SEC and FinCEN Propose Rule Requiring Certain Investment Advisers to Establish Customer Identification Programs

On May 13, 2024, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and the U.S. Securities and Exchange Commission (“SEC”) issued a joint notice of proposed rulemaking (“NPRM” or the “Proposed Rule”) that would require SEC-registered investment advisers and exempt reporting advisers (together, “Covered Investment Advisers”) to establish, document, and maintain written customer identification programs (“CIPs”).[1] The NPRM largely mirrors the CIP requirements already imposed on other financial institutions, such as brokers or dealers, and mutual funds. Comments are due by July 22, 2024. If finalized, Covered Investment Advisers would be required to comply with the rule six months from the effective date of the final rule.

The NPRM follows a separate proposed rule by FinCEN in February 2024 that would designate Covered Investment Advisers as “financial institutions” under the Bank Secrecy Act (“BSA”) and require such Covered Investment Advisers to establish anti-money laundering and countering the financing of terrorism (“AML/CFT”) programs and impose suspicious activity report (“SAR”) filing obligations, among other requirements.[2]

Key Elements of the NPRM

The NPRM would require Covered Investment Advisers to implement a written CIP that is appropriate for their size and business, and that includes risk-based procedures to verify the identity of each customer to the extent reasonable and practicable in order for Covered Investment Advisers to form a reasonable belief that they know the true identity of their customers. Covered Investment Advisers would be required to verify the identity of each customer within a reasonable time before or after the customer’s account is opened. The NPRM would also require Covered Investment Advisers to maintain records of the information used to verify a customer’s identity.[3]

Scope

Under the Proposed Rule, a “customer” is defined as “a person—including a natural person or a legal entity—who opens a new account with an investment adviser.”[4] The Proposed Rule “uses the term ‘customers’ for those natural and legal persons who enter into an advisory relationship with an investment adviser.”[5]

Under the Proposed Rule, an “account” is defined as “any contractual or other business relationship between a person and an investment adviser under which the investment adviser provides investment advisory services.”[6]

“Customer” and “account” are defined broadly in the proposed rule and would result in application of the CIP to a wide scope of Covered Investment Advisers’ activities.

It is noteworthy that the Proposed Rule appears to interpret “customer” as covering a private fund, but to “not include the investors in a private fund.”[7] The SEC and FinCEN appear to be further considering this issue, requesting comment on “How would an investment adviser apply the identification and verification requirements . . .  to a private fund customer?”[8]

The proposed rule exempts an investment advisor from having to apply the CIP rule to a mutual fund it advises “if the mutual fund has developed and implemented a CIP that is compliant with CIP requirements applicable to mutual funds” under the relevant regulation.[9]

Regarding customers with an existing account, the rule would only exempt them if “the investment adviser has a reasonable belief that it knows the true identity of the person.”[10]

Requirements

If enacted, a Covered Investment Adviser would be required to develop a written CIP as a component of its AML/CFT program and meet certain minimum requirements, including the following elements outlined below:

Identification Verification Procedures: The CIP would require risk-based procedures for verifying the identity of customers, to the extent reasonable and practicable, and that such verification occur within a reasonable time before or after the customer’s account is opened. Such procedures must enable the Covered Investment Adviser to form a reasonable belief that it knows the identity of each customer.[11]

The NPRM notes that if the identity of a customer has previously been verified, the Covered Investment Adviser would generally not be required to re-verify the customer’s identity again upon the opening of a new account, provided that the Covered Investment Adviser (1) previously verified the customer’s identity, to the extent required, in accordance with procedures consistent with the NPRM, and (2) continues to have a reasonable belief that it knows the true identity of the customer based on the previous verification.[12]

The CIP would require procedures that reflect an assessment of the relevant risks, including those presented by the “various types of accounts maintained” by the Covered Investment Adviser; the “various types of identifying information available”; the Covered Investment Adviser’s “size, location, and customer base”; the “types of money laundering and terrorist financing activities present in the respective jurisdiction” of the customer; and “the  reliance on third-party firms (including other investment advisers, broker-dealers, or funds) for identity verification procedures.”[13]

