Compliance Considerations: 5 Things to Know About Books and Records

4 min read
October 18, 2018

When it comes to books and records requirements, there’s good and bad news. Let’s get the bad news out of the way—books and records requirements are some of the broadest compliance requirements RIA firms face.

In other words, basically every type of document that is generated, created, leveraged, and reviewed by RIA firms can fall into the category of “books and records” during a regulatory audit or examination.

The good news is that the requirements as outlined by regulatory agencies are more specific than many of the other compliance areas of interest. There aren’t quite as many grey areas with books and records requirements as there are when, for example, trying to map marketing and advertising regulations under SEC 206(4) to social media dos and donts.

To narrow the scope of the discussion, we will take a look at five things you should know about books and records.

#1. Accounting Records and Client-Facing Documents

Firms must maintain adequate accounting books and records. This is perhaps the most obvious requirement. This includes but is not necessarily limited to checkbooks, balance sheets, bank statements, invoices, written agreements, cash receipts, and internal audit working papers.

This also includes other records the regulatory agency deems necessary, such as invoices and records of payments for third-party vendors and independent contractors that the firm uses to conduct business.

It is not at all uncommon for firms to be asked to make records available directly from their accounting software during a regulatory exam, so firms are advised to be prepared for this request.

In addition to accounting records, all client-facing documents such as advisory contracts, investment policy statements, and risk tolerance questionnaires will need to be maintained for regulatory review.

#2. Recordkeeping is a Dynamic Process

There are many facets to operating an RIA that keep advisors and firm owners very busy. As a result, the temptation with compliance responsibilities is to “set it and forget it.”

Unfortunately, the process of maintaining books and records is a dynamic one in that the documentation to be maintained is subject to change with the evolution of the regulatory landscape, and the processes leveraged by firms may need to be adjusted from time to time.

At the core of this idea is the need for books and records to be true, accurate, and current. For example, if a firm decides to change its tech vendor for data backup, then the process by which that data is backed up and accessed is also likely to change. If nothing else, other changes in the regulatory landscape, such as an increased focus on cybersecurity, may prompt a firm to revisit and revise its books and records processes.

You don't want to be your own CCO, and we don't blame you. Check out how much  simpler Registering your RIA with XYPN can be

#3. All Books and Records Must be Maintained for Five Years

This is the standard period for which books and records must be maintained and easily accessible.

In addition, firms must be able to provide records promptly within 24-48 hours of a request initiated by regulators. A regular task in compliance task management software can help avoid a fire drill in the event books and records are requested on short notice.

#4. Electronic Storage is Acceptable (Including Emails)

One key item to remember with electronic storage is that firms must be careful to avoid a single point of failure with regards to electronic storage. By “single point of failure,” I am referring to a single event within the recordkeeping system that would render the books and records unable to be retrieved should that event occur.

Here, firms are wise to leverage both physical and electronic safeguards. During regulatory exams, advisors must be able to communicate with regulators as to how storage is being maintained and safeguarded in a way that avoids a single point of failure.

As it pertains to maintenance of client records, firms are permitted to implement an alpha or numeric code system to categorize and preserve client identity within their records.

However, if firms choose to do so, the system must be consistently applied and used on a regular basis, and the system must be designed so the firm can provide names of clients to the regulatory agency if requested.

#5. Organization is the Name of the Game

As with most compliance areas of risk, there is no substitute for simply being organized! Compliance officers must have policies and procedures addressing individual books and records that both identify the person(s) responsible and the location of books and records.

It is also imperative to ensure anyone involved in these processes thoroughly understands the requirements and can speak to their role in the process. As previously mentioned, a regular task to be executed by the compliance officer of the firm can be executed via the firm’s compliance task management software to assist with this process.

An important note: Firms are not permitted to pass off any portion of their books and records obligations to a third-party vendor or compliance service provider.

It is tempting for busy firm owners to hire an outside compliance consultant and/or tech vendor and fall back on the excuse that  “the tech guy keeps that for us” when a regulator asks for something. This is an unacceptable response. The Chief Compliance Officer of the firm must take full ownership of books and records requirements.

At the core of being an effective compliance officer is possessing both the willingness and capability to take ownership of the firm’s compliance program. It is impossible to show ongoing supervision and oversight if the compliance officer is unable to locate the documentation that was required to be reviewed and maintained.

If the documentation can be located but appears to have been neglected and void of review for an extended period of time, this could lead to a “failure to supervise” audit deficiency. For this reason, books and records requirements are absolutely vital to the risk management process for compliance officers, and the process for ensuring compliance should be administered consistently and meticulously.

New call-to-action


About the Author

Scott is a licensed Securities Principal with experience in both RIA and broker-dealer compliance. He began his financial services career in 2006 as a Registered Representative with E*Trade Financial in Alpharetta, GA. He has also worked with J.P. Morgan Private Banking in Chicago, IL and with Wells Fargo Advisors in Chapel Hill, NC.

Scott’s most recent role before joining Team XYPN was as Compliance Officer of Carolinas Investment Consulting, in Charlotte NC. He’s a graduate of The University of North Carolina at Chapel Hill and holds FINRA Series 63, 65, 24, 4 and 53 Licenses.

Scott lives in Charlotte NC with his wife Meredith, and their two Sons Tyson and Jackson. In his free time, Scott enjoys watching sports, exercising, and operating the charitable organization he created upon his father’s passing.

You can connect with him on LinkedIn.

Subscribe by email