Recordkeeping: Books & Records (SEC 204-2)
To meet the books and records requirement of SEC Rule 204-2, an investment adviser that is registered (or required to be registered) must create and preserve the specific books and records listed in the rule, keep them true, accurate, and current, and be able to produce them promptly in an SEC exam. Build a record inventory, retention schedule, and supervised capture process across email, trading, billing, marketing, and compliance. (17 CFR 275.204-2)
Key takeaways:
- Your job is operational: identify required record categories, assign owners/systems, and prove retention and retrieval. (17 CFR 275.204-2)
- “True, accurate and current” fails most often because records are scattered across inboxes, shared drives, and third parties. (17 CFR 275.204-2)
- Exams are won by fast production plus clean audit trails: indexing, immutability controls, and documented supervision. (17 CFR 275.204-2)
Rule 204-2 is the SEC’s baseline expectation for how a registered investment adviser (RIA) documents what it did, why it did it, and how it supervised those activities. The rule is straightforward in concept: you must make and keep specific books and records, keep them accurate and current, preserve them for required periods, and be able to produce them to regulators. (17 CFR 275.204-2)
In practice, recordkeeping breaks when operating models scale: portfolio teams use chat, marketing distributes performance claims without a stable backup package, finance calculates fees in spreadsheets without version control, and key approvals live in informal channels. By the time an exam request arrives, the firm can’t reconstruct a complete story, or can’t prove the record was not altered after the fact.
This page translates the Rule 204-2 books and records requirement into an implementation checklist you can run as a CCO, Compliance Officer, or GRC lead. You’ll walk away with a defensible records inventory, a retention and destruction program, and a repeatable method to respond to SEC document requests without fire drills. (17 CFR 275.204-2)
Regulatory text
Regulatory excerpt (operator-relevant): “Every investment adviser registered or required to be registered under section 203 of the Act shall make and keep true, accurate and current the books and records specified in 17 CFR 275.204-2.” (17 CFR 275.204-2)
What this means operationally:
- You must identify the specific categories of books and records the rule requires and ensure they are captured. (17 CFR 275.204-2)
- You must keep those records true, accurate, and current, which creates an ongoing control obligation, not a one-time filing obligation. (17 CFR 275.204-2)
- You must preserve those records and be able to produce them during an SEC examination in a usable format. (17 CFR 275.204-2)
Plain-English interpretation
SEC 204-2 is a “show your work” rule. If your firm gives advice, trades, bills fees, markets performance, manages conflicts, or supervises people, you need records that (a) exist, (b) are complete, (c) can’t be casually edited without leaving a trail, and (d) can be retrieved on demand. (17 CFR 275.204-2)
Treat this as an enterprise control that spans:
- Front office: recommendations, investment decisions, trading communications
- Operations/finance: fee billing, invoices, valuations support
- Marketing: advertising claims and performance substantiation
- Compliance: code of ethics, personal trading, policies, reviews
- IT/security: system-of-record controls, retention, access logs
Who it applies to
Covered entities
- Any investment adviser registered or required to be registered under Section 203 of the Investment Advisers Act. (17 CFR 275.204-2)
Operational contexts that commonly trigger recordkeeping gaps
- Hybrid workforces relying on email, chat, and mobile for client and trade communications.
- Outsourced functions where a third party (administrator, broker, marketing consultant, billing provider, CRM provider) holds or generates required records. Your obligations do not disappear because the data sits outside your network. (17 CFR 275.204-2)
- Multiple strategies and products where performance, risk, and fee artifacts vary by vehicle.
What you actually need to do (step-by-step)
1) Build a “records inventory” mapped to the rule
Create a register of required record categories and map each to:
- Record type (e.g., advisory contracts, trade blotters, fee calculations, advertising backup, correspondence) (17 CFR 275.204-2)
- System of record (e.g., portfolio management system, CRM, archival platform, shared drive with controls)
- Business owner (named role)
- Upstream source (who creates it; include third parties)
- Retention rule (time period; destruction trigger)
- Production method (how you will export/produce for an exam)
Minimum practical scope aligned to common SEC exam requests includes: client agreements, fee billing records and calculations, performance advertising backup, trade blotters and confirmations, correspondence (paper and electronic), code of ethics reports, and compliance policies. (17 CFR 275.204-2)
Deliverable: a records inventory spreadsheet or GRC object, approved by Compliance and acknowledged by each functional owner.
