New FInCEN AML Rule: Here's What RIAs Need to Know

With FinCEN's new AML rule taking effect January 1, 2026, investment advisers are entering uncharted territory where compliance isn't just about investment practices – it's about every piece of content you put out there. The SEC-registered investment adviser industry now manages $144.6 trillion in assets across 15,870 advisers serving 68.4 million clients. With that scale comes scrutiny, and with $5 billion in AML-related fines issued in 2023 alone (a 69% jump from the prior year), the stakes couldn't be higher.

You probably knew this day was coming. Well, it's here now, and the implications go far beyond your back-office operations. Every marketing asset, every client communication, every piece of content your firm produces needs to align with these new requirements. The question isn't whether you'll need to comply, but rather will you be ready when the examiners come knocking. And this guide is to make sure you will. 

FinCEN's Final Rule

FinCEN dropped the final rule on August 28, 2024, and it changes everything for RIAs. Starting January 1, 2026, nearly all SEC-registered investment advisers – and even exempt reporting advisers – will be treated as "financial institutions" under the Bank Secrecy Act. This means you'll need to implement risk-based AML programs, file Suspicious Activity Reports, maintain fund transfer records, and comply with other BSA obligations.

And FinCEN has delegated examination and enforcement to the SEC. Starting in 2026, SEC examiners will be checking RIAs for AML compliance just like they do for broker-dealers. And if you think they'll ease into this gradually, think again.

Why the sudden urgency? Regulators identified a pretty glaring gap in the system. Criminals were exploiting the fact that investment advisers had no mandatory AML duty. A Treasury risk assessment documented numerous cases of sanctioned persons, corrupt officials, and fraudsters using investment advisers to access the U.S. financial system. Bad actors from Russia and China were funneling money through private funds to acquire sensitive U.S. technologies.

The absence of uniform requirements also let illicit investors shop around for advisors with no AML controls. Now FinCEN is closing this vulnerability and leveling the playing field across financial services. The rule also addresses a significant gap flagged by the Financial Action Task Force in its evaluation of the U.S.

The rule covers all SEC-registered investment advisers and those filing as exempt reporting advisers, which captures the vast majority of advisory assets. FinCEN did make some adjustments to reduce burden – state-registered advisers, family offices, and foreign private advisers are not covered. But if you manage client funds and fall under SEC oversight, this rule probably applies to you.

The compliance deadline is January 1, 2026, with no indication of a delay. Industry groups have been pushing for more time, but given the bipartisan focus on cracking down on money laundering, waiting for a reprieve seems like a dangerous bet.

Key Changes in Reporting Requirements

Beneficial Ownership Information

One of the biggest changes involves transparency around beneficial owners – the actual humans behind client accounts and entities. Anonymous shell companies have long been a problem for financial crime enforcement. The OECD has stated that almost every major economic crime involves misuse of corporate entities, and a World Bank study found that over 70% of grand corruption cases from 1980-2010 relied on anonymous shell companies.

The investment advisory world isn't immune to this risk. As of late 2022, SEC-registered advisers reported $284 billion in private fund equity owned by foreign investors whose ultimate owners were unknown – the ownership was so layered through intermediaries that the adviser could not reasonably obtain the beneficial owner info.

To combat shell company abuse, the U.S. enacted the Corporate Transparency Act, creating a federal beneficial ownership database. The BOI reporting rule took effect in January 2024, and FinCEN initially estimated about 32 million existing U.S. businesses would need to report their beneficial owners.

Due to legal and legislative challenges, the rollout has been significantly narrowed. In March 2025, FinCEN announced an interim rule exempting all U.S.-formed companies from BOI reporting and refocusing the requirement only on foreign companies registering to do business in the U.S.. This controversial reversal means domestic LLCs and corporations no longer have to file owner information with FinCEN, while foreign-owned entities still must report.

The beneficial ownership reporting deadlines have shifted accordingly. Foreign companies that were already registered in the U.S. before March 26, 2025 must file their BOI reports by April 25, 2025. Foreign companies that register going forward will have 30 days from registration to file.

