Building a Compliance Program for a New RIA: What the Advisers Act Actually Requires

When a new investment adviser registers with the SEC — or with a state securities regulator — the registration itself is only the beginning. The more demanding and ongoing obligation is building and maintaining a compliance program that satisfies Rule 206(4)-7 under the Investment Advisers Act of 1940. Many newly registered RIAs underestimate what that requires. They download a template policies-and-procedures manual, designate a part-time CCO, and assume the box is checked. It is not.

This post walks through what Rule 206(4)-7 actually requires, what "reasonably designed" means in practice, the core areas every compliance program must address, and the operational and filing obligations that run alongside the written program.

Rule 206(4)-7: The Compliance Rule

Rule 206(4)-7 has three operative requirements. First, every registered investment adviser must adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and its rules. Second, the adviser must designate a chief compliance officer responsible for administering the policies and procedures. Third, the adviser must conduct at least an annual review of those policies and procedures to assess their adequacy and the effectiveness of their implementation.

Failure to comply with Rule 206(4)-7 is itself a violation of the Advisers Act, independent of whether any underlying substantive violation occurred. The SEC has brought enforcement actions where the firm's compliance program was deficient but no specific investor harm resulted. The rule is prophylactic — its purpose is to prevent violations before they happen.

What "Reasonably Designed" Actually Means

The standard is not perfection. It is risk-based proportionality. The SEC has made clear that a reasonable compliance program is one tailored to the specific risks presented by the adviser's business — its investment strategies, client types, organizational structure, conflicts of interest, and operational complexity.

A $150 million AUM discretionary equity manager advising institutional accounts has different compliance risks than a $500 million AUM hedge fund manager using leverage, derivatives, and side pockets. The policies and procedures that satisfy the rule for the former will not be adequate for the latter. Template programs lifted from the internet typically fail this test because they are written generically rather than for the specific business.

The practical implication: before drafting a single policy, an RIA's counsel and CCO should conduct a risk inventory. What does the firm do? Where are the conflicts? What are the most likely pathways to a violation? The written program should address those specific risks in specific terms.

The Seven Core Areas Every RIA Compliance Program Must Address

The SEC's adopting release for Rule 206(4)-7 identified specific areas that policies and procedures should address for most advisers. These are not optional topics:

Portfolio management processes. How investment decisions are made, documented, and reviewed. This includes allocation policies for investment opportunities across client accounts, valuation methodology for illiquid or hard-to-value securities, and the basis for investment recommendations.
Trading practices. Best execution policies, trade allocation, aggregation of client orders, and the adviser's order management workflow. For advisers with multiple client accounts, the allocation policy must be fair and must be followed consistently.
Proprietary trading and personal account dealing. Addressed through the code of ethics (discussed below), but the broader compliance program must also address conflicts arising from the firm's own account trading alongside client accounts.
Accuracy of disclosures. Policies ensuring that Form ADV, client contracts, marketing materials, and all other communications are accurate and not misleading. This includes a process for reviewing and updating disclosures when material information changes.
Safeguarding of client assets. Procedures relating to the custody rule (Rule 206(4)-2), qualified custodian relationships, account statement reviews, and the prevention of misappropriation.
Business continuity. A documented plan for continuing operations following a significant disruption — whether a natural disaster, cybersecurity incident, key-person departure, or systems failure. The SEC has specifically called out cybersecurity preparedness as a component of an adequate compliance program.
Privacy protection. Policies under Regulation S-P governing the protection of nonpublic personal information of natural-person clients, including initial and annual privacy notices and safeguards against unauthorized disclosure.

Written Policies and Procedures: What Must Be in Writing

Rule 206(4)-7 requires that the compliance program be in writing. This is not merely best practice — it is a condition of compliance. The SEC has cited advisers for maintaining oral policies or policies that existed only in the CCO's head. If it is not written, it does not exist for purposes of the rule.

What must be written: the core policies themselves, the procedures that implement those policies, the CCO's designation, and the record of each annual review. What can be more informal: day-to-day operational decisions that are governed by the written procedures, provided those decisions are consistent with what is written. The written procedures should be specific enough to govern actual behavior without being so granular that every minor operational choice requires a policy amendment.

A common error is writing policies in terms so vague that they provide no real guidance — for example, a best execution policy that says "the adviser will seek to obtain best execution for client transactions" without specifying how that is evaluated, documented, or reviewed. Vague policies provide no guidance to personnel and no defense in an examination.

The Annual Review

The annual review is not a box-checking exercise. It is a substantive assessment of whether the compliance program is working — whether the policies adequately address the firm's current risks and whether the firm is actually following them.

A meaningful annual review should examine: whether any material changes to the business occurred during the year that require program updates; whether any violations or near-misses occurred and what they indicate about program gaps; whether regulatory developments (new rules, SEC guidance, examination priorities) require program modifications; and whether testing of the controls is producing satisfactory results.

The review must be documented. At minimum, the CCO should produce a written annual review report that identifies what was reviewed, any deficiencies found, and remediation steps taken or planned. This report is a books-and-records item. Examiners routinely request it. Advisers who cannot produce it — or who produce a one-page memorandum that says "everything looks fine" — will have a problem.

Who conducts the review? The rule does not require an outside party, but many advisers engage outside counsel or compliance consultants to conduct or assist with the annual review, particularly where the CCO wears multiple hats or where the firm lacks the internal resources to conduct a rigorous review independently.

Designating a CCO: Qualifications, Outsourcing, and Liability

The CCO must be competent and knowledgeable regarding the Advisers Act. The rule does not impose specific credential requirements, but the SEC has taken the position that a CCO who lacks sufficient knowledge of the law and the firm's business cannot effectively administer the compliance program. A CCO who is also the firm's principal portfolio manager and who dedicates no meaningful time to compliance is a red flag in any examination.

