Oyster Stew - A Broth of Financial Services Commentary and Insights

Time to Act: Why RIAs Must Prepare for AML Compliance Now

Oyster Consulting, Ed Wegener, Bryan Jacobsen

Understanding and implementing the new FinCEN AML (anti-money laundering) requirements for registered investment advisors (RIAs) is crucial to achieving compliance by the 2026 deadline. Preparing for AML compliance as an RIA will take time. Firms must develop and implement risk-based AML programs, appoint compliance officers, establish monitoring systems, and ensure staff receive proper training—steps that require careful planning and execution well ahead of the 2026 deadline.

Join Ed Wegener and Bryan Jacobsen as they discuss:

- 8 critical elements of compliance and their implications
- Building a strong AML program: steps for RIAs
- The importance of a risk-based approach to AML compliance
- Key elements required for establishing an AML program
- The role of a designated AML Compliance Officer (AMLCO)
- Independent testing and ongoing compliance monitoring
- Leveraging third-party resources and ensuring adequate training

Whether you are already familiar with AML regulations or completely new to the topic, this episode provides essential insights to prepare your firm for the upcoming changes. Tune in to ensure that you have the knowledge and tools needed to comply with these vital regulations.

Oyster Consulting has the expertise, experience and licensed professionals you need, all under one roof. Follow us on LinkedIn to take advantage of our industry insights or subscribe to our monthly newsletter.

Does your firm need help now? Contact us today!

Libby Hall: Hi, and welcome to today’s episode of the Oyster Stew Podcast. I’m Libby Hall, Director of Communications for Oyster Consulting. In this episode, we’re focusing on a critical regulatory development that will impact Registered Investment Advisors (RIAs) and Exempt Reporting Advisors (ERAs) - the new anti-money laundering (AML) requirements introduced by the Financial Crimes Enforcement Network (FinCEN).

With the January 2026 compliance deadline approaching, RIAs must prepare to implement risk-based AML programs, designate compliance officers, conduct independent testing, and monitor for suspicious activity. But who exactly is impacted? How can firms build an effective AML program? And what are the risks of non-compliance? And why do they need to start preparing now?

Today, our experts break down everything RIAs and ERAs need to know—from understanding their obligations to leveraging existing compliance programs and avoiding costly enforcement actions. Whether you're an RIA executive, compliance officer, or risk management professional, this episode will provide key insights to help you stay ahead of the regulatory curve. Let’s get started – Ed?

Ed Wegener: Hello everyone, and welcome to our podcast today on AML Requirements for Registered Investment Advisors. My name is Ed Wegener, and I am the Practice Lead for Governance Risk and Compliance, or GRC, at Oyster Consulting. I'm really fortunate to have Bryan Jacobsen with me. Bryan's one of our senior level consultants in GRC, and he has extensive experience in broker dealer and investment advisor compliance, which includes experience with things like AML compliance and more complex areas like digital assets and cryptocurrencies. So, we're really fortunate to have Bryan with us today. Welcome, Bryan.

Bryan Jacobsen: Thanks, Ed. Just a little bit about myself - I've been in the industry for over 25 years, and pretty much spent my entire industry career within compliance. I've had the fortune of being the CCO for several different firms including digital asset firms, RIAs and broker dealers and clearing firms. And so, I've been able to touch a lot of different aspects of the business. One of the areas that I do specialize in is anti-money laundering, so I'm definitely looking forward to this discussion.

Ed Wegener: And you are ACAMS certified, correct?

Bryan Jacobsen: I am ACAMS certified, as well as having spent numerous hours just personally reviewing AML rules and regulations.

Ed Wegener: Excellent. Well, it's terrific to have you here as we talk about this topic. The reason we're here is because in August of last year, FinCEN, the Financial Crimes Enforcement Network, which is a part of the Treasury, adopted new rules that add certain investment advisors and exempt reporting advisors to the definition of designated financial institution for anti-money laundering and counter financing of terrorism purposes. It is going to put requirements onto those types of entities, or at least some of those types of entities. The impacted ones are going to have to have certain AML requirements and very similar to what we've seen for broker dealers. Bryan, given that, can you share an overview of what will be required of RIAs and ERAs?

