Over the past 12 months, banks and investors have enhanced anti-money laundering (AML) and know your customer (KYC) due diligence requirements, in response to increased enforcement by regulators and implementation of the 2016 Financial Crimes Enforcement Network’s (FinCEN) final rule.
As a result, many U.S. registered investment advisers (RIAs) have been asked to provide additional diligence information to custodian financial institutions and, increasingly, prospective investors. Even though RIAs’ AML and sanctions compliance program obligations have not legally changed, heightened diligence expectations have subjected RIAs to additional compliance burdens.
RIA Compliance Requirements
The Bank Secrecy Act (BSA), as amended by the USA PATRIOT Act, requires “financial institutions” (which include banks, broker-dealers, and mutual funds) to establish and maintain AML compliance programs that include, at minimum: (1) a system of internal controls; (2) independent testing; (3) a designated compliance officer; and (4) ongoing employee training.
In 2015, FinCEN published a proposed rule that would require certain RIAs to establish AML compliance programs and to report suspicious activity to FinCEN. At present, RIAs are not required to comply with the AML compliance program requirements of the BSA, although it is foreseeable that FinCEN will implement mandatory AML compliance program requirements for RIAs at a future date (and RIAs are required to comply with U.S. criminal AML laws).
By contrast, all firms subject to U.S. jurisdiction—including RIAs—must comply with the economic sanctions administered by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC).
OFAC historically has declined to articulate minimum compliance program requirements, instead encouraging firms to adopt “risk-based” compliance strategies that account for their individual risk profiles. However, as U.S. sanctions are a strict liability regime, failure to implement a compliance program can result in catastrophic consequences.
Effective May 11, 2018, the CDD Rule requires covered financial institutions, inter alia, to establish risk-based procedures for conducting ongoing customer due diligence and to conduct ongoing monitoring to identify and report suspicious transactions (31 C.F.R. § 1020.210(b)(5)). Although FinCEN’s view is that ongoing diligence “already [was] implicitly required for covered financial institutions to comply with their suspicious activity reporting requirements,” CDD Rule at 29,398, implementation of the CDD Rule rendered ongoing customer due diligence an explicit regulatory requirement (with possible penalties for failure to comply).
In parallel, U.S. regulators have ratcheted up enforcement of AML laws, resulting in multi-million dollar penalties against several financial institutions. Similarly, OFAC has aggressively pursued financial and nonfinancial firms for violations of U.S. sanctions, announcing nine enforcement actions that have yielded over $1.2 billion in penalties this year to date.
Against this backdrop, financial institutions and investors have begun to seek additional comfort—in the form of diligence questionnaires, compliance covenants, enhanced KYC requirements, and side letters—that their relationships with RIAs do not present material money laundering or sanctions risk.
Can I Push Back?
It depends. Certain aspects of the CDD Rule, such as the identification and verification of beneficial owners of entities that open new accounts, are mandatory, and therefore cannot be waived or modified by covered financial institutions. (Although RIAs are exempt from the CDD Rule’s beneficial ownership requirements, pooled investment vehicles advised by RIAs are not clearly excluded.)
With respect to existing relationships, neither the CDD Rule nor OFAC guidance specifies exactly what level of monitoring is required. Although this lack of specificity—in theory—leaves room for negotiation, FinCEN guidance makes clear that financial institutions may choose to implement stricter procedures than are required under applicable regulations.
This means that, in negotiating with financial institutions, RIAs cannot point to the CDD Rule as a maximum set of diligence requirements.
Further, in practice, it can be challenging to persuade personnel charged with collecting KYC information to deviate from institutional requirements (particularly as doing so typically requires multiple levels of approval).
Similarly, RIAs resisting sanctions-focused diligence inquiries may be hard-pressed to overcome the counterargument that all U.S. firms must comply with OFAC sanctions. For many RIAs, the cost of resistance may ultimately not be worth the return.
Although RIAs currently are not subject to AML and sanctions compliance program requirements, the regulatory trajectory is undeniably moving in that direction. And, even absent a regulatory requirement, OFAC would likely treat the lack of an existing compliance program as an aggravating factor in determining the appropriate penalty, if an inadvertent violation were to occur.
Accordingly, RIAs should consider revisiting (or establishing, as the case may be) their AML and sanctions compliance programs. Delay in addressing evolving counterparty and regulatory expectations could result in loss of commercial opportunities, or even regulatory enforcement.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Ama A. Adamsis a litigation and enforcement partner in the Washington, D.C. office of Ropes & Gray LLP.
Brendan C. Hanifin is litigation and enforcement counsel in the Chicago office of Ropes & Gray LLP.
Emerson A. Siegle is a litigation and enforcement associate in the Washington, D.C. office of Ropes & Gray LLP.