AML/CFT Requirements for RIAs and ERAs: The countdown has started

The financial advisory sector is facing a transformative period, particularly involving Registered Investment Advisors (RIAs) and Exempt Reporting Advisers (ERAs). Today, RIAs and ERAs are only subject to the Advisers Act and various Securities and Exchange Commission (SEC) rules and regulations thereunder that govern, among other things, marketing practices, disclosures to clients, best execution of client transactions, transparency in disclosing conflicts of interest, and reporting of Assets Under Management (AUM), among others.The lack of comprehensive Anti Money Laundering/Counter Financing Terrorism (AML/CFT) regulations applicable to investment advisers means they are not currently required to understand their customers’ ultimate sources of wealth or identify and report potentially illicit activity to law enforcement.This year, on August 28, the Financial Crimes Enforcement Network (FinCEN) issued a final rule adding part of the segment of RIAs and ERAs to the definition of “financial institution”, prescribing minimum standards for AML/CFT programs to be established by such entities, requiring them to report suspicious activity to FinCEN, and delegating supervisory authority to the SEC.The rule will be effective as of January 1, 2026, and covered organizations must be ready to implement its requirements. For this reason, Chaindots gathers in this article the essential information you need to comply with this final rule: 

1. Regulatory shift and rule motivation

2. Entities reached by the final rule

FinCEN’s final rule now includes “investment adviser” in the “financial institution” definition, reaching RIAs and ERA. However, some RIAs are explicitly excluded from the definition. Specifically, the rule does not apply to RIAs categorized as:

• Mid-Sized Advisers,
• Multi-State Advisers,
• Pension Consultants, and
• RIAs that do not report Assets Under Management (AUM) on Form ADV.

 Additionally, foreign-based RIAs are exempt from these requirements if they provide advisory services exclusively to foreign-located persons and all personnel involved in these services are outside the United States.In total, there are approximately 19,900 entities subject to the final rule. 

3. Scope of the new FinCEN regulations

AML/CFT programEach investment adviser shall develop and implement a written AML/CFT program that is risk-based and reasonably designed according to its business. This program must be approved in writing by its board of directors or trustees, or if it does not have one, by its sole proprietor, general partner, trustee, or other persons with similar responsibilities to a board of directors. Additionally, the investment advisers must designate a person or persons responsible for implementing and monitoring the internal policies, procedures, and controls of the adviser’s AML/CFT program.Minimum requirements of the AML/CFT program:(i) Establish internal policies, procedures, and controls reasonably designed to prevent the investment advisers from being used for money laundering, terrorist financing, or other illicit financial activities and to achieve compliance with applicable provisions of the BSA and implementing regulations. (ii) Provide for independent testing of compliance, to be conducted by the covered investment advisers’ personnel or a qualified outside party. (iii) Designate a person or persons responsible for implementing and monitoring the operations and internal controls of the program. (iv) Provide ongoing training for appropriate persons. (v) Implement appropriate risk-based procedures for conducting ongoing customer due diligence, including, but not limited to:

• Understanding customer relationships’ nature and purpose to develop a risk profile.
• Conducting ongoing monitoring to identify and report suspicious transactions and maintain and update customer information on a risk basis.

 It is important to note that FinCEN allows the delegation of certain aspects of the AML/CFT program to third-party providers, though the adviser remains legally responsible for compliance.File SARs and CTRsUnder the final rule, RIAs and ERAs must file a report with FinCEN for any transaction that may involve suspicious activity or a possible violation of law. Additionally, investment advisers are now required to report all currency transactions exceeding $10,000. Previously, RIAs and ERAs used Form 8300 for these reports, but the final rule mandates that covered financial advisers now use Currency Transaction Reports (CTRs) instead. This shift to CTRs brings consistency to reporting standards and aligns RIAs and ERAs with broader financial institution practices under the BSA.Recordkeeping and travel rulesThe final rule requires RIAs and ERAs to gather and maintain detailed information on both originators and beneficiaries for certain transactions. For certain fund transmittals that involve multiple financial institutions, investment advisers must also pass along this information to the next institution in the chain. This enhanced recordkeeping obligation will allow regulators to trace fund flows more effectively and prevent potential misuse of funds for illicit purposes across institutions.Special due diligence measures for correspondent and private banking accountsUnder the final rule, investment advisers are required to implement due diligence policies, procedures, and controls that are reasonably designed to identify and monitor any suspicious or potentially illegal activity associated with correspondent and private banking accounts. These requirements apply specifically to accounts established or maintained within the United States for foreign financial institutions. Advisers must monitor these accounts and report any known or suspected money laundering activity to FinCEN as part of their ongoing compliance efforts.Respond to section 314(a) requestsFinCEN’s regulations under Section 314(a) allow law enforcement to request assistance from financial institutions in locating accounts and transactions associated with individuals or entities suspected of terrorism or money laundering. Through these requests, FinCEN shares with financial institutions identifying information, such as names and addresses, enabling them to search their records for relevant accounts and transactions. The final rule extends this mechanism to investment advisers, thereby including RIAs and ERAs in a collaborative effort to combat illicit finance and support national security objectives.

