Code of Ethics Requirements for Registered Investment Advisers

To meet the Code of Ethics requirements for registered investment advisers, you must adopt and enforce a written Code of Ethics that sets standards of conduct, addresses conflicts from personal trading, requires access person reporting, and retains required records. Operationally, success depends on correctly identifying access persons, collecting reports on time, and documenting supervisory review. 1

Key takeaways:

  • Write a Code of Ethics that matches your actual conflicts, strategies, and organizational structure, not a generic template. 1
  • Build a repeatable access person workflow: identification, initial/annual holdings, quarterly transactions, review, escalation, and discipline. 1
  • Treat enforcement as a supervision and annual-review problem, not a policy-writing task. 2

Rule 204A-1 under the Investment Advisers Act is the anchor requirement for an adviser’s Code of Ethics program. It is not satisfied by publishing a PDF and collecting signatures. Examiners look for a living system: clear standards of business conduct tied to your fiduciary duty, controls that surface conflicts created by personal trading, and evidence that compliance reviews what it collects and follows up.

For a CCO or GRC lead, the fastest path to operationalization is to treat this as a workflow with defined inputs, deadlines, reviewers, exception rules, and records. You need a defensible method to identify “access persons,” ensure their reports are complete, and document timely review and escalation. Weaknesses usually appear in the seams: contractors with system access who are never tagged as access persons, transaction reports collected but not reviewed, and codes that do not reflect the firm’s actual conflict landscape.

This page translates the Code of Ethics requirements for registered investment advisers into an execution plan you can implement, test, and defend in an SEC exam. 1

Regulatory text

Rule 204A-1 requires an SEC-registered investment adviser to adopt and maintain a written code of ethics. The code must: (1) set forth standards of business conduct reflecting the adviser’s fiduciary obligations; (2) require “access persons” to report personal securities holdings and transactions; and (3) require supervised persons to report violations of the code to the adviser. The rule also includes recordkeeping requirements tied to the code, acknowledgments, access person reports, and code administration. 1

Operator translation (what the regulator expects you to be able to show):

  • A written Code of Ethics that speaks to how your people should behave given your business model and conflicts. 1
  • A controlled population of access persons, with defined reporting obligations and documented compliance with those obligations. 1
  • A supervision loop: someone reviews the reports, documents that review, investigates exceptions, and tracks remediation. 2

Plain-English interpretation

Your Code of Ethics program is a conflicts-and-personal-trading control that sits inside your broader fiduciary duty and compliance program. The practical goal is to prevent, detect, and resolve conflicts created by employee investing and information access, and to prove you did so with records.

A workable interpretation:

  1. Standards of conduct: Define what “client-first” means at your firm in day-to-day decisions (gifts, outside business activities, MNPI handling, allocation pressures, political contributions, etc.). 1
  2. Personal trading transparency: Access persons must disclose holdings and transactions so you can test for front-running, misuse of information, and other conflicts. 1
  3. Supervision and escalation: You must be able to show that exceptions trigger follow-up, and repeated issues lead to consequences. 2

Who it applies to (entity + operational context)

Applies to:

  • SEC-registered investment advisers (RIAs) that are subject to Rule 204A-1. 1

Operational scope inside the adviser:

  • Supervised persons who must receive the code and be required to report violations. 1
  • Access persons who must submit personal securities holdings and transaction reports. 1

Where programs fail in real operations:

  • Access person definition is applied too narrowly (e.g., only portfolio managers), missing IT/ops staff with holdings visibility or contractors with privileged access. 1
  • The firm can produce reports, but cannot prove review, follow-up, or discipline. 2

What you actually need to do (step-by-step)

1) Map your conflicts and draft a tailored Code of Ethics

  1. Run a conflicts inventory workshop with investment, trading, operations, and senior management. Capture conflicts created by: strategies you run, client types, side-by-side management, affiliated entities, and employee activities. 1
  2. Translate conflicts into concrete code rules (examples): restricted list policy, blackout windows around client trading, pre-clearance for certain securities, gifts and entertainment thresholds, outside business activity approvals, political contributions process, and escalation paths. Keep examples specific to your products and workflows. 1
  3. Assign ownership: name the code administrator (often the CCO) and a backup reviewer to avoid single-point-of-failure gaps in quarterly review. 2

Control objective: The code reads like it was written for your adviser, because it was.