FinCEN's rule change dramatically reduced the volume of expected filings – from an estimated 32.6 million companies down to roughly 20,000 companies now covered.

While this development has limited the scope of the new BOI database, the big-picture trend toward transparency remains. RIAs should anticipate that even if they themselves don't file BOI reports, they will need to use BOI data in their due diligence. FinCEN has a parallel proposal to update the customer due diligence rule so that financial institutions can access the BOI registry for verifying customers' owners. The bottom line: knowing your client's true owners is now an expectation, and failing to do so can be a serious compliance and reputational risk.

Customer Due Diligence (CDD)

Customer due diligence is being reinforced as a key pillar of AML compliance. CDD means identifying your clients, verifying their identity, checking their risk profile, and monitoring their transactions. Banks have been subject to formal CDD rules for years, but investment advisers historically were not. Now, as RIAs prepare for BSA obligations, risk-based CDD will be mandatory.

Even though the final rule did not initially mandate a specific Customer Identification Program rule, FinCEN has signaled that future joint rulemakings with the SEC will address CIP and beneficial owner collection requirements for RIAs. Advisers should proactively adopt the same CDD standards that banks follow.

Why is CDD so important? Recent enforcement actions show that failures in basic due diligence can lead to serious penalties. In a January 2025 case, the SEC charged Navy Capital for claiming to follow "voluntary" AML procedures but then failing to actually vet its investors. The firm took in money from high-risk, opaque foreign entities without conducting promised background checks. One investor was later found to have suspected money laundering ties, and a foreign court froze one of the fund's assets due to those tainted funds. Navy Capital paid a $150,000 penalty for these compliance failures.

Another example is the SEC's action against LPL Financial in January 2025, which resulted in an $18 million fine. LPL had systemic breakdowns in its customer identification and monitoring. The firm failed to timely verify new customers' identities and left thousands of high-risk accounts open in violation of its own AML policies.

From a law enforcement perspective, the impact of strong CDD and reporting is measurable. Financial institutions filed a record 4.6 million SARs in FY 2023, and that data has become a goldmine for investigators. The IRS reports that 85.7% of cases it referred for prosecution had a related BSA filing supporting the investigation. Even more telling, 13.9% of all new IRS-CI investigations in FY 2023 were directly triggered by BSA reports.

Implications for Registered Investment Advisers

Exempt Reporting Advisers

One notable aspect of FinCEN's rule is that it doesn't only cover large SEC-registered advisers. It also covers "Exempt Reporting Advisers" – firms that are exempt from full SEC registration but must file limited reports (typically private fund advisers with under $150 million AUM or those solely advising venture capital funds).

This brings many smaller and previously lightly regulated advisory firms into the AML fold. According to Treasury data, as of 2023 there were approximately 5,846 ERAs in the U.S. in addition to around 15,400 SEC-registered advisers. In the past, ERAs didn't have to implement full compliance programs due to their exempt status. Now, if you're an ERA, you are a "financial institution" under the BSA and must comply just like a large RIA.

The rule was created to avoid duplication where possible. For example, an adviser that is part of a bank can largely defer to the bank's enterprise AML program, and an adviser to mutual funds can exclude those funds from its own program since mutual funds separately have BSA obligations.

FinCEN explicitly excluded certain categories of advisers from the definition. The rule does not apply to state-registered investment advisers, "foreign private advisers" (advisers with under 15 U.S. clients and under $25 million U.S. AUM), or family offices that are wholly private for a family's own investments. Also, if an adviser's only reason for SEC registration was being a "mid-sized" or multi-state firm, or a pension consultant, and it otherwise has no reportable AUM, it is carved out.

For the vast majority of SEC advisers and ERAs, no exemption applies – they will need to comply fully by the 2026 deadline. Industry estimates suggest that around 20,000+ advisory firms will be subject to the new rule.

Policies and Procedures

RIAs should be proactive in developing written policies and procedures to meet the new AML obligations. FinCEN's rule is performance-based – it doesn't dictate a one-size program, but it does prescribe minimum standards. Every covered adviser must implement an AML program that is "reasonably designed" to prevent the firm from being used for money laundering or terrorist financing.

