On May 21, 2024, the Securities and Exchange Commission (SEC) and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) jointly published a notice of proposed rulemaking (NPRM) that would require investment advisers registered under the Investment Advisers Act of 1940 (RIAs) and exempt reporting advisers (ERAs) (collectively, “investment advisers”) to maintain customer identification programs (CIPs). Many types of U.S. financial institutions are required to maintain CIPs as part of their anti-money laundering (AML) compliance program and must, as part of the CIP rules, collect, verify, and retain certain identifying information about customers. Importantly, the NPRM does not yet have the force and effect of law, but indicates how FinCEN and the SEC intend to implement more specific AML requirements for investment advisers, subject to written comments from the public before a final rule is promulgated.

The NPRM follows a February 2024 FinCEN proposal to designate RIAs and ERAs as “financial institutions” under the so-called Bank Secrecy Act (BSA), subjecting them to AML and countering the financing of terrorism (CFT) program requirements that are similar to those imposed on other types of U.S. financial institutions, including broker-dealers of securities. Although the February 2024 proposed rule was issued solely by FinCEN, as required by the USA PATRIOT Act of 2001 and the BSA, as amended, for CIPs, FinCEN is publishing this NPRM jointly with the SEC, the federal functional regulator for investment advisers.

These proposals follow a Treasury risk assessment finding that the investment adviser industry has served as an entry point into the U.S. market for illicit proceeds associated with foreign corruption, fraud, tax evasion, and other criminal activities. They are also part of a broader U.S. agenda to patch up potential gaps in regulations designed to counter illicit finance.

Key Takeaways

  • The NPRM would require investment advisers to implement a customer identification program to obtain information about customers and verify their identity.
  • Many investment advisers may already collect some or all of this CIP information on a voluntary basis or because they are required to by partner financial institutions, including broker-dealers. However, other investment advisers may face a more significant adjustment to comply with the requirements.
  • The NRPM’s CIP rules would be substantially similar to the CIP requirements imposed on many other types of financial institutions, but implementation in the investment adviser context may present certain unique challenges.
  • As with other CIP rules, investment advisers may rely on other BSA regulated U.S. financial institutions to implement some or all of the CIP requirements, provided certain conditions are satisfied.

Scope

The CIP requirements apply to “customers” of investment advisers. The term “customer” generally includes any person that opens an “account.” The term person includes both natural persons and legal entities. The NPRM sets forth different rules for verifying the identity of certain types of natural person as compared to legal entity customers.

An account includes “any contractual or other business relationship between a person and an investment adviser under which the investment adviser provides investment services.” Notably, the CIP requirements are applicable to accounts opened for the purpose of participating in an employee benefit plan established pursuant to the Employee Retirement Income Security Act of 1974 (ERISA), despite the fact that the CIP rules applicable to mutual funds exclude ERISA accounts.

The CIP requirement for investment advisers would not extend to financial institutions regulated by a federal functional regulator, a bank regulated by a state bank regulator, certain government entities, certain persons (other than banks) that are publicly listed on U.S. securities exchanges, or persons that have an existing account with the investment adviser, provided that the adviser reasonably believes it knows the true identity of that person. It also excludes accounts acquired through acquisition, merger, purchase of assets, or assumption of liabilities.

Consistent with other CIP rules, investment advisers would not generally be required to look through their customer to collect information on their customer’s customers. However, in certain circumstances, investment advisers may be expected to ensure their customers have in place appropriate controls to mitigate risks that may arise from not looking through the customer.

Requirements

As published in the NPRM, each investment adviser would be required to establish, document, and maintain a written CIP as part of the overall AML/CFT program. The CIP must include risk-based procedures for verifying the identity of customers “to the extent reasonable and practicable” with verification occurring within a reasonable time before or after the customer’s account is opened. Investment advisers need not verify the identity of repeat customers if previously verified, provided that (1) it was verified to the extent required, and (2) the investment adviser reasonably believes it knows the true identity of the customer based on the previous verification. The risk-based verification procedures should consider relevant risks, including: risks based on the account type, the various methods of opening an account provided by the adviser, the adviser’s size, location, and customer base, and the types of money laundering and terrorist financing present in the jurisdiction.

