How the New FinCEN AML Rule Affects Financial Firms
A new FinCEN rule takes effect January 1, 2026, and it changes who counts as a "financial institution" under the Bank Secrecy Act. Published as 89 FR 72156 on September 4, 2024, the rule brings certain registered investment advisers (RIAs) and exempt reporting advisers (ERAs) within the Bank Secrecy Act's reach for the first time, together with a new minimum anti-money laundering and countering-the-financing-of-terrorism (AML/CFT) program requirement and a duty to report suspicious activity to FinCEN. For a financial firm that sponsors or operates an investment adviser, this is not a scheduling change to an existing duty — it is a new compliance program that has to exist, staffed and operating, by the effective date.
This guide explains, in plain English, what the rule requires, which advisers it reaches, what a firm should have in place before the date, and how the ongoing monitoring and recordkeeping work can be operationalized at volume. It leads with the obligation and the date, not with any product, so a compliance or operations team can act on a clear, sourced picture without re-reading the full Federal Register entry itself.
Key Takeaways
A FinCEN final rule, 89 FR 72156, brings certain registered investment advisers (RIAs) and exempt reporting advisers (ERAs) within the Bank Secrecy Act's "financial institution" definition, effective January 1, 2026.
Covered advisers must establish a minimum anti-money laundering/countering the financing of terrorism (AML/CFT) program and report suspicious activity to FinCEN, under 31 CFR Part 1010 and 31 CFR Part 1032.
The rule was published September 4, 2024, and carries RIN 1506-AB58; FinCEN is a bureau of the Treasury Department.
This post is informational only and is not legal or tax advice; consult a qualified attorney or compliance professional before acting on any specific situation.
What this rule actually does
FinCEN, a bureau of the Treasury Department, issues rules under the Bank Secrecy Act (BSA) that define which institutions must maintain anti-money laundering programs and report suspicious activity. This rule, 89 FR 72156, adds certain registered investment advisers and exempt reporting advisers to the list of institutions the BSA reaches. Before this rule, those advisers were not swept into the BSA's "financial institution" definition, and FinCEN had not prescribed a minimum AML/CFT program standard for them. The rule closes that gap: it brings the covered advisers within the financial institution definition, sets minimum program standards for them, and requires them to file suspicious activity reports with FinCEN. FinCEN's own framing is that these advisers "may be at risk for misuse by money launderers, terrorist financers, or other actors who seek access to the U.S. financial system for illicit purposes" — the stated rationale for closing the gap, not a comment on any particular firm.
The rule is effective January 1, 2026, as stated in 89 FR 72156. That is the date the new obligations apply — not a comment deadline and not the start of a phase-in. A firm's investment adviser subsidiary or affiliate either has a compliant AML/CFT program and reporting process in place by that date, or it does not.
What changes for investment advisers
| Requirement | Before this rule | Starting January 1, 2026 |
|---|---|---|
| BSA "financial institution" status | Certain RIAs and ERAs fall outside the Bank Secrecy Act's "financial institution" definition | Certain RIAs and ERAs are included in the BSA "financial institution" definition |
| AML/CFT program | No FinCEN-prescribed minimum AML/CFT program standard applies to these advisers | A minimum AML/CFT program is required, under 31 CFR Part 1010 and 31 CFR Part 1032 |
| Suspicious activity reporting | No BSA suspicious activity reporting duty applies to these advisers | Covered advisers must report suspicious activity to FinCEN |
Every row above traces to the rule abstract published at 89 FR 72156; nothing in the table extends beyond what that abstract states.
Who is affected
The rule's reach follows its own title: it covers registered investment advisers (RIAs) and exempt reporting advisers (ERAs). A financial firm's first task is to confirm whether its investment adviser is registered with the SEC as an RIA or operates as an ERA, because the rule's obligations attach to advisers in either category. Per the abstract published at 89 FR 72156, FinCEN's stated purpose is to reach advisers who may be at risk for misuse by money launderers, terrorist financers, or other actors who seek access to the U.S. financial system for illicit purposes and who threaten U.S. national security.
| Stakeholder | Why they are affected |
|---|---|
| Registered investment advisers (RIAs) | Newly brought within the BSA "financial institution" definition; must run the AML/CFT program and reporting duties starting January 1, 2026 |
| Exempt reporting advisers (ERAs) | Named in the rule alongside RIAs and subject to the same new program and reporting duties |
| Compliance and operations teams | Own building and running the AML/CFT program, recordkeeping, and suspicious activity reporting workflow before the effective date |
| Investors and the U.S. financial system | The stated beneficiaries — the rule aims to guard against misuse by money launderers, terrorist financers, and other illicit actors |
A firm that sponsors, owns, or partners with an investment adviser should treat this as an operational build, not a policy footnote. The rule requires the program and the reporting duty; it does not describe how a specific firm should staff or design either one, which is a decision for the firm and its own counsel.
What Financial Firms should do before the date
The most important reading of this rule is that the obligation is new, not incremental. A firm whose investment adviser has never filed a suspicious activity report or run a BSA-standard AML/CFT program cannot lightly retrofit one in the weeks before January 1, 2026. The rule requires covered advisers to have the program and the reporting capability in place by the effective date; it does not describe a separate grace period beyond that date.
