SEC Compliance Program Rule (RIA Compliance Policies)

To meet the SEC Compliance Program Rule (Rule 206(4)-7), an SEC-registered (or required-to-be-registered) investment adviser must adopt and implement written compliance policies reasonably designed for its business, designate a responsible CCO, and conduct an annual review that is documented in writing. Examiners will test whether your program is tailored, implemented, and evidenced. 1

Key takeaways:

  • Your policies must be written and tailored to your actual business model, risks, and conflicts, not a generic manual. 1
  • Your annual compliance review must be performed at least annually and documented in writing with a defensible scope and results. 2
  • You must formally designate a supervised person to administer the program, and they need real authority and access to information. 1

The SEC Compliance Program Rule is a “foundational” exam area because it sits underneath almost every Advisers Act obligation you already manage: disclosures, conflicts, safeguarding assets, MNPI, marketing, trading practices, and supervision. Rule 206(4)-7 does not give you a checklist of required chapters, but it does require outcomes: written policies and procedures that are reasonably designed for your firm, implemented in practice, reviewed at least annually, and administered by a designated individual. 3

Operationally, most firms fail this requirement in predictable ways: they buy a template manual, don’t map it to real workflows, don’t test whether the controls operate, and can’t prove what happened during the annual review. SEC examination priorities explicitly call out both “tailoring” and the annual review documentation requirement, so your execution needs to be exam-ready. 4

This page gives requirement-level implementation guidance you can use to stand up or remediate your RIA compliance policies quickly, with a focus on what the SEC asks for, what enforcement orders show goes wrong, and what evidence you should retain.

What this requirement is (plain-English interpretation)

Rule 206(4)-7 makes it unlawful for an investment adviser registered (or required to be registered) under Section 203 of the Advisers Act to provide investment advice unless it has:

  1. Written compliance policies and procedures reasonably designed to prevent violations by the firm and its supervised persons,
  2. Policies that are implemented in a way that reflects the nature of the firm’s business,
  3. An annual review of adequacy and effectiveness that is documented in writing, and
  4. A designated individual responsible for administering the program. 1

Translate that into operator language:

  • You need a risk-based compliance program that matches your actual services, client base, products, compensation, and operations.
  • You need proof that people follow it, you test it, and you fix it.
  • You need a real annual review memo, not a calendar reminder.

Regulatory text

Rule 206(4)-7 requires that an adviser “adopt and implement written policies and procedures reasonably designed to prevent violation” of the Advisers Act and SEC rules, “taking into account the nature of your business,” and to review those policies “no less frequently than annually,” documenting the review in writing, and to designate an individual responsible for administering the program. 1

What the operator must do:

  • Maintain a written compliance program that covers the risks created by your business.
  • Run the program day to day (training, surveillance, approvals, exception handling).
  • Perform an annual review with a written work product that explains scope, testing, findings, and remediation.
  • Put a named person in charge (typically the CCO) with clear responsibilities. 3

Who it applies to (entity and operational context)

Applies to:

  • Any investment adviser registered or required to be registered with the SEC under Section 203 of the Advisers Act. 1

Operationally relevant across:

  • Portfolio management and trading (including allocation, best execution processes, and restricted lists)
  • Personal trading and employee conduct
  • Marketing and communications (including performance-related materials)
  • Conflicts of interest (fee structures, revenue sharing, share class selection, service provider arrangements)
  • Safeguarding client assets and custody rule workflows
  • MNPI handling for advisers with access to issuer / portfolio company information
  • Supervision across offices, affiliates, relying advisers, or umbrella registration structures 5

What you actually need to do (step-by-step)

Step 1: Define your compliance program scope from your “firm facts”

Create a one-page “firm profile” input that drives tailoring:

  • Registrant and relying adviser structure (including any umbrella registration design)
  • Client types (retail, institutional, funds)
  • Products/strategies (public equities, credit, private funds, illiquid holdings)
  • Compensation model (wrap programs, share class considerations, performance fees)
  • Third parties (prime brokers, administrators, custodians, valuation firms, marketers)
  • Data/MNPI touchpoints (board seats, portfolio company reporting, deal pipelines) 6

Output: a scope statement for your policies plus a risk inventory you can map to procedures.

