New Rules
Main Contributor: Joe Reilly, Compliance Associate
Background
Over the last couple of years, the SEC and Treasury Department have announced a variety of new rules that affect advisers. Some of these new rules apply to all SEC-registered investment advisers, and some apply only in specific circumstances. However, advisers will have to be familiar with any new rule that might apply to them, in order to monitor whether they have triggered its requirements. For rules that might apply to your firm, pay special attention to the compliance date listed below. In addition to these new rules, we have also included a discussion of certain rules that have already become effective.
Reminders of Previous Rule Changes
Schedule 13D and Schedule 13G
Back in 2023, the SEC announced that it would adopt rule changes to Schedule 13D and Schedule 13G. As a refresher, Schedule 13D and 13G are filings that are required upon acquiring beneficial ownership of over 5% of a voting class of equity shares.
Effective December 18, 2024, a structured, machine-readable language like XML will need to be used to file Schedule 13D and Schedule 13G.
Schedule 13D Changes
Effective February 5, 2024, the SEC made a couple of changes to Schedule 13D:
The deadline to file Schedule 13D was shortened from 10 calendar days down to 5 business days after triggering the threshold.
All Schedule 13D amendments are now to be filed within 2 business days of any material changes.
Schedule 13G Changes
Effective September 30, 2024, the SEC made a variety of changes to Schedule 13G:
The initial filing deadline for Schedule 13G filers who are qualified institutional investors and exempt investors owning 5% of the covered class was changed from 45 days following the calendar year to 45 days following the calendar quarter.
The filing deadline for Schedule 13G amendments was changed from 45 days after year-end to 45 days after quarter-end and stipulated that only “material” changes trigger an amendment instead of “any” changes.
The initial Schedule 13G filing deadline for passive investors who acquire beneficial ownership of more than 5% was changed from 10 calendar days down to 5 business days.
The initial Schedule 13G filing deadline for qualified institutional investors who acquire beneficial ownership of more than 10% changed from 10 calendar days after the month-end to 5 business days after month-end.
Form PF
The SEC announced three amendments to Form PF.
1. First, there were two new sections added effective December 11, 2023: Section 5 and Section 6.
Section 5: Large Hedge Fund Advisers with at least $1.5 Billion in hedge fund assets under management must file Section 5 within 72 hours of the occurrence of any of the following triggering events:
certain extraordinary investment losses (defined as 20% or more)
significant margin and default events
terminations or material restrictions of prime broker relationships
critical operations events
events associated with withdrawals and redemptions
Section 6: Private Equity Fund Advisers with at least $150 Million in private equity assets under management must file Section 6 on a quarterly basis within 60 days of the end of each fiscal quarter, detailing any of the following triggering events:
the completion of an adviser-led secondary transaction (in which the adviser offered investors the choice to sell or exchange their interests in a private fund)*
investor election to remove a fund’s general partner, to terminate a fund’s investment period or to terminate the fund during the preceding quarter.
*Note: to file this form within Section 6, the continuation fund offered from the secondary transaction must first be added to the ADV Part 1 as it flows into the Form PF, so allow yourself the extra time needed to also meet the Form PF deadline.
2. Second, there were changes made for Large Private Equity Fund Advisers effective June 11, 2024: Section 4.
Section 4: Private Equity Fund Advisers with at least $2 Billion in private equity assets under management must disclose in their annual Form PF update in Section 4:
information about the implementation of general partner and certain significant limited partner clawbacks
details about a fund’s investment strategies
additional information about fund-level borrowings, including the average amount borrowed over the reporting period
more granular information about the nature of reported events of default
additional identifying information about institutions providing bridge financing
information about a fund’s greatest country exposures
3. Third, there were changes made to Form PF to require additional information about advisers and private funds, as well as changes to reporting of hedge funds and master-feeder arrangements. All Form PFs filed after March 12, 2025 will be required to use the amended version of Form PF.
Regulation S-P Amendments
Regulation S-P currently requires advisers to safeguard and dispose of certain types of information, as well as to maintain a privacy policy. The SEC has amended Regulation S-P to adopt a new definition of “customer information,” which:
replaces the scope of information that advisers must safeguard, and
adds to the scope of information of which advisers must dispose.
