SEC Code of Ethics (RIA)

To meet the SEC Code of Ethics (RIA) requirement, an SEC-registered (or required-to-be-registered) investment adviser must adopt, maintain, and enforce a written Code of Ethics that sets standards of conduct, requires compliance with federal securities laws, and mandates access-person personal trading and holdings reporting with adviser review 1. Operationalize it by defining access persons, implementing reporting/pre-clearance workflows, performing documented reviews, and retaining the required records.

Key takeaways:

  • Your Code of Ethics must be written, distributed, acknowledged, and enforced, not just “on file” 2.
  • The operational center is access person oversight: holdings reports, quarterly transaction reports, reviews, and IPO/limited offering pre-approval 2.
  • SEC cases show the SEC charges firms for missing codes, paper programs, and nonexistent reviews, often alongside broader compliance program failures 3.

The SEC’s Code of Ethics rule is a baseline examination item for RIAs because it connects directly to fiduciary duty and conflicts management: personal trading, misuse of nonpublic information, and standards of conduct across supervised persons. Rule 204A-1 requires more than a policy document. You need an operating system that identifies who is an access person, collects complete personal securities data, enforces pre-approval where required, and documents supervisory review and follow-up 2.

In practice, most problems come from mismatched definitions and workflows: someone is treated as a “non-access” employee but still sees client holdings; a portfolio manager submits reports but no one reviews them; pre-clearance exists in the code but approvals are done informally and never retained. The SEC has brought cases where advisers failed for years to adopt a compliant written code or to implement meaningful reviews 4. Examiners also look for substantive review designed to detect conflicts like parallel trading or trading around restricted lists 5.

This page gives requirement-level implementation guidance you can put into production quickly, including evidence to retain and a 30/60/90-day rollout plan.

Regulatory text

Rule 204A-1 requires that if you are an investment adviser registered or required to be registered under Section 203 of the Investment Advisers Act of 1940, you must establish, maintain and enforce a written code of ethics that, at a minimum:

  1. sets a standard of business conduct for supervised persons reflecting fiduciary obligations;
  2. requires supervised persons to comply with applicable federal securities laws; and
  3. requires all access persons to report, and the adviser to review, personal securities transactions and holdings periodically 1.

Operator translation: the SEC expects a Code of Ethics that is (a) complete on paper and (b) backed by procedures that prevent, detect, escalate, and remediate violations with evidence of supervision 2.

Plain-English interpretation (what the SEC is really testing)

Exams typically test four things:

  1. Governance: You adopted a written Code of Ethics that matches Rule 204A-1’s minimum elements and fits your business model 2.
  2. Population: You correctly identified “supervised persons” and “access persons,” and you keep that list current 2.
  3. Controls: You run the required personal trading and holdings reporting, plus pre-approval for IPOs and limited offerings, and you can show the control working 2.
  4. Supervision: Reviews are meaningful, documented, and designed to detect conflicts and misuse of information, not a checkbox 5.

Who it applies to (entity and operational context)

Applies to: Any investment adviser registered or required to be registered under Section 203 of the Investment Advisers Act 2.

Operationally hits these teams/activities:

  • Investment team: portfolio managers, analysts, traders, anyone who can influence recommendations or sees portfolio activity.
  • Operations: trade support, reconciliations, performance, anyone who may see holdings or trades.
  • Compliance: personal trading administration, restricted list, surveillance, investigations.
  • Senior management: approval, resourcing, escalation outcomes.

Access persons: The rule defines an access person as a supervised person who has access to nonpublic information about client trades/holdings, is involved in recommendations, or has access to nonpublic recommendations 2. Your classification must be fact-based, not title-based.

What you actually need to do (step-by-step)

1) Adopt a Rule 204A-1-complete written Code of Ethics

Minimum build requirements:

  • Standard of business conduct tied to fiduciary duty 2.
  • Requirement to comply with federal securities laws 2.
  • Access-person reporting of holdings and transactions, with adviser review 2.
  • Procedures to prevent violations using “reasonable diligence” 2.
  • Pre-approval requirement for IPOs and limited offerings for access persons 2.
  • Distribution to supervised persons and written acknowledgment 2.

Practical drafting move: write the Code in two layers:

  • Policy layer (what the rule requires).
  • Procedure layer (how your firm will execute: systems, forms, review cadence, escalation).

2) Define and maintain your “access person” inventory

Build an access-person determination memo or matrix that maps:

  • role → systems/data access → recommendation influence → access-person status → rationale 2.

