What Investment Advisers Need to Know | New AML/CFT Compliance Requirements
- Published
- May 7, 2025
Ensure your investment advisory firm is ready for the January 1, 2026 BSA/AML/CFT requirements. Discover how to adapt your operations and compliance program now.
Join Lowenstein Sandler and EisnerAmper for this webinar with AML/CFT advisors to understand the full scope of the Final Rule and its implications for investment advisers.
Transcript
Louis Bruno: Thank you, Astrid, and thank you to everybody for joining us today. So my name is Louis Bruno. I'm a partner with EisnerAmper's Regulatory Compliance Practice. We work with a lot of different investment advisors and define compliance policies and procedures. Obviously AML is a hot topic for many and top of mind for many advisors, and so with that we've assembled a great team here today to present and we have a lot to cover. So with that, I'll pass it over to my colleagues to introduce themselves and we can get started.
Robert Johnston, Jr.: Hi, my name is Rob Johnston and I'm a partner at Lowenstein Sandler in New York. My practice focuses on regulatory compliance, internal investigations and regulatory exams and enforcement. And previously I was in-house in a variety of legal and compliance roles at a large publicly traded registered investment advisor.
Scott H. Moss: I guess I'll go next. Hi everyone, my name is Scott Moss. I'm a partner and co-chair of the investment management practice at Lowenstein Sandler and I chair the regulatory and compliance subgroup within investment management focusing on investment advisors, commodity pool operators, and commodity trading advisors.
Isatou Smith: Thank you everyone. I'm Isatou Smith. I'm based here in the Cayman Islands as part of the EisnerAmper network co-founder of the governance section, we handle regulatory AML corporate independent director services. I started my career out at the regulator here in Cayman, the monetary authority and have been sort of in the private sector doing a variety of roles including director services for the past 22 years.
Louis Bruno: Thanks everyone. Scott and Rob, we'll hand it over to you to give us an overview of the rules and regulations here.
Robert Johnston, Jr.: Great. Before we talk about what's new and what's coming, it might be helpful to briefly refresh on what is currently applicable to everyone on the line. So with respect to money laundering, all US companies and persons are subject to the Money Laundering Control Act of 1986, which broadly criminalizes engaging or attempting to engage in financial transactions with the intent to promote specified unlawful activity or to otherwise conceal the fact that the transaction proceeds are the proceeds of crime. There is no minimum dollar threshold, there's no de minimis amount that must be satisfied in order for there to be a Money Laundering Control Act violation. The statute does require knowledge; however, knowledge can be shown through willful blindness or conscious disregard of the high likelihood that criminal activity is occurring. So ignoring red flags, turning a blind eye, could actually rise to knowledge sufficient to establish culpability in a jury trial.
Similarly, all US persons and US companies are subject to the sanctions programs administered by the Treasury's Office of Foreign Assets Control, or OFAC. There are a variety of different sanctions programs. There are broad jurisdictional prohibitions. For example, there is a total prohibition on doing business with any company or person located in North Korea. There are a variety of list-based regimes where specific individuals or companies are listed on a sanctions list. It's also referred to as the Specially Designated Nationals and Blocked Persons list, or SDN list. And then importantly there's a concept of the 50% rule. So if one or more sanctioned persons, an SDN, owns 50% or more of another entity, then that entity is also subject to sanctions. OFAC prohibitions have very broad extraterritorial application and there have been cases where non-US parties, so for example a French company operating a cement factory in Lebanon and Syria was prosecuted for OFAC violations and payments made to ISIS because those payments were made in US dollars and therefore would've cleared through a correspondent bank in the United States and the US authorities determined that was a sufficient nexus to predicate criminal liability.
So very broad extraterritorial reach, while civil violations of an OFAC sanction are actually strict liability and again there's no de minimis defense. So the mere fact that a prohibited transaction occurred could subject a company to civil violations. Criminal violations require a showing of knowledge, but again, willful blindness or conscious disregard, ignoring red flags, would be sufficient to establish knowledge. In discussions with OFAC, even on the strict liability civil side, OFAC will take into account whether or not the company had a reasonably designed and implemented sanctions compliance program even though the violation occurred. And for everyone on the line, with respect to sanctions, at minimum, hopefully everyone is currently screening all counterparties, investors, borrowers and vendors against the SDN lists, which are updated daily or certainly weekly. So hopefully it's an ongoing screening process you have in place to capture what is the current list at any given point in time.
