Your RIA May Now Be Legally Required to Have an AML Program. Here's What That Means.

As of January 1, 2026, SEC-registered investment advisers and exempt reporting advisers with U.S. connections are subject to FinCEN's new AML rule. The deadline has passed. If your advisory firm hasn't acted yet, here is what the rule requires, why the window to comply quietly is closing, and what a practical AML program looks like for an RIA.

As of January 1, 2026, FinCEN's new rule extending Bank Secrecy Act obligations to investment advisers is in effect. The rule applies to SEC-registered investment advisers and exempt reporting advisers with a sufficient U.S. connection. If your advisory firm falls into either category and has not yet implemented a compliant AML program, you are not in a gray area — you are in non-compliance with a federal regulation that has already taken effect.

This is worth stating plainly because a significant number of advisory firms spent the past two years watching the rule and hoping it would be delayed, modified, or withdrawn before its effective date. It was not. FinCEN finalized the rule in August 2024, the effective date of January 1, 2026 was not moved, and the firms that assumed otherwise are the ones scrambling right now. The window to get compliant proactively — before an examination, before a banking partner asks for evidence of your program, before a regulator walks in — is still open, but it is narrowing.

The rule has a specific scope. It applies to investment advisers registered with the Securities and Exchange Commission under the Investment Advisers Act of 1940, and to exempt reporting advisers that report to the SEC. State-registered advisers are not currently covered by the federal rule, though the direction of regulatory travel suggests that may change. If you are an SEC-registered investment adviser or an exempt reporting adviser with U.S. clients or U.S.-based operations, the rule applies to you regardless of the size of your firm, the nature of your investment strategy, or whether you have ever previously had AML obligations.

What does the rule actually require? The structure maps directly onto the five-pillar BSA framework that applies to other covered financial institutions — which means RIAs are now expected to build programs to the same structural standard as banks, money services businesses, and broker-dealers. The five required elements are a written AML program covering internal controls, a designated AML compliance officer, annual training for appropriate personnel, a customer due diligence program including beneficial ownership procedures, and a suspicious activity reporting capability. Each of these elements has specific content requirements, and the absence of any one of them is a program deficiency.

The written AML program is the starting point. It must be risk-based — meaning it must be calibrated to the specific money laundering risks your firm faces, not modeled on a generic template. The risk profile of an RIA is genuinely different from that of a bank or a money transmitter. Your AML program must reflect your specific client base, your investment strategies, the jurisdictions where your clients are located, and the transaction types your firm facilitates. A policy that describes generic AML procedures without grounding them in your firm's actual risk profile is not a risk-based program. It is a document that will not hold up when an examiner asks specific questions about why your controls are calibrated the way they are.

The designated AML compliance officer requirement is not a formality. The officer must have actual authority to implement and enforce the program, actual knowledge of the BSA requirements applicable to investment advisers, and actual time allocated to compliance responsibilities. For small RIAs with lean staffing, this is often the element that requires the most honest internal conversation. The CCO of a two-person advisory firm who is also responsible for investment management, client relations, and operations does not have the capacity to meaningfully manage an AML program on top of those responsibilities. That does not mean the role cannot be satisfied at a small firm — it means the firm needs to be honest about whether the person designated has genuine capacity, and if not, whether outside compliance support is appropriate.

Annual training for appropriate personnel is another element that is frequently underestimated. The BSA's training requirement is not satisfied by distributing a document and asking staff to acknowledge receipt. Training must be instruction — content that is appropriate for the specific responsibilities of each employee category, delivered through a medium that actually conveys the material, and documented in a way that demonstrates it occurred. For RIAs, this means training that covers the money laundering risks specific to investment advisory activity: red flags in client onboarding, source-of-funds indicators, beneficial ownership verification, and SAR filing triggers in the context of investment management. Generic AML training content designed for bank tellers is not appropriate for advisory firm staff.

Customer due diligence is the element that will require the most operational change for firms that are starting from scratch. The rule's CDD requirements for investment advisers include establishing and maintaining procedures to verify the identity of clients, to understand the nature and purpose of client relationships, to conduct ongoing monitoring of client activity for suspicious patterns, and — for entity clients — to identify and verify the beneficial owners of those entities. This last requirement is where advisory firms frequently underestimate the scope of their obligation. If your client base includes LLCs, limited partnerships, trusts, or other legal entities, you are required to identify the individuals who ultimately own or control those entities. Accepting an entity name on an account without understanding who is behind it is not adequate CDD.

