IAA Comments on Customer Identification Program Proposal for Investment Advisers
July 22, 2024
Via Electronic Filing
Andrea M. Gacki
Director
Financial Crimes Enforcement Network
P.O. Box 39
Vienna, VA 22183
Ms. Vanessa Countryman
Secretary
U.S. Securities and Exchange Commission
100 F Street, NE
Washington, DC 20549-1090
Re: Customer Identification Programs for Registered Investment Advisers and Exempt Reporting Advisers (FinCEN Release No. BSA-1, SEC File No. S7-2024-02; RINs: 1506-AB66, 3235-AN34)
Dear Director Gacki and Ms. Countryman:
The Investment Adviser Association (IAA)[1] appreciates this opportunity to comment on the Financial Crimes Enforcement Network’s (FinCEN’s) and Securities and Exchange Commission’s (SEC’s, together, the Agencies’) joint proposal (CIP Proposal) to require registered investment advisers and exempt reporting advisers (SEC Advisers) to implement procedures to verify the identities of their customers[2] through a Customer Identification Program (CIP).[3]
We agree that detecting and preventing money laundering and terrorist financing in all aspects of the financial system are critically important, and thus strongly support the U.S. government’s efforts to combat these activities through addressing meaningful regulatory gaps. However, as noted in the IAA AML Letter,[4] we are concerned that, instead of filling gaps, these proposals may add another level of redundancy to the already multi-layered AML regulatory regime. While we appreciate that the intent of the CIP Proposal is to adopt a flexible, risk-based approach to CIP compliance that will permit each SEC Adviser to tailor its CIP to match the nature and scope of its advisory business, the CIP Proposal is overly prescriptive in certain of its specific requirements. These requirements will make it more difficult for SEC Advisers to tailor their programs appropriately and thus be less effective.
In many cases, SEC Advisers are only one of a series of financial institutions (including, e.g., broker-dealers and banks) interfacing with clients, many of which already are required to perform initial and ongoing CIP reviews of the client. The IAA believes that excluding certain accounts and clients from the CIP Proposal would strengthen SEC Advisers’ CIPs by allowing them to use their finite resources to address higher-risk clients. It would also reduce situations where the costs and operational challenges of compliance with duplicative regulatory requirements will significantly outweigh the marginal benefits.
We also urge the Agencies to reconsider the scope of the CIP Proposal to develop a tailored approach that effectively addresses specific risks while avoiding unnecessary regulatory burdens, especially burdens on smaller SEC Advisers. For smaller SEC Advisers, the additional burdens will add to a mountain of new regulations that have been imposed in recent years. There are legitimate questions as to whether imposing CIP requirements on smaller SEC Advisers will meaningfully contribute to the Agencies’ efforts to prevent money laundering and terror financing. In addition, the Agencies should modify the proposal to ensure consistency with CIP obligations for other financial institutions.
We believe that the changes we recommend will improve the efficiency of the CIP Proposal’s intended regulation of SEC Advisers by excluding or exempting from coverage certain accounts and clients, enhance the ability of SEC Advisers to tailor the proposed CIP requirements to their businesses, and enable SEC Advisers to rely on certain efforts of other AML-regulated entities in the financial system. This letter also discusses certain practical and operational implications of the CIP Proposal.
I. Executive Summary
We make the following recommendations:
A. Provide Exclusions or Exemptions from the CIP Requirements for Activities, Accounts, and Clients that Present Little AML Risk. A significant number of SEC Advisers provide services to clients and/or engage in advisory activities that do not, in the IAA’s view, raise money laundering risks that need to be addressed by the Agencies’ proposed rules and we recommend the exclusion or exemption of these services and related accounts. As discussed in the IAA AML Letter, these services and activities include:
- Advisory Services Not Involving Management of Client Assets. The Agencies should modify the scope of the CIP Proposal to exclude accounts that do not involve management of client assets, such as non-discretionary financial planning and publication of securities-related newsletters or research reports or the provision of “model portfolios.”
- Advisory Services to Lower-Risk Clients. The Agencies should recognize the minimal risk presented by certain other types of advisory clients, such as retirement plans, Employees’ Securities Companies (ESCs), and publicly traded corporations, and exclude them from the scope of the CIP Proposal’s requirements.
- Advisory Services to AML-Regulated Entities. The Agencies should not require an SEC Adviser’s CIP to be applied to activities undertaken for banking institutions, insurance companies, mutual funds, and registered broker-dealers (such entities, collectively, AML-Regulated Entities).
- Sub-Advisory Services. The Agencies should relieve Sub-Advisers of the proposed CIP requirements because they will not possess or have access to information about the end-clients in the Sub-Advisory Arrangement and, therefore, are not well-positioned to implement a CIP for those accounts and clients.
- No Look-Through Obligations for SEC Advisers to Private Funds. The Agencies should confirm that an SEC Adviser does not have an obligation to implement a CIP with respect to the underlying investors in an unregistered pooled investment vehicle.
- Application of CIP Proposal to Smaller SEC Advisers. The Agencies should exclude SEC Advisers with 100 or fewer employees from the requirements of the CIP Proposal, or, at a minimum, exclude SEC Advisers with 20 or fewer employees consistent with FinCEN’s treatment of state-registered investment advisers in the AML Proposal.
B. Ease the Practical and Operational Burden on SEC Advisers in Implementing CIP Requirements. Under the CIP Proposal, every SEC Adviser would be required to implement procedures for verifying the identity of any person seeking to open an account with the SEC Adviser to the extent reasonable and practicable and to maintain records associated with such verification. While we commend the Agencies for taking a more risk-based approach, in light of the wide differences in the size, corporate structures, and business models of SEC Advisers, the Agencies should provide additional flexibility and address certain other practical and operational issues concerning the manner in which the CIP Proposal requires implementation of the CIP.