Bryan Jacobsen: So, it's important to understand that there are really eight key elements of the FinCEN final rule. The first, and probably the starting point is, as you mentioned, an expansion of the definition of a financial institution. Why that's key is that if you look at the previous regulations, RIAs were specifically excluded from the definition of a financial institution, which ultimately drives all of the other requirements that we're going to talk about. So, by including an RIA in that definition, it does create the need to create everything that we're going to talk about. But beyond that, the other seven items are implementing a risk-based AML program. That's key because, ultimately, what firms need to do is understand that an AML program is not a one-size-fits-all. It really comes down to the specific type of business that the RIA is in, their client demographics, all of the various risks, and really tailoring their AML program based on that. There's also a need for independent testing of the AML program, and that should be done annually. There's a need to designate an AML compliance officer (AMLCO), someone that's ultimately responsible for the AML program. You need to provide employee training. You need to monitor and file suspicious activity reports, and also report currency transactions, cash currency transactions. And then the last thing is to ensure that there's trade rule compliance, that you have the ability to review for that level of trade surveillance.

Ed Wegener: That's a lot of things that firms need to consider and be ready for, and the time is kind of short. I mean, the rule goes into effect at the beginning of 2026, so January 1st, 2026, which sounds like it's a lot of time because it's a year away, but given all the things that you had mentioned, that's a heavy lift for firms. They really need to start thinking about these things now and start planning for these things now, which is why we thought it was a good opportunity at the beginning of this year to start talking about what those requirements are. But importantly, not all firms, not all RIAs and ERAs, are impacted by this. While I think probably most are, there are certain ones that aren't. Bryan, I wonder if you can explain who will be impacted by these requirements?

Bryan Jacobsen: Yep. Absolutely. So, first of all, and just to touch on the point that you're making, what I don't want is for firms to think that it's as easy as putting in place some policies and procedures, and therefore you can wait until, whatever, the fourth quarter of this year and then do that work. Really, there's a lot that's going to go into creating your policy. So now is the time to start that, if you haven't already started. But to answer your question directly, the rule ultimately applies to any SEC registered investment advisors and exempt reporting advisors. There are some exclusions; for example, mid-size advisors, multi-state advisors, pension consultants, family offices and state registered advisors are not covered under the rule. Now that's not to say that individual states, as an example, may not come up with their own AML requirements, but as it relates to this specific rule, they are exempt.

Ed Wegener: Excellent. And, in thinking about the firms that are impacted in this, there are many firms that have expanded to work internationally. There are foreign firms, where the jurisdictional lines aren't as clear. For firms that do business internationally, do FinCEN’s new requirements impact them the same as they would a firm that's doing business solely domestically?

Bryan Jacobsen: There is definitely an impact, but it's not quite the same playing field. So, for foreign advisors with their principal place of business outside of the US, the rule really only applies to the advisory activities that are conducted within the US or involve services that are provided to US persons. So, there is a little bit of a different mindset when it comes to these foreign based RIAs.

Ed Wegener: No, that makes a lot of sense. Thinking about other types of advisors, there are registered investment advisors whose clients are or may already be subject to AML requirements because they're considered financial institutions. So how does that work where an RIA’s clients may already be subject to the AML requirements?

Bryan Jacobsen: Great question. If an RIA's client is a regulated entity, whether it's a mutual fund, an RIA, a bank trust, so on and so forth, ultimately the RIA is exempt from the AML requirements for that client. So, you are able to rely on the fact that they are a regulated entity and do not have the same level of AML responsibilities.

Ed Wegener: And presumably, especially with things like a mutual fund, where there are certain RIAs whose clients are exclusively mutual funds that are already covered, in those cases, you know, based on their business model, they would not be required to comply with the requirements because their clients are already complying.

Bryan Jacobsen: That's correct, yes.

Ed Wegener: You mentioned that, and this being an important part of one of the requirements that you had mentioned, impacted RIAs and ERAs need to designate a specific AML compliance officer. Having worked with broker-dealers and reviewed the requirements of the new rule, what types of qualifications should firms be looking for, or are required of, an AML compliance officer?