The Regulation S-P amendments also require certain institutions to notify customers of certain types of breaches, and to respond appropriately. This rule applies to various types of entities, which are collectively referred to as “covered institutions.”
Definitions
“Covered Institutions” includes registered investment advisers, investment companies, and broker-dealers.
“Customer information,” as noted above, generally means any record containing nonpublic personal information.
“Consumer information” generally means any record about an individual that is a consumer report or is derived from a consumer report.
“Disposal” includes not only discarding or abandoning customer information or consumer information, but also selling, donating, or transferring anything that stores consumer information or customer information.
“Sensitive customer information” is defined as any component of customer information that, by itself or with other information, would be reasonably likely to risk substantial harm or inconvenience to an individual identified with the information.
Effective Dates
The effective date for Regulation S-P amendments differs for different types of entities.
December 3, 2025 effective date for:
SEC-registered investment advisers with $1.5 Billion or more in AUM
Investment companies such as mutual funds
Broker-Dealers
June 3, 2026 effective date for:
SEC-registered investment advisers with less than $1.5 Billion in AUM
Incident Response
Data breaches and incidents are unfortunately becoming more frequent. The new Regulation S-P amendments lay out requirements for responding to incidents involving unauthorized access to or unauthorized use of customer information. Under these amendments, advisers will be required to develop, implement and maintain a written incident response program. This is in addition to the requirement already in place to have policies and procedures that address administrative, technical, and physical safeguards to protect customer information. The policies and procedures must be reasonably designed to:
secure and safeguard customer information, and
protect against threats, unauthorized access, or unauthorized use that could result in substantial harm or inconvenience to clients.
Overall, the firm’s incident response program must:
Assess the incident’s nature and scope.
Take appropriate steps to contain and control the incident.
Notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.
Customer Notification
Recipients
If sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization at either the covered institution or at a service provider, then the covered institution must notify individuals affected by the unauthorized access or use – unless it determines that sensitive customer information has not been (and is not reasonably likely to be) used in a manner that would result in substantial harm or inconvenience. If the covered institution does not make that decision, then it must send the notice described below to each affected individual whose information was (or is reasonably likely to have been) accessed or used without authorization.
If the covered institution is unable to identify whose information has been accessed or used, then it must notify all individuals whose information was (or was reasonably likely to have been) accessed or used without authorization. However, if the covered institution determines that someone’s information was not accessed or used without authorization, then the covered institution does not need to notify that individual.
Timing
The covered institution must send out the customer notice as soon as practicable, but not later than 30 days, after becoming aware of unauthorized access to or unauthorized use of the sensitive customer information.
Notice Details
In the event of a breach, the notice must:
Generally describe the incident and the type of sensitive customer information that was or is reasonably likely to have been used.
Include, if possible, the date, estimated date, or date range of the incident.
Include contact information sufficient to permit an affected individual to contact the covered institution, including the institution’s email, phone number, postal address, and the name of a specific office of the institution to contact for further information and assistance.
Recommend that any individuals who have accounts with the covered institution review their account statements and immediately report any suspicious activity to the covered institution.
Explain what a fraud alert is and how to place a fraud alert in the customer's credit report to put their creditors on notice that they may be a victim of fraud like identity theft.
Recommend that affected individuals
Periodically obtain credit reports from each nationwide credit reporting company and
Delete information relating to fraudulent transactions.
Explain how to obtain a free credit report.
Include information about the availability of online guidance from the FTC and usa.gov with
Steps to take to protect against identity theft,
A statement encouraging reporting of any incidents of identity theft to the FTC, and
The FTC’s website, in order to show how to obtain government information about identity theft and report suspected identity theft.
Service Providers
Advisers and other firms in the financial industry frequently rely on service providers to safeguard client information. In light of this, the Regulation S-P amendments extend to service providers of covered institutions. The covered institution’s policies and procedures must be reasonably designed to require oversight, including through due diligence and monitoring of service providers, in part to ensure that the notification process as described above occurs. In addition, the covered institution’s policies and procedures must be reasonably designed to ensure that service providers take appropriate measures to:
Protect against unauthorized access to or use of customer information.
