AML regulations for US investment advisers: A 2025 update

Thanks to a new rule introduced by the Financial Crimes Enforcement Network (FinCEN), investment advisers in the US are now regulated for anti-money laundering and countering the financing of terrorism (AML/CFT) purposes. 

With FinCEN turning its attention to the sector in light of recently identified risks, investment advisers should act now to create effective compliance programs that fulfill their obligations while supporting continued business growth. 

This article explains the new requirements for US investment advisors, the key steps in implementing an AML compliance program, and the critical role of advanced data and technology. 

What are the latest rules for investment advisers?

In a final rule published on September 4, 2024 (89 FR 72156), FinCEN significantly broadened AML and CFT obligations for investment advisers. The rule aims to mitigate illicit financial activities, such as money laundering, terrorist financing, and fraud, which have been identified as posing substantial risks to the investment adviser sector, including through links to foreign corruption and sanctioned entities.

The final rule primarily extends the definition of “financial institution” (FI) under the Bank Secrecy Act (BSA) to encompass certain Registered Investment Advisers (RIAs) and Exempt Reporting Advisers (ERAs). This is estimated to impact approximately 15,000 RIAs managing in excess of $120 trillion in assets, and approximately 6000 ERAs with an excess of $5 trillion in assets.

Foreign-located investment advisers – defined as RIAs and ERAs whose principal office and place of business is outside the US – are also subject to the rule. However, the requirements apply only to their advisory activities that:

• Occur within the US, including through the involvement of US personnel or an agency, branch, or office within the US.
• Provide advisory services to a US person (as defined in 17 CFR 230.902(k)).
• Provide advisory services to a foreign-located private fund with a US person investor. For such funds, the adviser must determine if any US person is an investor, potentially requiring a “look through” certain entities formed for investment purposes.

This targeted application to foreign-located advisers aligns with FinCEN’s approach to other foreign-located FIs with a US overlap and is consistent with the BSA’s intelligence and national security objectives.

What are the exemptions to the rule?

FinCEN has introduced several exemptions to ensure illicit finance risk mitigation does not come with an excessive regulatory burden, especially for smaller entities. The final rule therefore does not apply to the following categories of investment advisers:

• State-registered investment advisers: These advisers are generally smaller, have fewer customers, and operate locally. FinCEN’s risk assessment found fewer instances of their involvement in illicit finance, and their exclusion aims to prevent disproportionate costs, although FinCEN will continue to monitor their activities.
• Certain SEC-registered investment advisers (RIAs) who register solely for specific reasons, including: 
  • Mid-sized advisers: Those with $25 million to $100 million in assets under management (AUM) who are not required to register or are not subject to examination in their state. 
  • Multi-state advisers: Those with less than $100 million in AUM but who would otherwise be required to register in more than 15 states. 
  • Pension consultants: Advisers to certain employee benefit plans under the Employee Retirement Income Security Act of 1974 (ERISA), advising at least $200 million in assets. 
  • RIAs that report zero AUM on Form ADV: These advisers typically provide non-discretionary services (such as financial planning) and are less likely to possess information on customer fund sources or be used as an entry point for illicit proceeds.
• Foreign private advisers and family offices: These entities are statutorily exempt from SEC registration under the Advisers Act and generally present lower illicit finance risks due to their limited US ties or restricted client bases (i.e. family members only, for family offices).

The rule also permits investment advisers to exclude from their AML/CFT programs activities related to:

• Mutual funds.
• Collective investment funds sponsored by a bank or trust company already subject to AML/CFT requirements.
• Other investment advisers (per the rule) that they advise, particularly in subadvisory relationships where the primary adviser is already covered by the rule.

The State of Financial Crime 2025

With expert insights based on a survey of more than 600 global compliance leaders, read our state-of-the-industry report to get actionable AML strategies to future-proof your business.

Download your copy

Key compliance requirements for investment advisers

The rule’s expansion of AML/CFT regulation to investment advisers represents a significant shift for many firms, and existing programs may no longer suffice given the new rule requirements.

Covered investment advisers must establish robust, risk-based AML/CFT programs. These programs must meet several minimum standards, mirroring those for other FIs, in critical areas including: 

