Developing an AML Program? What Investment Advisers Need to Know

The Financial Crimes Enforcement Network (FinCEN) has issued a final rule requiring investment advisers to establish an anti-money laundering (AML) program. While the current Presidential Administration may delay the rule’s effective date (currently set to go into effect Jan 1, 2026), there is no guarantee this will happen. Therefore, organizations should begin or continue developing a compliance program to address the rule. Below are five key areas advisers should consider when building an AML program.

1. Building a Risk-Based AML Program: The Foundation for Success

An AML program must be risk-based, with its scope and complexity aligned to the level of money laundering risk the organization faces. A risk assessment is therefore a critical component of the process. When developing and applying a risk assessment, organizations should consider key factors such as the following:

Coverage Areas

When establishing a risk assessment, organizations should focus on three primary areas: the products and services they offer, the types of clients they serve, and the geographic regions in which they and their clients operate. To effectively identify AML risks, organizations should leverage a combination of quantitative and qualitative information across these areas.

Methodology

When developing a risk assessment, an organization should establish a formal methodology. This should include clear definitions of risk levels (typically High, Moderate, and Low) and the specific criteria used to assign those ratings. An outside party reviewing the risk assessment, such as an auditor or an examiner, should be able to understand and reproduce the logic that was used in determining a rating.

If certain areas are weighted more heavily than others, the rationale behind these weightings should be clearly documented. In addition to assessing inherent risk, the organization should also evaluate the effectiveness of existing internal controls and determine the resulting residual risk.

Risk Assessment Utilization

A well-executed risk assessment should help the organization identify its highest areas of risk. The result of the risk assessment should directly inform the development of the formal AML policy and related written procedures.

Training materials should be designed to educate staff on the specific risks the organization faces and clarify their responsibilities within the AML program. The allocation of resources, design of internal controls, and selection of supporting systems should also be aligned with the results of the risk assessment.

2. Designating the Right AML Officer

The AML rule under 1032.210(b) contains five core components of the program, typically referred to as “pillars.” The third such pillar states that the AML program must designate a person or person(s) responsible for implementing and monitoring the operations and internal controls of the program. This individual is typically known as an AML officer. In designating an AML officer, the organization will want to consider the following:

Level of authority

The AML officer should have sufficient authority within the organization to make policy decisions related to the AML program and implement changes as necessary. While the individual’s formal title (e.g., Chief Compliance Officer, Vice President) is not prescribed, they must hold a position that carries an appropriate level of authority.

Knowledge & Experience

The AML officer should have sufficient knowledge of anti-money laundering practices to effectively develop and maintain the program. While an industry certification such as Certified Anti-Money Laundering Specialist (CAMS) is a strong advantage, it is not required. If the officer lacks relevant experience or expertise, they should pursue additional training to build the necessary knowledge before the rule takes effect.

Staffing

The organization should assess the level of resources required to support the AML program. Depending on the scope of effort, the AML officer may either serve in a dual capacity – handling additional responsibilities within the organization – or be assigned to the role on a full-time basis. For organizations with higher volume or risk exposure, additional staff may be necessary to support AML activities. These responsibilities can be fulfilled by individuals from existing compliance or operational teams, or by personnel solely dedicated to AML functions.

3. Gaining Expertise & Efficiency With Outsourcing

Outsourcing parts of an organization’s AML program can offer valuable benefits, such as access to external expertise and resources the organization may lack internally. This can be especially helpful for daily operations, independent program testing, and other key functions. However, before proceeding, organizations should carefully evaluate several important considerations.

For instance, while organizations can rely on third parties for day-to-day activities, the ultimate responsibility for compliance lies with the organization. Therefore, organizations should conduct thorough due diligence on any third parties involved in their AML program. The extent of oversight should align with the scope and criticality of the activities being outsourced.

The organization should also determine whether the third-party has obligations to comply with AML rules, and if so, whether it has its own AML program. This should be identified in either contractual documents or other written documentation.

Additionally, the organization should conduct research or ask relevant questions to determine whether the third-party has appropriate experience and qualifications in AML. While it is not always required for third parties to have their own AML program (such as with a third-party auditor assessing the organization’s AML compliance), the organization should still evaluate the qualifications of the third-party. For example, it’s important to ensure that individuals performing audit work have relevant AML expertise and/or hold industry certifications related to AML.

When relying on a third-party for daily activities, such as suspicious activity monitoring, the organization should consider establishing a monitoring program to determine whether activities are being performed as expected and comply with the organization’s policy.

4. Tapping Into External Resources for AML Program Development

Organizations should take advantage of external resources to ease the process when developing an AML program. AML programs have been a requirement in other industries for many years. While the specific application of the rules may differ based on industry and an organization’s operations, much of the Investment Adviser AML rule mirrors those already in place in other sectors. As a result, compliance professionals with experience in these industries can offer valuable insights and guidance on how their program operates.

Additionally, organizations should consider joining associations that provide networking opportunities and access to valuable training resources. The Association of Certified Anti-Money Laundering Specialists (ACAMS) is a leading organization for AML matters. In addition to offering useful resources, ACAMS provides the Certified Anti-Money Laundering Specialist certification, which can demonstrate an individual’s expertise and experience. Other associations, such as the Investment Adviser Association (IAA), may also offer valuable opportunities for engagement and support.

5. Integrating Related Compliance Programs: A Holistic Approach to AML

The AML rule issued by FinCEN is just one of several new or existing regulations addressing money laundering and financial crimes. As organizations develop their AML programs, they should consider integrating not only the requirements of the rule but also other relevant areas, in its written policies and procedures, training, independent testing, and daily personnel responsibilities.

The Securities and Exchange Commission (SEC) and FinCEN have also proposed a joint rulemaking for a Customer Identification Program (CIP). Although this is technically a separate rule, organizations in other industries often integrate CIP into their broader AML programs due to its close connection with proper customer identification, due diligence, and suspicious activity reporting. Organizations should closely monitor the status of any proposed CIP rulemaking and be prepared to incorporate it into their AML programs once it is finalized.

Another rule closely associated with AML is the Office of Foreign Assets Control (OFAC) regulations, which impose sanctions-related requirements on companies. As part of an OFAC program, organizations should screen new clients and other business partners to ensure they are not listed on any sanctions lists.

Being included on a sanctions list can raise additional concerns about the individual or entity, and the organization should assess the exposure it may have, including any potential impact on its AML obligations. Similar to CIP, OFAC programs are often combined with AML-related policies, training, officer designations, and other components within many organizations.

Need a Trusted Partner for Your AML Compliance Program?

Wolf has decades of experience providing services to financial companies in various industries that are subject to AML rules. This includes performing audits, providing training, developing risk assessments and other matters.

If you have any questions or would like to discuss AML with us further, contact our Regulatory Compliance team today.