On May 13, 2024, the US Securities and Exchange Commission (SEC) and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) jointly issued a notice of proposed rulemaking that would require investment advisers to establish, document and maintain written customer identification programs (CIPs). Both SEC-registered investment advisers (RIAs) and SEC-exempt reporting advisers (ERAs) would be subject to the rule, while state-registered advisers, state-exempt reporting advisers and non-US advisers that are not RIAs or ERAs would not be subject to the rule.
The proposed rule follows a FinCEN proposal issued earlier this year that would expressly include RIAs and ERAs in the definition of a “financial institution” under the Bank Secrecy Act (BSA) and subject them to the same anti-money laundering (AML)/countering the financing of terrorism (CFT) requirements of such financial institutions – including implementing and maintaining a risk-based AML/CFT program (AML/CFT proposed rule). The new proposed rule would require covered investment advisers to incorporate a CIP into their AML/CFT programs. The proposed rule would require the CIP to be appropriate for an adviser’s size and business, taking into consideration various risk factors applicable to the adviser.
Application to venture capital and other private funds
As proposed, the rule would apply to RIAs and ERAs, including with respect to their private funds, but not with respect to investors in those private funds. Under the proposed rule, a “customer” would be any person who opens a new account with an investment adviser, and an “account” would be any contractual or other business relationship between a person and an investment adviser under which the adviser provides investment advisory services.[1] The proposing release states that “customers” does not include investors in a private fund. Therefore, while the requirements would apply to RIAs and ERAs with respect to a private fund customer, the information advisers would need to collect would be the identifying information of the private fund, rather than the information of those invested in such fund.
CIP requirements
The proposed rule would require a CIP to contain, at a minimum, identification verification procedures, recordkeeping, comparison with government lists and customer notices.
Identity verification
Similar to CIP requirements for other types of financial institutions under the BSA, the proposed rule would require a covered adviser to obtain, for each customer, the customer’s name, date of birth or date of formation, address and an identification number (tax identification or another government-issued identification), and verify this information so that it can form a reasonable belief that it knows the true identity of the customer. Verification would need to be completed within a reasonable time before or after account opening.
An adviser would be able to verify a customer’s information through documentary and nondocumentary means – or a hybrid of the two. For information verified with documentary evidence, an adviser would review documents, such as unexpired government-issued identifications evidencing nationality or residence and bearing a photograph or similar safeguard, certified articles of incorporation, or a government-issued business license. The adviser would not need to verify that a document was validly issued. For information verified with nondocumentary evidence, an adviser might contact the customer, obtain financial statements, compare the identifying information against fraud or bad check databases, or check references with other financial institutions. Where customers that are not individuals pose a heightened risk of not being properly identified, the CIP would need to prescribe additional measures that may be used to obtain information about individuals with authority or control over such accounts to verify the customer’s identity.
In addition, the CIP must set forth a policy to follow when an adviser ultimately cannot form a reasonable belief of a customer’s true identity. At minimum, the policy for these scenarios must address:
- When the adviser should not open an account.
- The terms under which the adviser may provide advisory services to the customer while the adviser attempts to verify the customer’s identity.
- When the adviser should close an account after attempts to verify a customer’s identity fail.
- When the adviser should file a suspicious activity report in accordance with applicable law and regulation.
An adviser would not need to reverify an existing customer’s identity each time they open a new account, so long as the adviser has reason to believe it knows the true identity of the customer based on previous verification.
Recordkeeping
The proposed rule would require the CIP to include procedures for making and maintaining a record of all information obtained pursuant to the verification process. All customer identifying information must be retained for five years after the customer closes the account. Any documents or nondocumentary evidence collected, as well as any discrepancies discovered during verification, also must be kept for five years after the record was made.
Comparison with government lists
The proposed rule would require that an investment adviser’s CIP include reasonable procedures for determining whether a customer appears on any federal government lists of known or suspected terrorists or terrorist organizations and following all federal directives related to such lists. The rule would not create an affirmative duty on investment advisers to seek out federal government lists of known or suspected terrorists; the relevant federal agencies – in conjunction with the Treasury Department – would instead notify investment advisers concerning which lists to consult.
Customer notice
Under the proposed rule, customers would need to be given notice in advance of opening an account that the adviser will request information to verify their identities. The notice would need to describe the identification requirements set out in the proposed rule and be reasonably designed to ensure that a prospective customer will view it. The proposed rule includes a sample notice, which is very similar to the sample notice for other financial institutions with CIP requirements, such as banks and broker-dealers.
Reliance on another financial institution
In certain circumstances, an investment adviser would be permitted to rely on the performance of some or all of the adviser’s CIP by another regulated financial institution, though the adviser would remain responsible for actively monitoring the operation of the CIP and ensuring compliance. The adviser’s reliance would need to be reasonable, the other institution would need to be regulated by a federal functional regulator and subject to the BSA’s AML/CFT requirements, and the other institution would need to contract with the adviser to annually certify its implementation of an AML/CFT program and performance of the adviser’s CIP program. If these requirements are met, the adviser would not be held responsible for the failure of the other financial institution to adequately fulfill the adviser’s CIP responsibilities.
Compliance date and comment submission
Under the proposed rule, covered investment advisers would be required to comply with the rule on or before six months from the final rule’s effective date, but no sooner than the compliance date of the AML/CFT proposed rule, if adopted. Comments on the proposed rule will be due on July 22, 2024.
[1] “Customer” also would include an individual who opens a new account for either another individual that lacks legal capacity (e.g., a minor) or an entity that is not a legal person (e.g., a civic club), but would exclude certain financial institutions, government entities, publicly listed companies and existing accountholders. “Account” would exclude accounts that an adviser acquires through acquisition, merger, purchase of assets or assumption of liabilities.
