FinCEN Issues Proposed Rule Requiring Customer Identification Programs For Investment Advisers

On May 13, 2024, the US Department of the Treasury's Financial Crimes Enforcement Network ("FinCEN") and the Securities and Exchange Commission ("SEC") jointly issued a notice of proposed rulemaking ("CIP Proposed Rule") that would apply customer identification program ("CIP") obligations to investment advisers registered with the SEC ("RIAs") and exempt reporting advisers ("ERAs") (collectively, "Covered Advisers").¹ The CIP Proposed Rule would require Covered Advisers, among other things, to implement a risk-based CIP that includes procedures for verifying the identity of each customer to the extent reasonable and practicable, and maintaining records of the information used to verify a customer's identity, including name, address and other identifying information. The CIP Proposed Rule would require Covered Advisers to establish CIPs comparable to those required for other financial institutions, such as banks and broker-dealers.

The public comment period for the CIP Proposed Rule will remain open until July 22, 2024.

Relationship to AML/CFT Program Proposed Rule

The CIP Proposed Rule is the latest action taken by FinCEN to apply AML/CFT regulations to Covered Advisers. It comes only a few months after FinCEN issued a notice of proposed rulemaking that, if finalized, would require Covered Advisers to develop and implement anti-money laundering and counter-terrorist financing ("AML/CFT") compliance programs and monitor for and report suspicious activity to FinCEN ("AML/CFT Program Proposed Rule").² The AML/CFT Program Proposed Rule, if finalized, would also require FinCEN to "prescribe rules that establish minimum standards for covered investment advisers regarding the identities of customers when they open an account"; those are the standards set forth in the CIP Proposed Rule.³

The obligations of the CIP Proposed Rule and the AML/CFT Program Proposed Rule apply to the same set of Covered Advisers, which includes both primary and sub-advisers, and are meant to work together in combatting money laundering and terrorist financing.

Separately from the CIP Proposed Rule, Covered Advisers may be required to comply with other AML/CFT requirements with regard to their clients. For example, Covered Advisers may need to look through an account in connection with the customer due diligence procedures described in the AML/CFT Program Proposed Rule, once such rule is ultimately proposed and is finalized.⁴

Requirements of the CIP Proposed Rule

Under the CIP Proposed Rule, each Covered Adviser would be required to establish, document and maintain a written risk-based CIP appropriate for the size and nature of its business that incorporates the below requirements:⁵

1. Implementing risk-based procedures for identifying and verifying the identity of each customer to the extent reasonable and practicable that enable the Covered Adviser to form a reasonable belief that it knows the true identity of each customer, including:

• Collecting certain minimum identifying information of customers prior to opening an account for customers;
• For a legal entity customer, this would include: name, address, date of formation and identification number, such as an EIN;
• For a natural person customer, this would include: name, residential address, date of birth and government issued identification number, such as a social security number;⁶
• Verifying the identity of each customer, using the aforementioned information, through documentary or non-documentary means, within a reasonable time before or after opening the customer's account;
• Addressing situations where the Covered Adviser will obtain information about natural persons with authority or control over a legal entity customer's account when a legal entity customer's identity cannot be verified using the methods described above; and
• Responding to situations where the Covered Adviser cannot "form a reasonable belief" that it knows a customer's true identity. These procedures should include a description of when the Covered Adviser should not open an account for such a customer, the terms under which the Covered Adviser could provide advisory services to such a customer while such customer's identity is verified, when the Covered Adviser should close such customer's account if the Covered Adviser cannot verify such customer's identity, and when the Covered Adviser should file a suspicious activity report related to the interaction with such customer.

2. Making and maintaining a record of information collected and the verification performed under the CIP, for at least five years in a bifurcated process (for the record of information collected, five years after the account is closed, and for the verification performed, five years after the record is made).
3. Determining whether a customer appears on any list of known or suspected terrorists or terrorist organizations issued by any federal government agency and designated as such by the Department of the Treasury in consultation with federal functional regulators and doing so within a reasonable period of time after the account is opened (or earlier if required by law or guidance). While no such lists have been designated as of yet by the Department of the Treasury, the preamble to the CIP Proposed Rule ("Preamble") notes that some investment advisers already screen their customers against the Office of Foreign Assets Control's Specially Designated Nationals and Blocked Persons List; and
4. Providing customers with adequate notice of the CIP requirements in a manner designed to ensure that a prospective customer is able to view the notice, or is otherwise given notice, before opening an account. To implement this requirement, financial institutions would typically include this notice provision on account opening documents or on their website.⁷

Upon the opening of each account, the verification requirements of the CIP Proposed Rule would apply. However, if a customer whose identity has been previously verified opens a new account, the Covered Adviser would generally not need to verify the customer's identity again, provided the investment adviser previously verified the customer's identity in accordance with procedures consistent with the CIP Proposed Rule and continues to have a reasonable belief that it knows the true identity of the customer based on the previous verification. Accordingly, in certain circumstances, Covered Advisers may not be required to verify the identity of a customer whose customer relationship predated the final rule when that existing customer opens a new account. FinCEN requests comment on whether Covered Advisers should be required to re-verify a customer's identity after a specified period of time, such as annually or every two or five years.

Under the CIP Proposed Rule, Covered Advisers that are dually registered — for example, as an RIA and broker-dealer — or affiliated with a bank or broker-dealer would not be required to establish a separate CIP for their advisory activities, provided that such entity is subject to an AML/CFT program and CIP requirement, which covers all of the entity's legal and regulatory obligations. However, the Proposed Rule provides that a Covered Adviser may deem the CIP requirements satisfied for any mutual fund that it advises that has developed and implemented a CIP compliant with CIP requirements applicable to mutual funds. Those specific requirements need not be satisfied for a mutual fund to be exempt from CIP under the CIP rules applicable to other financial institutions, such as broker-dealers.

Reliance on Other Financial Institutions

Under the CIP Proposed Rule, Covered Advisers may rely on another financial institution, including an affiliated financial institution, to perform any of the procedures of the Covered Adviser's CIP if:

1. The reliance is reasonable under the circumstances;
2. The financial institution being relied upon is subject to a rule implementing 31 U.S.C. 5318(h) and regulated by a federal functional regulator; and
3. The financial institution being relied upon enters into a contract with the Covered Adviser requiring the financial institution to certify annually to the Covered Adviser that it has implemented its AML/CFT program, and that it will perform (or its agent will perform) specified requirements of the Covered Adviser's CIP. The contract requirement can be satisfied by a reliance letter or other similar documentation.

If these three conditions are met, the Covered Adviser would not be held responsible for the failure of the other financial institution to fulfill the CIP requirements. If, on the other hand, the Covered Adviser cannot establish that its reliance was reasonable and that it obtained the requisite contracts and certifications, then the Covered Adviser would remain solely responsible for the failure to perform CIP.⁸ FinCEN requests comment on whether the requirement to enter into a contract is feasible and whether the requirement should be modified.

Covered Advisers that outsource AML procedures to administrators that are not Bank Secrecy Act-regulated financial institutions can continue to do so, but would not be permitted to use this reliance provision to avoid liability for the failures of an administrator to perform proper CIP.⁹

Definition of Customer and Account

Under the CIP Proposed Rule, Covered Advisers' CIP obligations would be triggered by a "customer" opening an "account."

Definition of Customer

The CIP Proposed Rule defines "customer" as a natural person or legal entity that opens a new account with a Covered Adviser. The customer is the person identified as the accountholder¹⁰, "except in the case of an individual who lacks legal capacity, such as a minor, and non-legal entities, in which case the customer would be the individual who opens the new account for a minor or non-legal entity."¹¹

Under the CIP Proposed Rule, the definition of a "customer" excludes (i) financial institutions regulated by a federal functional regulator and banks regulated by a state bank regulator; (ii) certain entities that are publicly listed on US securities exchanges; and (iii) persons that have an existing account with the Covered Adviser, provided the Covered Adviser has a reasonable belief that it knows the true identity of the person.¹²

FinCEN requests comment on the scope of the definition of customer and whether any other examples of customers should be added to the final rule.

Definition of Account

The CIP Proposed Rule defines an "account" as "any contractual or other business relationship between a person and an investment adviser under which the investment adviser provides investment advisory services."¹³ An "account" does not include any "account that the investment adviser acquires through any acquisition, merger, purchase of assets, or assumption of liabilities."¹⁴

FinCEN requests comment on several questions related to the definition of "account," including whether other examples of accounts should be included in the final rule, whether any types of accounts should be exempted from the CIP requirements and whether there are any circumstances in which Covered Advisers should be required to apply their CIP to transferred accounts.

Application to Investors in Private Funds

The definition of account requires a contractual or other business relationship to provide advisory services, which would likely cause CIP to be applicable to the private funds that Covered Advisers form as well as separately managed account relationships. However, it would not include investors in private funds that Covered Advisers form and the CIP Proposed Rule does not contemplate that a Covered Adviser would have to verify the identity of investors in its private funds.¹⁵ In fact, in the Preamble discussing the Paperwork Reduction Act, FinCEN explains that the term customer "does not include the investors in a private fund."¹⁶ Rather, a Covered Adviser's identity verification obligations would be applicable to its private funds.

FinCEN requests comment on whether the definitions of "customer" and "account" are appropriate and whether Covered Advisers should apply the CIP obligations to private fund investors. If Covered Advisers are required to apply the CIP obligations to private fund investors, it is not clear how Covered Advisers would do so for investors in private funds investing on behalf of other parties, for example through a nominee arrangement.¹⁷

Further, unlike the CIP rules applicable to broker-dealers, mutual funds and other financial institutions, the Proposed Rule does not exclude ERISA accounts from the definition of "account." The reason for that, as explained in the Preamble, is "to harmonize the applicability of this proposed rule with the [AML/CFT Program Proposed Rule], which would require RIAs and ERAs to apply AML/CFT program and SAR reporting requirements to all of their accounts, including accounts opened for the purpose of participating in an employee benefit plan established pursuant to ERISA."¹⁸ FinCEN requests comment on whether ERISA accounts should be excluded from the definition of account.

Effective Date

Under the CIP Proposed Rule, Covered Advisers must develop and implement the required CIP six months from the effective date of the final rule, but no earlier than the required compliance date of the AML/CFT Program Proposed Rule. The compliance date of the AML/CFT Proposed Rule is 12 months from the effective date of the final AML/CFT program rule.

Takeaways

If the CIP Proposed Rule and AML/CFT Program Proposed Rule are finalized as proposed, they may add significant compliance obligations for Covered Advisers. Covered Advisers that use administrators should also take into consideration that the CIP Proposed Rule may impact the way customer identification and verification can be delegated and outsourced. Covered Advisers should consider commenting on the definitions of "account" and "customer," the categories of entities that should be exempt from a Covered Adviser's CIP, and the feasibility of requiring other financial institutions to generally enter into contracts with Covered Advisers for proper reliance.

Footnotes

1. CIP Proposed Rule, Customer Identification Programs for Registered Investment Advisers and Exempt Reporting Advisers, 89 Fed. Reg. 44571 (May 21, 2024), available here.

2. AML/CFT Program Proposed Rule, Anti-Money Laundering/Countering the Financing of Terrorism Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers, 89 Fed. Reg. 12108 (Feb. 15, 2024), available here; for more information on the AML/CFT Program Proposed Rule, please see our prior Alert "FinCEN Once Again Proposes Anti-Money Laundering Program Requirements for Investment Advisers," available here.

3. CIP Proposed Rule, 89 Fed. Reg. at 44581.

4. Covered Advisers should also monitor future rulemakings as any additional beneficial ownership information due diligence obligations may require identify verification and due diligence on investors in private funds.