There are common core elements that regulators will expect. These include internal policies covering customer onboarding and due diligence, appointment of an AML compliance officer, ongoing training for appropriate personnel, and independent testing or audit of the AML program.

The final rule did not immediately impose a Customer Identification Program rule or a requirement to collect beneficial ownership info from clients. FinCEN opted to address those requirements in a separate, future rulemaking (probably in coordination with the SEC).

But RIAs shouldn't wait. Regulators will expect you to adopt best practices now. The SEC has already indicated in risk alerts and enforcement actions that it views customer identification and verification as fundamental. In the LPL case, the firm's failure to promptly verify customer identity was cited as a major violation.

RIAs should also align their external disclosures and contractual agreements with their new obligations. Marketing or investor documents that mention AML safeguards must accurately reflect what the firm is doing – the Navy Capital case showed the danger of misrepresenting your compliance level. Advisers may need to update fund subscription agreements, client onboarding forms, and third-party vendor contracts to ensure they cover the collection of required information.

Starting in 2026, we can expect the SEC's Division of Examinations to make AML a priority in RIA exams. Now is the time to get those policies in place, train staff, and fix any gaps (you can use a compliance checklist to stay organized) before the regulators show up.

Due Diligence Requirements

The new rule effectively makes "Know Your Customer" and due diligence mandatory for RIAs. After January 2026, failure to conduct proper due diligence won't just be a risk – it will be a violation of law. The costs of getting this wrong can be severe. U.S. law allows regulators to impose civil penalties up to $25,000 per day for willfully failing to implement an adequate AML program. Each specific reporting failure can carry a fine of up to $100,000 per violation.

These fines can accumulate quickly. FinCEN noted that a compliance officer in one case faced a theoretical $4.75 million penalty for AML program failures calculated over 190 days.

In the RIA context, the SEC has already begun enforcement. Since July 2024, the SEC has announced or settled at least nine AML-related enforcement actions, resulting in over $100 million in penalties across broker-dealers and investment advisers. These actions have hit firms large and small, and have cited various failures – from not filing SARs at all, to filing bare-bones SARs that lacked useful detail, to inadequate customer due diligence, and even misleading investors about having an AML program.

The clear takeaway is that regulators will not hesitate to punish AML lapses in the advisory space, even before the rule's official effective date. Once the rule is in effect, we can expect even less leniency. FinCEN's Director has emphasized that penalties are reserved for "significant and systemic" violations, not minor technical slip-ups. A firm that ignores the AML rule or only pays it lip service is exactly the kind of significant violator those statutes had in mind.

Beyond regulatory fines, failing in due diligence can cause direct business harm. We already analyzed the Navy Capital example above where a fund's assets were frozen due to an investor that the adviser hadn't vetted. These cautionary tales show that due diligence is a real line of defense, not a checkbox. If a firm unknowingly takes in illicit money and something blows up, the firm faces not just fines but loss of client trust, lawsuits from investors, and irreversible reputational damage.

Filing BOI Reports

Many RIAs have affiliated entities or clients that are entities – all of which have been impacted by the rollout of Beneficial Ownership Information reporting under the Corporate Transparency Act. As discussed, FinCEN dramatically narrowed the BOI reporting requirements in March 2025. Here's the current state:

Who must file: As of the interim rule, only "foreign reporting companies" – entities formed under foreign law that register to do business in a U.S. state – are required to report BOI to FinCEN. U.S.-formed entities are exempt from the federal BOI filing requirement now.

Deadlines: For foreign companies that were already registered in the U.S. prior to the rule change, BOI reports had to be filed by April 25, 2025. Foreign companies that register on or after March 26, 2025 were obliged to file within 30 days of their registration.

For RIAs, the key point is to stay aware of BOI obligations for any entities you manage. If you sponsor an offshore fund that registers in the U.S., you might need to ensure it files a BOI report. Also, when onboarding entity clients, an adviser will eventually be able to access FinCEN's BOI database (with client consent) to verify the owner information the client provides. FinCEN is developing protocols for financial institutions to query the BOI data for due diligence purposes.

