SEC AML/BSA Requirements for Investment Advisers
SEC AML/BSA requirements for investment advisers require covered advisers to build and run a risk-based AML/CFT program and file Suspicious Activity Reports (SARs) once FinCEN’s investment adviser rule becomes effective. Start now by scoping coverage, performing an adviser-specific risk assessment, and building the five-pillar program with evidence-ready workflows. 1
Key takeaways:
- Covered RIAs and ERAs must implement a written AML/CFT program with core program elements plus customer due diligence. 1
- Expect SEC examination focus as FinCEN delegated exam authority for these adviser AML obligations to the SEC. 2
- Enforcement already targets “paper programs,” poor tailoring, and inaccurate AML disclosures to investors. 3
If you’re a CCO or GRC lead at an investment adviser, the operational question is simple: “What do we need in place so we can defend our AML program design and execution in an SEC exam?” The answer is a risk-based program that matches your actual advisory business, not a bank or broker-dealer template, and that can produce evidence on demand.
FinCEN issued a final rule that adds certain investment advisers to the Bank Secrecy Act (BSA) regime and requires an AML/CFT program and SAR filing, effective January 1, 2028. 1 The SEC has signaled this is an examination priority area once effective, and Treasury has publicly documented illicit finance risk channels in the adviser sector, especially private funds, complex structures, and foreign investors. 4
This page translates the SEC AML/BSA requirements for investment advisers into requirement-level steps, artifacts, and exam-ready controls you can implement without guessing.
Regulatory text
Regulatory excerpt (as provided): “SEC AML/BSA Requirements for Investment Advisers.”
Primary rule references for operations
- AML program requirement: 31 C.F.R. § 1032.210. 1
- SAR filing requirement: 31 C.F.R. § 1032.320. 1
- Statutory foundation for AML program pillars: Section 352 of the USA PATRIOT Act. 5
What the operator must do (plain-English interpretation)
You must (1) adopt a written, risk-based AML/CFT program reasonably designed for your advisory business, (2) appoint an AML officer, (3) train relevant personnel, (4) independently test the program, and (5) implement customer due diligence that fits your client and investor risk. You must also build the capability to identify and report suspicious activity through SARs once the rule is effective. 1
Who it applies to (entity + operational context)
You should scope applicability across:
- SEC-registered investment advisers (RIAs) and exempt reporting advisers (ERAs) that are “covered” under the FinCEN final rule. 1
- Dual registrants and complex organizations (e.g., an adviser alongside a broker-dealer, fund complex, or bank parent). SEC enforcement has criticized programs that were not tailored to the relevant business line. 6
- Private funds and alternative strategies where onboarding occurs through subscription documents and ownership can be layered. Treasury identifies adviser-specific vulnerabilities tied to complex structures and non-U.S. clients. 7
Operationally, this touches onboarding, investor relations, portfolio operations (capital calls/redemptions), finance/treasury, and compliance surveillance, plus third parties such as administrators and transfer agents where you depend on them for identity and transaction data.
What you actually need to do (step-by-step)
Treat this as a build plan for an SEC-examinable control system.
Step 1: Confirm scope and document your coverage decision
- Determine whether each advisory entity is covered under the final rule and document the rationale. 1
- Map products and client types (managed accounts, private funds, sub-advisory, SMAs, offshore feeders) to where money moves and where you can observe activity. Tie this to the Treasury risk channels for advisers. 7
- Assign accountable owners (CCO/AML Officer, operations, fund admin oversight) and record decisions in governance minutes.
Artifact to retain: “AML/BSA Applicability & Scope Memo” with entity list, product list, and data/third-party dependencies.
Step 2: Build an adviser-specific AML/CFT risk assessment
- Identify inherent risks aligned to adviser realities:
- Assess control coverage you already have (KYC performed by administrator, sanctions screens, subscription checklists) and identify gaps where you cannot evidence execution.
- Set risk ratings at the client/investor level (low/medium/high) based on geography, PEP indicators, ownership transparency, expected flows, and strategy.
Artifact to retain: “AML/CFT Risk Assessment” plus a risk-rating methodology and a sample output showing risk-rated clients/investors.
Step 3: Draft and approve the written AML/CFT program (tailored)
Build the program so it is defensible as “reasonably designed” for your advisory business. SEC enforcement penalized firms that copied a program designed for a different business and failed to calibrate monitoring to actual activity. 6
Minimum content to include:
- Internal policies, procedures, and controls tied directly to your risk assessment. 1
- Customer due diligence (CDD) procedures that explain what you collect, who collects it (you vs. administrator), and how exceptions are handled. 1
- Suspicious activity escalation + SAR decisioning workflow (triage, investigation, documentation, approvals, filing, confidentiality). 1
- Third-party oversight for any delegated onboarding/monitoring functions (fund admin, transfer agent). If you rely on them, your program must specify how you oversee them and obtain evidence.
Artifact to retain: Board/management approval record, version-controlled AML program, and a crosswalk from risk assessment → controls.
Step 4: Appoint the AML Officer and define authority
- Designate an AML Officer in writing with job duties, escalation authority, and resourcing expectations. 1
- Set reporting lines so the AML Officer can raise issues to senior management without friction.
- Define decision rights for onboarding approvals, EDD sign-off, and SAR filing decisions.
Artifact to retain: AML Officer designation letter, role description, and governance cadence (e.g., periodic reporting package template).
Step 5: Implement investor/client risk profiling and EDD
- Integrate risk scoring into onboarding (subscription package checklist + required documents by risk tier).
- EDD triggers (examples):
- Non-U.S. investors or complex ownership.
- Adverse media or potential sanctions exposure.
- Activity inconsistent with known source of funds/wealth. 7
- Ongoing review: refresh risk when ownership changes, new jurisdictions appear, or unusual redemption patterns occur.
Artifacts to retain: Completed onboarding files, EDD memos, adverse media notes, and approvals.
Step 6: Implement sanctions screening and match-handling
Treasury highlights sanctioned persons as a relevant threat channel for the sector. 7
- Screen investors and beneficial owners (where collected) at onboarding and periodically.
- Define false positive resolution and true-hit escalation to compliance/legal.
- Document the audit trail: search inputs, date/time, results, disposition.
Artifacts to retain: Screening logs, case notes, and escalation outcomes.
Step 7: Build suspicious activity monitoring + SAR readiness
Even if your transaction visibility is partial (common in private funds), you still need a process that uses what you do see: subscription funding, redemption requests, bank wires you instruct, administrator reports, and investor communications. SEC enforcement has focused on failures to investigate alerts and to file SARs on time in other financial institutions, and exam staff will test your ability to keep up with volume and growth. 9
Implement:
- Alert sources: admin reports, cash movement requests, exception reports (third-party payees, rapid in/out).
- Case management: ticketed workflow, aging, documented rationale for “file” vs “no file.”
- Capacity planning: metrics for backlog, aged cases, and escalation when thresholds are exceeded.
Artifacts to retain: Alert log, investigation memos, SAR decision memos, and management reporting.
Step 8: Training and independent testing
- Role-based training for onboarding staff, IR, operations, and portfolio personnel. Tailor content to adviser red flags and your workflow. 1
- Independent testing that actually samples onboarding files and investigations, and checks tailoring. 10
Artifacts to retain: Training materials, completion logs, test results, independent testing report, remediation tracking.
Public enforcement cases
Use these to calibrate your exam defense. They show where regulators find “paper programs” and weak operational controls.
| Case | What happened | Operator lesson |
|---|---|---|
| In the Matter of Navy Capital Green Management, LLC | SEC charged misrepresentations about AML procedures to investors; case included foreign-based entities with opaque beneficial ownership. 11 | Match disclosures (ADV, offering docs, DDQs) to actual controls and retained evidence. Treat foreign/opaque investors as a documented EDD trigger. |
| In the Matter of DWS Investment Management Americas, Inc. | Adviser to mutual funds used an AML program designed for a different business; monitoring not reasonably designed and alerts were not reviewed. 6 | Tailor the program to the business line and validate monitoring works for your products and data sources. |
| In the Matter of Robinhood Securities LLC and Robinhood Financial LLC | SEC found SAR filing delays and a large alert backlog; failure to scale AML program to growth. 12 | Build timeliness controls and capacity planning. Examiners test backlog management and escalation. |
| In the Matter of LPL Financial LLC | SEC cited CIP failures and failure to close/restrict high-risk accounts inconsistent with written policy. 13 | Written policy must match actual account handling. If policy requires closure/restriction, you need workflow controls to force the outcome. |
Required evidence and artifacts to retain (exam-ready list)
Organize these in a single repository with version control:
- AML/BSA scope memo and entity coverage analysis. 1
- AML/CFT risk assessment and annual refresh history. 1
- Written AML/CFT program, approvals, and change log. 1
- AML Officer designation and governance materials. 1
- Onboarding/CDD/EDD files, including ownership docs where collected.
- Sanctions screening logs and disposition notes. 7
- Alert/case logs, investigation memos, SAR decision memos, SAR filing records once applicable. 1
- Training content and completion logs. 1
- Independent testing reports and remediation tracking. 5
Common exam/audit questions and hangups
Expect the SEC to ask questions that test “design + operating effectiveness,” especially given stated exam focus on AML expansion to advisers. 2
- “Show me your AML risk assessment and how it drives your controls.”
- “Where do you get transaction and investor data, and what do you do when you don’t have it?”
- “Which functions are performed by third parties (administrator/transfer agent), and how do you oversee them?”
- “Provide a sample of high-risk investors and your EDD evidence.”
- “How do you ensure your public disclosures about AML match what you actually do?” 11
- “How do you manage alert backlogs and timeliness?” 12
Frequent implementation mistakes (and how to avoid them)
- Copying a bank/broker template without tailoring. Write to your advisory workflows and validate monitoring based on your data. 6
- Overstating AML in ADV/marketing/offering docs. Run a disclosure-to-control mapping review and keep evidence for every claim. 11
- Delegating to a third party without oversight evidence. If an administrator performs KYC, your program must specify oversight testing and document requests.
- No capacity plan for growth. Build metrics and an escalation path for backlog and aging. 12
- Policies that require closure/restriction, but operations can’t execute. Add workflow controls and exception governance. 13
Enforcement context and risk implications
Treasury has described adviser-sector exposure to sanctioned persons, corrupt officials, and complex structures that can conceal beneficial ownership, including national security implications tied to certain investments. 7 Separately, SEC actions show the agency will pursue adviser-facing issues such as misleading AML representations and weak tailoring even before the FinCEN rule’s effective date. 3 Your risk is not limited to future BSA exams; it includes present-day disclosure and supervision failures that surface during routine SEC exams.
Practical 30/60/90-day execution plan
You asked for speed. Here is a pragmatic implementation sequence you can run now to reduce execution risk well before the effective date. 1
First 30 days: scope, ownership, and gaps
- Publish the AML/BSA scope memo (covered entities, products, third-party dependencies).
- Assign the AML Officer and document authority and escalation.
- Run a disclosure review: Form ADV, offering docs, DDQs, marketing statements about AML; create a “claim → evidence” mapping. 11
Days 31–60: risk assessment and program drafting
- Complete the AML/CFT risk assessment aligned to Treasury’s adviser risk channels. 7
- Draft the written AML/CFT program with tailored procedures for onboarding, EDD, sanctions screening, and suspicious activity escalation. 1
- Define third-party oversight testing if an administrator handles onboarding.
Days 61–90: implement workflows and evidence generation
- Launch risk scoring + EDD workflow in onboarding, with checklists and approvals.
- Stand up alert logging and case management (even if lightweight) so investigations and decisions are traceable.
- Deliver role-based training and collect attestations.
- Schedule independent testing (internal audit or qualified external reviewer) and predefine the sample set and deliverables. 5
Where Daydream fits
If you need to operationalize fast, Daydream can serve as the system of record for your AML program artifacts, your control-to-evidence mapping, and your exam request readiness so you can produce consistent evidence across entities and third parties without spreadsheet sprawl.
Footnotes
- SEC Division of Examinations (October 21, 2024); February 2024
- Investment Company Act Release No. 6431 (September 25, 2023)
- February 2024; Investment Advisers Act Release No. 6823, File No. 3-22414 (January 14, 2025)
- Investment Advisers Act Release No. 6823, File No. 3-22414 (January 14, 2025)
- Exchange Act Release No. 102170, File No. 3-22405 (January 13, 2025)
Frequently Asked Questions
Are all investment advisers subject to BSA/AML requirements today?
The FinCEN final rule applies to covered investment advisers effective January 1, 2028. (Source: 31 C.F.R. pts. 1010, 1032 (effective January 1, 2028)) SEC enforcement still shows advisers can face actions for misleading AML disclosures or weak controls under existing SEC authorities. (Source: Investment Advisers Act Release No. 6823, File No. 3-22414 (January 14, 2025))
What are the “pillars” I need to implement?
The statutory foundation includes internal controls, a designated compliance officer, ongoing training, and independent testing. (Source: Section 352 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)) FinCEN’s adviser rule adds customer due diligence as a core element of the AML/CFT program. (Source: 31 C.F.R. pts. 1010, 1032 (effective January 1, 2028))
We outsource investor onboarding to a fund administrator. Can we rely on that?
You can delegate tasks, but you still own the program. Put oversight into your written procedures and retain evidence of administrator performance and your testing of their workpapers.
What’s the biggest “quick fail” in an exam?
A written AML program that does not match your business and data reality, or disclosures that claim controls you cannot evidence. SEC enforcement has specifically targeted failures to tailor and inaccurate AML representations. (Source: Investment Company Act Release No. 6431 (September 25, 2023); Investment Advisers Act Release No. 6823, File No. 3-22414 (January 14, 2025))
How should we handle foreign investors and complex ownership structures?
Treat them as documented EDD triggers, collect ownership and source-of-wealth/funds support appropriate to the risk, and retain a memo that explains the decision to onboard. Treasury and SEC matters highlight these as real adviser-sector risk channels. (Source: February 2024; Investment Advisers Act Release No. 6823, File No. 3-22414 (January 14, 2025))
Will the SEC examine this even though FinCEN wrote the rule?
FinCEN delegated examination authority for investment adviser AML requirements to the SEC, and SEC exam priorities flag the coming expansion. (Source: SEC Division of Examinations (October 21, 2024))