U.S. Rules for Investment Advisers Portend Major Implications for Insurance Companies

How will new AML regulations affect large insurance companies with RIAs?

Insurance companies have long been required to comply with anti-money laundering (AML) regulations and exposed to risks inherent in their traditional insurance business. However, most large insurance companies also engage in the management of assets/investments and have a registered investment adviser (RIA) within their organizational structure. This existence of an RIA is now a critical fact given that the final rule published by FinCEN in August 2024 and the proposed rule by FinCEN and the SEC published jointly in May 2024 will directly subject RIAs to AML regulations. Those regulations will include requirements to report suspicious activity report (SAR) filing and implement a customer identification program (CIP).

The CIP requirement is particularly interesting since it is a necessary precursor for financial institutions to be covered by FinCEN’s customer due diligence (CDD) Rule. Therefore, these efforts will likely result in an RIA requirement for complete CDD and risk assessment, including the identification of beneficial ownership.

Compliance with FinCEN’s rule for AML obligations is required by January 1, 2026. The Rule will ultimately have important implications for large insurance companies, particularly those that don’t currently incorporate their RIA entity into their AML program.

Why Are Investment Advisers in the Crosshairs Now?

Several key drivers of the current regulatory attention on investment advisers (IAs) exist. The size, composition, and inherent riskiness of the industry have evolved, the U.S. regulatory gap for the IA industry remains an issue for the Financial Action Task Force (FATF), and the recent tightening of sanctions on Russia has illuminated where Russian oligarchs are parking their assets and why the IA industry is vulnerable to tainted assets.

Size of the Industry

In just the past decade, the IA industry has changed drastically, doubling in size with a greater proportion of individual investors. Risky high-net-worth individuals dominate those individual investors.

Since 2015, assets under management (AUM) with IAs in the U.S. has doubled, totaling about $130 trillion as of the end of 2023. High-net-worth individuals, typically considered high risk for AML purposes, now account for most AUM within the individual investor category.²

FATF Scrutiny

Even given the mammoth size of the industry, U.S. IAs have remained largely unregulated for AML. The FATF has called out this gap in the U.S. AML regime for some time, in its 2016 Mutual Evaluation Report calling out AML coverage of IAs as a priority action.³ The current rules would be a large step toward closing that gap.

Moreover, lack of regulatory coverage was called out as a deficiency/scope issue in nine of FATF’s Recommendations, including R1. applying a risk-based approach; R10. CDD; R12. politically exposed persons (PEPs); R20. reporting of suspicious transactions; and R35. sanctions, three of which the U.S. was rated partially compliant.⁴

Revelations as a Result of Tightened U.S. Sanctions

According to the U.S. Treasury’s IA risk assessment, IAs and the private funds they advise have served as an entry point into the U.S. financial system for wealthy Russians seeking to obscure their ownership of U.S. assets.⁵ U.S. SARs filed between January 2019 and June 2023 identified more than 20 U.S. IAs advising private funds where the adviser was identified as having significant ties to Russian oligarch investors or Russian-linked illicit activities.⁶ Those SARs identified an additional 60 U.S. IAs who managed private funds in which Russian oligarchs have invested, although there was no indication the IA was engaged in any illicit activity.⁷

According to the IA risk assessment, often, a member of the Russian elite or their trusted proxy invests in a public or private U.S. company with the assistance of a wealth management firm, which is usually located in an offshore jurisdiction such as Bermuda, the Cayman Islands, or Cyprus, but services primarily Russian customers. Wealth management firms invest that money in dollars through the U.S. financial system, often into U.S. technology companies in fields such as biotechnology and AI. The scale of these investments is significant and may include billions of dollars invested for a single Russian oligarch. These investments are sometimes made directly by the foreign wealth management firm and, in other instances, through a U.S.-based RIA or ERA. In other instances, funds may be routed through a consulting firm or other entity acting as an IA but not registered with or reporting to the SEC or a state regulator.⁸

What entities and activities are covered under the rules?

Generally, IAs required to register or report to the SEC are covered by the rules. However, the rules do not cover state-registered IAs, but FinCEN intends to continue to monitor the risks in that state-registered sector, so the scope of the rules could change in the future. Specifically, the rules cover:

IAs registered or required to be registered with the SEC under Section 203 of the U.S. Investment Advisers Act of 1940, except IAs that register with the SEC solely on the basis that they are Mid-Sized Advisers, Multi-State Advisers, pension consultants, and advisers who report zero AUM on Form ADV.
IAs that meet an exemption from SEC registration under Section 203(l) or Section 203(m) of the Investment Advisers Act of 1940 and report to the SEC as an ERA—there are about 5,800 ERAs in the U.S.

IAs Located Outside the U.S.

FinCEN’s rule extends to “foreign located IAs,” whose principal office and place of business is outside the U.S. But the Rule only covers those advisory activities that (i) take place within the U.S., including through involvement of U.S. personnel of the investment adviser, such as the involvement of an agency, branch, or office within the U.S., or are (ii) provided to a U.S. person or a foreign-located private fund with an investor that is a U.S. person.

IAs Dually Registered or Affiliated with a Broker-Dealer

IAs dually registered as broker-dealers or IAs affiliated with a broker-dealer through the same financial group, where the broker-dealer already has an AML program in place, would not need to establish a separate AML program for the IA if the existing AML program covers the IA’s business. However, this may still require an extension of the existing broker-dealer program to cover the IA’s business.

What Are the New Requirements for IAs?