- Confirm Existing Clients of SEC Advisers are Excluded from the CIP Requirements. The Agencies should confirm that the CIP Proposal will not apply retroactively to existing clients where the SEC Adviser has a reasonable belief that it knows the true identity of the client. The IAA also requests that, similar to other financial institution CIP rules, the Agencies allow SEC Advisers to demonstrate their “reasonable belief” in alternative ways such as a long-standing relationship with the client or knowledge that another financial institution has already completed identity verification for the client.
- Do Not Require SEC Advisers to Obtain the Date of Formation for Institutional Clients. Consistent with the CIP requirements for other financial institutions, SEC Advisers should not be required to obtain the date of formation for non-individual entities.
- Only Require SEC Advisers to Include Obvious Indicators of Fraud as a Factor in Client Identity Verification. Consistent with the CIP requirements for other financial institutions, the Agencies should only require SEC Advisers to include obvious indicators of fraud as a factor in determining whether they could form a reasonable belief that they know the client’s true identity. We recommend including this language in the final rule release.
C. CIP Recordkeeping Requirements
- Allow SEC Advisers the Option of Retaining Images of Documents to Meet Their CIP Recordkeeping Obligations. The Agencies should provide flexibility to SEC Advisers by allowing them to meet their recordkeeping obligations by retaining an image of the document used for client identity verification.
- Do Not Require SEC Advisers to Retain Records of the Specific Non-Documentary Verification Methods Used for Each Client. The Agencies should allow SEC Advisers to retain a description of the non-documentary client verification methods used in a general policy or procedure instead of documenting what method was used for each individual client.
D. Provide SEC Advisers Ample Notification of New Lists of Known or Suspected Terrorists or Terrorist Organizations. The Agencies should notify SEC Advisers directly of new CIP lists and the lists should be published prominently on the Treasury Department and SEC public websites.
E. Do Not Require a Written Agreement for SEC Advisers When Relying on a Third Party to Implement Their CIPs. The Agencies should recognize the tremendous challenges SEC Advisers face in negotiating written contracts with service providers and not require SEC Advisers to enter into written agreements when relying on third parties to implement their CIPs. Instead, as we have urged in other contexts,[5] SEC Advisers should be given the flexibility to oversee their service providers based on the nature and size of their businesses and in light of the risks posed by the facts and circumstances.
F. Provide a More Reasonable Implementation Period. The Agencies should extend and stagger the implementation period to allow SEC Advisers an adequate amount of time to come into compliance with both the new AML and CIP requirements. We recommend that FinCEN provide at least 18 months for larger SEC Advisers to implement the CIP Proposal and, to the extent they are not excluded from the CIP requirements, a longer period of at least 24 months for smaller SEC Advisers with 100 or fewer employees.
G. Reopen the Comment Period for the CIP Proposal If and When the AML Proposal is Finalized. Because of their interrelatedness, the Agencies should reopen the CIP Proposal if and when the AML Proposal is finalized to allow commenters to address CIP obligations in light of changes made to the AML Proposal. At a minimum, FinCEN should reopen the comment period for the AML Proposal to allow commenters to reconsider their comments in light of the CIP Proposal and the recently proposed changes to financial institutions’ AML programs.
The IAA urges the Agencies to consider these comments when finalizing the CIP Proposal.
II. Recommendations
A. Provide Exclusions or Exemptions from the CIP Program Requirements for Certain Types of Accounts and Clients
The proposal imposes CIP requirements on all SEC Advisers, irrespective of the nature of their clients or their types of advisory business. However, as the IAA noted in the IAA AML Letter, a significant number of these SEC Advisers have relationships with clients and/or engage in advisory activities that do not, in the IAA’s view, raise money laundering risks that need to be addressed by the CIP Proposal. To the extent an SEC Adviser’s advisory business is limited to the low-risk services and clients discussed below, that SEC Adviser should be excluded from the CIP requirements altogether. SEC Advisers that engage in these activities or serve these types of clients but do not do so exclusively would still need to establish a CIP, but the scope and operational burdens of their programs would be significantly reduced if these accounts were carved out.
1. Advisory Services Not Involving Management of Client Assets
As discussed in the IAA AML Letter, the IAA strongly supports the proposed exclusion from the CIP requirements of accounts where the SEC Adviser provides non-advisory services.[6] We believe this same logic should extend to exclude non-management investment advisory services as well.
Certain SEC Advisers provide non-management investment advisory services, including, but not limited to, non-discretionary financial planning and publication of securities-related newsletters, “model portfolios,” and research reports (Non-Management Services). In providing these types of services, SEC Advisers are functioning entirely outside of the “payment chain”—the SEC Adviser neither manages, directly or indirectly, the client’s assets nor participates in instructing the transmittal of any client funds to or from any recipient. Accordingly, in these circumstances, there is little to no risk that the SEC Adviser will be an entry point for money laundering or terrorist financing activities. Moreover, the SEC Adviser would not have access to sufficient information about the account or who the account holder is. In many instances, SEC Advisers may not even possess the names of or other identifying information about the investors who receive Non-Management Services. Applying CIP requirements to the SEC Adviser in this context would not meaningfully contribute to the AML regime but would meaningfully burden the SEC Adviser. We therefore request that the Agencies modify the CIP Proposal to provide that SEC Advisers need not include within the scope of their CIP those accounts to which they provide only Non-Management Services, and that SEC Advisers that provide only Non-Management Services would not need to have a CIP at all.
2. Advisory Services to Lower-Risk Clients
Certain advisory clients, although not themselves subject to formal AML program requirements, nonetheless present a lower risk of suspicious activity. Retirement plans, ESCs, and publicly traded corporations are notable examples.