2) Define “access person” and build a controlled population

  1. Create an access person role matrix by department and system permission. Include non-obvious roles (client service with holdings access, IT administrators, operations staff pulling position files, certain finance roles). 1
  2. Document inclusion/exclusion rationale for each role, then produce an access person list (current plus historical versions). 1
  3. Add triggers so HR/IT changes force an access person reassessment (new hire, role change, new system access, contractor onboarding). 1

Common best-practice control: Perform an annual org chart and role review to validate the access person list stays complete as the firm changes. 1

3) Implement the reporting workflow (holdings + transactions + attestations)

Build a simple workflow you can run repeatedly:

  1. Distribute the code to all supervised persons and collect written acknowledgments of receipt (and acknowledgment of amendments when updated). 1
  2. Collect access person reports required by the rule (holdings and transactions), and define how they submit (compliance system, attestations, broker feeds, or manual forms). 1
  3. Require reporting of code violations by supervised persons, with a clear intake method (email alias, ticket, or compliance portal) and non-retaliation language aligned to your HR process. 1

4) Review, investigate, and document exceptions (the supervision loop)

A code without review is where exam findings pile up. Make the review process auditable.

  1. Set a review calendar for transaction reports and holdings attestations, and assign named reviewers. 2
  2. Create exception rules to triage what gets investigated first, such as:
    • Trades in securities also traded for clients or appearing in recommendations/holdings
    • Short-term or repetitive trading patterns
    • Trading that conflicts with restricted/blackout rules 2
  3. Investigate exceptions with a standard case memo: facts, data reviewed, employee explanation, determination, corrective action, and whether the event triggers other reporting (e.g., ADV disclosure updates, if relevant). Keep the memo format consistent. 2
  4. Escalate repeat issues using a documented disciplinary framework (warnings, trading restrictions, termination), and keep HR in the loop. 2

5) Integrate with your annual compliance review and supervision program

Tie code of ethics testing into the broader compliance program review so it does not become a side project.

  • Add code-of-ethics KPIs that are auditable without being performative: completion, timeliness, review evidence, exceptions opened/closed, and themes. 2
  • Update the code when the business changes (new strategies, affiliated entities, new product types), then redistribute and re-acknowledge. 1

Required evidence and artifacts to retain

Expect these to be requested in an SEC exam. Keep them organized by period and version.

Policy and governance

  • Current Code of Ethics and prior versions
  • Evidence of distribution to supervised persons
  • Written acknowledgments of receipt (initial and amended versions) 1

Access person population management

  • Current and historical access person lists
  • Methodology and rationale for access person identification (role matrix, system access map) 1

Reporting and review artifacts

  • Initial holdings reports, annual holdings reports, and quarterly transaction reports for access persons
  • Review logs showing who reviewed, when, what was tested, and what exceptions were found
  • Investigation memos, outcomes, and remediation tracking
  • Pre-clearance approvals (if your code requires it) and restricted list evidence (if applicable) 3

Program oversight

  • Annual compliance review materials addressing code effectiveness and any enhancements
  • Senior management reporting on themes and repeat offenders (where applicable) 2

Common exam/audit questions and hangups

Use these as a pre-exam readiness checklist:

  • “Show me your Code of Ethics and walk me through how it reflects your fiduciary duty and conflicts.” 1
  • “Who are your access persons? How did you decide?” Expect probing on IT/ops, contractors, and affiliates. 1
  • “Provide the last cycle of transaction reports and evidence of review.” Examiners focus on whether review happened and what you did with exceptions. 2
  • “What happens when someone does not submit a report or violates the code?” They want escalation and consequences, not informal reminders. 2

