*This article was co-authored by EisnerAmper's Louis Bruno and Isatou Smith.
Introduction
On Aug. 28, 2024, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a final rule (the Final Rule) extending the scope of the Bank Secrecy Act (BSA) and its amendments by requiring certain registered investment advisers (RIAs) and exempt reporting advisers (ERAs) registered with the Securities and Exchange Commission (SEC) (collectively with RIAs, Investment Advisers)1 to comply with the BSA’s anti-money laundering (AML) and countering the financing of terrorism (CFT) requirements.2 Investment Advisers that are now subject to the BSA under the Final Rule have until Jan. 1, 2026, to implement and operationalize the BSA compliance program (the Compliance Date).3
The Final Rule allows Investment Advisers to outsource some or all of the AML/CFT program to third-party service providers. This article provides an overview of the Final Rule, the role of an Investment Adviser’s AML compliance officer, and factors that the Investment Advisers must consider when deciding whether to outsource such compliance requirements. Part II of this article series will examine how Investment Advisers can outsource components of their AML/CFT program to third-party service providers in the Cayman Islands.
- Scope of the Final Rule
The Final Rule’s expansion of the definition of “financial institution” to include Investment Advisers aims to address and prevent money laundering, terrorist financing, and other illicit finance activity by requiring certain Investment Advisers to comply with the BSA’s AML/CFT compliance program. However, this expanded definition has its limitations.
Excluded from the Final Rule’s definition of “financial institution”4 are U.S. state-registered investment advisers and the following types of RIAs:5
- RIAs that register with the SEC solely as any of the following:
  - Midsize advisers
  - Multistate advisers
  - Pension consultants
- RIAs that do not report any assets under management on their Form ADV, i.e., they do not manage client assets as part of their advisory activities
These excluded RIAs will not be subject to the BSA under the Final Rule unless an excluded RIA changes status in such a way that renders it no longer exempt. In that case, the RIA will become subject to the BSA as of its next annual Form ADV filing. For Investment Advisers with a principal place of business outside the U.S., the BSA will apply only to activities that (A) take place within the U.S. (including through involvement of employees of the Investment Adviser who are U.S.-based) or (B) provide advisory services to a U.S. client. Notably, if a non-U.S. private fund has one or more direct or indirect U.S. investors, then the BSA will apply to that fund even if the Investment Adviser is a non-U.S. Investment Adviser. Regarding ERAs specifically, the Final Rule only includes ERAs subject to Sections 203(l) and 203(m) of the Investment Advisers Act of 1940.
- New BSA Requirements for Investment Advisers Under the Final Rule
The Final Rule requires in-scope Investment Advisers to comply with the following BSA requirements, discussed in detail below: (a) establish a BSA-compliant AML/CFT program; (b) file suspicious activity reports (SARs) when necessary; (c) comply with certain recordkeeping provisions; and (d) comply with the BSA’s information sharing provisions.
- Establish a BSA-compliant AML/CFT program
The Final Rule significantly expands the Investment Advisers’ AML/CFT program obligations, bringing the Investment Advisers’ obligations more in line with the requirements of other financial institutions subject to the BSA. In doing so, the Final Rule now requires covered Investment Advisers to implement or expand their current AML/CFT program, as needed, to conform to the BSA’s regulatory requirements, which include the implementation of a written AML/CFT compliance program that is both risk-based and reasonably tailored to prevent the Investment Adviser from being exploited by money launderers and other illicit actors.
To meet the BSA’s regulatory requirements, as a baseline, the AML/CFT program must include the following elements–the so-called five pillars: (1) policies, procedures, and internal controls designed to counter money laundering and terrorist financing; (2) independent testing of the AML/CFT program by a qualified internal or external party on a periodic basis; (3) designation of a person(s) responsible for implementing and monitoring the AML/CFT program; (4) provisions for ongoing training for applicable individuals employed or contracted by the Investment Adviser; and (5) ongoing customer due diligence (CDD) of customers and transactions as required by the USA PATRIOT Act6 (the “CDD Rule”), which includes requirements under the Customer Identification Program (CIP). FinCEN notes in the Final Rule that AML/CFT programs are expected to vary based on the size and complexity of each Investment Adviser’s business. At a minimum, Investment Advisers will need to implement and operationalize an AML/CFT program by the Compliance Date.
- CIP requirements under the CDD Rule
Regarding the CIP requirements under the CDD Rule, the Final Rule references the joint notice of proposed rulemaking issued by FinCEN and the SEC on May 13, 2024, detailing the CIP requirements for Investment Advisers (the CIP NPRM).7 FinCEN makes clear that the requirements pursuant to the CIP NPRM are not intended to be a separate program, but rather are to be incorporated into the Investment Adviser’s overall AML/CFT program.