FinCEN’s AML/CFT Program Rule

Under FinCEN’s new rule, IAs would be defined as “financial institutions” under the U.S. Bank Secrecy Act. Specifically, FinCEN’s rule for AML/CFT programs will require IAs to:

Implement an AML/CFT program, including the five pillars
Monitor for suspicious activity and file SARs & Currency Transaction Reports (CTRs)
Comply with the Recordkeeping & Travel Rule
Comply with “Special Measures” pursuant to Section 311 of the PATRIOT Act
Comply with Section 312 of the PATRIOT Act and conduct due diligence or enhanced due diligence on private bank accounts held by foreign persons and foreign correspondent accounts
Receive 314(a) requests
Allow for participation in the 314(b) program

The rule permits IAs to contractually delegate the implementation and operation of aspects of their AML/CFT programs to a third party. However, the IA would remain fully responsible and legally liable for, and need to demonstrate, the program’s compliance with regulations. IAs should carefully consider whether and what elements of their program to delegate, as that delagation could create issues around a proper risk-based approach.

Joint FinCEN-SEC CIP Rule

The joint FinCEN-SEC proposed rule for a CIP will require IAs to develop a CIP that is appropriate for the size and type of business and sufficient to form a reasonable belief that the IA knows the true identity of each customer. Specifically, the proposed rule requires:

Implementation of risk-based procedures for customer identification and verification
- Permits “reliance”: IAs may rely on another financial institution for CIP requirements if specific criteria are met, which is particularly helpful in reducing burden.
Definition of “customer” and “account”
- Interestingly, the current proposed rule does not include investors in funds as customers of IAs. Rather, the account holder or “customer” is the person who enters into the advisory relationship with the adviser, which often is the adviser’s fund. This definition makes sense in the context of purely CIP. Still, it may be too narrow a definition as it pertains to CDD and identification of beneficial ownership and what is needed to manage risk properly. FinCEN has asked for comments on whether this definition needs to be modified. So, between the submitted comments on the IA rule and the ultimate revised CDD Rule, we will have to see whether investors will be included in CIP and CDD requirements.
Recordkeeping

Implications for Insurance Companies with RIAs

RIAs won’t have long to come into compliance with these new rules. So, it would be wise for insurance companies with RIAs to begin to consider how the changes may affect their programs. Some key considerations include:

If your institution/firm currently has an AML program, does its target operating model and policy cover the business activity within your RIA legal entity?
RIAs may already obtain certain identifying information to comply with sanctions and export control requirements. Has your institution/firm considered what existing elements of those processes your institution/firm can leverage for the CIP requirement?
With investors not included but key to identifying suspicious activity, is your institution/firm considering whether to conduct due diligence on investors?
Once defined as a “financial institution” under FinCEN’s rule, RIAs will need to implement a CDD program to align with FATF requirements and potentially FinCEN’s revised CDD rule. Moreover, the data collected via CDD is a critical element in determining whether activity is suspicious and complying with the SAR filing requirement. Is your institution/firm considering CDD efforts, including identifying beneficial ownership, even if not explicitly required in the rules?
Given the growing emphasis on the risk-based approach, including in another Rule proposed by FinCEN in July meant to strengthen AML/CFT programs, does your current risk assessment methodology coverage extend to your RIA legal entity?
Is your institution/firm conducting any investigative efforts to develop a baseline understanding of your RIA’s exposure to risk typologies and what those typologies look like?
Is your institution/firm considering whether your current technology solutions, including transaction monitoring/suspicious activity monitoring and KYC/customer risk rating, are sufficient to comply with regulations and properly calibrated to manage the RIA’s specific risks?
If your institution’s/firm’s current technology is insufficient to ensure compliance and effective risk management, are you considering other technology or technology providers?
Given the complex and intermediated nature of relationships RIAs have with fund administrators, prime brokers, custodians, etc., is your institution/firm considering a proper communication plan with these partners that would help detect suspicious activity?
The rules allow for reliance on or delegation to third parties for certain AML/CFT requirements. Has your institution/firm begun to consider whether or what activities may be delegated?
Under the rule, a RIA’s AML program would need to be approved by its board of directors or trustees. If the IA does not have a board, the AML/CFT program would need to be approved by the IA’s sole proprietor, general partner, trustee, or other persons who have functions similar to a board of directors. Is your institution/firm considering how this might impact you?

Technology to Ensure Compliance & Effective Risk Management

Based on the above requirements, RIAs will need the right mix of technology solutions to underpin their AML and CIP/CDD programs. Some of those solutions include:

Transaction Monitoring/Suspicious Activity Monitoring

Given the unique nature of RIA business, the nuances of AML risk in that business, and the intermediated chain of relationships with other financial entities (e.g., prime brokers, custodians, etc.), RIAs will need a solution that is adaptable, configurable, and transparent. The flexibility to create your own rules will be imperative as much is still to be learned about the risk typologies in the RIA space.

Entity Resolution and Network Visualization

Relationships in the highly intermediated RIA business can be complex. At the same time, typologies within the RIA space often involve few transactions. Yet, the path, associated parties, and jurisdictions can be very telling, particularly where a network of funds or funds-of-funds and the potential for “nesting” is involved. Therefore, entity resolution and network visualization are key capabilities RIA’s will need in their technology mix.

CDD and Customer Risk Rating

Given the current CIP and due diligence requirements and the expectation that the future revised CDD rule could further change requirements, along with the fact that customer information in this space is a critical component to the detection of suspicious activity, a robust due diligence and customer risk rating solution will be critical for effective compliance and risk management.

AI-Driven Solutions

AI capabilities across monitoring, due diligence, and entity resolution that can emerge trends, patterns, and unknown risks and map tricky relationships will not only be critical for compliance but also for building a better understanding of risk that can lead to better control design and calibration. Moreover, and especially for those IAs who are new to AML obligations, new controls may create a lot of noise, which AI-driven solutions can help mitigate and manage.

Sources: