Preparing for the AML Rule: What Investment Advisers Need to Know

Many investment advisers (IAs) have some familiarity with anti-money laundering (AML) concepts through indirect exposure, including through relationships with custodians, banks, broker-dealers, and fund complexes. However, the new AML Program rule will introduce direct regulatory obligations on certain IAs. Under the final rule, these IAs must implement AML/countering the financing of terrorism (CFT) programs by January 1, 2026, that include filing suspicious activity reports (SARs). This marks the first phase of AML requirements for investment advisers.

The second phase, which would impose customer identification program (CIP) obligations, has been proposed by the Financial Crimes Enforcement Network (FinCEN) and Securities and Exchange Commission (SEC) and was anticipated to follow issuance of a revised customer due diligence rule for financial institutions. While the compliance date for the first phase may be delayed due to either a shift in regulatory priorities or to align both phases into a single implementation, firms should not delay preparation. In the absence of definitive guidance, IAs should assess the AML/CFT risks specific to their business; leverage existing compliance infrastructure where feasible; identify and formalize roles, responsibilities, and escalation paths with third parties within their ecosystem; and avoid implementing overly manual or inefficient processes.

Why This Rule Requires a Different Approach

Unlike broker-dealers or banks, IAs typically do not custody client assets or process client funds directly. Nonetheless, regulators have identified increasing AML/CFT risks within the advisory space: indirect influence over fund flows; complex private fund structures; exposure to alternative investments; and relationships with non-US clients, particularly with respect to sanctioned individuals investing via shell companies and complex organizational structures, and those investing in sensitive technologies with the aim of gathering information for use in the investor’s home country. These characteristics underscore the need for a tailored approach to AML/CFT compliance.

1. Develop a Risk Assessment Tailored to the IA Business Model

A standardized AML/CFT risk assessment designed for banks or broker-dealers will not meet the needs of investment advisers. IAs must adopt a risk assessment framework aligned with their specific business models—whether discretionary portfolio management, separately managed accounts, or advisory roles in pooled investment vehicles.

Key risk factors include:

• • Customer base: Evaluate geographic risk (e.g., non-US clients and investors), legal structures (LLCs, foundations, and trusts), and investor types (high-net-worth individuals versus institutional clients).
  • Products and services: Consider the risk profile of private placements, digital assets, and other illiquid or alternative investments, including lock-up periods and redemption rights, as well as whether the IA allows for third-party transfers
  • Transaction influence: IAs may not initiate transactions but often play a significant advisory role, including with approval of clients and investors. IAs will need to consider mechanisms to detect unusual fund flows or transactions involving high-risk jurisdictions.

Importantly, risk should drive controls—not the reverse. While the rule imposes new expectations, many requirements can be addressed by adapting existing compliance processes. For example, information collected during the investor subscription process can inform risk-based know your customer (KYC) procedures. Many IAs already contract with fund administrators to provide AML/KYC support. These arrangements should be reviewed and documented to ensure they meet applicable regulatory standards and that appropriate escalation processes are in place and working effectively, but a complete overhaul may not be necessary.

Perhaps the most significant change will be the obligation to file SARs under the Bank Secrecy Act (BSA). Detecting and reporting suspicious activity—whether through manual exception monitoring, first-line-of-defense escalations, or automated alerts—must be proportionate to your firm’s transaction volume, client base, and services offered. IAs are already reviewing subscription and redemption activity; going forward, this process must be enhanced with a view toward identifying anomalies and determining whether a SAR filing is warranted—and by whom.

2. Independent Testing: A Strategic Compliance Tool

Independent testing is a cornerstone of an effective AML program—not merely a regulatory requirement but a valuable opportunity to assess whether controls are fit-for-purpose or unnecessarily complex. Testing also provides a financial institution the ability to catch a potential concern before it results in a significant lookback or regulatory issue.

Key considerations include:

• • Who conducts the testing: Independence does not necessarily require outsourcing. Internal teams may conduct the review, provided they are functionally separate from those responsible for implementing and overseeing the AML/CFT program and understand AML/CFT requirements and risks. However, mid-market IAs may benefit from engaging external professionals with specific expertise in investment adviser AML compliance.
  • Testing must align with risk: Off-the-shelf templates designed for banks or broker-dealers are unlikely to uncover gaps specific to the IA model—such as onboarding deficiencies, gaps in fund advisory oversight, or lack of visibility into third-party service providers.
  • Document and act on findings: Testing should be thoroughly documented with clear findings, remediation plans, and accountability. IAs should track remediation and implement mechanisms to follow-up on action plans.

Time to Act: The Compliance Date Is Closer Than It Appears

Although final implementation dates may shift, the regulatory direction is clear. FinCEN has repeatedly attempted to extend AML obligations to investment advisers, and the current rule remains on track. Beginning now—with a risk-based strategy and an actionable plan for independent testing—positions firms to be prepared, rather than play catch-up.

How BRG Can Help

Our team of experts have hands-on experience with implementing new regulations, and specifically with designing and implementing AML/CFT programs. BRG experts have worked across industries, including in the IA space, and understand how the financial crime risks in this ecosystem fundamentally differ from other types of financial institutions.