Then pivoting to the new rules. So in August of last year, FinCEN, which is part of the Department of Treasury, promulgated a final rule which will for the first time subject registered investment advisors and exempt reporting advisors to the Bank Secrecy Act, which is the anti-money laundering law that covers I guess more traditional financial institutions such as banks and broker dealers. As part of this rule, a number of things will need to be put into place. So advisors will need to establish the five pillars of a BSA program, which we'll talk about in a moment. Advisors will also need to make currency transaction reports. So where advisors are actually dealing in physical currency or cash equivalents such as travelers checks or money orders, there'll be the need to make currency transaction reports. Everyone will need to monitor and report suspicious activity and file SARs, which we'll go into detail in a moment.
There are some very particular and specific record keeping rules with respect to keeping records related to wire transfers under the travel rule. Also for records related to KYC or customer identification, it's actually a very lengthy record keeping requirement which extends to five years after the client relationship ends. So for example, me, I've been banking personally with Citibank since the early 2000s. That means that Citibank should have records related to my KYC on those accounts now for decades because I've been a customer for 20 years. So even if I stopped being a customer today, they would still have to keep all those records and additional fighters. There are special measures that the government promulgates under section 311. Recently, a number of cyber criminal networks in Cambodia and Myanmar were designated as primary money laundering concerns, which means under Patriot Act section 311 all financial transactions with those entities must cease.
And then pursuant to section 314 of the Patriot Act, there may be law enforcement reach out under 314(a) which will require RIAs and ERAs to promptly provide records and documents related to the target of the 314(a) request. And then also where the institution itself is investigating suspicious activity, under 314(b) there will actually be a safe harbor for the RIA to discuss with a broker dealer, for example, also subject to the BSA, on a limited basis to share information related to a specific transaction that is being reviewed. Very importantly for this group, for other financial institutions, FinCEN is the examiner for compliance with the BSA. FinCEN historically has been leanly staffed and under-resourced. Here, however, FinCEN has outsourced its examination powers to the SEC. So I think it is highly likely, given that the SEC does have its own division of examinations, that RIAs will be examined on AML. To be seen if it will be part of a standard routine exam or if the SEC will do targeted examinations starting in 2026 when this rule goes effective. And then Scott, to put you a bit on the spot, I think interestingly for ERAs is ERAs will now be subject, at least with respect to AML, to routine examination by the SEC, Scott, although even though it's a case, they're not subject to the general examination of the SEC. Is that right?
Scott H. Moss: That's true. I mean the SEC does have examination authority over federal exempt reporting advisors and I'll distinguish between federal exempt reporting advisors and those that may be exempt advisors at the state level. We're talking about federal law here. So for federal exempt reporting advisors, they're subject to SEC jurisdiction. The SEC could examine them if they wanted to, but they don't have a routine examination program. So it doesn't happen the same way as registered investment advisors. It typically only happens for cause. Similarly, the exempt reporting advisors are not subject to all the same rules and regulations that a registered investment advisor is subject to, like appointing a chief compliance officer, like having a more fulsome compliance manual. So this is a bit of a weird case for exempt reporting advisors where they were included in more stringent regulation in this way where they were exempt from some of the more stringent regulation under the Advisers Act.
Robert Johnston, Jr.: Note, and we'll come back to this in a moment, the effective date for this law is January. This rule is January 1st, 2026. And so that means everyone on the line I would suggest needs to have a fully operational BSA compliance program no later than January 1st, 2026 because as of that date there will be the affirmative obligation to monitor for suspicious activity and make reports, for example. The second related rule is the proposed customer identification program rule, also known as KYC or know your customer. So there is a proposed rule that was issued in May. It was a joint rule by FinCEN and the SEC which lays out how advisors are supposed to conduct KYC on their customers. Myself and others, we would've all thought by now this rule from nearly a year ago would already be final, as we'll discuss in a bit. In my opinion, the customer identification program is the most important of the five pillars of a BSA program and so I think there are some very real questions as to how we as an industry can start standing up BSA programs when we don't have a final rule on arguably the most important part of the program.
So anyway, the proposed rule will require everyone to have a written risk-based set of reasonable procedures to verify the identity of any person seeking to open an account with the RIA. As I mentioned before, records will have to be kept for at least five years following account closure. Now there's a little bit of a wrinkle here in the proposed rule in that the customer was defined as the entity or person having a contractual relationship with the investment advisor. So many of us would've said, great, we only have to conduct KYC on our own advisory clients or own funds, no problem. However, FinCEN has since promulgated some FAQs saying, no, no, no, we really meant the underlying investors, and if you actually read the 300 odd pages of implementing release around both rules, the problem that FinCEN is trying to solve for, their perceived problem, is that high risk individuals and entities are entering the US financial system as limited partners and managed funds.