• Internal policies, procedures, and controls: Firms must develop and implement internal policies, procedures, and controls designed to prevent their use for money laundering, terrorist financing, or other illicit activities, and to ensure BSA compliance. These policies should be tailored to the adviser’s specific services, customer types, investment products, distribution channels, and geographic locations.
• Appointing an AML/CFT officer: Each firm must appoint one or more individual(s) responsible for implementing and overseeing the AML/CFT program. This officer must be knowledgeable, competent, and possess sufficient authority, independence, and access to resources. While the specific title is not prescriptive, the officer must be an employee of the adviser or its affiliate.
• Employee training: Comprehensive and continuous training programs are required for all appropriate employees. This training should cover AML/CFT requirements relevant to their functions and equip them to recognize suspicious activity. The nature, scope, and frequency of training should align with employee responsibilities and risks.
• Independent testing: AML/CFT programs must undergo regular, independent testing to assess their effectiveness. This can be conducted by internal personnel (as long as they are independent of the function being tested) or by a qualified external party.
• Risk-based due diligence: Advisers must implement reasonable risk-based procedures to support know your customer (KYC), customer due diligence (CDD), and enhanced due diligence (EDD) requirements. To support compliance and effective AML/CFT risk management, advisers should:
  • Screen clients against data sources such as sanctions lists and adverse media.
  • Understanding the nature and purpose of each customer relationship to develop a customer risk profile, which serves as a baseline for identifying unusual or suspicious transactions.
  • Conducting ongoing monitoring to detect and report suspicious transactions and to maintain and update customer information on a risk basis.
  • Inform a risk-based approach to initial and ongoing due diligence by carrying out risk scoring.

Beyond these high-level program requirements, covered investment advisers should also:

• Report suspicious activity: Advisers must file Suspicious Activity Reports (SARs) for transactions involving at least $5000 in funds or assets if they know, suspect, or have reason to suspect the transaction involves illegal activity, is designed to evade reporting, lacks a clear business purpose, or facilitates criminal activity. SARs offer protection from liability (also known as “safe harbor”) for reporting.
• File Currency Transaction Reports (CTRs): RIAs and ERAs will now be required to report cash transactions exceeding $10,000, replacing the previous Form 8300 requirement for these entities.
• Keep transaction records and comply with the Travel Rule: Advisers must create and retain records for funds transmittals of $3000 or more, and ensure that certain customer information “travels” with the transmittal to the next FI in the payment chain.
• Share information with FinCEN: According to Sections 314(a) and 314(b) of the USA PATRIOT Act, advisers must respond to FinCEN’s requests for information to aid law enforcement in identifying accounts and transactions linked to money laundering or terrorist financing. They are also permitted to participate in voluntary information-sharing arrangements with other FIs.
• Implement special due diligence and special measures: Advisers are required to have special due diligence measures in place for correspondent and private banking accounts, and comply with special measures issued by FinCEN under section 311 of the USA PATRIOT Act and related legislation.

Timelines for implementation 

Initially due to come into effect January 1, 2026, FinCEN’s final rule now has an anticipated deadline of January 1, 2028, according to a press release from the regulator. By this date, investment advisers will need to have fully implemented their AML/CFT programs, commenced filing SARs where required, and begun complying with all other reporting and recordkeeping obligations outlined in the final rule.

This gives firms both a clear deadline for compliance, and time to consider how to implement an AML program that sets them up for long-term success across both risk management and business growth. 

The crucial role of data and technology in compliance

FinCEN’s final rule requires investment advisers to adopt a risk-based approach to AML – a north star for compliance practitioners from the Financial Action Task Force (FATF) down to national and local regulators. 

A risk-based approach involves tailoring your compliance program to your specific risks and operations. This enables you to manage compliance obligations without introducing unnecessary friction for your customers, either during onboarding or over the course of the business relationship as they carry out transactions. 

The role of high-quality data in managing these risks across CDD and ongoing monitoring is critical. Understanding customer relationships and risk and identifying suspicious transactions fundamentally depends on comprehensive and accessible customer data. 

Robust screening, scoring, and monitoring technology, meanwhile, is paramount for effective and efficient compliance. In particular, artificial intelligence (AI) and machine learning (ML) have a range of use cases across compliance, from automatically refreshing risk data, to entity resolution that optimizes the accuracy of screening alerts, to analyzing transactions at scale to surface previously undetected risks. 

Advanced AML compliance solutions for investment advisers 

As you think about the life-cycle of managing financial crime risk in the context of the FinCEN final rule, you should think about where data and technology can support your compliance obligations and your business goals. 

Solutions that make use of these are now cost-effective and rapidly deployed in securely hosted, highly available models. ComplyAdvantage helps FIs around the world deploy scalable, efficient compliance programs with: 

• Real-time risk data: Our market-leading, proprietary data helps you screen customers against the latest sanctions lists, watchlists, politically exposed person (PEP) information, and adverse media. We use automated systems for 24/7 monitoring, meaning you receive updates without delay and reduce your customer risks. 
• Fully integrated data and platforms: With ComplyAdvantage, compliance analysts can access all the details they need to make swift case decisions on a single screen, rather than wasting time and increasing the chance of error by toggling between siloed datasets and systems. 
• AI-enhanced alert prioritization: To support an effective risk-based approach, our solutions use AI to prioritize alerts generated from ongoing monitoring, allowing your team to deal with the highest-risk cases first.