With FinCEN's final rule bringing Registered Investment Advisers (RIAs) and Exempt Reporting Advisers (ERAs) under the scope of the Bank Secrecy Act (BSA), effective January 1, 2026, a new compliance paradigm is emerging for the investment advisory sector. Unlike previous regulatory obligations focused on fiduciary conduct and disclosure, this rule demands a fully operational AML/CFT infrastructure capable of mitigating financial crime risks.
This article unpacks the five pillars of an effective AML program as prescribed by FinCEN and outlines how RIAs can meet each requirement through a full-stack compliance infrastructure. We also demonstrate how Flagright’s platform serves as a purpose-built solution to enable real-time compliance, risk mitigation, and operational efficiency across the full lifecycle of client interactions.
1. Internal Controls
Regulatory Expectation: Establish and maintain internal policies, procedures, and controls designed to detect and prevent money laundering and terrorist financing.
Why it matters for RIAs: RIAs manage portfolios across a broad spectrum of asset classes and investor types, including high-net-worth individuals (HNWIs), family offices, and foreign intermediaries. These relationships often involve:
- Complex ownership structures
- Cross-border investment vehicles
- Multiple legal entities and fund layers
Traditional static policy documents and fragmented compliance tools can’t handle this level of operational complexity.
How Flagright helps:
- Centralized orchestration layer: Manage AML policies and processes across client types and jurisdictions.
- No-code rule engine: Adapt AML rules dynamically for bespoke client structures, from discretionary mandates to pooled investment vehicles.
- Automated controls: Align internal procedures with real-time screening, transaction risk analysis, and monitoring workflows.
2. Designation of a Compliance Officer
Regulatory Expectation: Designate an individual responsible for coordinating and monitoring AML compliance.
Why it matters for RIAs: The effectiveness of your AML program hinges on your compliance officer’s ability to act proactively, not just review issues after the fact. With growing regulatory expectations around governance and board-level accountability, transparency and control are critical.
How Flagright helps:
- Role-based dashboards: Enable compliance officers to monitor case status, risk scores, and escalation metrics in real time.
- Integrated audit trails: Ensure all decisions, rule changes, and case outcomes are logged for internal and external audits.
- Alert management workflows: Allow compliance teams to configure, assign, and close alerts based on materiality and risk profile.
3. Ongoing Employee Training
Regulatory Expectation: Provide AML training to relevant employees on a continuing basis.
Why it matters for RIAs: Compliance isn’t siloed. Portfolio managers, investor relations personnel, and onboarding teams must all understand their roles in AML detection and escalation. But most RIAs lack tailored AML training programs—especially for hybrid roles.
How Flagright helps:
- Role-specific risk scenarios: Generate simulations based on the firm’s actual risk environment (e.g., unusual redemption requests or sudden offshore transfers).
4. Independent Testing
Regulatory Expectation: Conduct periodic independent testing of the AML program’s effectiveness.
Why it matters for RIAs: Testing must be rigorous, repeatable, and defensible. With the SEC as the primary examination authority, RIAs will be expected to show not only that they have a program, but that it works under scrutiny.
How Flagright helps:
- System-generated audit logs: Provide granular records of every AML action, alert review, and rule modification.
- Real-time and historical analytics: Evaluate performance indicators like SAR submission rates, alert conversion ratios, and rule effectiveness.
- Testing-ready exports: Facilitate third-party or internal audit reviews with one-click data access and audit packages.
5. Customer Due Diligence & SAR Filing
Regulatory Expectation: Implement risk-based customer due diligence (CDD) procedures and file Suspicious Activity Reports (SARs) when warranted.
Why it matters for RIAs: Investment advisers are not transactional institutions in the traditional sense, but their exposure to financial crime risk is substantial. This includes:
- Use of advisory accounts for layering or concealment
- Third-party subscriptions and redemptions
- Transfers between related managed accounts
How Flagright helps:
- Risk-based onboarding: Tailor KYC requirements by client type, geography, and risk profile.
- Real-time risk scoring and monitoring: Detect anomalies based on behavioral patterns, fund flows, and deviation from expected investor behavior.
- SAR-ready case management: Build comprehensive investigative files with audit logs, documentation, and embedded SAR templates for quick filing.
Infrastructure, Not Checklists, Will Define AML Success for RIAs
The 2026 deadline may appear distant, but the complexity of implementing a full-stack AML program in a non-banking environment is not to be underestimated. For RIAs, now is the time to move beyond policies and into purpose-built compliance infrastructure.
Flagright offers a modular, API-first platform that empowers investment advisers to deploy AML systems with the speed, configurability, and depth required by FinCEN's expectations. Whether you're a boutique advisory firm or a multi-entity asset manager, Flagright ensures your compliance is not only audit-ready but future-proof.
Learn how Flagright can help you launch a comprehensive AML program before the deadline. Schedule a demo today.