So the draft rule as currently constructed arguably doesn't solve the problem that the government was trying to solve for and perhaps that is part of the delay. Also, we had a change in administration with new senior people being seated at both Treasury and the SEC. Now that those people are all confirmed and in place, perhaps this rule will go final, but in any event the RIA is assuming the rule gets adopted as drafted and assuming that the definition has changed at minimum with respect to investors and advised clients, RIAs' clients, RIAs and ERAs will need to collect things like photo IDs to establish the full legal name, date of birth, date of formation, validate the address, obtain some sort of identification number, whether it's an EIN, social security number or passport, and in higher risk situations, whether it's a higher risk investor or some other initiative higher risk, perhaps collect some additional information as part of the KYC process.
Scott H. Moss: So we're going to pivot a bit to the second most answered asked question we get. So the first most asked question we get is what do the new rules say, which is what Rob just went through. The second probably most asked question we get is when are these actually going to be effective? So as Rob just talked about, there's an AML rule that is scheduled to be effective January 1st, 2026 and there was a CIP rule proposal that was supposed to be effective with the AML rule when FinCEN made it effective. They said, we are going to do this or the CIP rule effective on 1/1/26, same as AML rule, stay tuned. But since that August, 2024, that hasn't happened. So obviously we had an administration change, we have a new chair, the SEC, we have a new tone at the top and a lot of lobbyist groups or industry groups got into the mix and they wrote to the SEC and they wrote to FINRA and they said at a minimum the compliance date of January 1st, 2026 should be pushed out if nothing else because it should coincide with an effective date for the CIP rule with the AML rule.
And they're right. It really, in my opinion they're right. It really doesn't make sense to have one effective without the other because they relate and compliance policies and procedures relate and it really doesn't make sense to have policies and procedures for the AML rule and then do all again for the CIP rule if there was a separate effective date and they wouldn't really mesh very well if they did it separately. The other thing the industry groups had called for was additional comment. So they said the CIP rule was not final yet, you should open up comment period. And because it really relates to the AML rule, even though that's final, you should also give an additional comment period for the AML rule and allow everybody to comment on both and revisit facilitating risk-based approaches. Revisit reducing duplicative burdens. So for example, if you're a managed account advisor and all your advisory clients open brokerage or bank accounts, those brokers and banks are already subject to the BSA.
So why make the registered investment advisor if they do not actually transact in currency or take travelers checks? It's the qualified custodian that's actually taking the money and holding the money and custodying the money and they're already subject to the B, excuse me, the BSA. Why should the advisor have to duplicate any efforts of that qualified custodian? Let's revisit that in the additional comment. So right now what Rob just went through is what is technically standing that the AML rule has a compliance date of January 1st, 2026 and there is no final CIP rule. At a minimum, most of the market expects the compliance date to be pushed back but nobody knows exactly if and when that's going to happen. But that is kind of the market expectation. If it also has an additional comment that would not be surprising but we at least expect or most people expect a pushback of the compliance date, but we have to stay tuned.
We may not even know that date is going to be pushed back till December, till much closer to the time of the January 1st, even though those industry groups have asked the SEC and FinCEN to tell us sooner rather than later. So people can plan. It may very well be that we need to draft policies and procedures and compliance programs for the AML rule just in case it actually does come into effect 1/1/26 and then be pleasantly surprised if it gets pushed back closer to the date. And then those industry groups had also asked for an 18 to 24 month transition once both the CIP rule and maybe modified AML rule are finalized. But right now the thing we have to go by is a 1/1/26 compliance date for the AML rule and we're staying tuned for that to be pushed back, although it's probably likely it gets pushed back but we don't know when and to how long and for a final CIP rule.
Robert Johnston, Jr.: So we have a polling question and I'll answer a couple questions I saw on the chat. So there's a question about intermediaries. So for example, let's say that there's a private bank channel that is providing investors to you. Yes, under certain circumstances you could rely on that third party, provided the third party is itself a financial institution that is subject to the Bank Secrecy Act or to substantially similar regulation, two, that there is a contractual relationship between you and that third party financial institution that expressly gives you the right to rely on the work that they're performing, and three, that you have the right upon demand to access underlying KYC records where necessary. Good. So at least most people are aware of the rules and I guess Bruno and Isatou, we'll kick it over to you for how we're going to prepare for all this.
Louis Bruno: Yeah, thanks Rob. Thanks Scott as well. So the points I think that came up certainly is that when the rules were finalized last summer, there were some initial reactions from advisors where we have an AML policy, I think it's up to snuff, comfortable with it and we have some time to make updates as the year progressed and as we're getting closer to what is the compliance date, and absent of any extensions, advisors are reevaluating the requirements and really what it means to have a risk-based compliance program. The good news is that there's a lot of standards out there as we talked about. Rob, you mentioned the idea of the five pillars. This is very recognizable by banks and broker dealers. These are frameworks that have been in place and defined for years. So leveraging this existing framework and a lot of existing predefined types of controls is possible.
And so these are the so-called five pillars of the AML program which we have up here. And they at a high level, they're designating a qualified senior management individual for overseeing the program. And that term qualified is important to understand. I overheard the concept of that someone who not only understands the BSA AML requirements but then has the ability to be the point person for the program. The other idea, and we'll go into detail on some of these, but maintaining comprehensive written policies and procedures and the key point about this is that they really need to define the firm risks. Again, we'll go into more detail about that, but the idea is not only defining the risk but then describing how the specific AML program is designed to mitigate those risks. Another pillar is the training and certainly at least on an annual basis, but periodically to ensure that all employees are aware of the risks to the firm and understand their responsibilities.
And you have a pillar that addresses testing and this is specifically called out, it's independent testing. So it's conducted by either an internal audit team or a third party and well-defined program to attest the effectiveness of the AML policy and certainly identify any weaknesses. Then lastly, Rob touched on, was the customer due diligence program. And so at a high level this effectively identifies and verifies the identity of investors and beneficial owners. It also includes the concept of monitoring and identifying changes to relationships and identifying any specific suspicious activities. So again, this is a high level, this topic could certainly fill a whole webinar presentation, but let's talk a little bit about how investment advisors can apply this to their business.
Robert Johnston, Jr.: And real quickly, I would note in response to a question, the only pillar that cannot be outsourced is a designated AML compliance officer. That must be a human being employer of the RIA or the ERA. Everything else can be outsourced. So there's a question in the chat about using a third party administrator to conduct KYC. Yes, absolutely that's permitted. However, the other pillar, testing, you must go in and frequently test them, for example. So as long as you have that human being AML officer, you can outsource the rest. Sorry, go ahead.
Louis Bruno: No thanks Rob. And that's important we'll go and do a little bit just tell, talk a lot about the outsourcing of this program, but first the concept of owning the policies and defining risk-based approach. What is it? Really best way to describe it I think is it's not a one size fits all. The approach is really intended to give investment advisors the flexibility to design controls that specifically mitigate the firm's risk. So we've outlined here different best practices when defining the risks and to review some of these. So the first concept would be considering the business activities and these could be activities being specific channels where the advisor may or may not know the underlying investor or where they may not necessarily interact with the underlying investor. So I think it was brought up earlier, there could be fundraising activities via third parties or sub advisory relationships.
Those are all things that would need to be and considered in terms of building that business risk profile. The other idea is thinking about the types of advisory clients and then the investment vehicles that are set up. So as an example, exchange listed or registered closed-end funds could be considered lower risk because the structure and certainly that they're traded primarily through entities, broker dealers, banks that are subject to SAML. However, looking at private funds, again, same concept where funds with lower subscription amounts or limited restrictions on redemptions could potentially be considered lower risk or should be considered differently than firms that have longer lockup periods or funds that have longer lockup periods. There's a lot of discussion in the regulation and certainly in the industry about separately managed accounts. It's been noted that there's limited transparency potentially and potential creative liquidity options as comparing that to pooled investment vehicles, which again, the SMAs may present an opportunity for attracting bad actors. So defining the risks there is important. And then lastly and important to note, it's been highlighted a couple of times that real estate funds, given their complexity of the legal entities and the ownership structure can make it more difficult to identify origins of funds and therefore should be also considered in the risk matrix. Lastly here, looking at the underlying investor risks, consider some of the key things are these individuals or institutionals that already may have a defined AML controls in place that you're comfortable with.
Obviously high risk jurisdictions for money laundering, so investors that come from those jurisdictions we need to be considered as part of the firm's risk, high risk business activities from these investors. They're involved in casinos or precious metal dealers, those are of note. And then lastly, at least for this example, consider politically exposed persons, either people who are PEPs or affiliated with PEPs. Those would all bring into the idea of the firm's risk profile.
Scott H. Moss: And Louis, if you don't mind, I just wanted to add this, defining the risks is really critically important to making good policies and procedures. So in my opinion, this is one of our most important slides in this presentation. And while most registered investment advisors are covered by at least the current AML rule, there really can be very different kinds of registered investment advisors. So it covers private fund advisors, closed-end, open-end, managed account advisors, robo-advisors, advisors that only accept a wire into a qualified custodian or advisors accept cryptocurrency or investments in kind. So really thinking about the kind of advisor you are and inventorying the risk becomes very, very important to getting good policies and procedures. And while our slides are probably more geared towards thinking about investors and clients and when they send money or transfer money or withdraw money, also think about the kind of strategies you employ. So if you trade on US exchanges, once you actually get client money or your qualified custodian gets client money, that's a lot different risk than if you're say a lender to individuals or to institutions in other jurisdictions. So the kind of advisor you are is not just the kind of clients you have but also the kind of business you conduct and how you actually use the money and invest the money for your client.
Louis Bruno: No, thanks Scott. That's helpful too because the ultimate goal out of defining the risk is to create the right policies and procedures as you said. And so at a very minimum you would expect well-written policies and procedures to specifically define that risk, define the regulatory requirements that are subject to then defining the risks, consequences of violations to the policy, potentially giving, describing the oversight and the role of management in supporting the policies. We talked about the concept of clearly defining or designating AML officer or someone who's responsible for the program and then defining the controls. I think that's at least from where we sit many times we see a lot of standard policies and the perception of controls that should be in place. But we recommend many times creating an inventory of controls and monitoring requirements. So you have this well-written policy, you've defined your risks, but how do you support it? And this can be as simple as a list of policy topics and the actual control processes that you do to support this. It's it is a way to kind of organize what do you have to do and how you do it. We've seen this managed everything from a spreadsheet to obviously incorporate into a risk management. And so there's a lot of considerations here about not only documenting everything that you have to do but then putting in the controls around how to do it.
You talked about training and clearly that has to be defined to the specific risk and many times there's off the shelf training that doesn't really address the firm's policies. And then we also talked about the independent testing of the program. And this again, if you have an existing independent internal audit team, this can be something that is done internally by the audit team or outsourced to a third party. And back to the concept of testing the effectiveness, that leads back to the idea of the controls being well-defined and what it truly means or what the controls the intention of the control is designed to do. So there are many obviously best practices with engaging, whether it be internal or external auditors, but I think one to highlight is back to that control inventory and indicating that the control inventory can certainly help define the scope as well of the risk assessment.
So you can see there's a lot, right? There's a lot to developing what is traditionally being called the right sized compliance program that would mitigate the firm's specific risk. Clearly there's a lot of dedication that's required from senior management, both right human resources and technology resources that are required to support a traditional program. I'm going to now move on to, let's talk a little bit about the red flags or what you would see or define as part of the investment advisors program. So we've outlined a few here and I think it's important to understand that nothing is definite, these aren't definite proofs of wrongdoing, but maybe some alerts that could be considered or alerts that would warrant further investigation, potentially reporting. They're obviously unique, as you said, Scott, to each advisor and certainly the business model that you can see. Some of the, I'll say traditional examples on the left hand side associated with investing onboarding would be any obviously negative news about the investor or their affiliated parties.
Situations where you see an investor having difficulty describing the nature of the business. And again, that can be something that is an alert but certainly need investigation situations where an investor appears to be avoiding standard KYC documentation or providing that standard KYC documentation or they're reluctant to provide or to find their affiliations. Those are some examples. Again, this is during an investor onboarding. There's obviously many situations and they're not necessarily, again broad level of defined, but there are unique to the business activities. On the right hand side, we're looking at some examples of what would be potential specific activities from existing investors. So throughout the investment process and certainly throughout the life of a fund and the investors involved in fund, you can see activities that may be inconsistent with an investor strategy.
Situations where you have requests for full liquidation or redemption requests that are not necessarily in line with agreements or even that may seem suspicious is going through the lack of concern is also a red flag where investors, they make rational decisions or not in line with their investment thesis again. And then any other types of unusual transactions could be related to third parties could be changing bank account information at the last during redemptions. And so again, this is kind of an overview, but there are many things that should be specifically defined to each business. Rob, I'm going to ask if you wouldn't mind to talk a little bit about the suspicious reporting and how to file.