Provide notice to the covered institution within 72 hours (or as soon as possible) of becoming aware of a breach of the service provider’s customer information system. Once the covered institution receives this notice, it must initiate its incident response program as described under Incident Response above.
Disposal of Customer Information
Covered institutions will have to dispose of customer information by taking reasonable measures to protect against unauthorized access or use in connection with their disposal. Further, they must have written policies and procedures to address the disposal of customer information.
AML Program and SAR Filings
The Treasury Department adopted a rule that will require SEC-registered investment advisers and exempt reporting advisers to adopt and implement a written anti-money laundering (“AML”) program and file suspicious activity reports (“SARs”) by January 1, 2026. Most SEC-registered investment advisers must develop and implement an AML Program, with a few exceptions*.
*Note: RIAs that meet any of the following requirements do not have to comply with this new AML rule.
Mid-sized advisers (those with AUM between $25 million and $100 million that have their principal office and place of business in New York or Wyoming)
Multi-state advisers
Pension consultants
Advisers that don’t report any assets under management.
Also note that for foreign advisers, the new AML rule only applies to advisory activities that meet any of the following criteria:
take place in the U.S.
involve advisory services to a U.S. person
involve advisory services to a foreign-located private fund with an investor who is a U.S. person.
AML Program Requirements
Currently, broker-dealers and financial institutions are subject to AML requirements. With this new rule, the Department of the Treasury will require SEC-registered investment advisers and exempt reporting advisers to comply with AML requirements as well, by adopting a risk-based AML program that is tailored to their business and meets the five requirements below. Firms must also adopt policies, procedures, and controls to comply with this new rule and to prevent their organizations from being used for money laundering, terrorist financing, or other illicit activities. Each adviser must:
Have their AML program tested by an independent party (either the adviser’s personnel or a third party)
“Independent” means someone who (i) did not implement the AML Program and (ii) does not directly report to the AML officer.
Designate one or more persons as an “officer” to be responsible for implementing and monitoring the policies, procedures, and controls of their AML program.
This officer cannot be a third party or an outside consultant; the officer must be an employee of the adviser or of the adviser’s affiliate.
Train their employees, as well as agents or service providers that are delegated with administering any portion of the AML program, in the requirements of the new rule that are relevant to their functions. The training should be designed to help identify potential signs of money laundering, terrorist financing, and other illicit financial activities that could arise in the course of their duties.
Implement risk-based procedures for conducting ongoing customer due diligence. Based on the nature and purpose of the adviser’s customer relationships, the adviser must conduct ongoing monitoring to identify and report suspicious transactions, as well as to maintain and update customer information.
The AML program must be approved in writing by a board of directors, trustees, or others who have similar types of functions.
Note: There is no requirement yet for advisers to identify and verify their customers’ identities, or the identities of the beneficial owners of their legal entity customers.
Suspicious Activity Report Requirements
SEC-registered investment advisers and exempt reporting advisers must also file SARs for transactions that occurred by, at, or through, the adviser, if:
(1) the transaction involves or aggregates fund assets or other assets of at least $5,000, and
(2) the adviser knows, suspects, or has reason to suspect that the transaction(s) meets any of the following criteria:
Involves funds derived from illegal activity, or is intended or conducted to hide or disguise funds or assets derived from illegal activity
Is designed to evade any requirements under the Bank Secrecy Act
Does not have a business-related or apparent lawful purpose, and is unexplainable
Involves the use of the adviser to facilitate criminal activity
Note: the adviser must submit the SAR filing within 30 days after initially detecting (1) and (2) above.
Conclusion
In conclusion, the evolving landscape of regulatory requirements presents both challenges and opportunities for investment advisers. As we navigate the new rules set forth by the SEC and the Treasury Department, it is crucial for advisers to remain vigilant and informed about the specific changes that impact their operations. Staying ahead of these changes requires a proactive approach to compliance, including the adoption of best practices for monitoring submission timelines, enhancing internal policies, and fostering a culture of continuous learning and adaptation. Ultimately, by prioritizing compliance and transparency, investment advisers can not only fulfill regulatory requirements but also build stronger trust with their clients.