The Treasury Department has proposed new anti-money laundering regulations for investment advisers. If accepted, these rules become effective in 2016. The following information is being provided as a direct and straightforward guide to assist RIAs in complying with these new regulations.

Do the new rules apply to my firm?

You are considered “covered” and required to follow the new AML rules if your RIA is:

  • SEC registered (or required to be SEC registered)
  • State registered located in Wyoming; or a
  • Mid-sized adviser (AUM of $25-$100 million) located in New York

I am a “covered” adviser; what do I need to do to comply?

1)  Designate a person with overall responsibility for your firm’s AML compliance program (often referred to as the “AML       Compliance Officer”).

2)  Adopt a written AML policies and procedures manual (see below).

3)  Establish internal processes and controls in order to ensure adherence to your AML manual and industry regulations.

4)  Schedule an independent audit (see below).

Where can I obtain an AML policies and procedures manual?

Firms can develop their own AML manual; however, due to the time and expertise required, most RIAs elect to purchase one developed by a qualified third party.

Regardless of whether your manual is developed internally or created with outside assistance, ensure the manual addresses the four critical areas for each requirement:

1)Who is responsible

2)What policies and procedures must be followed

3)When each procedure should be performed (e.g., monthly, annually, within 10 days, as requested by law enforcement)

4)How the firm will document that its procedures were followed (e.g., signing and dating a particular report, maintaining a log)

TIP   Beware of the following when purchasing a manual from a third party:

A “one-size-fits-all” solution. RIAs differ based on many characteristics, including size, investment products, strategies, employees, locations, custody, brokerage arrangements, customer types and locations, regulatory history, affiliates, technology, and other factors. Although many firms may seem similar, no two are exactly alike and, therefore, no two manuals should be the same.

Wishy-washy language (e.g., “the firm may review XYZ report periodically” versus what regulators want to see: “the firm will conduct a monthly review of the XYZ report.”).

Manuals for other types of institutions. Do not purchase a manual designed for a broker-dealer or bank. There are differences in the requirements, regulators, and manner in which these firms are examined. If you adopt the wrong type of manual, there is a good chance you will be subjecting your firm to additional rules that do not apply or are not relevant.

How do I satisfy the audit requirement?

Frequency:   We recommend the first audit is completed within 12 months of the Rule’s effective date. While the rules do not specifically require so, if testing is postponed and material deficiencies are discovered, firms are risking not identifying weaknesses early on and having their AML program being cited as deficient. Depending on the firm’s AML risk and results of the first AML audit, a determination may be made that the frequency of testing can be less frequent than annual.

Auditor Selection:   Testing may be conducted by internal personnel only if the auditor is qualified and independent. Qualified means someone knowledgeable in AML regulations and the Bank Secrecy Act. In addition to knowledge, a qualified person should understand industry best practices for conducting audits—which includes sampling methodologies, interview strategies, and evaluating automated solutions and technology platforms in order to identify gaps. Practically speaking, most RIAs who do not have an experienced internal auditor, or other qualified person who is completely isolated from the day-to-day business responsibilities, find that they are not able to satisfy these requirements. Independent means the person does not have any AML responsibilities and does not report to the AML Officer, or have other material conflicts of interest.

When evaluating a third party, other than the consideration of price (pricing can vary as indicated below), be sure to evaluate:

1) Proposed scope of testinG.  An effective AML test will evaluate the following areas:

  • Written AML policies and procedures manual, to ensure:
    • It covers all elements required by the SEC, Treasury/FinCEN and Bank Secrecy Act relative to investment advisers.
    • It is customized to the firm’s business, taking into account types of customers, transactions, operations, supervisory structure, and monitoring processes.
  • Process of onboarding new customers and sampling of documentation
  • Customer activity monitoring, including the use of automated systems and reports
  • Red flag monitoring, escalating, and reporting
  • Identification and reporting of suspicious activity
  • Mandatory filings, including SARs, CTRs, and FBARs
  • Government lists and reporting, including OFAC and FinCEN 314(a)
  • Security of confidential AML information and sharing with other institutions
  • Reliance on third parties performing AML duties
  • AML training program for employees
  • Prior regulatory examination findings and resolution
  • Books and records retention

2) Qualifications and IndependencE.  We recommend these questions are asked as part of auditor due diligence:

  • How many AML audits has the consultant conducted? (Don’t be misled by the “firm’s” experience; you want to know the experience of the consultant assigned to your audit.)
  • Is the consultant familiar with your business model? For example, a different approach should be employed to evaluate onboarding and monitoring of individual investors versus institutions, private funds, or ERISA plans. Additionally, risks relating to investment products and management strategies may vary, and evaluating non-discretionary equity trading activity is different from algorithm-based portfolio management (e.g., robo-advisors).
  • What type of training has the consultant completed?
  • Has the consultant or firm performed other services for the firm that could be deemed a conflict of interest? (For example: It may be viewed as a conflict if your firm’s AML policies and procedures have been drafted by the same person/firm that performs your AML audit.)

3) Reporting.  It is extremely important to obtain a detailed report in order to evidence you have satisfied the requirement. Keep in mind, you will most likely need to provide this during your next regulatory examination. And if the report is only a few pages, then it is most likely not robust enough. Reporting should clearly outline the areas reviewed, details of records examined, results of testing (i.e., deficiencies), and enough information about the auditor so the regulators can make a determination concerning independence and qualifications.

What are the costs to comply?

Costs will depend on various factors such as the number of the firm’s employees, clients, and changes necessary to the firm’s technology infrastructure. The immediate costs will include the following:

AML manual:   The cost of purchasing an AML policies and procedures manual will vary, and depend partly on whether you are hiring the third party to assist with customization of the manual. If the manual is written in a straightforward manner with guidance, firms can easily customize it themselves. It is expected that the cost will begin at $500 for smaller firm templates and increase depending on the level of customization.

AML audit:   Most AML auditors begin pricing at approximately $1500 for smaller firms. Factors such as the number and types of clients, transaction volume, and number of employees will increase audit time and cost.

AML training:   Firms can develop their own training content and may find several public sources helpful, including FinCEN, SEC, and law enforcement actions and case studies. Training should be customized to each firm’s business and some may find it useful to create position-specific training depending on an employee’s role. Third party training program costs are usually based on the number of participants and generally cost at least $200-$300.

Other internal costs:   It is difficult to anticipate and estimate all other costs, as different firms utilize different types of technology, client forms, and internal processes. However, it is recommended that firms begin by investing time in evaluating two processes which are likely to be affected more than others:    customer onboarding and activity monitoring. These processes are critical to each firm’s AML program. By spending the appropriate time on customizing your AML program up front, you will increase the chances of avoiding additional costs and regulatory issues later.

ITA COMPLIANCE, LLC, provides consulting and independent testing services to registered investment advisers, broker-dealers, and transfer agents. We are offering a complimentary 15-minute phone consultation to discuss these regulatory changes and answer your firm-specific questions. To schedule a call, or inquire about our services, complete the form (above) or contact us at 617-854-7500 or

ITA Compliance Can Help

I am interested in:

Complimentary phone call about new regulations
ITA Compliance quote for services
Other (explain in box below)