2) Define capture rules for communications and “correspondence”
Write and implement a correspondence capture standard that answers:
- Which channels are approved (email domains, archived chat, recorded lines).
- Which channels are prohibited for business use (personal email, unapproved messaging).
- What gets captured automatically vs manually uploaded.
- How you handle client portals, SMS, and collaboration tools.
Control test: pick a supervised person and recreate a client interaction end-to-end using only your archive/search tools. If you need to ask them to forward emails, your capture design is weak.
3) Put retention and destruction on rails
Operationalize retention with:
- A retention schedule aligned to Rule 204-2 categories and preservation expectations. (17 CFR 275.204-2)
- Legal/regulatory hold procedures so normal destruction pauses during exams, litigation, or investigations.
- Automated alerts for approaching destruction dates (a practical control to prevent accidental deletion). (17 CFR 275.204-2)
Evidence you want: system retention configurations, hold logs, and destruction approvals.
4) Control “true, accurate, current” through governance and change control
For records that are easy to manipulate (spreadsheets, PDFs, pitchbooks, fee worksheets), add:
- Version control (repository history or document management system)
- Approval workflows (who approved, when, what version)
- Access controls (least privilege; separate creator/approver where practical)
- Immutable archiving for final versions of marketing and client deliverables
Common high-risk areas:
- Performance presentations without a locked backup package.
- Fee calculations that rely on manual overrides with no explanation trail.
- Trade allocation rationales stored informally.
5) Make exam production a practiced workflow, not a scramble
Build a repeatable exam-response process:
- Intake the request list and map each item to its owner and system in your records inventory.
- Run searches in archives using consistent query syntax; document the query.
- Produce in a standardized format with Bates-style indexing or consistent file naming.
- Track completeness: what was produced, what was not found, and what is pending with a third party.
Practical tool: a “document request tracker” that ties each request to (a) record category, (b) owner, (c) system, (d) due date, and (e) production link.
6) Extend oversight to third parties that create or hold required records
For each third party involved in trading, billing, marketing, archiving, or IT:
- Contractually require retention, access, and timely production support.
- Test retrieval at least once in a calm period (not during an exam).
- Confirm how the third party handles deletion, backups, and holds.
If you use Daydream as your third-party risk and due diligence system, link each third party to the record categories they touch, store contract clauses and SOC reports, and track evidence of periodic retrieval tests.
Required evidence and artifacts to retain
Use this as your “proof binder” list for an exam-ready posture:
Governance and program artifacts
- Books & records policy and procedures mapped to Rule 204-2. (17 CFR 275.204-2)
- Records inventory with owners, systems, and production methods.
- Retention schedule and destruction approval workflow documentation.
- Legal/regulatory hold procedure and hold event logs.
Operational records and system evidence
- Archive configuration screenshots/exports (email, chat, file repositories).
- Access control lists for key repositories; evidence of periodic access reviews.
- Samples of supervised communications captured and retrievable.
- Marketing substantiation packages (final ad + backup + approvals).
- Fee billing support: inputs, calculations, approvals, invoices, and client disclosures.
- Trade records: blotters/confirmations and any supporting trade communications. (17 CFR 275.204-2)
Exam readiness
- Document request tracker template and a completed “dry run” package.
- Retrieval test logs for critical systems and third parties.
Common exam/audit questions and hangups
Expect examiners to probe these operational points (phrased as they often show up in document requests):
- “Show me how you retain and retrieve electronic correspondence for supervised persons.” (17 CFR 275.204-2)
- “Provide backup documentation supporting performance and advertising claims.” (17 CFR 275.204-2)
- “Walk through your fee billing process and produce the calculation support.” (17 CFR 275.204-2)
- “What records does your third party administrator/broker/marketer maintain, and how do you access them?” (17 CFR 275.204-2)
- “Demonstrate your retention settings and how you prevent premature deletion.” (17 CFR 275.204-2)
Hangups that slow production:
- No single system of record; records split across shared drives and inboxes.