Retirement plans are created to secure employees’ retirement benefits. They are funded by contributions directly from participants’ salaries and from the sponsoring employer, and participants are not permitted to withdraw their plan contributions prior to reaching age 59; indeed, they will be subject to severe penalties for doing so. The Agencies have previously recognized that retirement plans involve little AML risk.[7] ESCs are companies all the outstanding securities of which are beneficially owned by current and former employees of a single employer (or group of affiliated employers), immediate family members thereof, and/or the relevant employer(s), and are established to benefit, reward, and retain employees and are similar to retirement plans in form and function.[8] Public corporations generate income from active business operations, are subject to significant audits and other regulatory requirements, and are heavily regulated by the SEC. For these reasons, advisory accounts for retirement plans, ESCs, and publicly traded corporations present a significantly lower risk of money laundering.
Several other advisory clients would also fall into this lower-risk category and we recommend that they be treated in a similar manner. These include accounts of government entities, such as municipal or state agencies; governmental pension plans; non-profit organizations; higher education endowment funds; and multi-employer plans. Moreover, these accounts are held in custody by a financial institution that is already required to conduct BSA-compliant AML reviews of the account, adding an additional layer of security.
As we requested in the IAA AML Letter, we ask that the Agencies explicitly recognize here too the minimal risk presented by the types of advisory clients discussed above and exclude these clients from the CIP requirements. If the Agencies decline to adopt our recommendation, however, at a minimum they should confirm that SEC Advisers’ CIP requirements with respect to these entities would be minimal under a risk-based approach.
3. Advisory Services to AML-Regulated Entities
SEC Advisers serve a diverse range of clients, including, for example, individuals, banks, mutual funds, pension funds, hedge funds, private equity funds, charitable organizations, endowments, corporations, and state or municipal entities. Certain types of advisory clients are themselves AML-Regulated Entities and are already subject to the extensive AML program requirements of the BSA, including a requirement to implement a CIP. Moreover, assets that an SEC Adviser manages for a client that is itself an AML-Regulated Entity have already been subject to a CIP review before allocation to the SEC Adviser for management. Therefore, requiring an SEC Adviser to conduct a CIP review of clients that are AML-Regulated Entities would be needlessly duplicative of protections already in place and impose a substantial cost and burden on SEC Advisers without providing a commensurate improvement in the detection and prevention of illicit money laundering activities.
We recommend that the CIP Proposal be amended to provide that an SEC Adviser is not required to include AML-Regulated Entity clients within the scope of its CIP program.
4. Sub-Advisory Services
Relief is also warranted in the common context of sub-advisory relationships, where one SEC Adviser (Primary Adviser) takes responsibility for the day-to-day administration of a client’s account and client-related account services (such as reporting and recordkeeping), but contracts with one or more other SEC Advisers (Sub-Advisers) to make investment management decisions for the account or part of the account (collectively, Sub-Advisory Arrangements).
A Sub-Adviser likely will not possess or have access to information about the end-clients or fund investors in the Sub-Advisory Arrangement and, therefore, is not well-positioned to implement a CIP for those accounts and clients. In some cases, this lack of transparency may indeed be critical to the commercial (e.g., due to competitive concerns) or legal (e.g., due to varying privacy laws applicable to non-U.S. clients) viability of the Sub-Advisory Arrangement. Moreover, as a party involved in only the investment management aspects of the Sub-Advisory Arrangement, the Sub-Adviser typically will have no direct contact with the account holder or investor and will not have investor-level visibility into the circumstances surrounding subscriptions, redemptions, and other cash moves impacting the account. As such, the Sub-Adviser is unlikely to have access to the type of information required to be gathered for the CIP.
Similar to our request in the IAA AML Letter, the IAA requests that the Agencies relieve Sub-Advisers and AML-covered Sub-Advisory Arrangements from the CIP requirements with respect to their sub-advisory activities.
5. No Look-Through Obligations for SEC Advisers to Private Funds
The IAA appreciates the Agencies’ risk-based approach that permits SEC Advisers to risk-rate their CIP obligations based on the money-laundering risks associated with particular types of accounts.[9] The proposal notes, in particular, that an SEC Adviser would not be required to look through a trust or similar account to its beneficiaries and would only be required to verify the identity of the named account holder.[10]
Similar to our request in the IAA AML Letter, we ask for confirmation that an SEC Adviser’s CIP would not require SEC Advisers to look through the private fund to the underlying investors. It is important to note that the SEC Adviser has a contractual relationship with the private fund, where the private fund is the SEC Adviser’s client, not the underlying investors in the fund.[11] We believe this also aligns with the BD CIP Rule where, with respect to an omnibus account established by an intermediary, a broker-dealer is not required to look through the intermediary to the underlying beneficial owners if the intermediary is identified as the account holder.[12]
6. Application of CIP Proposal to Smaller SEC Advisers
The Agencies use an outdated and totally unrealistic definition of small entity, concluding that only an estimated 2.7% of all SEC Advisers[13] impacted by the CIP Proposal are small entities.[14] Based on this, the Agencies estimate that the CIP Proposal will not impact a substantial number of small entities.[15] The IAA has long objected to the use of this definition and has asked the SEC through a petition for rulemaking to recognize that most SEC Advisers are small businesses by any rational measure.[16]
Similar to our comments in the IAA AML Letter, the CIP Proposal should exclude smaller SEC Advisers with 100 or fewer employees from the CIP requirements, or, at a minimum, it should exclude smaller SEC Advisers with 20 or fewer employees.[17] This would be consistent with FinCEN’s treatment of state-registered investment advisers in the AML Proposal, which we supported.[18]
As noted in the IAA AML Letter, fiduciary investment advice from SEC Advisers is increasingly important as financial markets become more and more complex.[19] SEC Advisers help individual investors meet their financial goals, including investing for retirement, home ownership, elder care, and education, and support their communities in myriad ways. The majority of these SEC Advisers are small businesses, and they are struggling under the weight of the current regulatory agenda. Indeed, new regulations burden smaller SEC Advisers in unique ways and these burdens are only increasing.
Smaller SEC Advisers will also face unique challenges under the CIP Proposal. For example, smaller SEC Advisers, which have limited personnel and other resources, will likely need to divert resources from client-servicing functions and other compliance requirements to invest in building out a CIP.