A sensible, sourced preparation path looks like this. First, confirm whether the firm's adviser is an RIA or an ERA and confirm that classification with counsel, since the rule's coverage runs through that status. Second, stand up — or validate an existing — AML/CFT program that meets the minimum standards under 31 CFR Part 1010 and 31 CFR Part 1032, rather than assuming a bank or broker-dealer affiliate's existing program automatically covers the adviser. Third, build the suspicious activity reporting workflow itself — who reviews an alert, who signs off, and how the filing reaches FinCEN — well before the effective date, so the first real filing is not also the first test of the process. Fourth, keep the rule's own text, 89 FR 72156, on hand as the controlling document, since the primary source governs, not any secondary summary.
Throughout, the operative framing is that the rule requires covered advisers to meet these program and reporting standards by January 1, 2026. This is a description of the rule as published in the Federal Register, not a personalized compliance plan for any one firm, and it is not a substitute for advice from the firm's own counsel.
Operationalizing AML/CFT monitoring at volume
The hardest part of this rule for most firms is not the first read — it is running the AML/CFT program and the suspicious activity reporting workflow continuously, across every account and every transaction, without letting a real alert sit unreviewed. That is a monitoring and workflow problem, and it is where US Tech Automations fits. Configured against a firm's own account and transaction data, a workflow can watch for the patterns a compliance team has defined, flag anything that matches, and route the flagged item to a named compliance reviewer instead of leaving it in a queue no one owns.
The second half of the work is the paperwork that follows a real flag. A configured pipeline can pull the relevant account and transaction fields into a draft suspicious activity report, timestamp the review chain, and escalate anything that looks material to a compliance officer for sign-off, so the flag, the draft, and the human decision all live in one auditable place. You can see how that kind of monitoring and reporting workflow is structured on the US Tech Automations agentic workflows page. The point is not to replace a compliance officer's judgment about what is suspicious; it is to make sure nothing that matters reaches January 1, 2026 unreviewed.
How this fits the broader regulatory window
This rule does not stand alone. It is one of 259 federal rules sealed in our point-in-time index of rules published July 1, 2024 – July 5, 2026 by 10 agencies governing our covered industries. A single AML/CFT program requirement is straightforward to read in isolation; the harder problem is that financial firms carry many BSA and FinCEN obligations at once, each with its own effective date and its own CFR part, and a rule that is new today is one more thing a compliance calendar has to track indefinitely.
The practical takeaway for leadership is that January 1, 2026 is a floor, not a one-time event — the program and the reporting duty keep running after the date, and FinCEN guidance tied to this rule can still follow. Firms that build the monitoring, the recordkeeping, and the reporting duty into a durable workflow are the ones that reach the effective date with a program that keeps working afterward, not one built to survive a single deadline.
Frequently asked questions
What does the FinCEN rule require of investment advisers?
The rule requires certain registered investment advisers (RIAs) and exempt reporting advisers (ERAs) to become BSA "financial institutions," to run a minimum AML/CFT program, and to report suspicious activity to FinCEN. These requirements are set out in 89 FR 72156 and apply under 31 CFR Part 1010 and 31 CFR Part 1032.
When does the FinCEN AML rule take effect?
The rule is effective January 1, 2026, as stated in 89 FR 72156. The rule itself was published September 4, 2024, which gave covered advisers a runway to build the required program before the effective date.
Which investment advisers are covered — RIAs, ERAs, or both?
Both. The rule's own title names registered investment advisers and exempt reporting advisers as the covered population, per 89 FR 72156. A firm's first step is confirming which category its adviser falls into, since that status is what brings the rule's requirements into play.
Which parts of the Code of Federal Regulations does this rule affect?
The rule affects 31 CFR Part 1010 and 31 CFR Part 1032, which is where the new financial-institution status, the AML/CFT program standard, and the suspicious activity reporting duty for these advisers now sit.
Does this rule replace other Bank Secrecy Act obligations a financial firm already has?
No. The rule adds a new financial institution category and a new set of program and reporting duties for RIAs and ERAs specifically; it does not describe itself as replacing any other institution's existing Bank Secrecy Act obligations. A firm with other regulated entities, such as a bank or broker-dealer affiliate, should treat this as an additional adviser-specific obligation layered on top of what those entities already do under the BSA.
Is this a final rule, or could the requirements still change before the effective date?
It is a final rule, published as 89 FR 72156 on September 4, 2024, not a proposal. Final rules can still be corrected or clarified by follow-on guidance, so a firm should keep the primary source on hand and watch for anything FinCEN issues that references this same rulemaking or its RIN 1506-AB58 before the effective date.
Related guidance
For related financial-services compliance coverage, see our notes on FinCEN's beneficial ownership information reporting revision, the SEC's Regulation S-P privacy requirements for financial institutions, and the SEC fund names and Form N-PORT reporting rule.
To see how US Tech Automations structures this kind of monitoring and reporting workflow — and what compliance-automation plans cost — visit ustechautomations.com/pricing.
Disclaimer
This article is provided for informational purposes only and does not constitute legal or tax advice. Reading it does not create an attorney-client relationship. Regulatory requirements are fact-specific, and you should consult a qualified attorney or compliance professional before acting on any matter discussed here. Every date, citation, RIN, CFR reference, and figure in these posts is copied verbatim from the Federal Register and eCFR as of the snapshot date. Nothing is estimated, modeled, or extrapolated. This is not legal or tax advice.
Last reviewed: July 5, 2026.
Source: U.S. Federal Register (89 FR 72156); current text via eCFR, 31 CFR Part 1010 and 31 CFR Part 1032.
Related Articles
See how AI agents fit your team
US Tech Automations builds and runs the AI agents that handle this work end to end, so your team doesn't have to.
View pricing & plans