 

4. The cost of compliance

The implementation of this final rule will require substantial financial investment, particularly for smaller firms. These costs will encompass the development and maintenance of AML/CFT programs, including policy creation, ongoing staff training, independent audits, and regular updates to align with regulatory requirements.To meet these compliance obligations, RIAs and ERAs may need to expand their compliance teams, potentially hiring dedicated compliance officers or assigning specific personnel to AML responsibilities. They will also need to establish comprehensive staff training programs covering topics such as identifying suspicious activities, filing SARs, and staying updated on regulatory expectations. Some firms may consider outsourcing compliance duties to specialized providers to reduce the burden and leverage their expertise.Moreover, effective AML/CFT compliance in the modern era relies heavily on advanced technology. Investment advisers must invest in robust systems to conduct Customer Due Diligence, monitor ongoing transactions, analyze large volumes of data, and safeguard client information.The cost assessment section of the final rule outlines the key expenses associated with AML/CFT compliance for RIAs and ERAs. It focuses on the financial requirements needed to meet FinCEN’s new regulations. Below are ten key insights related to these costs:

1. Initial program setup costs: Small RIAs and ERAs may face around $48,000 in the first year to establish compliance, especially if they have limited AML/CFT measures currently in place.
2. Annual compliance costs: Following the initial setup, small entities can expect recurring annual costs of approximately $40,000, covering activities like recordkeeping, SAR filings, and ongoing due diligence.
3. SAR filing costs: SAR reporting is a significant component with an estimated annual cost of $9,000 for small entities. This includes identifying, documenting, and filing reports on suspicious transactions.
4. Customer Due Diligence updates: The cost will depend on the entity’s current procedures. Entities with limited AML/CFT procedures need to allocate additional resources to update their customer information. Relatively higher costs are assumed in the first three years due to the compliance burden associated with data collection activities to develop a customer risk profile for existing and new customer accounts.
5. Software licensing for AML/CFT: Investment advisers must invest in AML/CFT software, averaging around $12,400 annually, to monitor and report suspicious transactions effectively.
6. Independent testing requirements: FinCEN mandates independent testing of AML/CFT programs, which is anticipated to add approximately $17,000 annually for each adviser without existing testing protocols.
7. Compliance Costs as a Revenue Percentage: For small entities, the estimated annualized compliance burden could represent about 4.7% of their annual revenue, highlighting a substantial financial impact on smaller firms.
8. Human Resource Allocation for Compliance: FinCEN estimates that small firms, on average, require around 120 hours of compliance labor during the first year to develop policies and internal controls for AML/CFT, decreasing to about 10 hours annually for updates.
9. Training Costs for Employees: Training is an essential part of compliance. Small firms can expect to spend $11,000 annually on training programs to ensure staff understand and adhere to BSA requirements.

5. Compliance checklist for RIAs and ERAs for 2026

AML/CFT program development

• Risk assessments: Conduct comprehensive risk assessments that cover all client interactions, evaluating factors like source of funds and client location.
• Policy creation: Develop policies that address specific business risks and regulatory expectations, and obtain board approval.
• Internal controls: Establish adequate internal controls for your firm’s risk profile, ensuring periodic reviews and updates as regulations evolve.

 Due diligence

• Due diligence procedures: Implement due diligence procedures to investigate, verify, and evaluate customers’ risk before establishing a formal business relationship or engaging in transactions.
• Enhanced due diligence: Implement thorough detailed due diligence for high-risk clients, verifying the source of funds, beneficial ownership, sanction screening, negative media, and any other measure necessary to determine the customer’s inherent risk.
• Ongoing monitoring: Conduct regular reviews and updates for high-risk clients, adjusting their risk scores according to new information, risk indicators, or changes in regulatory standards.

 SAR filing and record-keeping

• Documentation standards: Maintain high standards for documentation of SAR filings, ensuring accuracy and compliance with the regulator’s requirements.
• Reporting timelines: Ensure all SARs are filed within designated timelines, following clear internal processes.
• Tracking mechanisms: Implement tracking systems for SAR submissions and regulatory reviews to simplify audits.

 Internal audits, monitoring, and independent testing

• Regular audits: Plan and conduct regular audits to assess program effectiveness and address potential gaps.
• Review mechanism: Create mechanisms for continuous compliance improvement, allowing for real-time policy adjustments.
• Independent testing: Plan regular independent reviews of the AML/CFT program.

 Training

• Staff training programs: Schedule regular training sessions on AML/CFT protocols, suspicious activity identification, and SAR filing.
• Role-specific awareness: Plan training programs for various roles within the organization, ensuring every employee whose duties require knowledge of the BSA requirements understands their compliance responsibilities.
• Ongoing updates: Implement a process to keep staff informed of regulatory updates.

6. Consequences of non-compliance

Failure to comply with AML/CFT requirements can result in significant fines and penalties. Between 2023 and 2024, federal regulators issued more than 45 enforcement actions against financial institutions for failing to develop and maintain a reasonably designed BSA/AML program. In the same period, civil monetary penalties imposed on financial institutions amounted to more than $4 billion.For RIAs and ERAs, understanding the cost of non-compliance is essential to effectively allocate the resources needed for implementing robust AML/CFT programs.Moreover, the financial advisory industry is particularly reputation-sensitive. Non-compliance incidents, especially those that become public, can harm a firm’s reputation and potentially lead to loss of clients. Maintaining an adequate compliance record protects firms from regulatory scrutiny and builds trust with clients, who increasingly prioritize transparent advisory services. 

7. Conclusion: Proactive compliance for RIAs and ERAs