Asset Managers: AML ready?

On August 25^th, the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) proposed anti-money laundering requirements for US investment advisers. The proposal requires advisers that are registered with the Securities and Exchange Commission (SEC) to establish anti-money laundering (AML) programs, to report suspicious activities related to money laundering and terrorist financing, and to comply with other sections of the Bank Secrecy Act (BSA).

If finalized as proposed, the impact of these new requirements will vary. Advisers owned by bank holding companies (BHCs) are already subject to similar requirements that are applicable to their BHC parents and enforced by the Federal Reserve. These advisers will nevertheless likely experience an increase in regulatory oversight, as the proposal now allows the SEC to enforce AML requirements.

Larger, non-BHC owned advisers will experience more change, as they are not currently subject to any AML requirements. However, many of these advisers have a compliance head start due to existing internal risk management or sanctions processes that can be leveraged toward meeting the new requirements. Finally, smaller non-BHC owned advisers without risk management processes in place will be the most heavily impacted, as they need to either establish an AML program or outsource the effort.

Noncompliance stakes continue to rise, as evidenced by recent increased fines, deferred prosecution agreements, and at times targeted management accountability for AML and OFAC violations. In addition, noncompliance could cause fatal reputational damage to an adviser due to early withdrawal of current investors, difficulty in obtaining new investors, and loss of trading counterparties or bank credit facilities.

Those advisers that outsource their AML control to third parties (e.g., transfer and administrative agents) should especially consider enhancing their oversight of these third parties, given the criticality and high risk of AML controls and processes.

This post outlines challenges and other considerations around establishing an AML program, and provides our view on what’s next for advisers.

Challenges of establishing an AML program

Under the proposal, an AML program must have four Pillars: (1) policies, procedures, and controls, (2) an AML Compliance Officer, (3) ongoing employee training, and (4) independent testing (i.e., audit) of the program.

Of these, designating an AML Compliance Officer responsible for the oversight and execution of the AML program under Pillar 2 is the easiest to establish. Depending on the adviser’s size and operational needs, the AML Compliance Officer may have to be dedicated full-time to this role.

Advisers should ensure that clear reporting lines are established for the AML Compliance Office to provide frequent (i.e., no less than quarterly) AML risk updates to senior management.

The remaining pillars are more complex. They pose the following five major implementation challenges:

1. Oversight and governance

The first step in establishing a strong AML program is creating a robust governance structure and setting the “tone from the top.” To that end, senior management must be made responsible for:

• Appointing the AML Compliance Officer
• Approving the AML compliance program and related policies (as developed by the AML Compliance Officer)
• Providing on-going and active support (e.g., staffing and technology), and oversight to the AML program and the AML Compliance Officer
• Overseeing the independent testing of the AML program, reviewing the findings, and ensuring that identified weaknesses are addressed by responsible staff in a timely manner

The impact of the AML compliance program, which is the centerpiece of AML governance, goes beyond the new or enhanced AML policies and procedures to advisers’ other existing practices. For example, advisers will most likely need to collect more investor information via their subscription documents and onboarding procedures (e.g., “know your investor”) to the extent such information is currently collected at all.

2. Risk assessment

We expect the final rule to retain the proposal’s risk-based approach to AML compliance, under which AML policies, procedures, and controls should be tailored to the adviser’s specific risk profile. Accordingly, prior to developing their AML program, advisers need to perform a risk assessment of their organizational structure, and of each investor and advised vehicle regardless of whether the vehicle is created and/or administered by the adviser itself or by a third party. A detailed list of key AML risk factors is provided in Appendix 1 of the complete publication.

Notably, lack of information does not excuse an adviser from assessing the AML risks associated with a specific investor, even where obtaining such information is impractical (e.g., in case of off-shore hedge funds). On the contrary, this lack of information itself should be factored into the assessment, leading perhaps to a higher level of assessed risk.

Advisers that currently employ AML/OFAC policies, procedures, and controls should factor in the mitigating effect these existing measures may have on their AML risks, regardless of whether these measures are executed by the adviser or a third party service provider.

After completing their initial risk assessment, advisers need to periodically update the assessment’s results in light of changes to individual investors’ risk profiles, investor composition, or the adviser’s internal control program and structure. Based on our experience with other types of financial institutions, the risk assessment should be updated at least annually.

The risk assessment process can be leveraged beyond the development of the AML compliance program. For example, individual investor assessments could be used to highlight previously unnoticed high risk factors, allowing the adviser to take appropriate measures, such as implementing enhanced monitoring.

3. Monitoring and suspicious activity reporting

Ongoing monitoring of investor activity is a mandatory AML program control noted by the proposal. Accordingly, the proposal requires advisers to establish a suspicious activity monitoring program that is designed in light of each adviser’s unique risk profile. Appendix 2 of the complete publication provides examples of suspicious transactions and events that would generate alerts under a monitoring program.

Though not explicitly listed in the proposal, advisers will also need to establish a due diligence process for determining which alerted activities are in fact suspicious. To make that determination, alerts should be compared against expected investor activity (based on “know your investor” information which is obtained at the time of subscription and periodically updated), or the adviser’s historical experience with the investor. The due diligence process should be thoroughly documented, regardless of whether the activity is ultimately deemed suspicious, to evidence compliance efforts for regulatory examinations or independent testing.

