FinCEN’s AML rule for investment advisers: What asset managers need to know

Author: The Carta Policy Team

Read time: 6 minutes

Published date: 2 July 2026

The Financial Crimes Enforcement Network (FinCEN) finalized its anti-money laundering (AML) rule for investment advisers in August 2024—and while the effective date has since been pushed to January 1, 2028, the rule is not going away. For registered investment advisers (RIA) and exempt reporting advisers (ERA), the delay is an opportunity to build a defensible compliance program on your own terms rather than under deadline pressure.

This article breaks down who the rule applies to, what it requires, and why the compliance work matters even before the rule takes effect.

The rule at a glance

On August 28, 2024, FinCEN issued a final rule extending AML and counter-terrorism financing (CFT) requirements to RIAs and ERAs for the first time. The rule brings investment advisers under the Bank Secrecy Act (BSA) framework—a regulatory regime previously focused on banks, broker-dealers, and similar financial institutions.

The original compliance deadline was January 1, 2026. In July 2025, Treasury announced the requirements would be delayed for two years, and FinCEN adopted rules formally pushing the effective date to January 1, 2028. The agency cited the volume and scope of comments received during the rulemaking process and the need to give firms adequate lead time to build or adapt compliance programs. FinCEN also indicated it would use the extended period to reconsider and re-tailor certain elements of the rule, and to coordinate with the long-expected Customer Identification Program (CIP) rule.

The delay is being widely misread. Patrick Daniel Squatriti, managing director of compliance for Carta Law, puts it plainly:

"For the managers already well down the path of building an AML program, the delay is a gift of time to build it properly rather than retrofit under pressure. For those who hadn’t started, it is not a reprieve—it is a widening gap between firms with a genuine AML posture and firms that will be exposed the moment the rule lands, or an LP asks the question first. Over the last 12 months, the weight LPs place on a GP’s compliance posture in their allocation decisions has risen sharply. Institutional allocators are increasingly treating a credible AML program as a baseline expectation rather than a differentiator—and managers who can demonstrate one are converting it into a genuine competitive advantage at the fundraising stage."

— Patrick Daniel Squatriti, managing director of compliance, Carta Law

Who the rule applies to

The FinCEN rule applies to:

  • Registered investment advisers (RIA): Firms registered with the U.S. Securities and Exchange Commission (SEC) that offer advisory services across diverse client bases.

  • Exempt reporting advisers (ERA): Entities exempt from full SEC registration but subject to reporting requirements—primarily those solely advising VC funds or private funds under $150 million AUM.

According to FinCEN's August 2024 rulemaking, together these firms manage approximately $119 trillion in assets and include roughly 14,000 RIAs and 6,000 ERAs.

State-registered advisers, foreign private advisers, and family offices are excluded from the rule’s requirements. Even so, firms that fall outside the scope may benefit from building toward an AML framework—particularly as compliance transparency is increasingly expected by institutional LPs and co-investors regardless of regulatory obligation.

The five pillars of AML compliance

At the heart of the FinCEN rule is a requirement to maintain a comprehensive AML/CFT program built on five pillars. Understanding each pillar is essential for legal and compliance teams beginning to scope the work.

Pillar 1: Designate an AML compliance officer

Firms must appoint a compliance officer with sufficient authority, independence, and resources to oversee the AML program. This individual should have a direct reporting line to senior management or the board, as required under FinCEN guidance. Firms should also consider the potential personal liability of the compliance officer and develop appropriate indemnification provisions to protect them in the execution of their duties.

Pillar 2: Develop internal policies and procedures

Firms must design policies and procedures to prevent, detect, and address money laundering and terrorist financing risks. They need to reflect the firm’s specific risk profile—accounting for client demographics, transaction types, and geographic exposure. Key elements include:

  • Risk-based client onboarding: Evaluating each client’s risk profile based on factors such as geography, transaction complexity, and beneficial ownership structures.

  • Transaction monitoring protocols: Clear thresholds and escalation procedures for identifying and investigating unusual activity.

Pillar 3: Establish ongoing employee training

The rule requires firm-wide training to ensure employees can recognize and escalate suspicious activity. Training materials should be comprehensive and defensible in the event of regulatory inquiry. Firms may benefit from engaging outside experts on specialized topics, including terrorist financing and emerging risks in digital asset transactions.

Pillar 4: Conduct independent AML testing

The rule requires regular, independent audits of the AML program—whether by internal audit functions or external parties. These audits validate that the program meets regulatory standards and create a documented record of good-faith compliance efforts that can be relevant in any enforcement context. Firms should comprehensively document audit findings.

