
Regulatory Preparedness 2025: Amended Reg S-P and AML/CFT

As we approach the mid-point of 2025, two compliance deadlines stand out: the amendments to Regulation S-P (“Reg S-P”) and FinCEN’s Anti-Money Laundering/Countering the Financing of Terrorism Rule (the “AML/CFT Rule”).

Reg S-P

The amendments to Reg S-P treat Registered Investment Advisers (“RIAs”) as “covered institutions” under the rule. As covered institutions, RIAs must have the following in place by December 3, 2025 (larger entities, i.e., RIAs with $1.5 billion or more in assets under management) or June 3, 2026 (smaller entities, i.e., RIAs managing less than $1.5 billion):

  • Vendor Management Program:
    • Expanded policies and procedures for vendor due diligence and ongoing monitoring that go beyond current due diligence expectations.
    • A new 72-hour notice requirement – RIAs must require service providers to notify them as soon as possible, but no later than 72 hours after the service provider becomes aware of a breach resulting in unauthorized access to a customer information system maintained by the service provider.
    • RIAs may need new agreements with, or assurances from, service providers that notification will be given within the 72-hour time frame.
    • Receipt of such a notification triggers the RIA’s own incident response program, which must be designed to act on it.

Existing vendor due diligence policies and procedures will not reflect the new 72-hour notification requirement or the updated definition of a service provider, and older service provider agreements will lack the notification requirement too. Expect addenda to, or revisions of, existing agreements ahead of the compliance deadline.

  • Incident Response Program:
    • RIAs must maintain a written incident response program.
    • The program must be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including by assessing the nature and scope of the incident and containing it to prevent further unauthorized access or use.

Even if you already have an incident response plan, you will still need to update it to comply with the amendments to Reg S-P, especially the 72-hour service provider notification time frame and the 30-day customer notification requirement.

  • Customer Notification Requirement:
    • RIAs are required to notify each individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.
    • RIAs must provide this notice as soon as practicable, but no later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.

Policies and procedures are needed for this new requirement. Even if an RIA determines that a given incident did not involve sensitive customer information, the procedure for making that determination must be in place, and a record of the determination that notification was not required, including the basis for it, must be maintained.

  • Expansion of the Safeguards and Disposal Rules (including written records):
    • The amendments expand the safeguards and disposal rules to cover nonpublic personal information that an RIA obtains about its own customers and nonpublic personal information it receives from other financial institutions about those institutions’ customers.
    • Written documentation is required for any detected unauthorized access to or use of customer information, and for the response to and recovery from that access.
    • Any investigation and determination regarding whether notification is required, including the basis for the determination, and any notice transmitted must also be documented.

These records are in addition to any written contracts or agreements entered into pursuant to the rule. RIAs must maintain them for five years, the first two years in an easily accessible place.


AML/CFT

The AML/CFT Rule adds Registered Investment Advisers (“RIAs”) and Exempt Reporting Advisers (“ERAs”) to the definition of “financial institution” under the Bank Secrecy Act (“BSA”). The Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) has issued several related AML rules, including a final rule implementing the Corporate Transparency Act (“CTA”) and a Customer Identification Program (“CIP”) rule for investment advisers that is still at the proposed stage. Under the AML/CFT Rule, firms have until January 1, 2026, to establish a compliant AML/CFT program, begin filing required Suspicious Activity Reports (“SARs”) and Currency Transaction Reports (“CTRs”), comply with the information sharing and special measures provisions of the USA PATRIOT Act, and comply with the Recordkeeping and Travel Rules.

  • AML/CFT Program – AML/CFT programs have six requirements:
    • Written Policies and Procedures – RIAs and ERAs must implement risk-based policies, procedures, and controls reasonably designed to prevent the investment adviser from being used for money laundering, terrorist financing, or other illicit finance activities and to achieve compliance with the applicable provisions of the BSA.
    • Board Approval – The AML/CFT program must be approved in writing by a board of directors or trustees, or, if none, by the sole proprietor, general partner, trustee, or other persons who have functions similar to a board of directors.
    • Independent Testing – Testing of the AML/CFT Program must be performed by either a qualified third party or by firm personnel who are not involved in the operation or oversight of the AML/CFT Program.
    • AML/CFT Officer – The AML/CFT Program must identify a person or persons responsible for implementing and monitoring the operation and internal controls of the AML/CFT Program. The AML/CFT Officer must be an employee of the firm or an affiliate.
    • Training – Ongoing training for appropriate persons to provide necessary awareness of the AML/CFT requirements, illicit finance risks, and job-specific guidance tailored to an individual’s role and function within the firm.
    • Ongoing Customer Due Diligence – FinCEN split the customer due diligence requirements between the finalized AML/CFT Rule and the proposed CIP Rule. The AML/CFT Rule imposes two customer due diligence requirements, which firms must implement through risk-based procedures:
      1. Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
      2. Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.

The more burdensome customer identification and verification requirements are not part of the AML/CFT Rule; they appear in the proposed CIP Rule, which has not yet been finalized.

  • Suspicious Activity Reports (“SARs”) – The AML/CFT Rule requires RIAs and ERAs to file SARs with FinCEN for suspicious transactions or patterns of transactions conducted or attempted by, at, or through the firm with at least $5,000 in aggregate value. This reporting obligation applies to activities on behalf of clients as well as suspicious transactions involving a portfolio company in which an advised private fund is invested.
  • Information Sharing and Special Measures under the USA PATRIOT Act – FinCEN’s rules allow law enforcement to request information about suspected criminal or terrorist activity. Firms must search their account and transaction records and respond to these FinCEN requests under Section 314(a) of the USA PATRIOT Act. In the private fund context, responses are expected to cover the fund itself, not the underlying investors in the fund. Additionally, the Treasury Department may in the future impose special measures under Section 311 of the USA PATRIOT Act, which could include recordkeeping, information collection, or reporting requirements, among others. Current special measures, such as those related to illicit Russian finance activities and illicit opioid trafficking, remain in effect.
  • Recordkeeping, Travel Rules and Currency Transaction Reports – The AML/CFT Rule does not exempt RIAs or ERAs from the requirement to file Currency Transaction Reports (“CTRs”) or adhere to the Recordkeeping and Travel Rules. The following are required:
    • Recordkeeping and Travel Rules – For transmittals of funds that equal or exceed $3,000, RIAs and ERAs must create and retain records of the transmittal (the Recordkeeping Rule) and pass specified transmittal information along to the next financial institution in the payment chain (the Travel Rule), unless an exception applies. Where an adviser’s customer has a direct account relationship with a qualified custodian that is itself subject to AML/CFT requirements, such as a bank or broker-dealer, the qualified custodian, not the adviser, is the party required to comply with the Recordkeeping and Travel Rules.
    • Currency Transaction Reports (“CTRs”) – RIAs and ERAs are required to file CTRs with FinCEN for transactions in currency of more than $10,000. This replaces the existing requirement for investment advisers to report currency transactions on Form 8300. To be clear, the CTR requirement applies only to transactions in physical currency (e.g., rolls of coins or stacks of paper currency), not to wires or any other form of electronic transfer.

Start Now

Whether you need a gap analysis, assistance on a specific sub-requirement, or a compliance partner to help you start from scratch, contact us today. Our Cyber team offers full support for every aspect of Amended Regulation S-P. There is just enough time left for firms to be prepared by the compliance deadlines.