Outsourced CCO arrangements — where the firm contracts with a third-party compliance consultant to serve as CCO — are permissible, but they come with important caveats. The outsourced CCO must be genuinely responsible for administering the program, not merely a figurehead. The arrangement must be disclosed in Form ADV. And the outsourced CCO arrangement does not eliminate the firm's own responsibility for compliance — the firm's principals remain liable for the firm's compliance failures even if they point to the outsourced CCO as the responsible party.

CCO liability has been a contested area. The SEC has brought enforcement actions directly against CCOs, not just the firms they serve, in cases where the CCO affirmatively participated in a violation or consciously disregarded red flags. The mere failure to prevent a violation is generally not enough to support a CCO enforcement action, but the line is not always clear. CCOs should understand that their designation comes with genuine legal exposure.

Form ADV Compliance

Registration and compliance are inseparable from Form ADV, the SEC's primary registration form for investment advisers. Form ADV has four operative parts.

Part 1 is the registration form itself — organizational information, regulatory status, assets under management, types of clients, and background information on the firm and its key personnel. Part 1 is filed electronically through the IARD system and is publicly accessible on the SEC's Investment Adviser Public Disclosure database.

Part 2A is the firm brochure — a narrative disclosure document that must be written in plain English and delivered to clients. It covers advisory services, fees, conflicts of interest, disciplinary history, and numerous other topics addressed in a subsequent post.

Part 2B consists of brochure supplements for individual supervised persons who provide investment advice and have direct client contact. Each supplement must describe the supervised person's educational background, business history, disciplinary history, and other business activities.

Part 3 is the Client Relationship Summary (Form CRS), required for advisers serving retail investors. It is a two-page standardized document that describes the adviser's services, fees, conflicts, disciplinary history, and how clients can obtain additional information. Form CRS must be delivered to retail clients at or before the commencement of an advisory relationship and is publicly filed on IARD.

The Code of Ethics

Rule 204A-1 requires every registered investment adviser to adopt a code of ethics. The rule's requirements are specific. The code must set standards of business conduct reflecting the adviser's fiduciary obligations. It must require compliance with the federal securities laws. And it must address personal securities trading by "access persons."

An access person is any supervised person who has access to nonpublic information about the adviser's clients' securities transactions, or who is involved in making securities recommendations to clients. For most small to mid-size advisers, every professional employee is an access person by definition.

The code must require access persons to report their personal securities holdings periodically — initially within 10 days of becoming an access person, and annually thereafter — and to report every personal securities transaction within 30 days after the end of each calendar quarter. The initial holdings report and each annual holdings report must be current as of a date no more than 45 days before the report is submitted.

For "reportable securities" — which includes most securities other than direct obligations of the U.S. government, money market instruments, and shares of broad-based open-end mutual funds — the code must require pre-clearance before an access person may execute a personal trade. The firm's compliance program must include a pre-clearance process, records of pre-clearance requests and approvals, and a mechanism for identifying and addressing conflicts between personal trades and client trades.

Books and Records: Rule 204-2

Rule 204-2 is arguably the most detailed books-and-records requirement in financial services regulation. It runs to dozens of categories of records that registered advisers must create and maintain, covering financial records, communications, client records, and compliance documentation.

Key retention periods: most required records must be kept for five years from the end of the fiscal year in which they were created, with the first two years in an easily accessible place. Partnership agreements, articles of incorporation, and similar organizational records must be kept for the life of the business plus three years. Communications that relate to recommendations or investment advice must be retained for five years.

Electronic storage is permissible — and practically necessary — but the rules impose specific requirements on electronic storage systems: records must be maintained in a format that preserves them for the required retention period, must be capable of being reproduced as legible paper copies, and must be indexed and available for prompt production to the SEC upon request. The SEC has taken action against advisers for inadequate electronic storage systems that failed to capture all required communications, including text messages and personal email used for business purposes.

State vs. SEC Registration

Not every adviser registers with the SEC. An adviser with less than $100 million in regulatory assets under management generally must register with the state securities regulator in the state where it has its principal office and place of business, rather than with the SEC. Between $25 million and $100 million, the adviser is in what is sometimes called the "notice filing zone" — it may be required to register in multiple states and may or may not be eligible for SEC registration depending on whether it qualifies for an exemption.

Advisers with between $100 million and $110 million may register with the SEC or with states; once assets exceed $110 million, SEC registration is required. There are also basis-for-registration provisions that allow SEC registration regardless of AUM — for example, advisers to registered investment companies, advisers expecting to be eligible for SEC registration within 120 days, and multi-state advisers registered in 15 or more states.

State-registered advisers are subject to state law requirements that vary by jurisdiction and may differ from the federal requirements discussed here. Advisers subject to both federal and state requirements should not assume they are identical.

The Initial Registration Process

SEC registration requires the submission of Form ADV through the IARD system. The SEC has 45 days to review the application and either grant registration or institute proceedings to deny it. As a practical matter, most applications are processed within that window without substantive review — the SEC's examination program is separate from the registration process, and the grant of registration is not an endorsement of the adviser's disclosures or practices.

New registrants should expect to be examined within their first year of registration. The SEC's Division of Examinations conducts "presence exams" of newly registered advisers specifically to assess whether their compliance programs are operational. Advisers that register and then fail to build out their compliance program before the first examination are in a difficult position.

The right sequence is: retain counsel, conduct the risk inventory, draft the compliance manual, draft the code of ethics, designate the CCO, complete the Form ADV, file for registration, and be ready for examination from day one. Building the compliance program after registration — or worse, after receiving an examination notice — is not a viable approach.

This article is for informational purposes only and does not constitute legal advice. No attorney-client relationship is formed by reading this content.