Obtaining Customer Information: The CIP would require Covered Investment Advisers to obtain, at a minimum, with respect to each customer: the customer’s (1) name; (2) date of birth for an individual or the date of formation for any person other than an individual; (3) address; and (4) identification number. The CIP would be required to establish guidelines for circumstances where, “based upon a risk-based assessment of a customer that is not an individual,” the Covered Investment Adviser should seek additional information regarding the individuals that do have “authority or control” over the customer account in order to form a reasonable belief that the Covered Investment Adviser knows the true identity of the customer.[14] The NPRM notes that “investment advisers should consider on an ongoing basis whether other identifying information or verification methods are appropriate, particularly as they become available in the future.”[15]

Customer Verification: Once identifying information has been obtained concerning a customer, the CIP would require Covered Investment Advisers to follow risk-based procedures to verify the accuracy of that information to reach a point where it can form a reasonable belief that it knows the true identity of the customer. The CIP would be required to address two methods of verifying identifying information, verification through documents and verification through non-documentary means, and would need to set forth when documents (and the types of documents), non-documentary methods (and the types of such methods), or a combination of both will be used to verify a customer’s identity.[16]

The NPRM notes the risk that a Covered Investment Adviser “will not have a reasonable belief that it knows a customer’s true identity will be heightened for certain types of accounts, such as accounts opened in the name of a corporation, partnership, or trust that is created, or conducts substantial business, in jurisdictions designated as primary money laundering concerns or designated as noncooperative by an international body, or jurisdictions that are otherwise considered high-risk for money laundering or terrorist financing with respect to their compliance with relevant international standards.”[17]

Lack of Verification: Where the Covered Investment Adviser is unable to form a reasonable belief that it knows the true identity of a customer, the CIP would require procedures to describe (1) when the Covered Investment Adviser should not open a customer account; (2) the terms under which the Covered Investment Adviser may provide advisory services to the customer while attempting to verify the customer’s identity; (3) when the Covered Investment Adviser should close an account after attempts to verify a customer’s identity fail; and (4) when a SAR should be filed in accordance with applicable law and regulation.[18]

Recordkeeping: The CIP would require procedures for making and maintaining records related to verifying customer identity, including the identification information about each customer and a description of any document relied on to verify the identity of the customer. Such records would need to be maintained while the account remains open and for five years after the date the account is closed, which is consistent with the Investment Advisers Act general five-year retention requirement.

Comparison with Government Lists: The CIP would also be required to include reasonable procedures for determining whether a customer appears on any list of known or suspected terrorists or terrorist organizations provided by any Federal Government agency that is designated as such by Treasury.[19]

Customer Notice: Covered Investments Advisers would also be required to give their customers adequate notice of their identity verification procedures. Therefore, the CIP would need to include procedures for providing customers with adequate notice that the firm is requesting information to verify their identities. Depending on how an account is opened, a Covered Investment Adviser could post a notice on its website, include the notice in its account applications, or use any other form of written or oral notice.[20]

Reliance on Another Financial Institution

The NPRM provides that in certain circumstances, the Covered Investment Adviser could rely on another financial institution for some or all of the elements of the CIP, including verification of a customer’s identity. The NPRM would permit such reliance if a customer is opening an account or has opened or has established an account or similar business relationship with the other financial institution, provided that: (1) such reliance is reasonable under the circumstances; (2) the other financial institution is subject to a rule implementing the AML/CFT compliance program requirements of the BSA and is regulated by a Federal functional regulator; and (3) the other financial institution enters into a contract with the Covered Investment Adviser requiring it to certify annually that it has implemented an AML/CFT program and will perform (or its agent will perform) the specified requirements of the Covered Investment Adviser’s CIP.[21] The Covered Investment Adviser would nonetheless remain responsible for compliance with this element of the NPRM.