Step 2: Map each risk to a written policy section and an operating control

For each high-risk area, document:

  • Policy objective (what violation it prevents)
  • Procedure steps (who does what, when, in which system)
  • Evidence (what record proves it happened)
  • Escalation (who approves exceptions; when Legal is required)

Examples tied to observed enforcement themes:

  • Conflicts/share class and compensation incentives: require a periodic review of recommendations and disclosures aligned to your fee model. 7
  • Valuation for illiquid/private fund assets: define committee roles, inputs, GAAP alignment, and challenge process; keep minutes and support. 8
  • MNPI: define restricted list triggers, email/content review rules, and marketing guardrails when discussing portfolio companies. 9
  • Custody/audited financial statements workflow: define responsibility matrix, deadlines, and investor delivery evidence. 10

Step 3: Implement supervision mechanics (the “how it runs” layer)

Written procedures are not “implemented” until you can show:

  • Assigned control owners for each procedure
  • Training delivered to supervised persons on relevant policies
  • A testing/monitoring cadence (trade reviews, marketing review logs, exception reports)
  • A remediation workflow (ticketing, corrective actions, target dates, retesting) 1

Practical tip: build a single “Compliance Control Matrix” that lists each procedure, owner, evidence, and test method. This becomes your exam packet backbone.

Step 4: Formalize CCO designation and authority

Document:

  • CCO designation (letter, resolution, or internal memo)
  • CCO responsibilities (administration, escalation, annual review ownership)
  • Reporting line and access to information needed to administer the program 1

Step 5: Execute and document the annual review (workpaper-grade)

The SEC exam program prioritizes reviewing annual compliance reviews and now expects written documentation. 11

Minimum contents for a defensible annual review memo:

  • Period covered and scope (entities, offices, strategies)
  • Changes in business (new products, new service providers, new conflicts)
  • Testing performed (what you tested; sample rationale if relevant)
  • Findings ranked by risk, with root cause
  • Remediation plan with owners and completion tracking
  • Policy updates made (or rationale for no change)

Step 6: Keep the program current between annual reviews

Rule 206(4)-7 requires annual review, but “reasonably designed” breaks if the business changes and the manual doesn’t. Track:

  • New strategies/products
  • Material incidents/complaints
  • New third parties in critical workflows
  • Regulatory changes affecting your operations 1

Required evidence and artifacts to retain (exam-ready list)

Maintain a folder (or GRC workspace) that can be exported quickly:

Governance

  • Current compliance manual and revision history 1
  • CCO designation documentation and role description 1
  • Compliance committee agendas/minutes (if applicable)

Implementation

  • Control matrix mapping risks → procedures → owners → evidence
  • Training materials and attendance/attestations
  • Surveillance/testing logs (trade reviews, marketing approvals, personal trading reviews)
  • Exception logs with approvals and follow-up

Annual review

  • Annual review memo (written) and supporting workpapers 2
  • Remediation tracker with closure evidence

Daydream fit (earned mention): teams commonly store these artifacts across email, shared drives, and portfolio systems. Daydream helps centralize the control matrix, evidence collection, and annual review workpapers into a single exam-ready record set, which reduces scramble risk when the SEC asks for “past 2–3 years” of documentation. 4

Common exam/audit questions and hangups

Expect questions that test tailoring and implementation, not just existence:

  • “Walk me through how your policies reflect your compensation structure, services, and client base.” 4
  • “Show the written annual review documentation and the testing that supports its conclusions.” 11
  • “Which procedures changed after the review, and why?”
  • “Who is responsible for administering the program, and how do they get information from investment teams?” 1
  • “For private funds: show valuation governance and custody-related delivery evidence.” 12

Public enforcement cases

These orders are useful as “what failure looks like” patterns, not as a checklist:

  • Jordan/Zalaznick Advisers, Inc. (IA-6711): Highlights risks where a compliance program does not match the adviser’s operational structure (including umbrella-related supervision expectations described in the order). 13
  • OEP Capital Advisors, L.P. (IA-6514): Focuses on MNPI handling failures tied to marketing communications and inadequate enforcement of policies. 9
  • Forepont Capital LLC (IA-6438): Involves custody rule compliance process breakdowns, showing how missing operational procedures can drive Rule 206(4)-7 exposure. 10
  • Sciens Diversified Managers, LLC (IA-6315): Addresses valuation policy weaknesses for illiquid/private investments, a classic “not reasonably designed” issue. 8
  • Private Advisor Group, LLC (IA-6069): Illustrates conflicts and fiduciary duty issues where compliance policies did not prevent the problematic conduct; the SEC included a Rule 206(4)-7 charge in the order. 7

Penalty context (use carefully): publicly reported penalties in a sample of these matters range from $150,000 to $5,800,000. 14

Frequent implementation mistakes and how to avoid them

Mistake: Copy/paste manual with no tailoring
  Why it fails in exams: SEC tests whether policies “reflect… business, compensation structure, services, client base, and operations.” 4
  Fix that works: Write a firm profile; map each material business line to a procedure and evidence artifact.

Mistake: “Annual review” is a meeting with no workpapers
  Why it fails in exams: Written documentation is required; the Division prioritizes reviewing it. 2
  Fix that works: Produce an annual review memo with testing evidence and a remediation tracker.