Bryan Jacobsen: So really, I would say that there are two main things that you should look for when determining whether it's an internal person that you're going to promote as AMLCO or if it's an external hire. The first thing that you need to look at is obviously their familiarity with the type of business that your firm does. So, for example, if an AML officer has extensive experience in maybe retail securities, they may be great, and they may be knowledgeable about AML in general. But if your firm does business specifically in private funds, and that's the majority of where you spend your time, then perhaps the background does not exactly match. So, you definitely want to make sure that the person that is assuming this role has a good level of business knowledge of the type of business that the firm does.

And then also you want to look for the other type of qualifications. You know, while it's not mandatory within the rule, certain certifications such as the ACAMS AML specialist designation are definitely highly recommended. There are also several other good ones out there, although ACAMS is probably the most well-known organization, but you want to look for that. And then, just given the high stakes of AML compliance, in that any mistakes, if you will, can certainly result in seven figure fines, you really want to ensure that the AMLCO does have an extensive number of years of experience advising firms on AML policies. And again, each firm needs to set this number, but I always recommend at least 10 years of relevant experience providing this type of advice.

Ed Wegener: No, that's great. And I think highlighting the fact that, especially with larger financial institutions where there have been AML breakdowns, those findings are very significant. Even with smaller firms, they wouldn't be as significant as they are with the larger firms, but it could have a big impact on the firm. So, having somebody who has that understanding both of the firm's business and the AML requirements is really going to be key. One question that comes up often when we think about this is RIAs often have affiliates that are already subject to AML requirements, for example, broker dealers, banks, et cetera. Can an RIA or ERA utilize the AML programs of those types of affiliated entities?

Bryan Jacobsen: Yeah, absolutely. I think that in keeping with, in general, the AML rules that are affecting our organizations such as banks or broker dealers today, you can definitely rely on the AML program whether it's the parent entity or an affiliate. However, the one caveat I would mention is that you have to make sure that at a minimum, their program encompasses everything that the FinCEN requirements require you to do. So, if there are glaring gaps because of different regulatory bodies that that entity reports to, then you just need to make sure that you shore that up and have at least as comprehensive a program that addresses all of the needs. But ultimately, yes, there is certainly a desire not to have to duplicate or replicate resources and efforts, and you can rely on those programs to the extent that they fit within the regulations.

Ed Wegener: That makes sense. When thinking about the work that we've done with broker dealer clients on their AML programs, they often rely to some extent on third parties, for example, their clearing firms. How will RIAs be able to rely on similar third parties? I'm thinking about potentially their custodians. Will they be able to rely on them at least for certain activities?

Bryan Jacobsen: So, the short answer is yes. There is definitely an ability to rely on a third party, including a custodian. However, I'm going to put this in big brackets and quotes and say that you really need to look at your custodial contract. In most contracts, there will be a specific section that talks about the AML requirements and the fact that the custodian will not take responsibility over those requirements.

So, as an example, a custodian may do something like an OFAC check, and they're doing that as it's required for them as a custodian. However, even if they report those results to you, you can't really rely on those results unless it’s specifically spelled out in the contract. Other things that you would need to make sure are done are, obviously, a formal agreement that outlines specifically the delegated duties, and then also you need to make sure that there's an annual attestation from the third party that basically says that they will continue to perform these duties and that they meet all the AML obligations.

And the last thing is, you need to make sure that whichever third party you're relying on, they are subject to AML requirements under the Bank Secrecy Act and are also regulated by a federal authority. So again, specific to custodians, yes, theoretically you could rely on a custodian, but I think what you'll find is that most custodians will probably not be willing to take on that liability. And in all cases, just remember, you can always delegate the work. You can never really delegate the liability. If you're relying on a third party, you just need to make sure that you have a lot of confidence in their process and that you've done the due diligence to know that they have a good process. Because if they make a mistake, contractually you might have some ability to go after that third party. But the reality is that any regulatory issues or reputational damage, because it's on the front page of the Wall Street Journal, or so on and so forth, that you can't really delegate. So, something to keep in mind.