5. The CIP should be incorporated into a Covered Adviser's overall AML/CFT program. While the CIP Proposed Rule does not include a requirement to separately have the CIP approved, the AML/CFT Program Proposed Rule requires each Covered Adviser's AML/CFT program be approved in writing by its board of directors or trustees. AML/CFT Program Proposed Rule, 89 Fed. Reg. at 12125-26.

6. For non-US persons, one or more of the following is required: taxpayer identification number; passport number and country of issuance; alien identification card number; or number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard. For a non-US person that is not an individual and that does not have an identification number, the Covered Adviser must request alternative government-issued documentation certifying the existence of the person.

7. The CIP Proposed Rule includes sample language that Covered Advisers can use to provide notice to customers. CIP Proposed Rule, 31 C.F.R. § 1032.100(a)(5)(iii).

8. Pursuant to a Securities Industry and Financial Markets Association no-action letter, the SEC staff stated they would not recommend enforcement action if a broker-dealer relies on an RIA to perform some or all aspects of the broker-dealer's CIP obligations or customer due diligence requirements regarding beneficial owners of legal entity customers, provided that certain conditions are met, including that the RIA implements its own AML/CFT program. The no-action letter was originally issued in 2004 and has been periodically reissued since. The CIP Proposed Rule confirms that the no-action letter remains effective.

9. The CIP Proposed Rule does not include further discussion of third-party service providers or administrators. However, the AML/CFT Program Proposed Rule permits delegating the implementation and operation of aspects of a Covered Advisers AML/CFT program to an agent or service provider, but the Covered Adviser would remain responsible and legally liable for the program's compliance with regulations, as well as responding to requests from regulators like FinCEN and the SEC. AML/CFT Program Proposed Rule, 89 Fed. Reg. at 12125.

10. Customers would not include individuals with authority or control over accounts or persons who fill out the account opening paperwork or provide information necessary to set up an account unless any such person is the accountholder. However, the CIP Proposed Rule would require a Covered Adviser's CIP to address situations where, based on the Covered Adviser's risk assessment of a new account opened by a customer that is not an individual, the Covered Adviser will need to obtain information about individuals with authority or control over the account in order to verify the customer's identity.

11. CIP Proposed Rule, 89 Fed. Reg. at 44574.

12. The Preamble notes that these exemptions are "consistent with CIP requirements for other financial institutions." CIP Proposed Rule, 89 Fed. Reg. at 44574.

13. CIP Proposed Rule, 31 C.F.R. § 1032.100(a)(1).

14. CIP Proposed Rule, 31 C.F.R. § 1032.100(a)(2)(i).

15. See Goldstein v. SEC, 451 F.3d 873, 883 (D.C. Cir. 2006) (holding that an earlier SEC rule that would have required private fund managers to consider the investors of the private fund its clients, thereby requiring the manager to register with the SEC, was arbitrary and in conflict with the purpose of the underlying statute in which the new rule was included).

16. CIP Proposed Rule, 89 Fed. Reg. at 44591.

17. While the AML/CFT Program Proposed Rule identifies nominee arrangement as a potential area of concern, FinCEN does not discuss in the AML/CFT Program Proposed Rule or CIP Proposed Rule how to address the common industry practice for Covered Advisers to rely on the AML/CFT practices of other regulated financial institutions in connection with nominee arrangements.

18. CIP Proposed Rule, 89 Fed. Reg. at 44573. The CIP Proposed Rule does not specify who would be considered the "customer" of the Covered Adviser with regard to ERISA accounts. Although ERISA accounts are exempt from the definition of "account" in the bank CIP rule, the customer for an account established by an employer at a bank to maintain and administer assets under a non-ERISA employee retirement, benefit, or deferred compensation plan is the employer, or, as applicable, the trust established by the employer to maintain the assets. Interagency Interpretive Guidance on Customer Identification Program Requirements under Section 326 of the USA PATRIOT Act, FAQ 7 (April 28, 2005).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.