Taking a Practical Approach to AML Policy
November 02, 2016
By Louis Bruno
Originally published in Private Funds Management
Pending anti-money laundering policy requirements for investment advisors can create anxiety. EisnerAmper’s principal Louis Bruno discusses the ins and outs of crafting a sound AML program.
The compliance burden is increasing again for many private fund managers.
The US Treasury department’s Financial Crimes Enforcement Network (FinCEN) has proposed a rule requiring registered investment advisors to implement anti-money laundering programs, and detect and report suspicious activity.
The rule would expand the definition of ‘financial institution’ under the Bank Secrecy Act to include investment advisors, subjecting them to additional regulations, such as recordkeeping and filing currency transaction reports. Lastly, the proposed rule would provide the SEC with examination authority over private fund managers in AML matters.
The challenge for private fund managers is that their AML risk profile differs from larger institutions, such as banks managing hundreds of daily transactions. To meet this challenge, practical risk-based considerations would serve private fund managers well in effectively and efficiently fulfilling their AML obligations.
A practical approach means AML programs will vary; a large hedge fund’s program will likely differ from a smaller private equity fund. Smaller funds have fewer compliance resources, are less likely to employ a full-time chief compliance officer and may outsource the function entirely. Moreover, these organizations may lack the expertise to identify AML issues, particularly when onboarding new investors.
Key elements of an AML program
Regardless of the FinCEN proposed rule, a private fund manager should implement a risk-based AML program meeting industry best practices with the following elements:
- Management oversight: Management is responsible for the program and should clearly define and document the investor review and approval process.
- Written policies: AML policies should be reasonably designed to achieve compliance with the proposed rules, delineate responsibilities for identifying and reporting suspicious activities and for conducting investor due diligence, address management approval and define risk appetite for onboarding new investors.
- Written procedures: Separate from the policy, an AML program requires written procedures reasonably designed to prevent the firm from being used for money laundering or terrorist financing activities. These controls must be designed to address applicable AML risks to the advisor.
- Periodic independent testing of the AML program: Such periodic testing (ie, annually) must be conducted by an entity independent of the investment advisor.
- Designation of an AML Compliance Officer: The officer must be “knowledgeable and competent” on applicable regulatory requirements to effectively fulfill the responsibilities attached to the role.
- Training: Employees of the advisor, depending on their roles, would require periodic training on the requirements of the BSA and related AML regulations.
Unlike other financial institutions, investment advisors are not required to enact a customer identification program (CIP) under the proposed rule. Nevertheless, an effective AML program requires monitoring and detection of suspicious activity, and possibly filing suspicious activity reports (SARs). In addition, FinCEN anticipates addressing a CIP requirement in future rulemaking with the SEC. Therefore, a fund manager’s AML program requires adequate due diligence before accepting investor money to meet SAR and CTR responsibilities.
Compliance policies can vary across organizations. However, in the simplest form, a policy should describe the business activities, the associated risks and controls to mitigate the risks. AML risk assessments can be incorporated into an investment advisor’s annual review under Rule 206(4)-7 of the Investment Advisers Act, but higher risks may need more frequent review.
Elements of a risk-based AML policy should include: a clear ‘money laundering’ definition; examples of ‘red flags’ indicating suspicious activities; identification of the persons responsible for administering and enforcing the AML program; criteria and tolerance for onboarding high risk investors (eg, politically exposed persons), particularly where sources of funds are unclear; and consequences for policy violations.
Importantly, AML policies are frequently distinct documents from an investment advisor’s compliance manual. To promote a consistent compliance program, fund managers should align the AML policy to the compliance manual.
Many fund managers outsource some or all of their AML procedures to third parties, such as fund administrators. Regardless of any outsourcing, FinCEN emphasizes that fund managers remain fully responsible for the adequacy and effectiveness of their AML program, including elements performed by third-party service providers. Regulators will not accept advisors blaming a third party for an investor due diligence failure.
If fund managers elect to outsource, several best practices apply for fulfilling AML responsibilities. A fund manager’s policy should specify the level of investor due diligence performed by a third party, and the amount of oversight by the manager. Examples may include periodic onsite visits to the third party, testing of processes and meeting with key personnel to gain comfort with procedures.
Additionally, when completing service level agreements, fund managers should consider:
- Level of due diligence: SLAs must address the level and scope of fund manager due diligence on the outsourced third party. The fund manager should have the right to inspect an administrator’s due diligence reviews on new investors. For high risk investors, such as PEPs, SLAs should articulate any enhanced due diligence procedures performed by the third party that would allow the fund manager to gain comfort with the investor’s source of funds, such as requiring additional documents or information from the investor. These concerns are illustrated by the recent publication of the Panama Papers.
- Record retention: If the fund administrator holds AML records on behalf of the fund manager, SLAs should clearly define regulatory expectations on document production. Typically, regulators require document production within 24 to 48 hours for an examination request, and SLAs should contain appropriate language to protect fund managers.
- On-site inspections: An advisor’s periodic onsite due diligence of third parties should include reviews of AML files the third party maintains for the fund manager and testing of AML activities. SLAs should allow advisors the right to review such files and conduct testing of the third party’s procedures.
- Escalation procedures: If a fund administrator identifies any red flags during AML reviews, SLAs should contain escalation procedures to immediately notify the AML compliance officer. Red flags may include the presence of PEPs or negative investor information. Fund managers must be prepared to take prompt and appropriate action in such circumstances.
Private fund managers can ease their anxiety concerning the new FinCEN rule by following AML fundamentals. Risk-based AML policies start with knowing your investors and their source of funds through proper diligence. A practical approach may include outsourcing AML tasks to third parties, but fund managers must provide proper oversight and draft agreements taking AML responsibilities into consideration to reduce their compliance risk.
WHAT FUND MANAGERS SHOULD ASK THEMSELVES:
- Is there established governance allowing management to review and approve new investors?
- Has a risk assessment outlining the advisor’s AML risks and corresponding controls been implemented?
- Has management defined the firm’s risk appetite for onboarding potentially high-risk investors?
- Is the firm staffed to support investor due diligence, monitoring and reporting or is outsourcing necessary?