Ed Wegener: It sounds like that's very similar to other situations where firms delegate certain regulatory requirements, where they're allowed to, in that they can do that, but at the end of the day, they're required to make sure that’s happening, and it's being done effectively. So due diligence on the front end, as well as ongoing due diligence to make sure that those delegated functions are being done and being done effectively, is going to be critical. Because if there is a breakdown, as you had mentioned, the regulators will understand if you've delegated something, but they're going to want to make sure that you were doing that ongoing review, because if you aren't, then it will be difficult not to have that liability attached to some extent to the RIA that's delegated those activities. So, it is a really important thing to keep in mind. One of the other important things that you mentioned, very similar to other areas, is training. They specifically call out training as being a requirement. What should RIAs and ERAs expect in terms of the training programs, and what makes an effective training program?

Bryan Jacobsen: Great question. I've reviewed a lot of different firms in different industries, RIAs, broker dealers, and reviewed the training documents. One aspect that I think firms tend to not do as good a job in is around trying to make the training one-size-fits-all. What I mean by that is they'll come up with a training deck that talks about the three stages of money laundering, and then they'll talk about some common red flags. And all of that is great to set the floor level understanding with employees. But then from there, firms really do need to look at, first of all, the specific risks facing their business, and what type of training they need to do to educate their employees on those specific risks.

Using the previous example, I could talk about red flags involving retail securities, but is that really appropriate for a firm that handles mostly private funds? So, the point being, you need to tailor your training to the business of the firm. But then even more important than that is also looking at the type of employees that you have and their interactions and their touch points as it relates to AML. So what I mean by that is that the training that you give a front facing employee, that maybe deals with customers or deals with more of the sales aspects of the RIA, may very well be very different than the training for someone that is more operational and more on the back end of things, because of their visibility into whether it's client communications or the systems that they're using. And so, the training really needs to be tailored towards their specific functions so that they're aware of the piece that they play as it relates to AML and safeguarding the firm against violations.

Ed Wegener: Excellent. Another thing, just thinking about those eight requirements that you had mentioned, an important one is independent testing. I'm curious, what are the testing requirements and when FINRA talks about the testing being independent, what does that look like? What does that mean?

Bryan Jacobsen: I think the word independent has to come before anything else. At the end of the day, if a firm chooses to do it internally, the testing really needs to be done by someone that is not directly or indirectly involved in the AML program. So, for example, if you're the Chief Compliance Officer for the firm and maybe the AML compliance officer reports to you, well, you would not be able to do the testing because ultimately that's part of your chain of command, if you will. Similarly, if you are responsible for onboarding customers or any aspects of the AML program, you would not be considered independent. So it has to be someone outside of those functions. And then once you identify an independent source, then you need to make sure that person is obviously trained in AML and trained to look for AML violations. So that would be to understand the end rules, the Bank Secrecy Act (BSA), the SEC rules, all of that, to make sure that they can do a thorough independent review of the AML program.

Ed Wegener: You know, all of this kind of goes back to, you know, whether it's policies and procedures or training or testing, that it needs to be risk-based. As part of assessing your training, assessing your testing, the types of testing that you do, developing your policies and procedures, risk should be forefront. So how should firms be assessing risk as part of their AML programs? And is assessing risk the same as testing each firm?

Bryan Jacobsen: In order to develop a comprehensive AML program, you should absolutely create a risk assessment specific to AML. There are other uses you can do a risk assessment for, but this one is specific to AML. What’s interesting about the risk assessment is that while it's not specifically mentioned in the final rule, the fact remains that most regulators do expect AML programs to have a risk assessment. And they look at that as a sign of a mature and comprehensive program, that the firm has gone through the process of creating a risk assessment. The risk assessment should not be thought of as a one-and-done document. It really is a living, breathing, ongoing exercise. And what you're doing is creating a numeric score, and you're looking at two things.

You identify all of the risks that you can think of that would impact the potential AML program. So, you're looking at things such as client demographics, client background, resources, and personnel. You're looking at product and product demographics, all of those things that make up the program, and you're essentially saying, okay, without any controls whatsoever at the firm, what is the relative risk of these various items that I've identified? You come up with a score from one to five. Then on the flip side, you would look at things such as, well, now that I've put together the mitigation of those risks, I have a surveillance program, I have whatever the mitigations are. You then decide, okay, what is the true risk, or the true score of that risk, based on the mitigation that I have in place?