The CIP NPRM would require Investment Advisers to implement a risk-based CIP with reasonable procedures appropriate for the Investment Advisers’ size and business to enable the Investment Advisers to identify and verify the identity of their customers (i.e., maintain a written CIP as part of the AML/CFT program).8 The CIP NPRM would define “account” as “any contractual or other business relationship between a person and an investment adviser under which the investment adviser provides advisory services.”9 “Customer” would be defined as “a person–including a natural person or a legal entity–who opens a new account with an investment adviser.”10
When implementing a risk-based CIP, the CIP NPRM would require Investment Advisers to collect the customer’s name, date of birth or date of formation, address, and identification number, all of which are standard CIP requirements of financial institutions (e.g., registered broker-dealers and banks).11 Under certain circumstances, Investment Advisers may be required to collect additional information where necessary to verify the true identity of a customer.12 Investment Advisers would also be required to verify their customers “within a reasonable time before or after the customer’s account is opened” and confirm that customers do not appear on any lists of known or suspected terrorists maintained by the Department of the Treasury.13 Lastly, the CIP NPRM would require Investment Advisers to retain documents and information related to a customer’s identifying information while the account is active and for five years following the date the account is closed.14
Fortunately, the CIP NPRM would allow Investment Advisers to rely on another financial institution’s CIP for its customers if the customer is opening or has established a relationship with that financial institution. The Investment Adviser may rely on the financial institution’s CIP when all the following factors apply: (a) reliance is reasonable under the circumstances; (b) the financial institution is subject to the AML/CFT program requirements under the BSA; and (c) the financial institution, pursuant to a contractual obligation, certifies that it has implemented an AML/CFT program through a reliance letter or other similar documentation.15
The CIP NPRM provides that the Investment Adviser will not be held responsible for the failure of the other financial institution’s CIP as long as the above factors are satisfied.16 In practice, such reliance may occur where the Investment Adviser’s customers are coming through a private bank or broker-dealer channel and it would be reasonable for the Investment Adviser to accept representations from that BSA-compliant financial institution in lieu of conducting customer identification verification on each customer coming across such a sales channel. Investment Advisers may also choose to leverage existing custodian and/or administrator relationships to fulfill their CIP obligations. However, those choosing to do so should note that while most custodians are subject to the BSA and are capable of managing CIPs, some administrators are not subject to the BSA and therefore could not be relied on for CIP purposes.
When the final rule related to the CIP NPRM is issued, FinCEN intends for it to also be effective as of the Compliance Date. FinCEN has estimated that six months is sufficient time to develop and implement a CIP, so the CIP final rule is anticipated to be released by July 2025.17
- Exclusions to the AML/CFT program
The Final Rule excludes any activities that the Investment Adviser undertakes in advising mutual funds from the above baseline AML/CFT program requirements. Thus, Investment Advisers will not need to verify that the mutual fund has implemented an AML/CFT program. In addition, the Final Rule expanded the exclusion to also include bank- or trust company-sponsored collective investment funds that meet certain requirements and any Investment Adviser also subject to the Final Rule that is advised by another in-scope Investment Adviser.
In the Final Rule, FinCEN reiterated that any Investment Adviser that is already subject to the BSA through a different licensing scheme may rely on the preexisting AML/CFT program if that program comprehensively covers the relevant activity of the Investment Adviser. Similarly, where an Investment Adviser is a subsidiary or an affiliate of a financial institution subject to the BSA, such financial institution can elect to extend its existing AML/CFT program to all affiliated Investment Adviser entities now subject to the BSA if the existing program addresses the Investment Advisers’ relevant activity.
- File SARs
The Final Rule requires Investment Advisers to file SARs for any suspicious activity that could demonstrate violation or attempted violation of applicable laws and regulations. Namely, the Investment Adviser will now have to file a SAR for any transaction involving (or a group of transactions aggregating to) at least $5,000 by, at, or through the Investment Adviser that the Investment Adviser knows, suspects, or has reason to suspect involves funds from illegal activity or is potentially structured to avoid transaction reporting. Common red flags that may be indicative that a SAR filing is required include, but are not limited to, lack of evidence of a legitimate business activity, large numbers or volumes of wire transfers (especially repetitive patterns), and bursts of activity in short periods of time.
The SAR filing obligation is only applicable after the Compliance Date, and Investment Advisers are not required to perform a retroactive investigation of activity that occurred prior to the Compliance Date. Significantly, SAR filings are, and will remain, strictly confidential and must be handled on a limited need-to-know basis within the organization making the SAR filing. Indeed, there are potential criminal consequences for “tipping off” the party subject to the SAR filing.
- Comply with certain recordkeeping provisions
The Final Rule now requires Investment Advisers to comply with the Recordkeeping and Travel Rules18 codified by the BSA. These rules require keeping records of any fund transmissions (e.g., documentation indicating name, address, and other information about the transmitter, recipient, and transaction) equal to or exceeding $3,000. The same exemptions that apply to other BSA-compliant entities also apply to Investment Advisers, including where a customer has a direct account relationship with a qualified custodian that is subject to the BSA’s AML/CFT requirements. The Final Rule also now requires Investment Advisers to report transactions in currency over $10,000 using a Currency Transaction Report instead of Form 8300.