Robert Johnston, Jr.: So we've put to the side for the moment currency transaction reporting. CTRs are necessary where there's $10,000 in cash, travelers checks or other cash equivalents within a 24 hour period. That's really a concept that makes more sense if you are a retail bank with a branch on 42nd Street where someone's coming in off the street. I suspect that very few if any RIAs or ERAs would actually be handling physical currency in that way. So we put CTRs to the side. However, suspicious activity reporting, there probably will be instances in which people need to file a SAR. So importantly, there's a tight deadline. So within 30 days of the RIA or ERA becoming aware of suspicious activity, a SAR would need to be filed. It could involve insider abuse in any amount, potential criminal violations involving 5,000 or more where a specific individual could be identified, or instances where there's potential criminal activity of 25,000 or more, regardless of whether you can identify a specific individual.
Importantly, again, these thresholds probably make sense for commercial banking. These thresholds for people on the phone, I think almost everything we do is going to involve a wire transfer or other attempted transaction in excess of $25,000. So you're probably always going to be over the minimum reporting thresholds. The next important point is the transaction itself does not have to actually be consummated. So any suspicious transaction or potentially criminal transaction either conducted or attempted by or through the financial institution or one of its affiliates would need to be reported if it involves potential money laundering or potential illegal activity, would be designed to evade the BSA. So for example, people who know about the currency transaction reporting rules might try to structure a $20,000 cash deposit by going to four different branches and depositing $5,000 in each one of the four branches, or where the transaction has no apparent lawful purpose, is not a transaction that the customer normally would be expected to engage in.
This ties back to know your customer and CIP, you need to have a KYC program so that you can build an expected risk profile and expected transaction profile of the customer in order to know whether or not their proposed subscription or redemption request is suspicious or whether or not it is in fact consistent with the behavior of how the customer would be expected to act or where there's no reasonable explanation for the transaction after a review of the available facts. Now importantly, a SAR is a suspicious activity report. It is not the output of a six-month investigation where you've hired law firms and accounting firms and you've reviewed a million emails and interviewed witnesses. You might need to do that as the facts emerge while you're doing the SAR reporting. However, the threshold for filing a SAR is relatively low. There is potentially illegal or some other transaction has no reasonable explanation, $25,000 or more attempted or actually conducted through you or one of your affiliates.
Most institutions subject to SAR reporting today, when in doubt they file a SAR because a SAR filed in good faith is subject to a safe harbor. The person about whom you filed the SAR, one, will never know about it, most likely because SARs are to be kept strictly confidential, and two, actually is precluded from bringing an action against you for filing a SAR in good faith. On the other hand, if the government in hindsight finds out that you were aware of the activity and did not file a SAR, you could in fact be charged with BSA violations for failing to have filed a SAR where the government thinks you should have done so. When in doubt almost every financial institution today will err on the side of filing the SAR. Even within your organization, it is a very, very need-to-know basis.
There are criminal penalties for tipping off. So if there was a potential SAR to be filed about one of your limited partners and the relationship manager and investor relations told the limited partner about the internal review or the SAR filing, that would actually be a criminal act. So most financial institutions even within the compliance or legal department, the existence or non-existence of a SAR is a very limited need-to-know small group of people. And so people should think about ways to, but you also have to keep records about it. So you should think about ways to permission the record keeping to the very small subset of group of people that need to know about the SAR's existence. I think that takes us to the next polling question. Maybe we should read out the first CLE code for those who need it.
Astrid Garcia: And I'm going to jump in here. Sorry, I know that this question for the poll has a lot of multiple choices. Just make sure that you select an answer and scroll down. If you can't see the submit button, you want to make sure you submit your answer to make sure that it's registered back to you.
Louis Bruno: Thank you Astrid. So there are a lot of permutations here, but essentially the question's asking you do you have the policy and so who audits the program if you have it and if you don't have it, you don't conduct pending testing. And then interestingly, I was just going to say interesting, go ahead.
Robert Johnston, Jr.: I was going to say briefly on the testing point, it is independent testing and so that word should be bold and underlined in your mind. More likely than not, everyone's compliance department is going to own AML and the RIAs certainly are subject to the annual review and CCO reporting process. And so compliance may test AML as part of the Rule 206(4)-7 process. Unfortunately that does not satisfy independent testing. So FinCEN was very clear in their written guidance in response to questions. Independent testing means an entity or a division separate and apart from the entity or division performing or responsible for AML. So again, if you have internal audit or if not unfortunately, you'll need to hire an external party. Sorry,
Louis Bruno: That's helpful. No, that's helpful. So before we go to the results here and see what we're thinking, I think lastly if you were in that group of individuals saying, I think I have a policy in place, I'm pretty comfortable with it and you are unsure now I think we have the last piece that we can say. I'm not sure that's an important one to highlight. You're not sure if it's existing. Alright, so let's go to the next, let's see if we have our results here. Okay, so it's pretty relatively evenly spread that many people do have or a good portion has all autism position in place and does the testing, curious if anything had been changed after that answer after Rob explained the idea of the independent testing. That is key and it looks like some people have identified that here where they don't have it. Independent testing is not your 206(4)-7 program. Alright. From there I will hand it over to Isatou, who is going to talk to us a little bit about the outsourcing abilities and specifically how firms potentially leverage outsourced activities that are designed to support Cayman Islands requirements. So I'll pass it over to you.