Once you do that, that allows you to really examine and identify the specific risks that you need to focus on. It'll give you a comprehensive risk score so that you can see whether or not your AML program as a whole is high or low. Then you can also focus on the different risks and focus your attention and your resources on areas that perhaps are scoring a little bit higher than you would like, even after the mitigation has been put in place. That way you can say, obviously I need to put in more guardrails or more controls. So, once you're done with that, that allows you to really develop your policies and procedures, because you've gone through the exercise of understanding exactly where and how the risks lie.

You can create your surveillance program, you can determine how many resources you need to dedicate to the AML function, so on and so forth. So, I was just going to say, the one thing some firms do get confused about, and I think you alluded to this earlier, is the difference between the risk assessment and the independent audit that I mentioned before. Whether it's Oyster or internally, whenever an independent audit is done, we're really looking at it from a period of time. We're saying, show me records from Jan 1st to December 31st of this year, and we're going to look at that, and then we're going to look at your policies and procedures to see if there are any obvious gaps in your policies and procedures. But then what we're going to do is, based on that data set, we're going to test that data against whatever policies and procedures you've laid out. That is the audit portion. The risk assessment is really more of a holistic view of the entire program. Certainly, it's more than just a scope and time. It's looking at the entire program at the holistic level.

Ed Wegener: It's looking at the business that the firm does, which could be customers, types of products and services that are offered, the jurisdictions in which you act, and then assessing, based on all of that, how risky is our program. And that really drives all of these other things: policies, procedures, testing, training, et cetera. And one of the primary things that this all comes down to is the requirement to monitor for, and then potentially report where required, suspicious activities, or the filing of Suspicious Activity Reports (SARs). The policies and procedures, having an AML compliance officer, all of that is really focused on making sure firms can assess activity and identify where there might be issues. And so, I wonder if you could talk a little bit about the requirement both to monitor suspicious activities and then, where necessary, to file SARs.

Bryan Jacobsen: I think this is one of the areas that is probably going to be the most time-consuming for firms as they develop these AML programs. First of all, in order for you to report on suspicious activity, you need to make sure that you have the tools and the resources to do the monitoring. So that may involve whether it's a proprietary system that you develop or a third-party system. Either way, there's going to be a time element where you need to implement those new systems so that you can then review both client behavior as well as transaction behavior to look for any number of red flags. And those red flags need to be identified by the firm based on the business of the firm and the type of business that the firm does.

But ultimately, you need to create that process so that you can surveil the activities of the firm. Then, once that's done, as you're starting to receive potential suspicious activity, then you need to make sure that you go into the system and actually do the filing. Ultimately, SARs are required to be filed 30 calendar days after the date that the activity is initially detected. And there are certain thresholds, and I think, in a future podcast, we'll go much deeper, because SAR filings by themselves can certainly be a very good in-depth discussion. But just keeping it at a high level, you know, when you're doing these SAR filings, you want to make sure that you're noting how the suspicious activity was discovered, who discovered the activity, what actually happened, and what red flags were noted as part of the review.

And certain demographic information such as the client’s name, address, that sort of thing, and account number. And then of course one thing to always keep in mind is that SAR filings are always assumed to be confidential. So that's not just confidential from the standpoint of not informing the person whose account you filed the SAR on, but also internally. So, unless that AML function reports through that chain of command, you cannot discuss the SAR itself, unless there's someone that you had to bring in as part of furthering the investigation. But either way, the SARs are absolutely considered confidential and should not be disclosed outside of the immediate chain of command.

Ed Wegener: Well, the whole issue around monitoring suspicious activities and reporting suspicious activities is one of the primary areas where we've seen firms, as we've been working with broker dealers in the broker dealer space, run into trouble. When we talk about those really significant enforcement actions that are taken, oftentimes it's related to the monitoring of suspicious activities, or the lack of, or the reporting of suspicious activities, or the lack of, and it seems like a good starting point is to really understand what those red flags are. And there are things that you can look to. FINRA, in helping broker dealers comply with their requirements, has put out lists of types of things that they consider to be suspicious activities. FinCEN has done similar things, I would anticipate, in the lead up to this.