Identity Verification Requirements

The CIP rule would require the investment adviser to obtain, at a minimum, the name, date of birth, address, and identification number of the account holder. Investment advisers must also collect any additional information necessary to enable the investment adviser to form a reasonable belief that it knows the true identity of each customer or, if the customer is not an individual, if additional information needs to be obtained about the individuals with authority over the customer’s account.

In keeping with other CIP rules, the NPRM provides two methods for verification of identifying information: documentary and non-documentary. An investment adviser’s CIP should address both methods and describe when either, or a combination of both, should be used. Documentary verification includes verification through an unexpired government-issued identification evidencing nationality or residence and bearing a photograph or similar safeguard. It may also include documents showing the existence of an entity, such as certified articles of incorporation, a government-issued business license, a partnership agreement, or a trust instrument. Non-documentary verification includes verification through contacting a customer, obtaining a financial statement, or comparing the identifying information to fraud and bad check databases or other third-party sources like credit reports.

The CIP should also include procedures for circumstances in which the investment adviser cannot form a reasonable belief that it knows the true identity of the customer. These procedures should describe (1) when the investment adviser should not open an account, (2) the conditions under which the investment adviser may provide adviser services to the customer while attempting to verify identity, (3) when the investment adviser should close an account after attempts to verify identity fail, and (4) when the investment adviser should file a SAR.

As with other CIP rules, the NPRM would require investment advisers to have reasonable procedures in place to determine “whether a customer appears on any list of known or suspected terrorists or terrorist organizations issued by any Federal Government agency and designated as such by Treasury in consultation with the Federal functional regulators.”

Recordkeeping & Notice Requirements

In addition to identity verification procedures, the CIP must include recordkeeping requirements for maintaining records related to identity verification. Investment advisers would be required to retain the information collected about a customer for the duration of time the account remains open, plus an additional five years after the date it is closed. Information regarding the verification of a customer’s identity need only be maintained for five years after the record is made. Finally, the NPRM also proposes that investment advisers must give notice to customers of the verification procedures.

Note on CDD Rule

While the CIP rules apply to both individual and entity customers, FinCEN maintains a separate customer due diligence (CDD) rule that contains more detailed and robust requirements for legal entity customers, particularly with respect to: (1) beneficial individual owners exceeding at least 25% or more of the equity ownership and (2) an individual with significant responsibility for managing the legal entity customer. The NPRM does not propose to extend the CDD rule to investment advisers (broker-dealers are subject to the CDD rule). However, FinCEN is planning to revise the CDD rule to further implement the Corporate Transparency Act and so investment advisers should be mindful of potential changes to the CDD rule, to the extent applicable.

Reliance Agreements

As with other CIP rules, the NPRM proposes that reliance on another financial institution to perform some or all of the CIP procedures is permitted if a customer of the investment adviser has already opened an account with the financial institution and provided that: (1) reliance is reasonable under the circumstances, (2) the other financial institution is subject to AML/CFT compliance program per the Bank Secrecy Act and is regulated by a federal functional regulator, and (3) the other financial institution enters into a contract with the investment adviser requiring it to certify annually that it has implemented an AML/CFT program and will perform the specified requirements. If these requirements are met, the investment adviser would not be held responsible for the failure of the other financial institution to adequately fulfill the adviser’s CIP responsibilities.

The Path Ahead

The NPRM proposes that the rule would become effective 60 days after the date the final (or interim final) rule is published in the Federal Register. An investment adviser would be required to develop and implement a compliant CIP on or before six months from the effective date of the final regulation, but no sooner than the compliance date of the proposed investment adviser AML program rule proposed in February 2024. Comments on the NPRM are due by July 22, 2024.

For assistance in submitting a comment or preparing to implement a CIP please contact a member of our Anti-Money Laundering Practice.

Special thanks to Summer Associate Joanna Griffin for her assistance in preparing this post.