Mistake: CCO named on paper but lacks access/authority
  Why it fails in exams: The administration obligation is real; inability to evidence administration becomes a practical failure. 1
  Fix that works: Define escalation rights, standing meetings, and data access (trading, marketing, portfolio updates).

Mistake: Private fund valuation treated as “finance-only”
  Why it fails in exams: Enforcement shows valuation policy design and governance failures trigger 206(4)-7 issues. 8
  Fix that works: Put valuation governance into compliance scope with minutes, challenge documentation, and policy mapping.

Mistake: MNPI policy exists but marketing emails bypass it
  Why it fails in exams: Enforcement shows violations where policies are not enforced. 9
  Fix that works: Add pre-clearance triggers, restricted list workflow, and periodic testing of outbound communications.

Enforcement context and risk implications

Rule 206(4)-7 is frequently charged alongside other Advisers Act violations because it is the SEC’s way to address the program failure that allowed the underlying misconduct. The risk is not limited to a “technical” citation; the compliance program finding often connects to conflicts, MNPI, custody, and disclosure issues. 15

Exams also treat 206(4)-7 as a readiness test: if your annual review is thin, your manual generic, or evidence scattered, the exam can expand quickly into other areas because the SEC cannot rely on your supervisory controls. 4

Practical 30/60/90-day execution plan

First 30 days (stabilize and inventory)

  • Confirm applicability and in-scope entities/branches; document firm profile inputs. 1
  • Collect current compliance manual, prior annual reviews (if any), and CCO designation documentation. 1
  • Build a first-pass risk inventory aligned to your business lines (private funds, MNPI access, custody workflows). 16
  • Stand up an evidence library structure (by control area) so documents land in one place.

Days 31–60 (tailor and implement)

  • Draft or revise the compliance manual to match actual workflows and owners. 2
  • Publish a compliance control matrix with owners, evidence, and test method.
  • Deploy targeted training for supervised persons in high-risk areas (MNPI, marketing, personal trading, valuation governance). 17

Days 61–90 (test and prepare the annual review package)

  • Run initial testing for each major control area; log exceptions and remediation.
  • Produce an annual review memo template and begin compiling workpapers so the end-of-year process is repeatable. 2
  • Update policies based on findings and document the change rationale.

Ongoing cadence: maintain a rolling remediation tracker and refresh the firm profile whenever the business changes so the program stays “reasonably designed.” 1

Frequently Asked Questions

Do we need specific chapters in the compliance manual to satisfy Rule 206(4)-7?

The rule is principles-based and does not prescribe a required table of contents. Your manual must be written, reasonably designed for your business, implemented, and reviewed annually with written documentation. 3

What qualifies as “document the annual review in writing”?

Keep a dated annual review memo (or report) that describes scope, testing performed, findings, and remediation status. SEC exam priorities explicitly focus on reviewing this documentation. 2

Can the CCO be outsourced or be a non-employee?

The rule requires you to designate an individual who is a “supervised person” responsible for administering the policies. Work with counsel to determine whether your structure meets “supervised person” and administration expectations. 1

We use a third-party compliance consultant. Does that satisfy the rule?

A consultant can help you design and test the program, but the adviser must adopt and implement the written policies and designate a responsible individual to administer them. Keep clear role definitions and retain consultant workpapers as supporting evidence. 1

What do examiners mean by “tailored to your business”?

The SEC looks for policies that reflect your services, client base, compensation structure, operations, and current market risks. Generic policies with no firm-specific procedures and evidence trails are a common deficiency theme. 4

We have private funds. Which areas tend to trigger 206(4)-7 findings?

Enforcement orders show common weaknesses in valuation governance for illiquid holdings, custody/audit delivery processes, and MNPI controls tied to portfolio company access and marketing communications. 18

Footnotes

  1. 17 CFR § 275.206(4)-7

  2. 17 CFR § 275.206(4)-7; 2024 Examination Priorities

  3. 17 CFR § 275.206(4)-7; IA-2204

  4. 2024 Examination Priorities

  5. IA-2204; IA-6711; IA-6514; IA-6438; IA-6315; IA-6069

  6. IA-2204; IA-6711; IA-6514

  7. IA-6069

  8. IA-6315

  9. IA-6514

  10. IA-6438

  11. 2024 Examination Priorities; 17 CFR § 275.206(4)-7

  12. IA-6315; IA-6438

  13. IA-6711

  14. IA-6711; IA-6069; IA-6514; IA-6438; IA-6315

  15. IA-6069; IA-6514; IA-6438

  16. IA-6514; IA-6438; IA-6315

  17. IA-6514; IA-6315

  18. IA-6315; IA-6438; IA-6514