Process requirement: add “access person determination” to onboarding, role changes, and system entitlement changes.

3) Implement personal securities reporting workflows (collection)

Your process must capture holdings and transactions for access persons and get them into a reviewable format 2.

Implementation choices:

  • Attestation + brokerage feeds (preferred when available): reduces omission risk and supports exam evidence.
  • Manual reporting: higher risk; requires stronger follow-up controls and exception tracking.

Operational minimums to document:

  • Who must report (named list).
  • What accounts must be disclosed (beneficial ownership concept should be covered in training and FAQs, and enforced through account disclosure).
  • How you handle late/missing reports (escalation path and consequences).

4) Enforce pre-clearance for IPOs and limited offerings

Your code must require approval before access persons acquire beneficial ownership in IPOs or limited offerings 2.

A workable pre-clearance control includes:

  • Request form capturing issuer, offering type (IPO/limited), relationship to issuer, allocation size, and whether the person has relevant client/MNPI exposure.
  • Compliance approval/denial with rationale and timestamp.
  • A check against restricted lists and current client activity where applicable 5.

5) Perform substantive reviews and document them

The rule requires you to review reports 2. The SEC has flagged weak reviews that do not reasonably identify conflicts, patterns, or violations 5.

A “substantive” review protocol should include:

  • Compare personal trading to restricted list and any watch list you maintain 5.
  • Look for patterns: trading ahead of client activity (front-running risk), parallel trading, short-term trading contrary to internal rules, repeated late reporting.
  • Confirm pre-clearance was obtained where required 2.
  • Evidence of follow-up: inquiries, resolutions, exceptions granted, disciplinary action where appropriate.

6) Train, distribute, and get acknowledgments

You need to distribute the code and obtain acknowledgments from supervised persons 2. Operationally:

  • Tie acknowledgment to onboarding and annual compliance training.
  • Maintain a controlled version, with amendment history and distribution dates.

7) Retain records so you can answer an exam request fast

Exams commonly request the code, access-person lists, reports, approvals, and review evidence 6. Build a “204A-1 exam binder” folder structure and keep it current.

Where Daydream fits naturally: Daydream can act as the system of record for your access-person population, automated attestations, pre-clearance routing, review sign-offs, and exception workflows so the “enforce” requirement is provable with audit trails rather than emails and spreadsheets 2.

Required evidence and artifacts to retain (exam-ready list)

Maintain, at minimum:

  • Current Code of Ethics and prior versions; approval record 2.
  • Access person list with classification rationale 2.
  • Holdings and transaction reports (or brokerage feed extracts) for access persons 2.
  • Documentation of reviews: sign-offs, surveillance notes, escalations, resolutions 6.
  • IPO and limited offering pre-approval requests and decisions with rationale 2.
  • Acknowledgments of receipt (and amendments) from supervised persons 2.
  • Restricted list/watch list history and evidence it is used in reviews 5.
  • Training materials and attendance/attestation logs.

Common exam/audit questions and hangups

Expect these:

  • “Show me your access person definition and why each person is or is not an access person.” 2
  • “How do you confirm employees disclosed all brokerage accounts and beneficial ownership accounts?”
  • “Walk me through your review process. What are you looking for besides completeness?” 5
  • “Provide IPO/limited offering pre-clearance records and approvals/denials.” 2
  • “Show evidence you enforced consequences for late reporting or violations.”

Hangups that slow exams:

  • Reviews done in email with no centralized audit trail.
  • Restricted list exists but reviewers cannot show it was checked 5.
  • Access person population is stale after organizational changes.

Frequent implementation mistakes (and how to avoid them)

  1. Treating an employee handbook as the Code of Ethics. Fix: crosswalk your document to Rule 204A-1 sections and fill gaps 7.
  2. No evidence of review. Fix: require reviewer sign-off and documented follow-ups per reporting cycle 6.
  3. Pre-clearance exists only “on paper.” Fix: route every IPO/limited offering request through a tracked workflow; retain rationale 8.
  4. Mis-scoping access persons. Fix: base on information access and recommendation influence, reviewed at onboarding and at least annually 2.
  5. No integration with MNPI controls. Fix: align restricted list/watch list processes and personal trading reviews to MNPI risk themes in the SEC risk alert 5.

