SEC Supervision Rule - Section 203(e)(6)

SEC Supervision Rule - Section 203(e)(6) requires you to maintain and execute a supervision system that is reasonably designed to prevent and detect securities law violations by your supervised persons, and to be able to prove it worked (or that you reasonably carried out your duties). Operationalize it by mapping supervisors to risks, hardening communications and systems controls, and documenting testing, escalation, and remediation. ¹

Key takeaways:

• Assign named supervisors to specific activities, channels, and systems, then evidence the supervision.
• Focus on known failure modes: off-channel communications, remote/branch oversight, and model/system change controls.
• Treat “procedures + reasonable discharge of duties” as an evidence problem, not a policy-writing task. ¹

Section 203(e)(6) is the SEC’s failure-to-supervise authority under the Investment Advisers Act. You rarely “comply” with it through a single policy. You comply by running supervision as an operating system: clear supervisory assignments, documented procedures, surveillance and review, escalation, and follow-through when exceptions occur. The SEC’s recent matters show how supervision failures show up in practice: employees using unapproved messaging that defeats recordkeeping, weak controls over who can change investment models, and inadequate oversight for dispersed offices or independent contractors. (Sources: 15 U.S.C. § 80b-3(e)(6); Investment Advisers Act Release No. 6581 (April 3, 2024); Investment Advisers Act Release No. 6824, File No. 3-22418 (January 16, 2025); SEC Division of Examinations (October 21, 2024); SEC Division of Examinations Risk Alert)

This page translates the sec supervision rule - section 203(e)(6) requirement into an implementation checklist you can execute quickly. The emphasis is exam-ready operations: who supervises whom, what gets reviewed, what systems enforce the rules, what gets tested, and what artifacts you retain so you can assert the statutory defense that you had established procedures and reasonably discharged supervisory duties. ¹

Regulatory text

Citation: 15 U.S.C. § 80b-3(e)(6)

What the statute does (operator view): Section 203(e)(6) authorizes the SEC to sanction an adviser (and certain responsible persons) for failing to reasonably supervise a supervised person who violates the federal securities laws, subject to a defense when the firm had established procedures and a system to apply them, and the supervisor reasonably carried out supervisory responsibilities. ¹

Plain-English interpretation of the requirement

• You must design supervision that matches your actual risks (products, client types, channels, systems, offices).
• You must run the supervision you designed (reviews happen, exceptions are escalated, remediation closes).
• You must prove both design and execution with records that tie supervision to outcomes. ¹

Who it applies to (entity and operational context)

Primary scope

• SEC-registered or SEC-reporting investment advisers and their supervised persons. The statute’s trigger is a supervised person’s violation plus a failure to reasonably supervise. ¹

Where it bites operationally

• Electronic communications and recordkeeping: supervision over approved channels, retention, and detection of off-channel business communications. (Sources: Investment Advisers Act Release No. 6581 (April 3, 2024); Investment Advisers Act Release No. 6655, File No. 3-22002 (August 14, 2024))
• Quant/model and trading systems: supervision over access, parameter changes, approvals, and audit logs. ²
• Branch offices, remote staff, and independent contractors: supervision that works across distance, not just on paper. (Sources: SEC Division of Examinations (October 21, 2024); SEC Division of Examinations Risk Alert)
• Third parties: vendors that host communications, portfolio systems, or cybersecurity services become part of your supervision story because they affect your ability to evidence control and retain records. ³

What you actually need to do (step-by-step)

1) Define your supervisory map (people → activities → risks)

1. Inventory supervised activities: portfolio management, trading, client communications, marketing, billing, custody-related workflows, and model governance (if applicable). ³
2. Assign a named supervisor for each activity and a backup. Tie assignments to job descriptions and your supervisory procedures. ⁴
3. Create a supervision coverage matrix (table format) with columns: activity, who performs it, supervisor, surveillance/review control, evidence produced, escalation path, review frequency (set frequency based on risk). ⁴

2) Write procedures that are testable (not narrative)

Your written supervisory procedures should be auditable. For each risk area, state:

• What is prohibited/required
• How supervision detects violations
• Who reviews what
• What constitutes an exception
• What happens next (escalation + remediation + discipline) ¹

High-impact procedure modules aligned to current SEC focus:

• