RIA Compliance Requirements: A Practical Checklist For Independent Advisors
Last Updated: April 24, 2026
Running an independent registered investment adviser is freedom with responsibility. Compliance is not paperwork you do once. It is a business system you run every day to protect clients and your firm. The good news is that the core requirements are clear, and with a simple structure, you can stay exam-ready without overbuilding.
Here is a practical, on-brand guide to the RIA compliance program regulators expect to see, what is changing, and how to operationalize it in a small firm.
Start With Who Regulates You
Your baseline duties are the same, but your primary regulator matters for filings, exams, and timing.
| Registration | Who Regulates | Key Thresholds |
|---|---|---|
| SEC-registered investment adviser | U.S. Securities and Exchange Commission | Registered at 100 million in regulatory assets under management (RAUM). Must switch to SEC at 110 million. Can remain with SEC until below 90 million |
| State-registered investment adviser | One or more state securities regulators | Generally below 100 million. States may require bonding, net worth, or specific BCP elements, and often examine new firms early |
The industry keeps growing. SEC-registered advisers now number more than 15,000 and oversee about 128 trillion in assets, according to the 2025 Investment Adviser Industry Snapshot. Expect ongoing exam attention.
The Core Compliance Program Every RIA Needs
Designate a Chief Compliance Officer and do an annual review
Rule 206(4)-7 requires advisers to adopt and implement written policies and procedures, review them at least annually, and designate a chief compliance officer.
Your CCO can be the owner or an employee, but they must understand your business model. The CCO role cannot be outsourced to a third party, though third-party compliance providers can assist with tasks. Document an annual review that covers your risks, tests your controls, summarizes findings, and assigns remediation with dates. Learn more about the top characteristics of an effective compliance officer.
Write policies and procedures that match how you actually work
Templates help, but regulators look for alignment with your real processes. At a minimum, address:
- Portfolio management and trading, including best execution and trade errors
- Fee billing and expense reimbursements
- Conflicts, disclosures, and client communications
- Privacy, data security, and vendor oversight under Regulation S-P
- Business continuity and succession planning
- Custody risks, including fee deduction and standing letters of authorization
- Advertising and solicitation under the Marketing Rule
Adopt a Code of Ethics and monitor personal trading
Rule 204A-1 requires a Code of Ethics. Identify access persons, require holdings and transaction reports, define restricted lists and preclearance where appropriate, and keep records of certifications and reviews.
Maintain books and records
Rule 204-2 sets what you must keep and for how long. Capture advisory agreements, client communications, advertising and performance materials, personal trading reports, best execution reviews, and written acknowledgments for delivery of Form ADV and Form CRS. Keep records for five years, the first two in an appropriate office of the adviser. Archive email, texts, and social media you use with clients. Read our guide to compliant document storage for RIAs.
Filings and Ongoing Disclosures
- Form ADV Part 1 and Part 2A: File your annual amendment within 90 days of the fiscal year end. Promptly amend as required (certain Part 1A items must be updated when any information becomes inaccurate; others when materially inaccurate; Part 2A for material changes). Deliver a current Part 2A or deliver a summary of material changes with an offer of the updated brochure to clients within 120 days of the fiscal year end
- Form ADV Part 2B: Provide to clients for supervised persons with advisory responsibility and update when material information changes
- Form CRS: Deliver to retail investors, post on your public website if you have one, and update within 30 days for material changes with re-delivery timelines per instructions
- Pay to Play Rule 206(4)-5: Track political contributions and placement agent relationships to avoid the two-year compensation timeout
Hot Topics Regulators Are Reviewing Now
Marketing Rule compliance
The Marketing Rule allows testimonials, endorsements, and third-party ratings, subject to conditions. It also tightened performance advertising. SEC exam staff reported frequent deficiencies tied to the rule, including a lack of substantiation and missing disclosures for promoters, as well as issues with third-party ratings, in the SEC Risk Alert.
- Keep a written inventory of all advertisements and promoters
- Substantiate material statements of fact
- Pre-review processes for performance and hypothetical performance
- Written promoter agreements and oversight
Regulation S-P amendments
In 2024, the SEC amended Regulation S-P to require written incident response programs and client notifications for certain data breaches within 30 days. Update your privacy policy, vendor oversight, and breach playbook, and test your contact lists.
Custody and safeguarding client assets
The current Custody Rule 206(4)-2 still applies. If you have custody, you may need a surprise exam or audits for pooled vehicles, and specific procedures for standing letters of authorization. In 2023, the SEC proposed a Safeguarding Rule that would have expanded coverage to more assets, but the proposal was withdrawn in 2025. Focus on strong controls under the existing Custody Rule. See our overview of understanding RIA custody of funds or securities.