Public enforcement cases

The SEC has charged advisers for failures to adopt, maintain, or enforce a Code of Ethics, frequently paired with broader compliance program failures:

  • In the Matter of Two Point Capital Management, Inc. and John B. McGowan (IA-6199, 2022): The SEC alleged the adviser failed to establish, maintain, and enforce a written code of ethics over an extended period, alongside compliance program failures 9. Publicly reported penalty: $100,000 9.
  • In the Matter of Mortgage Industry Advisory Corporation (IA-6413, 2023): The SEC alleged code-of-ethics and compliance program deficiencies, including failure to adopt a compliant written code for years despite prior exam notice 10. Publicly reported penalty: $100,000 10.
  • In the Matter of Senvest Management LLC (IA-6772, 2024): The SEC’s order included code-of-ethics enforcement issues tied to personal trading/pre-clearance adherence as part of a broader matter 11. Publicly reported penalty: $6,500,000 11. The SEC press release frames that penalty in a broader enforcement context, so do not treat it as typical for code-of-ethics issues alone 11.

Risk implication for operators: Code of Ethics weaknesses are easy for exam staff to evidence (missing documents, missing reports, missing sign-offs) and can become “program credibility” problems that expand the scope of an exam 12.

Practical 30/60/90-day execution plan

First 30 days: get to a compliant baseline on paper and scope

  • Draft/update Code of Ethics to meet Rule 204A-1 minimum elements; align to IA-2256 concepts where helpful 1.
  • Build access-person inventory and rationale matrix; validate with IT entitlements and the investment team 2.
  • Decide reporting method (system vs manual) and design your evidence trail 2.

Days 31–60: operationalize reporting, pre-clearance, and reviews

  • Launch holdings and transaction reporting workflow for access persons; set deadlines and escalation.
  • Stand up IPO/limited offering pre-clearance workflow and repository 2.
  • Train supervised persons; distribute code and collect acknowledgments 2.
  • Implement review checklist aligned to SEC risk alert themes (restricted list comparisons, pattern detection) 5.

Days 61–90: run the control cycle and harden supervision

  • Complete at least one full review cycle end-to-end and document findings, exceptions, and remediation.
  • Test for completeness: reconcile disclosed brokerage accounts to attestation lists; chase stragglers; document enforcement actions.
  • Create your “exam binder” package and run an internal mock exam request: code, lists, reports, reviews, pre-clearance evidence 6.
  • If you are scaling, implement Daydream (or equivalent) to centralize attestations, pre-clearance, and review sign-offs with immutable audit trails.

Frequently Asked Questions

Who counts as an “access person” for the SEC code of ethics (RIA) requirement?

An access person is a supervised person who has access to nonpublic information about client transactions or holdings, makes securities recommendations, or has access to nonpublic recommendations 2. Title alone is not determinative; document your rationale.

Do I need pre-clearance for every personal trade?

Rule 204A-1 specifically requires pre-approval for access persons acquiring beneficial ownership in IPOs and limited offerings 2. Many firms extend pre-clearance beyond that as a policy choice, but that expansion is a design decision you must then enforce.

What does the SEC consider a “substantive” review of personal trading reports?

The SEC has flagged reviews that are pro forma and do not check for conflicts like restricted list breaches, parallel trading, or trading around MNPI controls 5. Your review file should show what you checked and what you did when you found an issue.

Can we satisfy the requirement with attestations only, without brokerage statements or feeds?

The rule requires reporting and adviser review 2. Attestations can work, but you need controls to reduce omission risk and prove follow-up when disclosures are incomplete.

How should we handle late personal trading reports?

Define lateness, escalation steps, and consequences in procedure, then document each exception and resolution. SEC orders show long-running failures to implement and enforce basic requirements draw enforcement attention 13.

What’s the fastest way to become exam-ready if we’re currently using spreadsheets and email?

Centralize the system of record for access persons, report intake, pre-clearance approvals, and reviewer sign-offs, then backfill evidence for the current period. Tools like Daydream can reduce gaps by keeping audit trails in one place rather than across inboxes 2.

Footnotes

  1. 17 CFR § 275.204A-1; IA-2256

  2. 17 CFR § 275.204A-1

  3. IA-6413; IA-6199; IA-6772

  4. IA-6413; IA-6199

  5. Risk Alert - April 26, 2022

  6. 17 CFR § 275.204A-1; Risk Alert - April 26, 2022

  7. 17 CFR § 275.204A-1; IA-6413

  8. 17 CFR § 275.204A-1; IA-6772

  9. IA-6199

  10. IA-6413

  11. IA-6772

  12. IA-6413; IA-6199; Risk Alert - April 26, 2022

  13. IA-6199; IA-6413