- Comply with the BSA’s information sharing provisions
The Final Rule requires Investment Advisers to comply with the information sharing provisions of the BSA, i.e., Sections 314(a) and 314(b) of the USA PATRIOT Act. These provisions require Investment Advisers to share information in real time regarding suspected terrorist or money laundering activities with law enforcement and voluntarily share information with other covered financial institutions, with a safe harbor from liability. In particular, USA PATRIOT Act Section 314(a) enables U.S. federal, state, and local and foreign law enforcement agencies to contact Investment Advisers through FinCEN and request information on clients that may be involved in terrorism or money laundering. The Investment Adviser’s cooperation and participation in response to such requests are compulsory and for information gathering purposes only. Section 314(a) allows law enforcement agencies to gather the lead information noted above only and is not a substitute for a subpoena required to obtain documentation.
- The Role of the Investment Adviser’s AML Compliance Officer
The Investment Adviser’s AML compliance officer plays a critical role in developing, implementing, and maintaining an effective AML/CFT program tailored to the specific risks and business model of the Investment Adviser. The AML compliance officer’s responsibilities include, but are not limited to: (a) becoming designated and qualified in AML/CFT compliance or being part of a compliance committee; (b) overseeing the implementation and maintenance of the Investment Adviser’s risk-based AML/CFT program and the procedures for conducting ongoing CDD; (c) ensuring that the AML/CFT program includes internal policies, procedures, and controls appropriate for the specific risks faced by the Investment Adviser; (d) coordinating independent testing of the AML/CFT program; (e) managing the ongoing employee training program on AML/CFT program matters; (f) ensuring compliance with SAR requirements, including filing a SAR when necessary; (g) facilitating compliance with the information sharing provisions under Sections 314(a) and 314(b) of the USA PATRIOT Act; (h) ensuring the Investment Adviser meets the Final Rule’s recordkeeping requirements; (i) staying informed about and incorporating FinCEN’s most recent AML/CFT priorities into the Investment Adviser’s risk assessment and AML/CFT program; and (j) for Investment Advisers with a principal office outside the U.S., ensuring compliance with the Final Rule for U.S.-based activities or services provided to U.S. persons.
Importantly, the AML compliance officer must be able to perform their duties without undue influence from the Investment Adviser’s business lines and should be able to identify and report issues to senior management and the board of directors as needed.
Stay tuned for Part II of this series, where we examine how Investment Advisers can strategically leverage elements of their newly required AML/CFT compliance program with third-party service providers in the Cayman Islands while remaining fully compliant with the BSA’s requirements. The forthcoming article will unpack the legal framework, due-diligence considerations, and practical steps necessary to ensure robust BSA compliance.
1 As defined by the Investment Advisers Act of 1940, 31 U.S.C. 80b-1 et seq.
2 “FinCEN Issues Final Rules to Safeguard Residential Real Estate, Investment Adviser Sectors from Illicit Finance,” available at https://www.fincen.gov/news/news-releases/fincen-issues-final-rules-safeguard-residential-real-estate-investment-adviser. For the full Final Rule, see https://www.federalregister.gov/public-inspection/2024-19260/anti-money-launderingcountering-the-financing-of-terrorism-program-and-suspicious-activity-report.
3 Industry advocacy groups and trade associations have written to FinCEN and the SEC requesting an extension of the Compliance Date given the facts that the proposed joint FinCEN-SEC rules related to customer identification programs have not been finalized and that the industry groups seek to reopen the comment periods for both the Final Rule and the proposed customer identification program rule. See, e.g., Alternative Investment Management Association Letter to Andrea Gacki, Apr. 17, 2025, and Investment Advisers Association Letter to Andrea Gacki, Jan. 31, 2025. Notably, none of the industry trade associations and advocacy groups have asked for a wholesale repeal of the Final Rule. Importantly, as of the date of this article, FinCEN has not granted an extension of the Compliance Date, and therefore Investment Advisers should proceed with implementing a BSA compliance program such that the program can be fully operational as of the Compliance Date.
4 See 31 CFR §1010.100(t).
5 Id. at fn 1.
6 Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001, Public Law 107-56.
7 See “SEC, FinCEN Propose Customer Identification Program Requirements for Registered Investment Advisers and Exempt Reporting Advisers,” May 13, 2024, available at https://www.fincen.gov/news/news-releases/sec-fincen-propose-customer-identification-program-requirements-registered.
8 See “Fact Sheet: Customer Identification Programs,” May 13, 2024, available at https://www.sec.gov/files/bsa-1-fact-sheet.pdf.
9 CIP NPRM at 9.
10 Id. at 10.
11 Id. at 15-16.
12 Id. at 16.
13 Id. at 15, 26.
14 Id. at 25.
15 Id. at 28.
16 Id. at 29.
17 Id.
18 31 CFR 1010.410(e)-(f).