For the same reasons that state advisers are excluded, we also believe that smaller SEC Advisers generally pose less risk with regard to the proliferation of money laundering and terrorist financing. In our view, the appropriate cutoff for an exclusion is an SEC Adviser with 100 or fewer employees. At a minimum, however, we urge the Agencies to exclude SEC Advisers with 20 or fewer employees.
B. The Agencies Should Ease the Practical and Operational Burden on SEC Advisers in Implementing CIP Requirements
In addition to providing exclusions or exemptions where the risk and thus the potential benefits are small, but the burdens are significant, the Agencies should amend the CIP Proposal to address certain practical challenges SEC Advisers are likely to face in implementing CIPs. We appreciate the Agencies’ efforts to include an element of reasonableness, i.e., that the proposed CIP must be reasonably designed to require verification of the identity of any person seeking to open an account with the SEC Adviser to the extent reasonable and practicable. However, the minimum requirements that the CIP would be required to meet are nevertheless highly prescriptive, which will make it more challenging for SEC Advisers to adopt a tailored, risk-based program. We address certain practical issues concerning the way the CIP Proposal requires implementation of the CIP below.
1. Confirm Existing Clients of SEC Advisers are Excluded from the CIP Requirements
The CIP Proposal would require that each SEC Adviser’s CIP would apply to any person that opens an account with the SEC Adviser. The CIP Proposal includes an exemption for persons that have an existing account with the SEC Adviser, provided the SEC Adviser has a reasonable belief that it knows the true identity of the person. Thus, the CIP Proposal will not apply retroactively to existing clients, nor will it apply to existing clients who open a new account with the same SEC Adviser, as long as the SEC Adviser reasonably believes that it knows the client’s true identity. The IAA strongly supports the exemption, but we ask that it be clarified to ensure that it functions as intended and is consistent with how similar exemptions are applied in the context of CIP requirements for other financial institutions.
Our concern arises from the language in the release that appears to be more prescriptive than the proposed rule text. The proposed rule text requires an SEC Adviser to have a reasonable belief that it knows the true identity of the client, but, similar to how this requirement is handled in other CIP contexts, does not prescribe a particular method for forming the reasonable belief. The release, on the other hand, states that this safe harbor would only apply if the SEC Adviser previously verified the client’s identity, to the extent required, in accordance with procedures consistent with the proposed rule and continues to have a reasonable belief that it knows the true identity of the client based on the previous verification.[20]
As noted above, SEC Advisers enter into investment management agreements with clients at the beginning of the relationship. While the agreements may be modified and/or updated, SEC Advisers would generally not enter into entirely new agreements or business relationships with existing clients. Additionally, since SEC Advisers are not currently subject to CIP requirements, they would likely not have previously verified the client’s identity with procedures “consistent with the proposed rule.”
Therefore, to more accurately reflect the rule text, the IAA requests that the Agencies confirm that any final rule will not apply retroactively to existing clients where the SEC Adviser has a reasonable belief that it knows the true identity of the client, which may be demonstrated through alternative ways, such as a long-standing relationship with the client or knowledge that another financial institution has already completed identity verification for the client.[21]
2. Do Not Require SEC Advisers to Obtain the Date of Formation for Institutional Clients
The CIP Proposal would require the SEC Adviser to obtain the date of formation for a person that is not an individual. The CIP Proposal states that the date of formation may be available on the certificate of formation or incorporation (or other document used to create a legal person), as well as any amendments to those documents.[22]
Notably, other financial institutions with CIP obligations do not include a “date of formation” collection requirement for legal entities as part of the basic data elements required to be collected.[23] The Agencies did not elaborate on the addition of this requirement in the CIP Proposal and it is thus not clear why the Agencies believe that SEC Advisers should be subject to a different requirement than other financial institutions.
The IAA therefore recommends that, consistent with the CIP requirements for other financial institutions, SEC Advisers not be required to obtain the date of formation for non-individual entities.
3. Only Require SEC Advisers to Include Obvious Indicators of Fraud as a Factor in Client Identity Verification
We appreciate that the CIP Proposal would allow SEC Advisers to rely on an unexpired government-issued identification for verification purposes and not require SEC Advisers to take steps to determine whether a document has been validly issued.[24] However, the CIP Proposal also states that if a document has indicators of fraud, the SEC Adviser would have to consider that factor in determining whether it could form a reasonable belief that it knows the client’s true identity. This differs from the BD CIP Rule, which similarly allows broker-dealers to rely on government-issued identification as verification of a customer’s identity, unless a document shows “obvious” indications of fraud, in which case the broker-dealer must consider that factor in its reasonable belief determination.[25]
The IAA supports not requiring SEC Advisers to take steps to determine whether a document has been validly issued, which would be extremely challenging. However, we are concerned that without the qualifier that the indications of fraud be “obvious,” it is unclear how “indicators of fraud” would be construed and SEC Advisers will likely err on the side of caution and feel compelled to take additional steps to meet their obligations under the CIP Proposal.[26]
We recommend that any final rule, similar to the BD CIP Rule, add the helpful qualifier to require an SEC Adviser to include obvious indicators of fraud as a factor in determining whether it could form a reasonable belief that it knows the customer’s true identity.
C. CIP Recordkeeping Requirements
The CIP Proposal would require SEC Advisers to retain the information obtained about a client pursuant to the proposal.
1. SEC Advisers Should be Allowed to Retain Images of Documents to Meet Their CIP Recordkeeping Obligations
The CIP Proposal would require SEC Advisers to obtain and maintain all identifying information about a client, including a description of any document that was relied on for verification, noting the type of document, any identification number contained in the document, the place of issuance, and if any, the date of issuance and expiration date.
The IAA is concerned about the sheer amount of data that would be required to be obtained by SEC Advisers and how that data would be integrated into an SEC Adviser’s systems. For example, SEC Advisers would likely need to build new systems or substantially modify existing systems to obtain and maintain the information in a specific, structured format as required by the CIP Proposal.
