SEC and FinCEN Propose Customer Identification Program Requirements for Certain Investment Advisers
I. Introduction
On May 13, 2024, the US Securities and Exchange Commission (“SEC”) and the US Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) issued a joint notice of proposed rulemaking (the “CIP Proposal”) that would apply customer identification program (“CIP”) obligations to SEC registered investment advisers (“RIAs”) and exempt reporting advisers (“ERAs,” and collectively with RIAs, “SEC Advisers”).1
The CIP Proposal complements—and was foreshadowed by—FinCEN’s February 2024 proposal to impose anti-money laundering (“AML”) compliance program obligations on SEC Advisers (the “AML Proposal”). As we discussed in a prior Legal Update, the AML Proposal would expand the definition of “financial institution” under the Bank Secrecy Act (“BSA”) and its implementing regulations to include SEC Advisers and would impose, among other things, AML compliance obligations requiring SEC Advisers to (1) adopt a risk-based AML compliance program; (2) monitor customer activity and report suspicious activity to FinCEN; and (3) establish certain recordkeeping and client due diligence protocols. FinCEN had deferred inclusion of CIP obligations in the initial AML Proposal, opting instead to issue a proposal jointly with the SEC as the federal functional regulator for SEC Advisers, as required by the BSA. The CIP Proposal would incorporate CIP requirements into the broader AML compliance framework proposed by the AML Proposal.
In this Legal Update, we provide background on recent efforts by the US government to expand the scope of AML compliance obligations to new markets and market participants, a summary of the CIP Proposal, and a discussion of key takeaways from the CIP Proposal and FinCEN and the SEC’s invitation for public comment on its contents.
Comments on the CIP Proposal are due on or before July 22, 2024.
II. Background
Over the last few years, the US anti-money laundering regime has undergone meaningful change. The US government, through amendments to statute, new regulations, updated official guidance and expansive use of existing authorities, has sought to expand the scope of the BSA and the AML compliance obligations imposed by it to new markets and new market participants. For example, FinCEN has promulgated regulations (which we discussed in a Legal Update) requiring nearly all US legal entities and foreign entities registered to do business in the United States to report beneficial ownership information, which will be maintained by FinCEN for the benefit of law enforcement and certain financial institutions. FinCEN has also proposed rules that would require reporting of certain non-financed real estate transactions on a nationwide basis. (Read our analysis in this April Legal Update.) The purpose of these efforts is to prevent access to the US financial system by illicit actors seeking to abuse the US financial system for money laundering, public corruption and sanctions evasion activities, as well as other illicit financial activity.
With respect to the investment advisory industry in particular, FinCEN has cited to, among other things, the US Department of the Treasury’s 2024 Investment Adviser Risk Assessment (the “IA Risk Assessment”), which identifies potential illicit finance threats involving investment advisers. In particular, the IA Risk Assessment notes that (a) investment advisers have served as an entry point into the US market for illicit proceeds associated with foreign corruption, fraud and tax evasion; (b) investment advisers and their advised funds (particularly venture capital funds) are being used by foreign states to access certain technologies and services with long-term US national security implications through their investments; and (c) investment advisers have defrauded clients and stolen funds. Additionally, the international Financial Action Task Force has criticized the United States for failing to apply comprehensive AML compliance requirements, including a CIP requirements, to investment advisers.2
Ultimately, the AML Proposal, together with the CIP Proposal, is meant to establish a cohesive, consistent AML compliance regime for SEC Advisers. This regime is intended to extend and harmonize AML compliance obligations to apply to SEC Advisers (but not all investment advisers) in order to limit bad actors’ access to the US financial system through financial market “gatekeepers” not subject to the same AML requirements as other market participants, such as banks or broker-dealers, and to mitigate the illicit finance risks allegedly posed by the investment advisory industry, including as discussed in the IA Risk Assessment.
III. Overview of the CIP Proposal
In addition to the AML compliance requirements set forth in the AML Proposal, the CIP Proposal would impose CIP obligations on SEC Advisers that generally mirror those already required of other financial institutions, including banks, broker-dealers and mutual funds.3 At a high level, the CIP Proposal would require SEC Advisers to establish, document and maintain, as part of the SEC Adviser’s AML compliance program, a written CIP that contains, at a minimum:
- Risk-based procedures for identifying and verifying customer identities: Procedures must enable the SEC Adviser to form a reasonable belief that it knows the true identity of each customer,4 and must be based on the relevant risks (based on the SEC Adviser’s assessment of such risks) and must include, at a minimum:
-
-
- obtaining, prior to opening an account, certain customer identification, including name, date of birth or formation,5 address and identification number;
- verifying, within a reasonable time before or after an account is opened, the customer’s identity through documentary or non-documentary methods (or a combination of the two) and additional risk-based verification for legal entity customers; and
- responding to circumstances in which the SEC Adviser cannot form a belief that it knows the true identity of a customer.
-
-
- Procedures for making and maintaining records of identification and verification of customer identities: Procedures must provide for recordkeeping that includes, at a minimum, (a) all identifying information obtained about a customer under the CIP; (b) descriptions of any documents (including type, number, etc.) relied upon; (c) descriptions of verification methods used; and (d) descriptions of the resolution of any substantive discrepancies discovered during verification. SEC Advisers are required to retain records of identifying information for five years following the date the relevant account is closed, and other records for five years following the date the records are made.
- Reasonable procedures for determining whether a customer appears on certain government lists: Procedures must address any list of known or suspected terrorists or terrorist organizations that is both (i) issued by a US federal government agency; and (ii) designated as such by the US Department of the Treasury in consultation with federal functional regulators (e.g., the SEC).6 Procedures must require a determination within a reasonable period of time after the account is opened, or earlier if required by federal law or directives in connection with the applicable list. Procedures must also require the SEC Adviser to comply with federal directives in connection with such lists.
- Procedures for providing customers with adequate notice that the SEC Adviser is requesting information to verify customers’ identities: Adequate notice requires that the SEC Adviser generally describe the identification requirements required by the CIP Proposal and provide such notice in a manner reasonably designed to ensure that a prospective customer is able to view the notice, or is otherwise given notice, before opening an account. The CIP Proposal includes a sample notice that generally mirrors the sample notices for other types of financial institutions with CIP obligations.
As with the CIP rules for other financial institutions, the CIP Proposal generally applies to “customers,” which are defined under the CIP Proposal generally to include a “person that opens a new account.” In turn, “account” is defined as “any contractual or other business relationship between a person and an investment adviser under which the investment adviser provides investment advisory services.” This definition of account is a notable deviation from the approach taken with banks, which explicitly excluded “business relationships” to avoid the implication that an institution’s general business dealings (e.g., related to its operations) were subject to a CIP requirement.7
Under these definitions, a SEC Adviser would not be required to “look through” a trust or similar account to its beneficiaries, and would only be required to verify the identity of the named accountholder. With respect to legal entity customers, the “customer” definition would not include individuals with authority or control over accounts where the named accountholder was a legal entity; however, such individuals may be subject to additional scrutiny under the CIP’s risk-based verification requirements for legal entity customers. FinCEN and the SEC have sought comment on a variety of questions related to the scope of “customer” and “account,” including whether certain types of accounts should be exempt and the scope of “investment advisory services” that would constitute opening a new account for purposes of the CIP Proposal.8
Finally, as with the CIP rules for other financial institutions, the CIP Proposal would allow a SEC Adviser to rely on another financial institution’s performance of customer identification and verification under its own CIP for a similar account relationship, provided that (a) such reliance is reasonable under the circumstances; (b) the other financial institution is subject to AML program requirements under the BSA and is regulated by a federal functional regulator; and (c) the other financial institution enters into a contract with the SEC Adviser requiring it to certify annually to the SEC Adviser that it has implemented its AML program and that it will perform the specified requirements of the SEC Adviser’s CIP. Similarly, the SEC Adviser may deem its own CIP obligations satisfied with respect to any mutual fund advised by the SEC Adviser that has developed and implemented a CIP that complies with the existing CIP rule applicable to mutual funds. Ultimately, a SEC Adviser that reasonably relies on another financial institution to perform its CIP is still responsible for compliance with the rule.