Frequent implementation mistakes and how to avoid them

Mistake | Why it fails | Fix
Boilerplate code that does not match your strategies or conflicts | Creates gaps you cannot defend in an exam | Start with a conflicts inventory and write provisions that map directly to those conflicts. 1
Access person list limited to investment team | Misses indirect information access and creates reporting holes | Build a role + system access matrix; revalidate on organizational change and periodically. 1
Collecting reports without review evidence | Looks like paper compliance; supervisory failure risk | Keep a review log, exception criteria, and closed-loop investigation memos. 2
No documented escalation/discipline | Repeat violations continue; weak tone from the top | Define consequences and track them through HR and compliance case management. 2
Code not updated after business changes | New conflicts appear without controls | Add code review as a mandatory step in new product/strategy approvals. 1

Enforcement context and risk implications (without case citations)

Even without a cited public case list on this page, the risk pattern is consistent: regulators treat Code of Ethics failures as indicators of weak supervision and weak conflict management. Programs get into trouble when they cannot show (a) tailoring to real conflicts and (b) active enforcement through review and escalation. 2

Practical risk implications:

  • Fiduciary duty exposure if personal trading conflicts harm clients or appear unmanaged. 1
  • Deficiency letters and remediation burden if you cannot produce evidence of review, investigations, and updates. 2

A practical 30/60/90-day execution plan

Days 1–30: Stabilize the program (get to “exam defensible”)

  • Inventory your current Code of Ethics, acknowledgments, and reporting artifacts; identify missing periods and missing people. 1
  • Build or refresh the access person role matrix with HR and IT permission lists. 1
  • Stand up a review log template and an exception/investigation memo template; begin using them immediately. 2

Days 31–60: Fix tailoring and workflow gaps

  • Run a conflicts workshop and rewrite the code sections that do not reflect your actual products, strategies, and affiliations. 1
  • Re-issue the code (or an amendment) and collect updated acknowledgments. 1
  • Train access persons on reporting expectations and consequences for non-compliance; document attendance and materials. 2

Days 61–90: Operationalize monitoring and integrate with supervision

  • Perform a full cycle test: confirm all required reports are submitted, reviewed, exceptions investigated, and cases closed with documentation. 2
  • Add code-of-ethics controls to supervisory procedures and the annual compliance review testing plan. 2
  • If you need automation (broker feeds, attestations, review queues), implement it with audit-ready exports so you can produce records quickly. Daydream can help centralize the access person population, reporting collection, review workflows, and evidence packaging for exams without turning the program into a spreadsheet exercise. 1

Frequently Asked Questions

Do I need to tailor my Code of Ethics, or is a template acceptable?

You can start from a template, but the final code must reflect your fiduciary obligations and the conflicts that actually arise from your operations. A generic document that omits your real conflict points creates exam and enforcement risk. 1

Who counts as an “access person” in practice?

Build the definition from information access, not job titles. Include anyone with access to nonpublic information about client transactions, holdings, or recommendations, which often reaches beyond the investment team. 1

What’s the minimum evidence examiners expect for “review” of transaction reports?

A timestamped review log plus documented follow-up for exceptions is the baseline. If you investigated a flagged trade, keep the case memo and outcome, not just an email thread. 2

Can I rely on brokerage statements instead of bespoke transaction reports?

The rule focuses on holdings and transaction reporting obligations for access persons and associated recordkeeping. If you use statements or feeds, ensure they capture required fields and you can prove completeness and review. 1

How do I handle contractors or consultants with systems access?

Treat access to nonpublic client trading/holdings data as the trigger, even for non-employees. Document your determination and, if they qualify, bring them into the access person reporting and code acknowledgment workflow. 1

What should trigger a Code of Ethics update?

Any business change that introduces new conflicts or new personal trading risks should trigger a code review, plus redistribution and acknowledgments if you amend the code. Build this into new product/strategy approvals so updates happen before launch. 1

Footnotes

  1. 17 C.F.R. § 275.204A-1

  2. Compliance Rules v2 - sec-code-of-ethics

  3. 17 C.F.R. § 275.204A-1; Compliance Rules v2 - sec-code-of-ethics