Instead, SEC Advisers should be given the flexibility to retain an image of the document used for verification, which could be stored as different media, including, but not limited to, a paper photocopy, electronic photo (.jpeg file) or scanned file (.pdf file). This would significantly reduce the costs associated with this requirement without reducing the protections. For example, an image of a government-issued identification document, such as a driver’s license or passport, would include the identification number, place of issuance, the date of issuance, and expiration date. Any value derived from creation of a new system to maintain this information would be greatly outweighed by the costs.
We believe the Agencies can achieve their recordkeeping objectives without a prescriptive mandate. Therefore, we suggest the following marked revisions to proposed Rule 1032.220(a)(3)(i)(B):
(i) Required records. At a minimum, the record must include:
(A) All identifying information about a customer obtained under paragraph (a)(2)(i) of this section,
(B) An image or description of any document that was relied on under paragraph (a)(2)(ii)(A) of this section. Any description must note the type of document, any identification number contained in the document, the place of issuance, and if any, the date of issuance and expiration date;
Should the Agencies decline to allow SEC Advisers to retain images in lieu of the proposed detailed description, we call on the Agencies, at a minimum, to realistically consider the proposed requirement’s costs and implementation challenges.[27]
2. SEC Advisers Should Not Be Required to Retain Records of the Specific Non-Documentary Verification Methods That Were Used for Each Client
The CIP Proposal would require that SEC Advisers retain records of the description of the methods and results of any measures undertaken to verify the identity of a client. This would include clients who are identified through documents or through non-documentary verification methods.
The IAA requests that, consistent with prior FinCEN guidance for banks,[28] the Agencies confirm that it will be acceptable for SEC Advisers to retain a description of the non-documentary client verification method used in a general policy or procedure instead of recording the fact that a particular method was used on each individual client’s record, as long as the record cross-references the specific provision(s) of the risk-based procedures contained in the SEC Adviser’s CIP used to verify the client’s identity. This will allow the Agencies to meet their policy goals, while allowing SEC Advisers to reference their policies without having to detail how the verification was completed for each individual client.
Therefore, we suggest the following marked revision to proposed Rule 1032.220(a)(3)(i)(C):
(C) A written policy or procedure that includes a description of the methods and results of any measures undertaken to verify the identity of a customer under paragraphs (a)(2)(ii)(B) and (C) of this section; and
D. The Agencies Should Provide SEC Advisers Ample Notification of New Lists of Known or Suspected Terrorists or Terrorist Organizations
Under the CIP Proposal, SEC Advisers will need to have reasonable procedures for determining whether a client appears on any list of known or suspected terrorists or terrorist organizations issued by any Federal Government agency and designated as such by the Treasury Department in consultation with the SEC. However, the Treasury Department has not yet designated any such lists for the purposes of CIPs.
The IAA requests that formal notification of any new lists be provided directly (by paper or email) to SEC Advisers and that the lists be published prominently on the Treasury Department and SEC public websites.
E. The Agencies Should Not Require a Written Agreement for SEC Advisers When Relying on a Third Party to Implement Their CIPs
An SEC Adviser’s CIP may include procedures that specify when the SEC Adviser will rely on the performance by another financial institution (including an affiliate) of any procedures of the SEC Adviser’s CIP, and thereby satisfy the SEC Adviser’s obligations under the CIP Proposal. The IAA strongly supports allowing an SEC Adviser to outsource its CIP to a third-party service provider. This is especially important for smaller SEC Advisers. As discussed in the IAA AML Letter, smaller SEC Advisers, which have limited personnel and other resources, will likely need to outsource certain AML program requirements, including the CIP, to a third party.
We have expressed similar support for outsourcing certain services to third parties in many of the other open SEC proposals.[29] In our responses to those proposals, however, we have also repeatedly expressed strong concerns about the infeasibility of negotiating contracts with or obtaining written assurances from third-party service providers—and thus the likely ineffectiveness of such requirements.[30]
We have noted that many entities are unwilling to negotiate with their customers, including when those customers are SEC Advisers, and SEC Advisers (particularly smaller SEC Advisers)[31] lack leverage to engage in contractual negotiations with many service providers, especially when those terms expose service providers to potential liability. Given our members’ experience, we believe it is highly unlikely that service providers will voluntarily enter into legally binding contracts with SEC Advisers, as contemplated by the CIP Proposal, when they are not otherwise required to do so. SEC Advisers that are unable to enter into these contracts would be unable to take advantage of scale, potentially requiring them to build out systems and technology themselves, which can be very expensive and for which they may not have the expertise.
In our view – and as we have recommended in other contexts – an effective alternative to a required written agreement would be to allow SEC Advisers to tailor their oversight of service providers based on the nature and size of their businesses and in light of the risks posed by the facts and circumstances, i.e., through a risk-based and principles-based internal controls approach. The SEC recently took this preferred approach in the final rulemaking that amended SEC Advisers’ data privacy programs.[32] While the SEC had proposed that SEC Advisers would need to enter into written agreements with their service providers to require service providers to take appropriate measures that are designed to protect against unauthorized access to or use of client information, the final rule removed that requirement.[33]
We believe the Agencies can achieve their objectives without a prescriptive contract mandate. Therefore, we suggest the following marked revisions to proposed Rule 1032.220(a)(6):
The CIP may include procedures specifying when the investment adviser will rely on the performance by another financial institution (including an affiliate) of any procedures of the investment adviser’s CIP with respect to any customer of the investment adviser that is opening, or has opened, an account or has established an account or similar business relationship with the other financial institution to provide or engage in services, dealings, or other financial transactions, provided that:
(i) Such reliance is reasonable under the circumstances;
(ii) The other financial institution is subject to a rule implementing 31 U.S.C. 5318(h) and regulated by a Federal functional regulator; and
(iii) The investment adviser adopts and implements policies and procedures reasonably designed to ensure that the other financial institution certifies annually to the investment adviser that it has implemented its anti-money laundering/countering the financing of terrorism program, and that it will perform (or its agent will perform) specified requirements of the investment adviser’s CIP.