Finally, activities that are determined to be suspicious must be reported to FinCEN via suspicious activity reports (SARs). Generally, these are transactions of $5,000 or more that are deemed suspicious (e.g., due to lack of a business purpose). However, advisers may choose to voluntarily report suspicious transactions that fall below the $5,000 threshold as long as the activity meets at least one of the suspicious activity criteria (listed in Appendix 3 of the complete publication).

To comply with these requirements, we expect many advisers to implement an automated transaction monitoring process to detect suspicious activities. The choice between automated and manual monitoring should be informed by factors such as the number of investors and the number of transactions to be processed. Advisers should also note that the prevailing regulatory expectation for other types of financial institutions is to have an automated monitoring process, and a similar regulatory approach is expected for advisers.

4. Training

Under the proposed AML program, employees with job functions that would require knowledge of the BSA must be trained to recognize signs of illicit activities. For a typical adviser, this requirement is applicable to front office staff (e.g., sales personnel, portfolio managers, and traders), key control staff, and senior management. In addition, training is required for employees of an agent or other third party performing AML controls on behalf of the adviser.

The initial training must be followed up by periodic “updates and refreshers.” The proposal does not prescribe a specific frequency for such training updates, but following the example of other types of financial institutions subject to similar requirements (e.g., banks, broker-dealers, and mutual funds), it should be provided at least annually. For new employees, training should commence shortly after being hired.

To prepare for potential regulatory examinations and independent testing, advisers should document both the initial and follow up training provided to employees. Documentation should include training materials, attendance records, and an employee acknowledgment that adequate understanding of the subject matter has been obtained.

5. Outsourcing of AML program activities

Given the significant effort required to establish internal AML controls, some advisers may consider outsourcing much of the operational aspects of their AML program to a third party service provider (e.g., a transfer or administrative agent). This strategy would be consistent with currently common industry practices.

However, advisers considering this option must keep in mind that they ultimately retain all AML obligations and liabilities. Therefore, advisers that choose to outsource their AML controls to third parties will still need to implement additional controls over their AML vendors, including initial verification of the third party’s AML compliance capabilities, enhanced contractual protections for the adviser, and on-going monitoring of the third party’s performance. Appendix 4 of the complete publication offers a more comprehensive list of these controls.

These outsourcing efforts are likely to be even more complicated as many transfer and administrative agents are located off-shore, and are subject to different regulatory regimes. Furthermore, since neither US nor foreign agents are currently subject to US AML regulations, they may not have adequate controls and infrastructure in place to meet the new regulatory requirements.

Due to these complexities, the decision to outsource AML controls should be made after carefully considering all associated risks and benefits, rather than merely potential cost savings.

Other considerations

In addition to the AML program itself, the proposal subjects advisers to several other BSA-related requirements, including filing currency transaction reports (CTRs), complying with recordkeeping and travel rules, and information sharing.

Filing CTRs is unlikely to be difficult for advisers, as this requirement only applies to cash transactions which are uncommon in the industry. Similarly, we do not expect advisers to find recordkeeping and travel rules challenging, although compliance would require transaction records to be more comprehensive and maintained for a longer period of time.

The information sharing requirements (established under the USA PATRIOT Act) could be more challenging for advisers, especially since the proposal does not provide much detail in this regard. The proposal requires advisers to share specific investor information with FinCEN, and allows advisers to also voluntarily share customer information with other financial institutions (e.g., banks, broker-dealers, and other advisers).

To share sufficient information with FinCEN, an adviser would need to check its investor accounts and transaction records against specific names provided by FinCEN. FinCEN requests are generally issued once every two weeks, and must be checked against accounts maintained during the past 12 months and transactions carried out over the past six months. Any matches must be reported back to FinCEN within two weeks of the request.

Therefore, advisers need to establish and streamline their internal processes to satisfy FinCEN requests. Furthermore, the matching process should be documented to show that all systems and databases were checked for each request.

Unlike information sharing with FinCEN, which is required under the proposal, information sharing with other financial institutions is optional. Information sharing amongst financial institutions is encouraged by FinCEN to facilitate advisers’ investigation of potentially suspicious transactions. Therefore, despite potential concerns around sharing of proprietary investor information, we recommend that advisers consider this option to make their AML due diligence processes more effective.

What’s next?

We expect the proposal (which is open for comments until November 2^nd) to be finalized with its core framework intact. Despite its many new requirements, the proposal is only part of a comprehensive AML regime for advisers, with more BSA-related requirements yet to be proposed by FinCEN.

The proposal itself contemplates some of these yet-to-be proposed measures. Most notably, we expect FinCEN (after discussions with the SEC) to propose restrictions on US correspondent or pay-through accounts for foreign financial institutions, and on shell banks. We also expect FinCEN to require more comprehensive information collection practices (and increased due diligence) with respect to investor accounts.

A more comprehensive list of these and other expected proposals is included in Appendix 5 of the complete publication.