As we approach the mid-point of 2025, two compliance deadlines stand out: Amended Regulation S-P and FinCEN's Anti-Money Laundering / Countering the Financing of Terrorism Rule (the "AML/CFT" Rule).
Amended Regulation S-P
The amendments to Reg S-P treat Registered Investment Advisers ("RIAs") as "covered institutions" under the rule. As covered institutions, RIAs must comply by December 3, 2025 (larger entities, with $1.5 billion or more in assets under management) or by June 3, 2026 (smaller entities, with less than $1.5 billion in assets under management).
Compliance Dates
Compliance Date | Covered Entity
12/3/2025 | Larger Entity Compliance Date: RIAs with $1.5 billion or more in assets under management
6/3/2026 | Smaller Entity Compliance Date: RIAs with less than $1.5 billion in assets under management
Requirements
As covered institutions, RIAs need to develop the following:
- Vendor Management Program:
- Expansive policies and procedures to complete vendor due diligence and ongoing monitoring beyond current due diligence expectations.
- A new 72-hour notice requirement – Service providers must notify RIAs as soon as possible, and no later than 72 hours after becoming aware of a breach resulting in unauthorized access to a customer information system maintained by the vendor.
- RIAs may need new agreements or assurances from service providers that notification will be given within the required 72-hour time frame.
- RIAs must initiate their incident response plan upon receiving notification of such a breach.
Existing vendor due diligence policies and procedures will lack the new 72-hour notification requirement and the updated definition of a service provider. Older service provider agreements will lack the notification requirement too, which may mean addenda or revisions to existing agreements ahead of the compliance deadline.
- Incident Response Plan:
- RIAs must maintain an incident response plan.
- The plan must be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, and to prevent such access or use.
Even if a firm already has an incident response plan in place, updates will still be needed to comply with the amendments to Reg S-P, especially as they relate to the 72-hour service provider notification, which would trigger activation of the incident response plan.
- Customer Notification Requirement:
- RIAs are required to notify each individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.
- RIAs must provide this notice as soon as practicable, and no later than 30 days after becoming aware of the incident.
Even if an RIA determines that a given breach did not involve sensitive customer information, the procedure for making that determination must be in place, and a record of the determination that notification was not needed must still be maintained.
- Expansion of Safeguards and Disposal Rules (including written records):
- The amendments expand the safeguards and disposal rules to cover nonpublic personal information that an RIA obtains about its own customers as well as nonpublic personal information it receives from other financial institutions about those institutions' customers.
- Written documentation is required for any detected unauthorized access to or use of customer information, the response to that access, and the recovery from it. Any investigation and determination of whether customer notification is required, including the basis for that determination, and any notice actually transmitted must also be documented.
These records must be maintained in addition to any written contracts or agreements entered into pursuant to the rule. For RIAs, these records must be retained for five years, the first two years in an easily accessible place.
- Policy and Procedure Updates:
- New policies and procedures are needed to cover:
- The Vendor Management Program;
- The Incident Response Plan;
- Detection, investigation, and notification procedures for breaches and unauthorized access; and
- The amended rules and recordkeeping provisions.
AML/CFT
Registered Investment Advisers ("RIAs") and Exempt Reporting Advisers ("ERAs") are now included in the definition of "financial institutions" under the Bank Secrecy Act ("BSA") by the AML/CFT Rule. In addition, the Treasury Department's Financial Crimes Enforcement Network ("FinCEN") has advanced several other AML-focused rules, including the beneficial ownership reporting rule implementing the Corporate Transparency Act ("CTA"), which is a final rule, and the AML Customer Identification Program Rule ("AML CIP"), which is still at the proposed rule stage.
Under FinCEN's AML/CFT Rule, firms must establish a compliant AML/CFT program, begin filing Suspicious Activity Reports ("SARs") and Currency Transaction Reports ("CTRs") where required, comply with the information sharing and special measures provisions of the USA PATRIOT Act, and comply with the Recordkeeping and Travel Rules.