Importantly, in many cases, SEC Advisers are only one of a series of financial institutions interfacing with a client in connection with a new advisory engagement, many of which already are required to perform initial and ongoing identity verification of the client. Therefore, at a minimum, SEC Advisers should be allowed to rely on a broker-dealer or bank CIP without entering into a written agreement for clients whose assets are custodied at that broker-dealer or bank and who have already been subject to the bank or broker-dealer CIP requirements.
F. Provide a More Reasonable Implementation Period
The IAA believes that 6 months will be insufficient for SEC Advisers to develop a compliant CIP and to put in place the systems, personnel and required disclosures necessary to implement the CIP. Even if the SEC Adviser has voluntarily implemented a CIP, it is unlikely that that program will fully track the prescriptive requirements in the CIP Proposal, and the CIP Proposal will thus require most SEC Advisers to build systems that do not currently exist or make substantial modifications to existing systems.
Our concerns regarding the short implementation period have been greatly exacerbated by the sheer scale and speed of rulemaking activities affecting SEC Advisers over the past two years.[34] SEC Advisers will be expected to implement an enormous number of new requirements over a relatively short period of time. The implementation timeline must be considered as part of this bigger picture.
In light of the significant undertaking that will be required of SEC Advisers to comply with the CIP Proposal, and in the context of the exceedingly challenging regulatory landscape, we request that the effective date for the new requirements be at least 18 months from the date the rules are finalized for larger SEC Advisers and at least 24 months for smaller SEC Advisers with 100 or fewer employees, should the Agencies determine not to exclude them from the CIP requirements.[35]
G. Reopen the Comment Period for the CIP Proposal If and When the AML Proposal is Finalized
The Agencies should re-open the CIP Proposal if and when the AML Proposal is finalized. Adoption of the CIP Proposal depends on and would not occur unless SEC Advisers are first designated as “financial institutions” for purposes of the BSA. While the CIP Proposal is separate from the AML Proposal, the Agencies have been clear that a CIP must be a part of the SEC Adviser’s AML program and have stated that they “anticipate that any change to the scope of the [AML Proposal], as finalized, would also be reflected in [the CIP] rule, to ensure that the scope of both rules remain consistent.”[36]
The IAA believes that the proposals should be addressed through a two-step process. First, FinCEN should determine the scope of SEC Advisers and investment advisory services that should be covered under the BSA, which is the subject of the AML Proposal. Second, the Agencies can then determine how a CIP should be applied with respect to that set of SEC Advisers and investment advisory services that are the subject of the CIP Proposal.
Otherwise, it becomes difficult to provide a thoughtful economic analysis for either rulemaking. It also dilutes the quality of comments submitted in response to the CIP Proposal. Commenters seeking to analyze the CIP Proposal have no way of knowing the baseline against which the requirements of the CIP Proposal should be assessed. That baseline will be set by FinCEN on a standalone basis in connection with the AML Proposal. Depending on that outcome, time and money may be spent unnecessarily articulating, for example, why certain SEC Advisers and investment advisory services should be excluded, thereby diluting attention from more relevant and practical concerns about the CIP Proposal.
By finalizing the AML Proposal and then re-opening the CIP Proposal, the scope of the CIP Proposal will be known, and the public will be better equipped to analyze its costs and benefits. At a minimum, the IAA reiterates its request in the IAA AML Letter that because a CIP rule has now been proposed for SEC Advisers, FinCEN should reopen the comment period for the AML Proposal to allow commenters to reconsider their comments on the AML Proposal in light of the CIP Proposal, which are highly interrelated.[37]
* * *
We appreciate your consideration of our comments on this important issue. Please do not hesitate to contact the undersigned at (202) 293-4222 if we can be of further assistance.
Respectfully Submitted,
Gail C. Bernstein
General Counsel
William A. Nelson
Associate General Counsel
[1] The IAA is the leading organization dedicated to advancing the interests of fiduciary investment advisers. For more than 85 years, the IAA has been advocating for advisers before Congress and U.S. and global regulators, promoting best practices and providing education and resources to empower advisers to effectively serve their clients, the capital markets, and the U.S. economy. The IAA’s member firms manage more than $35 trillion in assets for a wide variety of individual and institutional clients, including pension plans, trusts, mutual funds, private funds, endowments, foundations, and corporations. For more information, please visit www.investmentadviser.org.
[2] The CIP Proposal uses the term “customers” for those natural and legal persons who enter into an advisory relationship with an SEC Adviser. This is consistent with the terminology in the Bank Secrecy Act (BSA) and FinCEN’s implementing regulations. Because the Investment Advisers Act of 1940 and its implementing regulations primarily use the term “clients,” we use that term herein.
[3] FinCEN and SEC: Customer Identification Programs for Registered Investment Advisers and Exempt Reporting Advisers, 89 Fed. Reg. 44571 (May 21, 2024), available at https://www.govinfo.gov/content/pkg/FR-2024-05-21/pdf/2024-10738.pdf
[4] The IAA submitted comments on the February 2024 FinCEN proposal that would designate SEC Advisers as “financial institutions” under the BSA and subject them to anti-money laundering (AML) program requirements and Suspicious Activity Report (SAR) filing obligations (AML Proposal). See IAA Letter to FinCEN re Anti-Money Laundering / Countering the Financing of Terrorism Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers (Apr. 15, 2024), available at https://www.investmentadviser.org/wp-content/uploads/2024/04/Investment-Adviser-Association-AML-for-Advisers-Letter.pdf?t=6618369214292 (IAA AML Letter). Because of their interrelatedness, many of our recommendations in response to the CIP Proposal are the same or similar to recommendations we made in the IAA AML Letter.
[5] We discuss other relevant IAA comments below.