This will be part of the "integrated CDD rule" that FinCEN has in the works, aiming to connect what financial firms do for KYC with the new BOI repository. While the BOI filing requirements may not directly hit most domestic RIAs, the information produced will flow into the AML infrastructure that RIAs now must be aware of.

Impact on Financial Institutions and Law Enforcement

The extension of AML rules to investment advisers is a significant expansion of the regulated perimeter – and it comes at a time of intensified focus on AML enforcement effectiveness. Financial institutions in the U.S. have ramped up their reporting of suspicious activity to historic highs, and law enforcement agencies are using that data more than ever to crack down on financial crime.

Here are some statistics on the AML enforcement:

Record Filing Volumes: Banks, brokers, and other institutions filed 4.6 million SARs in fiscal year 2023, the most ever in a year. (By comparison, a decade ago SAR filings were around half that number annually.) FinCEN's data also shows 20.8 million Currency Transaction Reports filed in FY 2023 for cash transactions over $10,000. As RIAs come online in 2026, they will add to these totals, especially via SAR filings for suspicious investor or transaction activity.

Law Enforcement Effectiveness: The flood of BSA reports is yielding investigative leads. In recent years, 85%+ of IRS-CI's prosecuted cases involved BSA data, and roughly 15% of FBI active cases are directly connected to SAR/CTR reporting. By bringing RIAs under AML rules, regulators aim to capture intelligence that may currently be missed – for example, suspicious wire transfers or private fund subscriptions that an adviser might observe.

Surge in Penalties: Regulators are aggressively enforcing AML laws. In 2024, U.S. regulators issued nearly 50 enforcement actions in the AML arena, accounting for 95% of all global AML penalties by value that year (approximately $4.6 billion). We've already seen an $18 million fine in the advisory space, and smaller firms are getting penalized as well. Enforcement agencies often make an example of new sectors when rules are extended – RIAs should expect a similar pattern starting in 2026.

From the industry side, financial institutions (including newly covered RIAs) will face higher compliance costs and challenges, especially initially. Smaller firms may need to hire or designate compliance personnel and invest in software for monitoring transactions and checking client names against sanctions lists. There could be growing pains as RIAs get up to speed – FinCEN and the SEC have indicated they will issue guidance and work with the industry to clarify expectations during the implementation period.

In the long run, most firms recognize that having a solid AML program is far preferable to dealing with an enforcement action or being the unwitting conduit for laundered funds. By bringing RIAs into the AML regime, illicit actors will find it harder to hide and launder money, improving overall detection of crimes like fraud, corruption, and tax evasion that harm investors and markets.

Final Thoughts

Come 2026, "I didn't know we had to do that" might not be a viable excuse, compliance will be examined and enforced from day one. The SEC's recent flurry of cases "reveals a deliberate and sustained approach to policing the AML space" leading up to the rule's effective date. Even changes in SEC leadership are unlikely to slow this down – the incoming SEC Chair nominee has a strong AML background, suggesting continuity in focusing on illicit finance issues.

For RIA compliance, the writing is on the wall. The investment advisory sector manages tens of trillions in assets, and regulatory agencies are not going to leave it unguarded against abuse. The costs of AML compliance – while not trivial – are far outweighed by the risks of non-compliance. A single enforcement penalty can be in the millions, and that's before considering reputational fallout or client losses.

While we can't promise that compliance will be easy or eliminate all regulatory risk, we can help you build a system that works. At Luthor, we understand that every piece of marketing content you create needs to align with these new AML requirements. Our AI-driven platform continuously scans your marketing materials across websites, emails, and social media to catch potential compliance issues before they become problems.

We help marketing and compliance teams work together more effectively, automating the repetitive review tasks so your professionals can focus on higher-value work. If you're ready to tackle AML compliance at scale while keeping your marketing efforts compliant and effective, we'd love to show you how our platform works. Request demo access and see how we can help you stay ahead of the curve.