Under Rule 206(4)-7 of the Investment Advisers Act of 1940, investment advisers registered with the Securities and Exchange Commission (SEC) (RIAs) are required to review their compliance policies and procedures at least annually[1]. The review is designed to evaluate whether the firm’s policies and procedures are both adequate and effectively implemented to prevent violations of the Advisers Act and the rules adopted under it.
Commonly referred to as the Annual Review, this process is one of the most important opportunities each year for RIAs to step back, evaluate the effectiveness of the compliance program, and ensure that it evolves with the business and the regulatory landscape. The Annual Review should not be treated as a one-time exercise or a formality; rather, it should be an ongoing effort to uncover weaknesses, address conflicts, and strengthen oversight.
This Risk Management Update explores practical strategies advisers can use to elevate the Annual Review process, including developing a clear plan, taking a risk-based approach, employing meaningful testing and documentation, incorporating guidance from the SEC, and creating effective response plans when issues are uncovered. By embracing these practices, advisers can transform their Annual Review process from a regulatory requirement into a driver of stronger governance and accountability.
Building a Strong Annual Review Plan
Strong Annual Reviews require a structured plan that embeds compliance into the daily operations of the firm. In addition, firms should aim to have the Annual Review woven into the overall culture of compliance as much as possible. This means thinking beyond a one-time, annual exercise and incorporating year-round monitoring and testing into the process.
Key elements of a robust plan include:
- Written assessments that identify firm risks and conflicts of interest and describe the steps the firm takes to address and disclose them.
- A compliance manual that outlines applicable federal and state regulations in a practical manner, is tailored to the firm’s business practices, and is supported by separate operations and supervision manuals where appropriate.
- Ongoing monitoring and testing of firm policies and procedures.
- Periodic mock regulatory exams or independent program testing to gauge continued effectiveness.
Equally important is senior management involvement. Commonly referred to as “Tone at the Top,” it is the foundation of a solid compliance program. Engaged leadership not only ensures that oversight responsibilities are clearly understood and that any compliance gaps found during reviews receive the attention and resources they deserve; it also sends a clear message to all firm personnel that senior management takes compliance seriously.
The Value of a Risk-Based Approach
The SEC has consistently emphasized the need for Annual Reviews to focus on high-risk areas[2]. This requires firms to take a dynamic approach to identifying, prioritizing, and testing the areas of regulatory concern that are pertinent to their business and services.
To begin, an advisory firm should:
- Evaluate current risks and conflicts of interest and assess whether sufficient checks and balances exist.
- Review past SEC deficiency letters and any historical compliance issues or violations.
- Account for new products, services, or lines of business that may have altered the firm’s risk profile.
- Be familiar with the SEC’s Risk Alerts and Exam Priorities Lists, which often foreshadow the areas of focus during a routine examination.
By grounding the review in risk, advisers not only demonstrate regulatory alignment but also create a framework that protects the business from emerging threats.
Testing and Documentation
Testing is the engine of the Annual Review. A strong program uses layered testing methods to capture both everyday compliance and more subtle issues. Ensure your firm is performing:
- Transactional testing – Reviewing specific activities to identify red flags.
- Periodic testing – Conducted at intervals to confirm ongoing adherence.
- Forensic testing – Designed to uncover attempts to circumvent controls.
Key testing areas should include portfolio management, trading practices, disclosures, marketing, valuations, fee billing, business continuity, cybersecurity, and electronic communications, just to name a few.
Documentation is equally critical. SEC examiners often request written records that memorialize which risks were identified and how they are managed, the type and timing of tests performed along with their results, and the corrective actions taken, supported by exception reports and other evidence[3]. Without this documentation, even the most rigorous review will appear incomplete.
Event-Driven Reviews
In addition to the annual cadence, advisers should incorporate event-driven reviews when significant changes occur. These might include mergers, acquisitions, technology shifts, or new regulatory guidance and/or requirements.
Recent SEC Risk Alerts offer valuable insight into areas that require particular attention, from marketing disclosures under the amended Marketing Rule to safeguarding client information in an era of heightened cybersecurity threats. Mapping review procedures to these priorities helps advisers keep pace with regulatory expectations.
Identifying and Addressing Issues
One of the most important aspects of the Annual Review is what happens after risks and/or compliance gaps have been identified. Firms should establish a clear process to promptly determine:
- When new policies and procedures are needed.
- Whether a material issue requires consultation with outside counsel.
- If client remediation or restitution is necessary.
- When training programs should be updated to prevent recurrence.
Chief Compliance Officers have a duty to share findings with senior management. These discussions often lead to meaningful organizational changes, whether improving internal controls, enhancing oversight, or reshaping compliance culture.
Conclusion
While the Annual Review is mandated under Rule 206(4)-7 of the Advisers Act, it should not be viewed as a burden, nor should the requirement be taken lightly. Done right, it is an opportunity to continually strengthen a firm’s compliance program, bolster trust with clients, and demonstrate adherence to regulators.
By taking a proactive, risk-based, and well-documented approach, advisers can turn the Annual Review process into a cornerstone of their compliance program. More than that, they can position their firms for long-term resilience in an increasingly complex regulatory landscape.
Core Compliance understands that a properly performed Annual Review is necessary for a successful and robust compliance program. Our team has decades of experience performing Annual Reviews and is here to help your firm every step of the way. Reach out to us today at (619) 278-0020 or visit us at www.corecls.com to learn more.
Author: Anna Schnitkey, Sr. Operations Associate; Editor: Tina Mitchell, Managing Director, Consultation Services, Core Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, and private fund managers on regulatory compliance issues.
This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon regarding any particular facts or circumstances without first consulting with a lawyer and/or tax professional.
[1] See SEC.gov, “Compliance Programs of Investment Companies and Investment Advisers.”
[2] See “OCIE Observations: Investment Adviser Compliance Programs.”
[3] See “Investment Advisers: Assessing Risks, Scoping Examinations, and Requesting Documents.”