FinCEN and SEC Propose CIP Requirements for Investment Advisers

On May 13, 2024, the U.S. Securities and Exchange Commission (SEC) and U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) published a joint notice of proposed rulemaking (Joint NPRM) that would require certain investment advisers to establish, document, and maintain a written customer identification program (CIP), with verification procedures that will allow the investment advisers to form a reasonable belief as to the true identity of their customers.

The Joint NPRM is the latest step in the federal government’s sustained efforts to counter illicit finance in the investment adviser industry. On February 13, 2024, the Department of the Treasury released the 2024 Investment Adviser Risk Assessment, which identified investment advisers “as an entry point into the U.S. market for illicit proceeds associated with foreign corruption, fraud, and tax evasion, as well as billions of dollars ultimately controlled by Russian oligarchs and their associates.” The same day, FinCEN announced a proposed rule (AML/CFT Program and SAR Proposed Rule) which was published in the Federal Register on February 15, 2024, that would add certain investment advisers to the definition of “financial institution” for purposes of the Bank Secrecy Act (BSA) and impose certain of the BSA’s requirements on them, including that they adopt anti-money laundering and countering the financing of terrorism (AML/CFT) programs and report suspicious activity to FinCEN by filing Suspicious Activity Reports (SARs). The Joint NPRM’s proposed requirement that certain investment advisers implement a written CIP is a logical outgrowth of this rule proposed earlier this year, as a CIP is a foundational component of an effective AML program.¹

Although the Investment Advisers Act of 1940 (Advisers Act) covers a wide range of investment advisers, the two recent NPRMs apply only to a subset of investment advisers: those registered or required to be registered with the SEC (registered investment advisers, or RIAs), and those exempt from registration (exempt reporting advisers, or ERAs).

Some investment advisers impacted by the proposed rules may already maintain AML programs — particularly if they are licensed as banks, registered as broker-dealers, or have advised mutual funds — but currently no federal or state regulations mandate that investment advisers do so. The two recent NPRMs would create such a requirement and delegate examination authority to the SEC.

This Advisory provides a brief overview of the proposed CIP requirements. We also highlight several requests for comment in the Joint NPRM that may be of particular interest to those potentially impacted by the Joint NPRM.

Customer Identification Programs Generally

Existing CIP requirements prescribe the minimum standards for financial institutions in confirming the identity of their customers “in connection with the opening of an account.” At a minimum, financial institutions are required to:

• Verify the identity of any person seeking to open an account to the extent reasonable and practicable.
• Maintain records of the information used to verify the person’s identity, including name, address, and other identifying information.
• Consult lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency to determine whether a person seeking to open an account appears on any such list.

These CIP requirements constitute longstanding components of a BSA/AML program. As such, the Joint NPRM is generally consistent with existing CIP rules, reflecting a “harmonization of CIP requirements,” according to the SEC and FinCEN. Moreover, the Joint NPRM contemplates that the proposed CIP requirements will be incorporated into an investment adviser’s overall AML/CFT program, as would be required by the AML/CFT Program and SAR Proposed Rule.

Notably, the CIP requirements would be deemed satisfied for mutual fund clients of an investment adviser if the mutual fund has developed and implemented a compliant CIP. As a practical matter, the SEC and FinCEN have determined, through the Joint NPRM, that “any CIP requirement imposed on an RIA to a mutual fund is already addressed by the existing CIP requirements imposed on the mutual fund itself.”

Proposed CIP Requirements for Investment Advisers

The Joint NPRM would require investment advisers to establish, document, and maintain a written, risk-based CIP appropriate for each investment adviser’s size and business. At a minimum, CIPs must include procedures for obtaining from each customer that opens a new account:

• The name of the person or entity opening the account
• Date of birth (if an individual) or date of formation (if an entity)
• Address
• An identification number (e.g., a taxpayer identification number, which could be a social security number for an individual)

The Joint NPRM also would require risk-based procedures for verifying the identity of each customer. These procedures must “enable an investment adviser to form a reasonable belief that it knows the true identity of each customer,” based on the investment adviser’s assessment of relevant risks. Investment advisers subject to the proposed rule would be required to maintain written procedures that describe when they would use documentary, non-documentary, or a combination of both verification methods. For situations involving verification of a new account by a customer that is not an individual, the CIP would be required to address how “an investment adviser [would] obtain information about individuals with authority or control over such account” should the investment adviser be unable to verify the true identity of the customer using the standard verification methods set forth in the Joint NPRM. A CIP would also be required to include procedures for situations in which an investment adviser could not form a reasonable belief that it knows the true identity of a customer, such as when it will decline to open the account or close an already opened account.

Record Retention

The Joint NPRM would require RIAs and ERAs to retain information obtained about a customer while the account remains open, as well as for a period of five years after the date the account is closed, which mirrors the requirements of existing CIP provisions. This five-year period is also generally consistent with the retention period under the Advisers Act.

Request for Comments

Through the Joint NPRM, FinCEN and the SEC have specifically sought comment on, among other topics, the following issues:

• Are there types of accounts that should be exempted from CIP obligations?
• To what extent do RIAs and ERAs already require customer identification and verification, or otherwise have procedures in the manner proposed in the course of regular business or under other, existing regulatory obligations?
• To what extent do the customer identification and verification procedures currently implemented by RIAs and ERAs resemble or differ from those required by the Joint NPRM?
• Are there other categories of entities that, like mutual funds, should be exempted from an investment adviser’s CIP program?
• Should closed-end registered funds, wrap fee programs, or other types of accounts advised by investment advisers be, on a risk-basis, exempted from an investment adviser’s CIP program?

Written comments must be submitted within 60 days after the date of publication of the Joint NPRM in the Federal Register, by July 12, 2024.

Key Takeaways

Investment advisers should consider whether they would be subject to this recent proposed rulemaking, and ensure that they are taking steps now to have appropriate policies and controls in place, including with respect to CIPs. To the extent the AML/CFT Program and SAR Proposed Rule passes in close to its current form, as is expected, RIAs and ERAs will be required to create and implement risk-based AML programs no later than 12 months from passage of the final rule. In other contexts, these same requirements have been onerous for financial institutions and the subject of regulatory and enforcement activity. As the AML/CFT Program and SAR Proposed Rule, as well as the Joint NPRM, would create a mechanism for the SEC to examine investment advisers, an investment adviser’s failure to know its clients may lead to costly and time-consuming enforcement actions.

For more information about how this earlier proposed rulemaking and the Joint NPRM impact your business, please contact any of the authors of this Advisory or your usual Arnold & Porter contact. The firm’s Financial Services and Securities Enforcement & Litigation teams would be pleased to assist with any questions about the proposed rulemaking, how it impacts your AML/CFT framework for compliance, or financial or securities regulation more broadly.

© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.