[6] Similar to the AML Proposal, the CIP Proposal would only require a CIP where the SEC Adviser provides “investment advisory services.” CIP Proposal, 89 Fed. Reg. at 44573.
[7] We agree with the Agencies that retirement plans “are less susceptible to be used for the financing of terrorism and money laundering because, among other reasons, they are funded through payroll deductions in connection with employment plans that must comply with federal regulations.” See Customer Identification Programs for Broker-Dealers, 68 Fed. Reg. 25113, 25115 (May 9, 2003) (BD CIP Rule). See also Customer Identification Programs for Mutual Funds, 68 Fed. Reg. 25131, 25134 (May 9, 2003) (MF CIP Rule) (“We believe that these [retirement] accounts are less susceptible to use for the financing of terrorism and money laundering, because, among other reasons, they are funded through payroll deductions in connection with employment plans that must comply with federal regulations that impose various requirements regarding the funding and withdrawal of funds from such accounts, including low contribution limits and strict distribution requirements.”). For these reasons, the BD CIP and MF CIP Rules exclude from the definition of “account” an account opened for the purpose of participating in an employee benefit plan established under ERISA.
[8] ESCs are established in accordance with Section 2(a)(13) of the Investment Company Act of 1940, 15 U.S.C. § 80a-2(a)(13).
[9] For example, the CIP Proposal “would provide [SEC Advisers] with the flexibility to use a risk-based approach to determine when the identity of a [client] must be verified relative to the opening of an account.” CIP Proposal, 89 Fed. Reg. at 44576.
[10] Id. at 44574.
[11] See Nat’l Ass’n of Priv. Fund Managers v. SEC, 2024 U.S. App. LEXIS 13645, *33 (The SEC Adviser’s “duty extends to the client alone, which is the fund, not the investors in the fund.”); see also Goldstein v. SEC, 451 F.3d 873, 880 (D.C. Cir. 2006) (“If the person or entity controlling the fund is not an ‘investment adviser’ to each individual investor, then a fortiori each investor cannot be a ‘client’ of that person or entity”); see also 15 U.S.C. § 80b–3.
[12] See BD CIP Rule, supra note 7.
[13] Approximately 276 RIAs and 113 ERAs are defined as small entities. CIP Proposal, 89 Fed. Reg. at 44592.
[14] The CIP Proposal, in analyzing the impact on smaller SEC Advisers, applies a definition of “small entity” based essentially on having assets under management of less than $25 million—a definition that excludes substantially all the SEC Advisers covered by the proposal. According to our most recent report on the SEC Adviser industry, 92% of SEC-registered advisers reported having 100 or fewer non-clerical employees. See IAA-COMPLY Investment Adviser Industry Snapshot 2024 (June 2024), p. 24, available at https://www.investmentadviser.org/wp-content/uploads/2024/06/Snapshot2024_FINAL.pdf.
[15] CIP Proposal, 89 Fed. Reg. at 44592.
[16] The IAA has petitioned the SEC to initiate rulemaking proceedings to amend the definition of small entity for purposes of the Regulatory Flexibility Act of 1980 and use the number of employees of an adviser as the appropriate size standard for purposes of determining the impact of its regulations on small advisers. See IAA Letter to SEC re Petition for Rulemaking to Amend the Definition of “Small Entity” in Rule 0-7 under the Investment Advisers Act of 1940 for Purposes of the Regulatory Flexibility Act (Sept. 14, 2023), available at https://www.investmentadviser.org/wp-content/uploads/2023/09/IAA-Rulemaking-Petition-9.14.23.pdf?t=650356467cbe3.
[17] As reported in the SEC Adviser’s Form ADV Part 1A.
[18] AML Proposal, 89 Fed. Reg. at 12171. A recent report from the North American Securities Administrators Association (NASAA) found that 14,079 (83%) state advisers have fewer than 3 employees, 2,771 (16%) have 3-10 employees, 107 (0.6%) have 11-20 employees and 1 (0.3%) has more than 20 employees. NASAA, Investment Adviser Section Annual Report (2023), available at https://www.nasaa.org/wp-content/uploads/2023/09/2023-IA-Section-Report-FINAL.pdf. As noted below, the median number of employees reported by SEC Advisers is eight. See IAA-COMPLY Investment Adviser Industry Snapshot 2024, infra note 31.
[19] See IAA AML Letter, supra note 4.
[20] CIP Proposal, 89 Fed. Reg. at 44575 (emphasis added). The language in the release is also inconsistent with prior CIP guidance for banks. See FDIC, FinCEN, OCC, NCUA, Interagency Interpretive Guidance on Customer Identification Program Requirements under Section 326 of the USA PATRIOT Act, FAQs (Apr. 28, 2005), available at https://www.fincen.gov/resources/statutes-regulations/guidance/interagency-interpretive-guidance-customer-identification (Bank CIP Guidance) (stating that banks can demonstrate a “reasonable belief” in several ways. One way, but not the only way, is to have comparable (not identical) procedures in place to verify the identity of existing clients. Another way would be through having a longstanding relationship with the existing client); see also FinCEN, FAQs: Final CIP Rule (Jan. 2004), available at https://www.fincen.gov/sites/default/files/guidance/finalciprule.pdf (FinCEN Bank CIP FAQs).
[21] This also aligns with the prior banking guidance. See FinCEN Bank CIP FAQs, supra note 20. (“For purposes of the CIP rule, each time a loan is renewed or a certificate of deposit is rolled over, the bank establishes another formal banking relationship and a new account is established. However, the rule provides that the term ‘customer’ does not include a person that has an existing account with the bank, provided that the bank has a reasonable belief that it knows the true identity of the person … In each of these cases, the customer has an existing account. Therefore, as long as the bank has a reasonable belief that it knows the person’s true identity, the bank need not perform its CIP when a loan is renewed or certificate of deposit is rolled over.”). The definition of “customer” in the BD CIP Rule also excludes a person who has an existing account with the broker-dealer, provided that the broker-dealer has a reasonable belief that it knows the true identity of the person. See BD CIP Rule, supra note 7.