You might see guidance coming out from the SEC as well. International bodies, such as FATF, have put out a number of different typologies that are the types of red flags that a firm might see. Understanding what those red flags are, making sure that you have means to monitor, to look for those types of red flags. And then importantly, where I've seen firms fall down and leading to enforcement actions, is making sure that the follow up to the monitoring, when there are alerts and flags that say there's some suspicious activity, making sure that that follow up is thorough and that there's a good decision-making process around whether that's something where a suspicious activity report needs to be filed, that's going to be important. So, as you start to think towards getting your program ready for next year, that's going to be an important consideration.

There are a lot of vendors that help with the types of systems that they have for doing that kind of monitoring. You should be thinking about what types of vendors you need to engage. And potentially, if custodians have programs to kind of help, as we talked about earlier, there could be some reliance on some of the tools and resources that they may have.

It sounds like a lot that needs to be done. Again, there's a year before this actually becomes effective, so now's the time to start thinking about this. Bryan, before we end this, I was wondering if there are other considerations you think that firms should be planning for?

Bryan Jacobsen: Well, just to talk quickly about the potential liability. So, you're absolutely right. Now is the time to get these programs up and running, because before you know it, and everyone has so many multiple hats that they wear and all that stuff, it's going to be the fourth quarter, and you're going to have three months to try and cram all this in, which is certainly not enough time. What I would recommend is that firms start with the risk assessment now. If they haven't already started, they should do a comprehensive risk assessment that probably will take a few months. Then, at the end of the first quarter, I would probably start working on the policies and procedures and looking at the resources to bring in and systems that they need to implement.

And all of that could easily take the rest of 2025. So, definitely now is the time to get going on that. One thing to keep in mind is that failure to implement solid AML procedures is not going to work for anyone. If you've paid attention to some of these AML fines, rarely do you see the AML fine that starts with less than six figures. And usually that six figure starts at $500,000 or more. Recently, just as an example, a bank was hit with a $3 billion AML violation which included obviously a lot of penalties and fines. But that may not be quite the same for you. Obviously, that's a very large bank, but even on smaller entities, what I see is typically the starting point for regulatory violations is around $400,000 or $500,000.

So even at a very small entity, the AML fines are very stiff. Not to mention there's potential jail time, and that sort of thing, for the AMLCO or other people in that chain of command that exhibited what the regulators would call willful blindness, which is, even though you didn't specifically check on that, you probably should have checked on it, and you had all the information to know that there was suspicious activity. So, that's what I would recommend. If there's one thing you take away from this podcast, it is the fact that now is the time to act. You should not wait. You should definitely look at this stuff immediately.

Ed Wegener: Those are all really important points. Another thing that I think firms need to be aware of, if you haven't worked in the AML space before, is that even though they talk about this in terms of AML, which is anti-money laundering, or counter financing of terrorism (CFT), the requirements are very broad, especially the requirements to monitor for and report suspicious activities. And it goes beyond just what you would think would be traditional money laundering or terrorist financing activities. It covers any illicit activities done by or through the RIA. It's important to think broadly as you're thinking about those red flags that we were talking about before.

Just as an example, FINRA had used these AML requirements in targeting illicit activity that they saw around penny stock fraud. Even though when you think of penny stock fraud, you're not thinking that's traditional money laundering, there might be some money laundering that happens as a result of that. Just the penny stock manipulation activity itself was considered illicit and should have been monitored for. It's an example of where these AML requirements go beyond just traditional money laundering and terrorist financing activities. I would expect that other types of areas, such as cyber incidents, generalized fraud, elder exploitation, those are the types of things that, as you're thinking about your programs, you need to keep in mind in terms of things that you should be monitoring for. It's a lot to digest. We've got some time ahead of us, but I really appreciate the opportunity, Bryan, for you to share what those requirements are so that our clients can really start thinking about what they need to do between now and the end of the year. So I really appreciate that and look forward to talking to you more. Great. Thank you.

Libby Hall: If you found today's discussion helpful, don't forget to subscribe to more episodes, where we dive into industry strategies and best practices. For more information about our experts, visit our website at oysterllc.com. Thanks for listening.