The SAR filing requirement is new for most investment advisers, and it is the element that most directly implicates the firm's ongoing monitoring practices. Under the rule, RIAs are required to file Suspicious Activity Reports with FinCEN when they detect transactions that involve the proceeds of crime, are designed to evade reporting requirements, or have no lawful purpose. The $5,000 threshold that applies to many other covered institutions applies to investment advisers as well. For an advisory firm, SAR-triggering activity might include a client's sudden unexplained transfer of large amounts into or out of managed accounts, unusual cash-equivalent activity inconsistent with the client's stated investment objectives, or attempts by a client to structure transactions in patterns that suggest awareness of reporting thresholds. The firm must have documented procedures for identifying these patterns, escalating internally, and making filing decisions within the required timeline.

One of the practical realities of implementing an AML program for an RIA is that the compliance infrastructure investment is modest relative to the regulatory risk of non-compliance. A well-designed AML program for a small to mid-sized advisory firm does not require a dedicated compliance department. It requires a risk assessment that accurately documents your firm's exposure, a written policy that maps to that assessment, a compliance officer designation with genuine authority and adequate time, training that covers your specific risk environment, CDD procedures that are actually followed at onboarding, and a documented process for SAR evaluation. These elements are achievable for firms of any size. The cost of building them properly is a fraction of the cost of remediation after an examination finding.

The examination risk for RIAs is real and is likely to accelerate. FinCEN coordinates closely with the SEC, and the SEC has existing examination authority over registered investment advisers. Now that RIAs have explicit AML obligations under the BSA, examination teams have a clear regulatory basis for evaluating AML program quality alongside their existing investment adviser examination procedures. The firms most at risk are not the ones that tried to build a program and came up short — they are the ones that made no genuine effort to implement one before the January 1, 2026 effective date. Those firms face examination exposure that compounds over time.

The firms we are seeing act quickly right now are the ones that recognized the effective date and are moving to close their compliance gap before the first examination cycle under the new rule. The conversation at those firms typically starts with an honest assessment of where they stand: do they have a written AML policy that is specific to their business? Have they designated a compliance officer with real capacity? Have they trained their staff? Have they updated their client onboarding procedures to collect and document beneficial ownership information for entity clients? For most firms that have not previously had AML obligations, the answer to most of these questions is no. That is not a catastrophe — it is a starting point.

The practical path forward for an advisory firm that needs to get compliant is sequential. Start with the risk assessment. Document your client base, your investment strategies, the jurisdictions where you operate, and the specific money laundering risks that apply to your firm's activity. Use that assessment to build a written policy that reflects your actual risks and your actual controls. Designate a compliance officer with documented authority and a realistic time allocation. Build a training program that covers the BSA requirements applicable to investment advisers, train your staff before the next examination cycle, and document the training. Update your client onboarding procedures to include the CDD and beneficial ownership verification steps the rule requires. Implement a documented process for SAR evaluation. And schedule an independent review of your program within the next 12 months to confirm that what you built is examination-ready.

The question we hear most often from advisory firms at this stage is whether the rule will be rolled back or modified before enforcement intensifies. The honest answer is that this is not a productive posture. The rule is in effect. FinCEN has examination authority. The SEC has examination authority. The firms that get compliant now are the ones that will be positioned well regardless of what happens next in the regulatory environment. The firms that continue to wait are taking on compounding risk with no corresponding upside.

If your advisory firm needs to build a compliant AML program quickly, this is solvable. The window to do it quietly, before an examination, is still open. After an examination finding, that window closes — and the cost and complexity of remediation under a regulator's timeline is materially higher than the cost of building a program proactively on yours.

Elena Vargas

BSA/AML Principal Consultant · Soflo Consulting


Elena Vargas is a BSA/AML Principal Consultant at Soflo Consulting with over a decade of experience building and auditing compliance programs for regulated businesses across the United States. She specializes in enforcement action remediation, risk assessment development, and examination preparation for money services businesses, mortgage lenders, and fintech companies.

Key Takeaways

  1. FinCEN's rule extending BSA/AML obligations to SEC-registered investment advisers and exempt reporting advisers became effective January 1, 2026
  2. The five required program elements are: written AML policies and internal controls, a designated AML compliance officer, annual employee training, customer due diligence with beneficial ownership procedures, and SAR filing capability
  3. The written AML program must be risk-based — calibrated to your firm's specific client base, investment strategies, and geographic footprint, not a generic template
  4. Entity clients require beneficial ownership identification: any LLC, LP, trust, or other legal entity onboarded as a client requires identification of the individuals who ultimately own or control it
  5. SAR filing is a new obligation for most RIAs — firms must have documented procedures for identifying suspicious patterns, escalating internally, and filing within the required timeline
  6. Examination risk is real and accelerating — FinCEN coordinates with the SEC, which already has established examination authority over registered investment advisers
  7. The compliance infrastructure investment for a small to mid-sized RIA is modest relative to the regulatory risk of non-compliance
  8. The window to comply proactively — before an examination — remains open but is narrowing as the first examination cycle under the new rule approaches