Compliance Date
Compliance Date | Covered Entity
1/1/2026 | All RIAs and ERAs
Requirements
- AML/CFT Program – AML/CFT programs have six (6) requirements:
- Written Policies and Procedures – RIAs and ERAs must implement risk-based policies, procedures, and internal controls reasonably designed to prevent the investment adviser from being used for money laundering, terrorist financing, or other illicit finance activity and to achieve compliance with the applicable provisions of the BSA. These policies and procedures must include documentation of approvals, filings, testing, designations, training, due diligence, and recordkeeping as described below.
- Board Approval – The AML/CFT program must be approved in writing by the board of directors or trustees or, if there is none, by the sole proprietor, general partner, trustee, or other persons who perform functions similar to those of a board of directors.
- Independent Testing – Testing of the AML/CFT program must be performed either by a qualified third party or by firm personnel who are not involved in the operation or oversight of the AML/CFT program.
- AML/CFT Officer – The AML/CFT program must designate a person or persons responsible for implementing and monitoring the operation and internal controls of the program. The AML/CFT Officer must be an employee of the firm or of an affiliate.
- Training – Ongoing training for appropriate personnel to provide necessary awareness of the AML/CFT requirements, illicit finance risks and red-flags, and role-specific guidance tailored to the employee’s role and function within the firm.
- Ongoing Customer Due Diligence – FinCEN split the BSA's customer due diligence requirements between the finalized AML/CFT Rule and the proposed AML CIP Rule. The AML/CFT Rule imposes two customer due diligence requirements, and firms must implement risk-based procedures for:
- Understanding the nature and purpose of customer (i.e., client, private fund, and private fund investor) relationships for the purpose of developing a customer risk profile; and
- Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.
The more burdensome customer identification and verification requirements of the BSA are not included in the AML/CFT Rule but are present in the proposed AML CIP Rule.
- Suspicious Activity Reports (“SARs”) – The AML/CFT Rule requires RIAs and ERAs to file SARs with FinCEN for suspicious transactions, or patterns of transactions, conducted or attempted by, at, or through the firm, with at least $5,000 in aggregate value. This reporting obligation applies to activities on behalf of clients and investors, as well as suspicious transactions involving a portfolio company in which an advised private fund is invested.
- Information Sharing and Special Measures under the USA PATRIOT Act[1] ("PATRIOT Act") – FinCEN's rules allow law enforcement to request information about suspected criminal or terrorist activity. Under Section 314(a) of the PATRIOT Act, firms must search their account and transaction records and respond to these FinCEN requests. For a private fund, responses under this section are expected to cover the fund itself, not the underlying investors in the fund. Additionally, the Treasury Department may in the future impose special measures under Section 311 of the PATRIOT Act that could include recordkeeping, information collection, or reporting requirements, among others. Current special measures, such as those related to illicit Russian finance activity and illicit opioid trafficking, will remain in effect.
- Recordkeeping, Travel Rules, and Currency Transaction Reports – The AML/CFT Rule requires RIAs and ERAs to file Currency Transaction Reports ("CTRs") and to comply with the Recordkeeping and Travel Rules, as applicable.
- Recordkeeping and Travel Rules – For transmittals of funds of $3,000 or more, records must be created and retained, and certain information about the transmittal must "travel" with it from the firm to the next financial institution in the payment chain, unless an exception applies. Where an adviser's customer has a direct account relationship with a qualified custodian that is itself subject to AML/CFT requirements, such as a bank or broker-dealer, the qualified custodian, not the adviser, would be required to comply with the Recordkeeping and Travel Rules.
- Currency Transaction Reports ("CTRs") – RIAs and ERAs must file CTRs with FinCEN for transactions in currency of more than $10,000. This replaces the existing requirement for investment advisers to report such transactions on Form 8300. To be clear, the CTR requirement applies only to transactions in physical currency (e.g., rolls of coins or stacks of paper currency), not to wires or any other form of electronic transfer.
Start Now
Whether your firm needs a gap analysis, assistance on a specific sub-requirement, or a compliance partner to start from scratch, contact us today. We offer full support for the new requirements under Amended Regulation S-P and can help you prepare for the new AML/CFT Rule.
[1] The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.