Registered investment advisers may have it a little easier than their banking brethren when complying with long-awaited anti-money laundering rules just proposed by the US Treasury’s Financial Crimes Enforcement Network (FinCEN), but they shouldn’t feel too relieved.
They will still have to go through most of the same hoops to ensure their clients are not engaged in money-laundering or funding terrorist activities. FinCEN also wants to expand the scope of the advisers affected and make additional operational requirements compulsory relatively soon. Although the proposed rules, published on September 1, don’t apply to exempt reporting advisers or non- US advisers that are not registered with the Securities and Exchange Commission, FinCEN asked for feedback on whether the rules should apply to those advisers as well.
AML experts contacted by FinOps Report warn that many affected RIAs — those registered with the SEC as having more than $100 million in regulatory assets under management — will be investing a lot of money and working through many sleepless nights to implement the rules, when effective. Even RIAs that have already implemented voluntary AML programs could find themselves deficient.
“The rules will force RIAs to register under FinCEN, retain additional staff, acquire training and external subject matter expertise around the compliance function as well as provide existing employees supplemental training and responsibilities,” says Aaron Kahler, managing director of AML Compliance Advisors in New York. “RIAs must also implement new policies and procedures and determine where operational functions need to be added.”
The proposed rules for AML compliance by RIAs were first floated by FinCEN more than a decade ago. However, FinCEN withdrew them in 2008 reportedly because it was not comfortable with enforcement procedures at the time. The US Treasury unit is now ready to draft the final rules after considering the industry feedback received during a 60-day comment period ending on November 2. Enforcement will be left to the SEC. RIAs will have six months after rules become effective to implement their AML programs.
Here is what RIAs will need to do if the proposed regulations are adopted: establish an AML program that is approved by its board of directors or persons with similar functions, designate an AML officer, provide ongoing training to appropriate personnel, conduct independent testing of the AML program, and establish independent policies, procedures and internal controls to comply with the applicable provisions of the Bank Secrecy Act (BSA). Other requirements will include filing currency transaction reports for cash transactions over US$10,000, and suspicious activity reports (SARs).
RIAs must also create and retain records about the entities sending and receiving transmittals of funds over US$3,000 and ensure that information related to those funds “travel” to the next financial institution in the payment chain. The so-called “travel” rules are designed to help law enforcement agencies detect, investigate and prosecute money laundering and other financial crimes by preserving an information trail about persons sending and receiving funds through the fund transfer systems. The newly detailed transmittal information must be stored for five years.
FinCEN’s suggested rules cover a wide range of RIA services, including not only investment advisory, but also research and reports. One of the open questions in the proposed rules is whether or not RIAs servicing mutual funds, hedge funds, private equity, separately managed accounts and wrap accounts will be exempt.
Beyond the apparent exemption for smaller IRAs and those with particular client types, the most glaring difference between the proposed RIA compliance regime and that imposed on other financial firms is the suggestion that they will not have to do additional due diligence on their clients for AML purposes. Currently RIAs are expected, as part of their fiduciary obligations, to create know-your-customer profiles on their clients to match investment decisions to criteria such as personal goals and risk tolerance. AML profiles are likely to require additional data elements to determine client risk in terms of financial crime.
Some experts are surprised by the breaks being given to RIAs. “Although FinCEN categorized RIAs as financial institutions, subject to AML rules, it decided to treat RIAs very lightly for inexplicable reasons,” asserts Ross Delston, a Washington, D.C. attorney and AML compliance specialist. “The risk of financial crime exists at all levels and for other financial institutions — banks, credit unions, broker-dealers, mutual funds, and money services companies– the same AML rules apply regardless of size.”
Time and Money
Of the five compliance managers of RIA shops contacted by FinOps Report, three medium-sized firms with $500 million to $1 billion under management said they are now reviewing how they stack up against FinCEN’s proposed requirements and already reaching out to consultants and external legal counsel for advice on implementing and documenting an AML program. The same three are adding the role of AML director to their current responsibilities and getting ready to hire more AML staff. The other two compliance managers, which work in larger firms, are each searching for senior AML officers to oversee the program, as well as scouting for firms that may help them establish and test their AML programs. “We know that setting this up and running it is going to be expensive, but at this point we don’t know how expensive,” says one compliance manager.
