RIA Compliance Blog
Both the SEC and the U.S. Department of the Treasury’s Financial Crime Enforcement Network (“FinCEN”) recently announced actions to delay or remove pending regulations that would have increased compliance obligations for RIAs. FinCEN announced that it was postponing the effective date of final rules regarding investment advisers’ obligations under anti-money laundering (“AML”) regulations. The SEC announced that it was withdrawing the proposed cybersecurity risk management rule for RIAs, investment companies, and BDCs.
AML Rule
We have previously written about FinCEN’s proposed rule and the passage of the final version.
FinCEN’s recent announcement delays the effective date of the IA AML Rule from January 1, 2026, until January 1, 2028. At the same time, FinCEN detailed that it intends to revisit the IA AML Rule through future rulemaking during the postponement period. What future form the IA AML Rule will take, if any, is unknown and depends on the future priorities of the Treasury and SEC.
Without the postponement, under the new IA AML Rule, certain investment advisers would have had the same regulatory requirements historically reserved for banks, broker-dealers, money transmitters, and casinos. These requirements would have required investment advisers to adopt a risk-based anti-money laundering and countering the financing of terrorism (“AML/CFT”) program, file Suspicious Activity Reports (“SAR(s)”) with FinCEN, comply with the Recordkeeping and Travel Rules, and fulfill other obligations relevant to the Bank Secrecy Act (“BSA”) and FinCEN.
Proposed Cybersecurity Rule
When first announced, the SEC stated that the proposed cybersecurity rule reflected observations and deficiencies found during examinations of RIAs and investment funds. As the SEC stated in the proposing release, the financial services industry is increasingly faced with hackers and others who “use constantly evolving and sophisticated tactics, techniques, and procedures” that pose a “serious risk” to the financial system.
The proposed rule would have required investment advisers and funds to adopt cybersecurity policies and procedures that are reasonably tailored to the business operations and cybersecurity risk. While the SEC found that many RIAs and funds already had cybersecurity policies and procedures under Rule 206(4)-7, they also found that these policies were typically not substantial enough to reflect the firm’s operations or risk. The proposed rules would have required cybersecurity policies and procedures to address specific elements dictated by the Rule.
It is difficult to predict the future actions of the SEC or FinCEN with regards to the impacted rules and their underlying subject matter. FinCEN has announced that it intends to revisit the AML Rule, but how and when are still outstanding questions. The SEC’s withdrawal does not include information about any intention to revisit the proposed rule. Both rules would have had significant compliance impacts and associated costs, and without doubt, will face significant opposition from industry participants if re-proposed in the near future.
Parker MacIntyre provides legal and compliance services to investment advisers, broker-dealers, registered representatives, hedge funds, and issuers of securities, among others. Our Investment Adviser Group assists financial service providers with complex issues that arise in the course of their business, including complying with federal and state laws and rules. Please visit our Investment Adviser Practice Group page for more information.