- “Final” marketing decks exist, but the backup is scattered or unreviewed.
- Third party data access requires tickets and long lead times.
Frequent implementation mistakes (and how to avoid them)
- Treating retention as IT-only. Compliance needs control ownership, testing, and documented procedures. Fix: co-own the records inventory with IT and business leads. (17 CFR 275.204-2)
- Relying on manual collection. People forget, forward late, or curate. Fix: automate capture for approved channels and block unapproved channels for business. (17 CFR 275.204-2)
- No audit trail for spreadsheets. Fee and performance support often lives in editable files. Fix: move to versioned repositories, require approvals, and archive final artifacts in read-only form.
- Third party blind spots. If the broker, administrator, or marketer has the record, you still must produce it. Fix: add contract clauses, retrieval tests, and named contacts.
- No practiced production workflow. Fix: run a tabletop exam and measure time-to-produce, completeness, and repeatability.
Enforcement context and risk implications
No public enforcement cases were provided in the supplied source catalog for this page, so this section stays practical rather than case-driven. Operationally, books and records weaknesses create two predictable risks: (1) you cannot defend the firm’s conduct because you cannot evidence it, and (2) you trigger broader scrutiny because missing records often correlate with supervision and disclosure failures. The safest posture is “prove it fast”: accurate capture, controlled retention, and repeatable production. (17 CFR 275.204-2)
Practical 30/60/90-day execution plan
First 30 days (stabilize and map)
- Appoint a books-and-records program owner (usually Compliance) and system owners (IT, Ops, Marketing).
- Build the first version of the records inventory mapped to Rule 204-2 categories and common exam requests. (17 CFR 275.204-2)
- Identify high-risk channels (personal email, unarchived chat) and publish a short “approved communications” standard.
- Start a legal/regulatory hold procedure draft and identify who can trigger a hold.
Days 31–60 (implement controls and test)
- Configure or validate archiving for email and any approved chat/collaboration platforms.
- Implement retention settings and document them as evidence. (17 CFR 275.204-2)
- Build marketing “substantiation packages” with version control and approvals.
- Run a retrieval test for: (a) correspondence, (b) a marketing claim, (c) a fee calculation, and (d) a trade record. Document results and gaps.
Days 61–90 (operationalize and make it exam-ready)
- Stand up an exam production workflow: request tracker, naming conventions, and a central production repository with access controls.
- Add third-party requirements: contract addenda where needed, and at least one retrieval test with each critical provider.
- Train supervised persons on approved channels and escalation paths.
- Schedule ongoing monitoring: periodic sampling of captured correspondence and periodic checks that retention settings remain enforced. (17 CFR 275.204-2)
Frequently Asked Questions
Does Rule 204-2 apply if we are exempt reporting advisers (ERAs)?
This page addresses advisers “registered or required to be registered” under Section 203. (17 CFR 275.204-2) If your status is uncertain, confirm with counsel and align your internal recordkeeping standard to your registration posture.
Can we store required records in cloud systems like Microsoft 365 or Google Workspace?
Yes, if the system supports controlled retention, access controls, and reliable retrieval for exams. Your evidence should include retention configuration, access governance, and a documented production method. (17 CFR 275.204-2)
Are Slack/Teams messages considered correspondence we must retain?
If supervised persons conduct advisory business in those tools, treat them as business communications that require capture and retention. Operationally, either archive them with tested search/production or prohibit business use in those channels. (17 CFR 275.204-2)
What does “true, accurate and current” mean for fee spreadsheets and performance files?
You need traceability: inputs, calculation logic, approvals, and the final client-facing output, with version history that supports reconstruction. If a file can be edited silently, add version control and archive the final approved version. (17 CFR 275.204-2)
How do we handle records held by a third party (administrator, broker, marketing firm)?
Contract for retention and rapid access, then test retrieval outside exam conditions. Keep the test output and communications as evidence that you can produce the records on demand. (17 CFR 275.204-2)
What is the fastest way to get exam-ready if our records are scattered?
Start with an inventory and production map, then prioritize capture and retention for correspondence, marketing substantiation, fee billing support, and trade records. Run a dry-run production exercise and fix whichever step forces manual chasing. (17 CFR 275.204-2)