Conventional wisdom is that smaller RIAs or ones with overall low-risk clients just hand over the responsibility for the AML program oversight to their existing chief compliance officers. However, larger RIAs with higher-risk services or clients face the task of finding a dedicated AML officer who not only has experience in financial services and asset management regulations, but is also familiar with AML compliance. If it become too hard to find that ideal candidate, the best ones available can always rely on AML certification programs to fill the knowledge gap , while the firm relies on outside consultants to set up the program.
Advisers may also outsource the implementation of other aspects of their program to broker-dealers, banks or mutual funds that have adopted their own AML policies. Periodic testing of the program can be done by the RIA’s own employees as long as they are not involved in the operation or oversight of the AML program, explains Jay Baris, chair of the investment management practice for Morrison & Foerster in New York. Compliance managers of RIAs who spoke with FinOps say they will likely rely on external parties for testing to avoid any appearance of a conflict of interest.
Creating an effective AML program is no easy task, because it must be “reasonably designed to provide the investment adviser from being used to facilitate money laundering or financing of terrorist activities” and comply with applicable federal laws. The proposed rules do not prescribe a “one-size fits all” answer, rather a risk-based approach dependent on the nature of the advisory services and the types of customers. “The greater the risk the stronger the oversight process as reflected in customer onboarding, the frequency of monitoring and the number of dedicated AML staffers used,” explains Baris.
Just how much work the RIA will ultimately have to do will depend in large part on how much their clients are already handling on their ends. As a rule of thumb, RIAs with hedge fund clients will shoulder far more responsibility than those with mutual fund clients. However, they shouldn’t count on getting paid for the extra labor. “RIAs might have to absorb the costs or at best might be able to get away with raising their advisory fees,” one legal expert in AML regulation tells Finops. “There is no way they can send clients a separate bill for compliance services.”
Take No Chances
Andras Teleki, a partner in the investment management practice of K&L Gates in Washington DC, suggests getting busy now on creating risk assessment profiles of the clients and the services they are using. What happened to idea that RIAs don’t have to collect that information? It apparently goes up in smoke when the RIA’s responsibility for monitoring client transactions and reporting suspicious activity is considered. All of that is hard to do without an AML risk profile.
“The RIA may benefit cost-wise [by taking the exemption from due diligence in customer-onboarding], but faces the downside of missing criminal activities if its policies and procedures aren’t vigorous enough,” explains Vasilios Chrisos, principal for fraud investigation and dispute services at EY in New York. Case in point: deciding that all high-net worth individuals are low-risk clients is flawed. If they are US based there might not be anything to worry about. Not so if they reside in a country known for money laundering and terrorist activities.
How much due diligence is necessary? Delston recommends that, when onboarding clients, RIAs verify the source of their wealth particularly if the client is a high-net worth individual or resides overseas. “RIAs are already taking action to identify clients and verify their identifies,” he says. “As a practical matter, it will be difficult for any adviser to maintain a solid AML program and file SARs if it isn’t certain of a customer’s identity.”
He also suggests that investment advisers do all necessary legwork, including in-person meetings, to check out the validity of the information provided on their identities. That legwork should include scouring social media and news media outlets to determine whether any negative news has been published. Going the extra mile will not only make it far easier to prepare for the inevitable — that customer due diligence will ultimately be required by FinCEN — but also ensure that risk profiles are being used to improve the accuracy of transaction monitoring.
An incorrect client risk-profile will lead to incorrect rules on the value of transaction thresholds and frequency of monitoring. This leads to risk of SARs not being filed when they should be. “Coming up with the correct parameters for determining when conduct is suspicious and merits further investigation will likely be the most challenging aspect of the new rules for RIAs,” predicts Teleki. “Few, if any have ever filed SARs.”
Just as important is determining just how robust a transaction monitoring system should be. “RIAs with only a handful of clients and little active trading could opt for a manual process while those with a large customer base and heavy transaction volume will need an electronic transaction monitoring system,” says Chrisos.
The process of monitoring transactions will inevitably result in some activities being flagged as potentially “suspicious,” but are cleared upon further investigation eliminating the need to file a SAR. At that point it may appear the the RIA is off the hook, but not so fast. In fact, a key requirement of any investigation is to create and maintain documentation of why a SAR was or was not filed. “The SEC might disagree,” explains Teleki, “but at least the RIA can prove it made an informed decision.”