Pillar 5: Implement customer due diligence (CDD)

Customer due diligence—commonly called know your customer or KYC—requires firms to identify clients and investors (and potentially transaction counterparties), understand ownership and control structures, and verify that information using reliable documentation. In most cases, this means collecting and reviewing documentation on clients and beneficial owners with an interest greater than 25%.

The obligation extends beyond identity verification. It includes understanding a client’s business purpose and financial activities, as well as ongoing screening against sanctions databases, financial crime registries, regulatory enforcement records, and political exposure lists—from the point of onboarding forward.

The rule's ongoing monitoring requirement also extends to existing investors: Fund managers with active funds linked to their ERA or RIA registration will be expected to conduct CDD on current investors—not just those onboarded after the rule takes effect.

Additional compliance obligations

Beyond the five pillars, the rule creates four additional compliance requirements for investment advisers.

  • Travel rule. Certain client and transaction information must accompany funds transfers throughout the payment chain. Advisers should document these procedures clearly in client agreements and onboarding materials to reduce ambiguity.

  • Suspicious Activity Reports (SAR). Advisers must file SARs for transactions that appear suspicious or lack an apparent lawful purpose. Timely filing is required, making training on recognition and reporting procedures essential.

  • Currency Transaction Reports (CTR). Advisers must file CTRs for cash transactions above $10,000, as well as for structured transactions designed to avoid that threshold. Unlike SARs, CTRs are triggered by transaction size, not suspicion of illicit activity. 

  • Response to law enforcement requests. The rule requires firms to respond to information requests from law enforcement regarding transactions potentially linked to illicit activity. Legal counsel should develop protocols that balance cooperation with law enforcement against the need to protect client confidentiality and privilege.

The regulatory framework that isn’t waiting

The 2028 delay does not pause the rest of the AML-adjacent compliance framework. Several obligations apply to investment advisers today, independent of the FinCEN rule’s effective date.

  • OFAC. Sanctions obligations under the Office of Foreign Assets Control apply to all U.S. persons and all transactions with a U.S. nexus. There is no threshold and no exemption for investment advisers, and no delay. The 50% Rule—which treats entities owned 50% or more in aggregate by one or more blocked persons as themselves blocked—is the single most common source of operational error in private markets.

    • Separately, institutional LPs are increasingly requiring managers to conduct UBO sanctions screening down to 25% ownership—below the OFAC threshold—as a condition of their own allocation diligence. Adopting the lower threshold now aligns with both evolving LP expectations and the beneficial ownership standards embedded in the FinCEN rule's CDD requirements.

  • SEC examination focus. The SEC has been increasingly active on adviser examinations touching AML-adjacent areas, including source-of-wealth documentation for high-net-worth clients and beneficial ownership reporting. These do not constitute an AML program, but they test many of the same underlying data points.

  • State-level requirements. State overlays add a further layer of complexity. NYDFS Part 504 applies to institutions with a New York banking license and is relevant for managers with New York-domiciled affiliates or partner institutions.

“While the compliance date was delayed and the rule’s contours may evolve, the policy direction is clear. Private markets are becoming more institutional, more technology-enabled, and more exposed to AML-adjacent scrutiny through SEC exams, sanctions compliance, digital assets, and AI-driven onboarding. Documented policies and KYC workflows are already part of the operating infrastructure LPs, regulators, and institutional partners expect to see—regardless of whether a formal mandate is in effect. The firms best positioned for this next phase are treating that signal—not just final rule text—as the planning input.”

— Holli Heiles Pandol, senior policy counsel, Carta

What to do now

The delay to 2028 creates a window, but not an indefinite one. Firms building toward compliance now are better positioned to raise capital from institutional LPs, respond to SEC examinations, and avoid the operational scramble that a compressed timeline creates.

Here are the practical starting points:

  • Designate or identify a candidate for the AML compliance officer role

  • Conduct a gap analysis of current KYC and onboarding processes against the rule’s core requirements

  • Map OFAC screening obligations and the 50% Rule to existing counterparty workflows

Carta Law works with fund managers and investment advisers to build AML programs that are proportional to the firm’s risk profile and built to scale. 

Contact Carta Law to learn more.

The Carta Policy Team
Carta’s Policy Team aims to connect the policymaking community and venture ecosystem to build an ownership economy and advance policies that support private companies, their employees, and their investors.

DISCLOSURE: This communication is on behalf of eShares, Inc. dba Carta, Inc. ("Carta"). This communication is for informational purposes only, and contains general information only. Carta is not, by means of this communication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services nor should it be used as a basis for any decision or action that may affect your business or interests. Before making any decision or taking any action that may affect your business or interests, you should consult a qualified professional advisor. This communication is not intended as a recommendation, offer or solicitation for the purchase or sale of any security. Carta does not assume any liability for reliance on the information provided herein. ©2026 Carta. All rights reserved. Reproduction prohibited.