AML requirements for advisers
In 2024, FinCEN proposed rules that would apply anti-money laundering and suspicious activity reporting requirements to investment advisers. Monitor the rulemaking process and be prepared to update onboarding and monitoring processes accordingly (see the FinCEN proposal).
Build a Simple Compliance Calendar
You do not need fancy software to start. A calendar with ownership and due dates works.
- Quarterly: Trade and personal trading reviews, email and social media archiving checks, best execution analysis
- Semiannual: Fee billing sample testing and invoice tie-outs, conflict inventory updates, website and marketing content review
- Annual: Compliance program review and report, policy updates, vendor due diligence, privacy notice delivery, business continuity test, training, Code of Ethics certifications, and Form ADV annual amendment and delivery
- As needed: Prompt Form ADV and Form CRS updates for material changes, incident response steps for data events, and new promoter onboarding under the Marketing Rule
Examination Readiness
Exams are risk-based and frequent enough that you should assume you will be reviewed. The Division of Examinations continues to prioritize areas such as Marketing Rule compliance, fee-related practices, custody, cybersecurity, Regulation S-P, and books and records (SEC). States often examine new firms within the first year or two. Review our 8 things to do to prepare for an RIA audit.
- Keep evidence, not just policies. Save workpapers showing reviews, sampling, and follow-up
- Document exceptions and fixes. Regulators expect issues and want to see remediation
- Use a single source of truth. Maintain a current disclosure map tying conflicts to Form ADV items and to policy controls
- Train your team. Short, recurring sessions beat annual marathons
How Community and Structure Help
Compliance gets easier when you are not alone. Peer examples speed up policy tailoring. Shared calendars and workflows reduce misses. At XYPN, we see firms gain momentum when they treat compliance like client service. Clear tasks, owned by people, with deadlines and documentation.
Aim for consistent, explainable processes that match your actual practice. That is what exam staff expects to see.
Quick Reference: Core Requirements and Citations
| Requirement | Reference |
|---|---|
| Compliance program, annual review, CCO | Advisers Act Rule 206(4)-7 |
| Books and records | Rule 204-2 |
| Code of Ethics | Rule 204A-1 |
| Form ADV | Form and instructions |
| Form CRS relationship summary | Form and instructions |
| Marketing Rule | Rule 206(4)-1 |
| Custody of client assets | Rule 206(4)-2 |
| Privacy and safeguards, incident response | Regulation S-P amendments |
Compliance is a muscle. Build routines, keep evidence, and lean on the community. That is how independent advisors protect clients and keep control of their firms.
Key sources and further reading
- SEC Advisers Act Rule 206(4)-7: https://www.ecfr.gov/current/title-17/part-275/section-275.206%284%29-7
- SEC Books and Records Rule 204-2: https://www.ecfr.gov/current/title-17/part-275/section-275.204-2
- SEC Code of Ethics Rule 204A-1: https://www.ecfr.gov/current/title-17/part-275/section-275.204A-1
- SEC Marketing Rule 206(4)-1 and 2023 Risk Alert: www.sec.gov/files/exams-riskalert-mrkt-rule-2512-508.pdf
- SEC Custody Rule 206(4)-2: https://www.ecfr.gov/current/title-17/part-275/section-275.206%284%29-2
- Form ADV and instructions: https://www.sec.gov/about/divisions-offices/division-investment-management/electronic-filing-investment-advisers-iard/frequently-asked-questions-form-adv-iard
- Form CRS and instructions: https://www.sec.gov/resources-small-businesses/small-business-compliance-guides/form-crs-relationship-summary-amendments-form-adv
- SEC Regulation S-P amendments press release: https://www.sec.gov/news/press-release/2024-58
- SEC Division of Examinations priorities overview: https://www.sec.gov/compliance/complianceoutreach/compliance-outreach-program-investment-adviser-investment-company-chief-compliance-officers/compliance-outreach-program-regional-seminars/2025-compliance-outreach
- Investment Adviser Industry Snapshot (IAA): https://www.investmentadviser.org/industry-snapshots/
- FinCEN 2024 proposed AML/CFT rule for advisers (Federal Register publication): https://www.federalregister.gov/documents/2024/02/16/2024-02153/anti-money-launderingcountering-the-financing-of-terrorism-program-and-suspicious-activity-reporting

