On May 13th, the Financial Crimes Enforcement Network (FinCEN) and the Securities Exchange Commission (SEC) issued a joint notice of proposed rulemaking (NPRM) that would require SEC-registered investment advisers (RIAs) and exempt reporting advisers (ERAs) to establish a customer identification program (CIP). This joint NPRM is the second recent rulemaking effort aimed at investment advisers. In February, FinCEN issued a separate NPRM amending the definition in the Code of Federal Regulations of “financial institution” under the Bank Secrecy Act (BSA) to include investment advisers, which would require implementation of an anti-money laundering/countering terrorist financing (AML/CFT) compliance program. In this earlier NPRM, FinCEN alluded to a future joint rulemaking regarding CIP requirements for investment advisers.
The NPRM highlights that CIPs are long-standing, foundational components of an AML program. The NPRM requires a CIP similar to existing CIP requirements for other financial institutions, as FinCEN and the SEC want to ensure “effectiveness and efficiency” for investment advisers that are affiliated with other financial institutions, including banks, broker-dealers, or open-end investment companies that are already subject to CIP requirements.
Background
Investment advisers have not been previously subject to CIP requirements, unless they were also a registered broker-dealer, a bank, or an operating subsidiary of a bank, and therefore already covered separately by the BSA. In many cases, investment advisers already voluntarily comply with CIP requirements, or their functional equivalent.
This joint NPRM implements section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (the “USA PATRIOT Act”). Section 326 requires the Secretary of the Treasury to promulgate regulations setting forth the minimum standards for “financial institutions” regarding the identity of their customers in connection with the opening of an account at a financial institution. More specifically, and as the NPRM notes, the BSA defines “financial institution” to include, in a catch-all provision, “any business or agency which engages in any activity which the Secretary of the Treasury determines, by regulation, to be an activity which is similar to, related to, or a substitute for any activity in which any business described in this paragraph is authorized to engage[.]” That is the statutory authority upon which this NPRM and the earlier NPRM rest. If FinCEN’s proposed amendment to the regulatory definition of “financial institution” is finalized and survives any legal challenges, investment advisers will be required to implement and maintain a CIP, as well as AML programs.
Key Definitions
As proposed, the definition of an “account” is any contractual or other business relationship between a person and an investment adviser under which the investment adviser provides investment advisory services. The definition includes accounts opened for the purposes of participating in employee benefit plans established under the Employee Retirement Income Security Act of 1974 (ERISA). An exclusion exists for any account acquired through an acquisition, merger, purchase of assets, or assumption of liabilities.
The term “customer” is any natural person or legal entity who opens a new account with an investment adviser (i.e., the accountholder). Investment advisers are not required to look through a trust or similar account to the beneficiaries and are only required to verify the identity of the named accountholder. A customer does not include any person who may have control or authority over an account, but is not an accountholder. Nor would the definition cover any person who fills out account opening paperwork but is not an accountholder.
Similar to existing CIP requirements for other financial institutions, the definition of “customer” does not include:
- A financial institution regulated by a Federal functional regulator or a bank regulated by a State bank regulator;
- Certain government entities;
- Certain person that are publicly listed on the U.S. securities exchanges or certain subsidiaries of persons listed on U.S. securities exchanges; or
- Persons that have an existing account with the investment adviser, provided the adviser has a reasonable belief that it knows the true identity of the customer.
Minimum Program Requirements
In general, investment advisers must establish, document, and maintain a written CIP as part of their AML/CFT program. The CIP must be appropriate for the size and business, and must include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable. The procedures must enable the investment adviser to form a reasonable belief that it knows the true identity of each customer. Risk assessments should include the types of accounts maintained, the methods of account opening, the types of identifying information available, and the investment adviser’s size, location, and customer base.
Investment advisers must obtain the following information prior to account opening:
- Name;
- Date of birth (for individuals) or date of formation (for non-individuals);
- Address; and
- Identification number.
For a U.S. person, an identification number is a taxpayer identification number. For non-U.S. persons, the identification number may be a taxpayer identification number, passport number and country of issuance, alien identification card number, or number and country of issuance of any other government-issued document evidencing nationality of residence and bearing a photograph or similar safeguard. For non-U.S. persons that are not individuals, the investment advisor must request alternative government-issued documentation certifying the existence of the person.
Identity Verification
The program must include identify verification procedures and the methods used. Identity verification must occur within a reasonable time before or after the customer’s account opening. This affords investment advisers some flexibility in terms of verifying identity. Investment advisers may use documentary methods, non-documentary methods, or a combination of both.
The NPRM provides a list of “suitable” documents such as certified articles of incorporation or a government-issued business license. Non-documentary methods may include contacting a customer or obtaining a financial statement. Given the increase in identity theft, the NPRM encourages investment advisers to use non-documentary methods even if they receive identification documents from the customer.
The NPRM highlights heightened risks of not having a reasonable belief of the customer’s true identity for certain types of accounts opened. For example, accounts opened in the name of a corporation, partnership, trust, or accounts that conduct substantial business in jurisdictions designated as primary money laundering concerns or are considered high-risk for money laundering or terrorist financing.
The procedures also must include circumstances in which the investment adviser, based on their risk assessment, will obtain information about individuals with authority or control over accounts opened by a customer that is not an individual.
Recordkeeping
The program must include procedures for making and retaining records. Records must include the identifying information about each customer and a description of any document that the investment adviser relied on for verification, as well as a description of the resolution of substantive discrepancies in verifying identity. Investment advisers must keep records while the account is open and for a five-year period after the account is closed.
Comparison with Government Lists
The program must include reasonable procedures for determining whether a customer appears on any list of known or suspected terrorists or terrorist organizations provided by any government agency. Specifically, any list provided by or circulated by Treasury in consultation with the Federal functional regulators. At this time, Treasury and the Federal functional regulators have not designated any lists for this purpose. The NPRM notes that many investment advisers already have procedures in place to check Treasury’s Office of Foreign Assets Control (OFAC) lists.
Consumer Notice
Investment advisers must provide customers with adequate notice that the firm is requesting information to verify the customer’s identity.
Adequate notice must: (1) include a general description of the identification requirements; and (2) be given in a manner reasonably designed to ensure that a prospective customer views the notice or is otherwise given notice, prior to account opening.
Investment advisers have flexibility in providing the required notice, such as including the notice on their website, including the notice in account opening applications, or providing the notice in any other written or oral form. The NPRM provides a sample notice to customers.
Reliance on Other Financial Institutions
The NPRM notes that there may be circumstances where an investment adviser may rely on another financial institution for some or all of its CIP program requirements.
Ultimately, the investment adviser is responsible for ensuring compliance with the CIP requirements and would need to actively monitor the operation of its CIP and assess its effectiveness. An investment adviser may rely on another financial institution for CIP only where the customer of the investment adviser is opening or has an existing account with the other financial institution. The other financial institution must be subject to AML/CFT compliance program requirements under 31 U.S.C. 5318(h) and regulated by a Federal functional regulator, and the parties must enter into a contract (or reliance letter or similar documentation) requiring the other financial institution to certify annually that it has implemented an AML/CFT program and will perform the investment adviser’s CIP. Investment advisers will not be held to be responsible for the failures of the other financial institution to fulfill CIP requirements if the investment adviser can establish that reliance was reasonable and that they obtained a contract or other certification of compliance.
FinCEN and the SEC are currently taking comments on the NPRM which lists 18 separate questions for comment. The comment period closes July 22, 2024. FinCEN and the SEC expect an effective date 60 days after publishing the final rule.
If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.