Isatou Smith: Sure, thank you. So I think it's been touched on sort of generally before in terms of utilizing third-party support and as is mentioned, I think Rob mentioned it quite nicely in that you can rely and you can delegate any component of your AML program with the exception of the actual officer, which has to be an in-house employee. I think the key here is that despite any sort of delegation or any reliance that you're placing on any other party, the registered investment advisor is ultimately responsible and ultimately is the one that will be held liable for any sort of deficiencies, which again comes back to the importance of having that testing being conducted on any party that's performing any part of your AML compliance program. So on this slide here, we've sort of set out a few scenarios where you could rely on a potential outsource solution.
So whether that be for investor due diligence, the customer identification, sanction screening, or maintaining the required records. Again, the key here is that despite the fact that you are delegating, you remain ultimately responsible. So there was a question that says whether or not having a policy that says you're relying on the steps of the administrator, that's sufficient. Is it sufficient insofar as documenting what you're doing? But it's not sufficient to just let it stand there, you have to go that further step. It actually starts from the beginning when you're conducting your vendor oversight. So you have to do the relevant checks in the beginning to see why you're able to rely on this particular fund administrator and then document that. And then you also document how on a regular basis you're going to test the program of that particular fund administrator or consultant or whoever you're using.
And then also, again was touched on a bit earlier as well, this also comes down to a risk-based approach, right? So you may have a fund admin that's based in the US that's not regulated. You might have a fund admin that's based in Cayman that's regulated and that for the most part, all of the requirements that are now being proposed are already being conducted. So the way you conduct your testing is also based on the level of risk and the type of AML that you're relying on for that particular vendor. So once you have that documented, then you would be expected to carry that through with your testing.
So moving on then to how you can leverage your existing Cayman compliance program. So there are maybe about 10 points here that we put together in terms of how the proposed legislation for the US and the current legislation for Cayman stack up. And I think the good thing is that it's sort of a resounding yes that you do have the ability to leverage the Cayman AML framework in almost all circumstances. But as we've noted, the key is to then decide whether or not there are any significant differences that you need to consider. Luckily in most scenarios the differences are that the Cayman regime in most cases is a bit more stringent. So therefore if you are relying on the Cayman AML service provider, for the most part you will be covered. I think there's also a caveat here that we wanted to make clear in that your fund admin or your AML solution or service provider based in Cayman is typically only going to be providing those services for your Cayman fund.
Now when you're talking about the framework of your advisor, that is not just limited to your Cayman fund, obviously you might also have non-Cayman funds and then you also have the framework of the advisor itself, which comes into the employees and their training and all the other facets that an advisor does that is not solely related to just the funds that you have based in Cayman. So while there is some ability to leverage that existing framework, that still has to tie into an overall AML policy and an overall sort of business risk assessment that determines how everything fits into the bigger AML picture for that advisor. So the first three that you're looking at here, the scope of activities again for the US is proposed including advisors except those with exemptions, and in Cayman, everyone that's conducting relevant financial services business, whether it's a fund, whether it's an advisor, whether it's a manager, everyone has to comply with that AML regime.
And in some cases there are also entities that are called designated non-financial services businesses and these also still have to comply. So there's no sort of exemption for certain categories when you're conducting a financial services business. So in that way you know that once your fund or even a manager that is registered here is conducting business out of Cayman, then they would have to be under that AML regime. From an AML compliance officer perspective, I think the only thing to note here is that Cayman also has that requirement, but one step further is that we also have a money laundering reporting officer and a deputy money laundering reporting officer. And whereas for the US perspective it's just one individual, for Cayman, you can have an overlap, but you must have a minimum of two. And then policies and procedures, this in and of itself could be one whole webinar, but the key here again is risk-based approach.