IV. Takeaways
- This CIP Proposal is in step with regulatory trends that seek to expand the universe of market participants subject to FinCEN’s regulatory authority, which FinCEN and federal functional regulators contend will (a) stifle bad actors’ ability to use investment advisers as an entry point into the US financial system; and (b) protect advisers from being unintentionally complicit in such illicit activity. However, the CIP Proposal is potentially duplicative without necessarily improving law enforcement’s ability to identify bad actors. The instances of such illicit activity from SEC Advisers’ customers are sparse. Indeed, the IA Risk Assessment cites few examples of bad actors successfully using SEC Advisers for money laundering, perhaps implying the sufficiency of existing AML program and CIP frameworks. In one example, the adviser was actively complicit in the crime; this would not suggest that such an adviser would be saved from FinCEN’s goal of preventing accidental complicity. As SEC Commissioner Hester Peirce pointed out, other examples cited in the IA Risk Assessment suggest a similar conclusion, as existing regulation was sufficient to catch bad actors from government entities as well as foreign nationals attempting to launder money though US investment advisers.
- Many dually registered SEC Advisers (i.e., RIAs that are also registered as broker-dealers) may already have procedures similar to a CIP in place to comply with the BSA obligations applicable to broker-dealers. Nevertheless, such SEC Advisers will have to formalize any existing CIP procedures and ensure that they satisfy the requirements of the CIP Proposal.
- If the CIP Proposal is adopted, the new requirements will increase the time and resources needed to open new customer accounts and provide investment advisory services, as well as the increased costs of compliance with recordkeeping and other requirements under the CIP Proposal. As Commissioner Uyeda noted in his statement on the CIP Proposal, “[w]hile the goals of preventing money laundering and terror financing are laudable, there are legitimate questions as to whether imposing additional burdens on investment advisers will meaningfully contribute to those efforts.”
The CIP Proposal would be effective 60 days after the date a final rule is published in the Federal Register and would require compliance no later than six months from the effective date of the regulation; however, FinCEN and the SEC note that compliance would not be required sooner than the corresponding compliance date of a final rule arising out of the AML Proposal.
Unlike prior attempts to impose AML compliance obligations on investment advisers, we believe it is likely that the AML Proposal and CIP Proposal will ultimately be finalized. Accordingly, SEC Advisers and other interested parties should accept the SEC and FinCEN’s invitation to comment on the issue now, in connection with the CIP Proposal, in an effort to help shape the forthcoming rulemaking, particularly with regard to certain definitions and requirements highlighted by the SEC and FinCEN in the CIP Proposal.
For more information and advice on submitting a comment, contact us or submit a comment directly.
1 Additional information is contained in a related press release and fact sheet. See also statements from SEC Chair Gary Gensler and Commissioner Mark Uyeda.
2 FATF, Mutual Evaluation Report for the United States 197 (Nov. 30, 2016).
3 See 31 C.F.R. § 1020.220 (banks); 31 C.F.R. § 1023.220 (broker-dealers); and 31 C.F.R. § 1024.220 (mutual funds).
4 The CIP Proposal acknowledges that it uses the term “customer” consistent with other FinCEN regulations, rather than the term “client” typically used for purposes of most rulemakings under the Advisers Act, and we have used that term in this Legal Update for consistency. Because “customer” is substantially equivalent to what is normally regarded as a “client” under most circumstances, it should be noted that investors in pooled investment vehicles managed by an SEC Adviser are not themselves customers of an SEC Adviser (unless a direct client relationship otherwise exists outside of the fund).
5 Notably, other financial institutions with CIP obligations do not include a “date of formation” collection requirement for legal entities as part of the basic data elements required to be collected. FinCEN and the SEC did not elaborate on the addition of this requirement in the CIP Proposal.
6 The CIP Proposal notes that no such list has been designated for any financial institutions, even though it is common for financial institutions to screen against certain federal government lists (e.g., OFAC’s list of specially designated nationals).
7 See 68 Fed. Reg. 25,090, 25,092 (May 9, 2003) (“the reference to the term ‘business relationship’ has been deleted from the definition of ‘account.’”).
8 In contrast, the CIP rules for banks are limited to relationships involving assets (e.g., cash) and include the better understood concepts of safekeeping, custodial and trust services in the definition of an account. 31 C.F.R. § 1020.100(a)(1).