaction monitoring system
  • Complete firm-wide training

Months 24-30: Testing and Refinement

  • Conduct first independent test
  • Remediate identified gaps
  • Fine-tune monitoring rules
  • Prepare for SEC examinations

Post-2028: Ongoing Operations

  • Annual training and testing
  • Monitor regulatory updates
  • Continuous program improvement

How Can Technology Help RIAs Achieve Compliance Faster?

What Should RIAs Look for in AML Software?

Essential features:

  • Rapid deployment: Cloud-based, no-code platforms deploying in days
  • AI-driven monitoring: Machine learning that reduces false positives and detects anomalies
  • Integrated screening: OFAC sanctions, PEP databases, adverse media
  • Case management: Alert workflows, documentation, audit trails
  • RIA customization: Pre-built rules for adviser-specific scenarios
  • Reporting support: SAR preparation, automated filing assistance

Why Choose AI-Powered Solutions?

AI enhances compliance through:

  • Smarter pattern detection that traditional rules miss
  • 60-80% reduction in false positives
  • Faster investigations with automated data gathering
  • Scalability for small teams managing large volumes

Flagright provides an AI-native AML compliance platform with quick deployment, no-code configuration, and comprehensive coverage (screening, monitoring, case management), and has been recognized as the "#1 overall AML compliance solution" in industry rankings. Often, the efficiency gained and the improved detection capability more than justify the investment in a modern AML compliance solution.

Frequently Asked Questions

According to the SEC's risk alert, what must firms do to ensure their AML policies and procedures are effective?

Firms must conduct annual independent testing of their AML program. Testing should comprehensively review whether policies are followed in practice, whether they adequately address risks, and identify any deficiencies. The SEC expects documented results, prompt remediation, and continuous improvement.

What are the five pillars of BSA/AML compliance?

The five core elements are: (1) written policies approved by senior management, (2) designated AML compliance officer, (3) internal controls including customer due diligence and AI-driven transaction monitoring, (4) ongoing employee training annually, and (5) independent testing or audit annually.

What is enhanced due diligence in BSA compliance?

Enhanced Due Diligence (EDD) is heightened scrutiny for higher-risk customers. Triggers include PEPs, high-risk jurisdictions, complex structures, or unclear fund sources. EDD measures include detailed source of wealth documentation, background checks, frequent reviews, and senior management approval.

What triggers a requirement to file a SAR?

File a SAR when you know, suspect, or have reason to suspect a transaction involves illegal funds, hides illicit assets, evades reporting, or has no lawful purpose, and involves at least $5,000. Common triggers: unexplained transfers to high-risk countries, identity fraud, rapid fund movements, structuring, or inability to explain wealth source.

How do RIAs identify beneficial owners?

Identify individuals owning 25%+ of an entity client, plus at least one control person. For multi-layered structures, drill through to ultimate human owners. Collect identifying information for all beneficial owners and document the ownership chain.

What is the BSA Travel Rule?

Funds transfers of $3,000+ must include originator and beneficiary information (name, address, account number) in payment instructions. Work with custodians to ensure compliance and retain records for five years.

When do state-registered advisers need AML compliance?

Currently, state-registered advisers are not covered. Only SEC-registered RIAs and Exempt Reporting Advisers must comply with the AML compliance checklist by January 1, 2028. However, FinCEN may expand coverage in future rulemakings.

Can RIAs outsource their AML compliance function?

Yes, RIAs can outsource transaction monitoring, screening, testing, or even the compliance officer role. However, the RIA remains ultimately responsible. Conduct thorough due diligence on providers, maintain oversight, and document the arrangement.

What are common red flags for suspicious activity?

Key red flags: unwillingness to provide information or false information; unclear fund sources; unusually complex structures obscuring owners; transactions inconsistent with objectives; requests to transfer to unrelated third parties or high-risk countries; resistance to due diligence; early redemptions suggesting layering; involvement with sanctioned persons.

What is the penalty for failing to comply?

The SEC has penalized RIAs $150,000 for misrepresenting AML policies. Potential consequences include civil money penalties (hundreds of thousands to millions), enforcement actions, reputational damage, and potential criminal liability in severe cases.

Key Compliance Tips

Tip #1: Start Early

Don't wait until 2027. Follow a structured project plan with clear milestones reaching the January 1, 2028 deadline.

Tip #2: Customize Everything

Generic policies draw regulatory criticism. Tailor your risk assessment, monitoring rules, and training to your specific clients and services.

Tip #3: Invest in Technology

AI-powered platforms deploy quickly and reduce compliance workload by 60-80%. The ROI justifies the investment for most firms.

Tip #4: Document Thoroughly

Create audit trails for every decision: why you rated a client high-risk, cleared an alert, or filed a SAR. Documentation demonstrates your risk-based approach.

Tip #5: Build a Compliance Culture

Effective AML requires participation from advisers, operations, and management. Frame compliance as protecting the firm and financial system.

Tip #6: Prepare for Retroactive Work

Review all existing clients before 2028. Collect missing beneficial ownership information, update expired documents, and assign risk ratings.

Conclusion

The January 1, 2028 deadline requires RIAs to implement comprehensive AML/BSA programs for the first time and achieve full AML/BSA compliance under FinCEN's new rule. By focusing on the five core elements, implementing robust customer due diligence and transaction monitoring, and leveraging modern compliance technology, RIAs can build effective programs that meet regulatory standards efficiently. Flagright, for instance, offers AI forensics tools that augment alert investigations.

Early SEC enforcement actions ($150,000 penalties) demonstrate regulators expect truthful disclosures and robust controls. Success requires executive support, adequate resources, and treating AML as a strategic initiative rather than a checkbox exercise.

With proper planning, appropriate technology, and commitment to excellence, RIAs can achieve fast, low-friction compliance that protects clients, safeguards the firm, and contributes to financial system integrity.

Schedule a demo to see how Flagright's AI-powered platform can help you achieve 2028 compliance faster.