From a Cayman perspective, when we look at a fund or any sort of entity, we probably break it down into at least six or seven main categories. And those categories range from who are the clients or the investors, what's the geography, what's the distribution channel for that particular entity, what is the transaction risk and who are the clients and is there any sanctions or any hits like that? And from a risk-based perspective, most of your Cayman service providers are going to be weighting these. So for example, the client risk might be a 20% weighting, whereas your distribution channel or your transaction risk might be a 5% rating out of that 100. Again, this all starts from the beginning whereby you're setting up your program for the risk that's acceptable to you and then also for risk in terms of how you see the most risk for your clients that you take on.
Next slide just talks a bit about customer diligence, customer identification program, investment diligence and governance and oversight. The only thing to mention here, I think, and it was touched on before, is that in terms of the customer identification program, the final rule does not require investment advisors to implement CIP, which is the opposite here in Cayman. You must know, you must identify not only who the client is, but you must identify who the controllers are and the beneficial owners and that is anyone over a 10% or more threshold. So that is the only significant difference here on this slide that I think we could highlight.
Next slide talks about training, record keeping and independent audit. Again, for the most part, the proposed rule and the current rules here in Cayman are similar. We require training for staff employees and also any AML officer needs to have advanced training, which is slightly different than the current wording for the proposed rule in the US. Record keeping is similar: any key documents and transaction records need to be kept for a minimum of five years and that five years sort of kicks in, I think as Rob mentioned in the beginning, five years from the date of the last transaction or if there was an instance where there was a suspicious activity report filed and there has been any communication, say with a regulatory body, it has to be at least five years from the date of any sort of communication. So even if you terminated the relationship three years before and something comes in from that regulator after the fact, you're still required to keep those documents five years from the date of that last communication.
And again, I don't think I need to add much more here on the independent audit point, but suffice to say that in both scenarios from the US perspective and from the Cayman perspective, you need to have a regular internal audit. And the key here is that it should be independent. This most likely is going to boil down to size. Again, banks typically will have a whole independent audit sort of section for their bank, but maybe a small RIA or a small other type of financial institution may not have the resources to have a completely in-house independent audit function. Again, if that is outsourced, you just have to make sure from a vendor oversight perspective and an outsourcing perspective that you have the right policies and procedures in place to do the identification of who that provider is and that you can rely on them because again, it's ultimately your liability that's on the line.
And the thing with the Cayman, from a Cayman perspective, again, it all boils down to the risk, right? So however you've assessed the risk of your business and how frequently you conduct that internal audit should be commensurate with your overall business-wide risk assessment. So if you've identified your AML risk for your company as being high, then you should not be conducting an independent audit once every five years. It should be much more frequent than that. And on the flip side, if you've conducted it, it's a low risk then it's not necessarily that you would be conducting an AML independent audit every six months. So again, there is some sort of subjectivity and a bit of flexibility once you've identified the overall risk assessment that from an AML perspective that you have for your entity. So I think that sums it up quite nicely in terms of the ability to leverage a Cayman compliance program.
Again, the ability is there, you can do it, but you just need to make sure that whatever you're relying on completes your full AML program or if there is not a complete reliance that's available to you, then any gaps that are left behind, you have to ensure that that's covered and that that's appropriately documented somewhere. So our next slide will be just based on what we've talked about, polling question. So how does your firm plan to manage the entire AML program? And I think we're going to have that up for a while so that people are able to respond while we talk about that. I know we're coming down to time, but we did have a scenario and I think Rob, if you want to touch on it with me as well. So we have a hypothetical situation and I'll just read it out now.
So we have an individual, she has a subscription document in for a fund. She wants to make an investment, she has a Russian passport, her bank is Cyprus, her family wealth is her source of funds and she, her occupation is a teacher. So when you look at that scenario, you start to think, well, what is required to validate her identity in those scenarios? And we'll talk about that. We can say passport, but again, it all comes back to the reporting requirements in various jurisdictions and the risk assessment. These things in and of itself does not mean that an individual is high risk. You can have a bank anywhere in the world, and I know a lot of people when they see Russia, they think, well, okay, immediately high risk. Again, it all comes down to your policies or procedures and whether or not there are any sort of sanctions in place that would prohibit you from either dealing with that individual or dealing with a certain country in and of itself. So just a hypothetical situation there for people to think about when considering your overall AML program.
Louis Bruno: Thank you. And given that we're at time here, there are a lot of questions in the Q&A section here. We'd love to address them directly with you. If you'd like to reach out, we can certainly circulate contact information to address them directly.
Transcribed by Rev.com AI