Request for Comments

The NPRM solicits comments from market participants regarding, among other topics:

• whether the proposed definition of “account” is appropriate and unambiguous, whether other examples of accounts should be added and whether accounts acquired through acquisition, merger, purchase of assets, or assumptions of liabilities should be excluded;
• whether the proposed definition of “customer” is adequate or should other examples be added;
• how the identification and verification requirements would be applied to a private fund customer and what types of information would the investment adviser use to ask identification questions;
• to what extent do Covered Investment Advisers already have procedures in place that cover customer identification and verification and how do such procedures resemble or differ from the proposed rule;
• whether there are other categories of entities that, like mutual funds, should be exempted from an investment adviser’s CIP program;
• how much time an investment adviser would reasonably need to verify customer identity (e.g., 30 days); and
• if an investment adviser cannot form a reasonable belief as to the true identity of a customer, should the investment adviser be able to engage in advisory activities prior to verifying a customer’s identity.

The public comment period will remain open until July 22, 2024.

Takeaways

The NPRM is one in a series of recently proposed rules by FinCEN that seeks to impose AML requirements on additional sectors, including, for example, FinCEN’s recently proposed rules imposing AML program requirements on investment advisers and on non-financed residential real estate transactions.[22] The NPRM reflects a broader effort by federal regulators to close perceived gaps whereby illicit actors may be more easily accessing the U.S. financial system.

As we noted in our February client alert on the FinCEN-proposed AML program rule for Covered Investment Advisors, in preparing for a final rule, Covered Investment Advisers may wish to consider taking steps, including:

• Reviewing their business and customer/client base to identify any unique and high-risk vulnerabilities from an anti-money laundering or terrorist financing perspective.
• Evaluating existing AML programs that are in place to identify any gaps with respect to the recently proposed regulatory requirements, including whether there are existing procedures in place that cover customer identification and verification, whether certain service providers (such as administrators or broker-dealers) are currently fulfilling certain aspects of these proposed rules, and whether policies, procedures, and infrastructure may need to be developed or revised to fill those gaps.

                                                                                                                        *       *       *

[1]       SEC, FinCEN, “Press Release: SEC, FinCEN Propose Customer Identification Program Requirements for Registered Investment  Advisers and Exempt Reporting Advisers” (May 13, 2024), available here; Fact Sheet, available here.

[2]       Paul, Weiss “FinCEN Proposes Rule Imposing Anti-Money Laundering Requirements on Certain Investment Advisers” (February 21, 2024), available here.  The USA Patriot Act of 2001 requires the Secretary of the Treasury to ‘‘prescribe regulations setting forth the minimum standards for financial institutions and their customers regarding the identity of the customer that shall apply in connection with the opening of an account at a financial institution.” 31 U.S.C. 5318(l)(1). For certain financial institutions, the “regulations prescribed by the Secretary under paragraph (1) shall be prescribed jointly with each Federal functional regulator[.]” 31 U.S.C. 5318(l)(4).  Here, the “appropriate Federal functional regulator for investment advisers is the SEC. Thus, FinCEN and the SEC are issuing this proposed rule jointly.” Proposed Rule at 44573.

[3]       SEC, FinCEN, Notice of Proposed Rulemaking: ”Customer Identification Programs for Registered Investment Advisers and Exempt Reporting Advisers” (May 13, 2024), available here.

[4]       Proposed Rule at 44573.

[5]       Proposed Rule at 44573. The NPRM notes that this is consistent with definitions of “clients” under the Investment Advisers Act of 1940, as amended. Id. at 44573, n.13.

[6]       Proposed Rule at 44573 (emphasis added). However, this definition excludes “an account that an investment adviser acquires through an acquisition, merger, purchase of assets, or assumption of liabilities.”

[7]       Proposed Rule at 44951, n.10.

[8]       Proposed Rule at 44580.

[9]       Proposed Rule at 44574.

[10]     Id.

[11]     Proposed Rule at 44575.

[12]     Id.

[13]     Id.

[14]     Id.

[15]     Id.

[16]     Proposed Rule at 44576.

[17]     Id.

[18]     Id. at 44577.

[19]     Id. at 44578.

[20]     Id.

[21]     Id. at 44578-9.

[22]     See Paul, Weiss “FinCEN Publishes Proposed Rule on Non-Financed Residential Real Estate Transactions” (February 12, 2024), available here.