[22] CIP Proposal, 89 Fed. Reg. at 44575.
[23] See MF CIP Rule and BD CIP Rule, supra note 7.
[24] CIP Proposal, 89 Fed. Reg. at 44576.
[25] BD CIP Rule, supra note 7, at 25120.
[26] For example, the Agencies state that “[i]n light of the recent increase in identity theft, [SEC Advisers] would be encouraged to use non-documentary methods as well, even when an [SEC Adviser] has received identification documents from the customer.” CIP Proposal, 89 Fed. Reg. at 44577. We are concerned that this additional verification would become a de facto requirement.
[27] Currently, the Agencies estimate that SEC Advisers will spend only 30 minutes and approximately $100 per client to meet their recordkeeping obligations. We believe this grossly underestimates the true cost of the recordkeeping obligations, which would include initial and ongoing investments in staff and technology.
[28] See Bank CIP Guidance, supra note 20 (“Would it be acceptable to retain a description of the non-documentary customer verification method used … in a general policy or procedure instead of recording the fact that a particular method was used on each individual customer’s record? Yes, provided that the record cross-references the specific provision(s) of the risk-based procedures contained in the bank’s CIP used to verify the customer’s identity.”).
[29] See, e.g., IAA Letter to SEC re Outsourcing by Investment Advisers (Dec. 23, 2022), available at https://investmentadviser.org/resources/iaa-letter-to-sec-on-service-provider-outsourcing/ (First IAA Outsourcing Letter); IAA Letter to SEC re Outsourcing by Investment Advisers (Apr. 20, 2023), available at https://www.investmentadviser.org/resources/iaa-submits-supplemental-letter-on-outsourcing-proposal/ (IAA Supplemental Outsourcing Letter); IAA Letter to SEC re Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies (Apr. 11, 2022), available at https://www.investmentadviser.org/resources/comments-on-proposed-cybersecurity-rules-for-advisers/ (IAA Cybersecurity Letter).
[30] See, e.g., First IAA Outsourcing Letter; IAA Supplemental Outsourcing Letter; IAA Cybersecurity Letter; IAA Letter to SEC re Private Fund Advisers (Apr. 25, 2022), available at https://investmentadviser.org/resources/iaa-letter-to-sec-on-private-fund-advisers-proposal/; and IAA Letter to SEC re Safeguarding Advisory Client Assets (May 8, 2023), available at https://investmentadviser.org/resources/iaa-letter-to-sec-on-safeguarding-advisory-client-assets-proposal/.
[31] The median number of non-clerical employees of SEC-registered investment advisers was eight at the end of 2023, with 92.7% of SEC-registered advisers having fewer than 100 non-clerical employees. See IAA-COMPLY Investment Adviser Industry Snapshot 2024 (June 2024), available at https://www.investmentadviser.org/wp-content/uploads/2024/06/Snapshot2024_FINAL.pdf.
[32] Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, 89 Fed. Reg. 47688 (June 3, 2024), available at https://www.govinfo.gov/content/pkg/FR-2024-06-03/pdf/2024-11116.pdf (Reg S-P Rule).
[33] The SEC also removed a written agreement requirement from its final rule on accelerating the securities settlement cycle from T+2 to T+1. Shortening the Securities Transaction Settlement Cycle, 88 Fed. Reg. 13872, 13893 (Mar. 6, 2023), available at https://www.govinfo.gov/content/pkg/FR-2023-03-06/pdf/2023-03566.pdf (“[T]he written agreement requirement is designed to achieve the same goals as the alternative policies and procedures requirement, and broker-dealers may elect to comply with the alternative that they believe is better suited to their existing operations, specific business model, customer base, securities offered for settlement, and commercial relationships … the Commission acknowledges that the costs and challenges of negotiating a written agreement with the relevant parties may lead broker-dealers to choose to implement the rule via the policies and procedures requirement.”).
[34] See IAA Rulemaking Implementation Chart, https://www.investmentadviser.org/wp-content/uploads/2024/06/SEC-Rule-Chart-Compliance-Dates-Gantt-9.6.2024-with-logo.pdf; see also IAA Letter to SEC re Adviser Proposals (June 17, 2023), available at https://www.investmentadviser.org/wp-content/uploads/2023/06/IAA-Comment-Letter-to-Adviser-Proposals-6.17.23.pdf.
[35] We note that the SEC acknowledges the disproportionate burdens facing smaller SEC Advisers and has included staggered implementation periods for smaller SEC Advisers in its recent rulemaking proposals and final rules. See, e.g., SEC, Safeguarding Advisory Client Assets, 88 Fed. Reg. 14672 (Mar. 9, 2023), available at https://www.govinfo.gov/content/pkg/FR-2023-03-09/pdf/2023-03681.pdf (Proposed Safeguarding Rule); and Reg S-P Rule.
[36] CIP Proposal, 89 Fed. Reg. at 44574. The IAA has concerns related to consistency. For example, the CIP Proposal includes definitions that are not included in the AML Proposal and, if both rules are adopted as proposed, FinCEN and the SEC anticipate that the definitions would be aligned. Id. at 44574, n. 19. We are also concerned about consistency with other financial institution CIP rules. The CIP Proposal includes ERISA accounts in the definition of “account” to harmonize the CIP Proposal with the AML Proposal; however, as noted above, it is inconsistent with the BD and MF CIP rules, which exclude ERISA accounts.
[37] The recent proposal to update AML programs for current financial institutions makes providing an opportunity to submit additional comments on the AML Proposal even more critical. The IAA is concerned that commenters did not have a complete picture to effectively respond to the AML Proposal without also being able to consider the recent, proposed changes to the broader AML landscape. See Anti-Money Laundering and Countering the Financing of Terrorism Programs, 89 Fed. Reg. 55428 (July 3, 2024), available at https://www.govinfo.gov/content/pkg/FR-2024-07-03/pdf/2024-14414.pdf.