Dually Registered Firms: Steps for Performing an Efficient Annual Review and Gap Analysis

In accordance with Rule 206(4)-7 of the Investment Advisers Act of 1940 (the “Act”), as amended, an investment adviser (“RIA”) registered with the Securities and Exchange Commission (“SEC”) is required to conduct an annual compliance review to assess the adequacy and effectiveness of the firm’s policies and procedures (“Annual Review”). Similarly, a Financial Industry Regulatory Authority (“FINRA”) registered Broker-Dealer (“BD”) is required under FINRA Rule 3120 to perform testing of the firm’s supervisory procedures and controls at least annually (“Gap Analysis”).


Performing these reviews requires an extensive amount of time, especially for dually registered firms (i.e., firms that are registered as both an RIA and a BD). In this Regulatory Management Update, we discuss the requirements for these reviews and provide suggestions on ways to approach the testing and review functions in order to save time and help ensure efficiency.

The Rules

RIA Annual Review – Under Rule 206(4)-7 of the Act, an RIA must perform an annual review of its policies and procedures to ensure they are reasonably designed to prevent violations of applicable federal and state securities regulations. This review requires more than a simple read-through of the Firm’s manual. An RIA must perform comprehensive testing of the policies, procedures, and internal controls it has in place. Additionally, the review needs to take into consideration any changes to the firm’s business practices, along with new and/or amended regulations.

BD Gap Analysis – Under FINRA Rule 3120, a BD is required to annually test and verify that its supervisory procedures are reasonably designed with respect to the activities of the firm and its associated persons, to achieve compliance with applicable securities laws, regulations and FINRA rules, and update supervisory procedures where the need is identified by such testing and verification. The designated principal(s) of the BD also must submit a report to the firm’s senior management detailing the BD’s system of supervisory controls, the summary of the test results, and the updated supervisory procedures drafted in response to the findings.

Ways to Increase Efficiency When Performing Reviews

Step One: Deciding Areas to Test First

Effective Annual Review and Gap Analysis assessments need to be based on testing that is performed and reviewed throughout the year. Since a firm’s written policies and procedures generally cover a significant number of applicable federal, state, and FINRA rules, it can be a daunting task to prioritize testing areas. To begin, a firm should identify its highest areas of risk. Although not required, performing a risk assessment[1] prior to, or in conjunction with, performing these reviews can help this process be more effective and increase efficiency.

Once risks are identified, they should be rated from highest to lowest. The important objective is to identify the firm’s highest risks and prioritize those areas for testing before other areas.

Step Two: Design and Perform the Testing

Once a firm has determined the high-risk areas to focus on first, it should design specific tests for those areas. Testing generally takes three forms.

  1. Transactional testing, which is performed at the time of the activity. An example of a transactional test would be pre-clearance of personal trades.
  2. Periodic testing, which is testing that is performed at certain times/intervals. An example would be quarterly email correspondence reviews.
  3. Forensic testing, which involves analyzing information over a period of time, looking for trends and patterns. An example would be a review of trade blotter and trade memorandums.

Step Three: Document the Review and Report to Senior Management

Rule 206(4)-7 does not require the creation of a written report, only documentation substantiating the performance of an Annual Review. However, FINRA Rule 3120 does require BDs to create a written report. For dually registered firms, it’s usually more efficient to create a report covering both reviews. Importantly, the following areas should be included in the report:

  • Area Reviewed and Tested
  • Testing Performed
  • Risk Level
  • Applicable Rule
  • Findings
  • Recommended Corrective Action
  • Date Corrective Action Completed

Once completed, the report should be presented to the firm’s senior management for assessment and approval of recommended corrective actions. Additionally, BDs are required under FINRA Rule 3130 to present the report to the firm’s Senior Principal (in most cases the Chief Executive Officer) and obtain a signed certification that the Gap Analysis performed has been presented to the CEO and the CEO understands the status of the Compliance Program and that the Compliance Program is reasonably designed to meet regulatory requirements. In addition, the Gap Analysis must be submitted to the BD’s board of directors and audit committee within 45 days of execution of the certification.

If a combined report is done, then the report and certification should be maintained in the firm’s books and records for a period of no less than five years from the end of the fiscal year in which the review was performed.

Step Four: Implementation of Recommended Corrective Actions

Typically, the Chief Compliance Officer is the person tasked with monitoring and assisting with, when necessary, the completion of corrective actions outlined in the report. To the extent possible, corrective actions should be completed promptly after approval of such actions, addressing the high-risk areas first.

As a best practice, each year’s Annual Review and Gap Analysis report should include a summary of the status of all corrective actions from the previous year’s reviews. 


Annual Reviews and Gap Analyses are not just regulatory requirements to fulfill. Rather, they are an important process that allows firms to not only assess the effectiveness of their policies and procedures, but to help ensure that the controls in place adequately address risks and conflicts. Performing testing throughout each year allows firms to promptly correct any gaps found in their Compliance Program, which in turn can potentially result in cost savings for the firm. The annual testing performed should be varied in order to meet changing regulatory requirements and firm business practices. Chief Compliance Officers should have a thorough understanding of the responsibility they have for administering this important part of their firm’s compliance program.


Author: Core Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, hedge funds, and private equity firms on regulatory compliance issues.


This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.

[1] See https://www.corecls.com/news-events/core-steps-for-performing-and-documenting-a-risk-assessment
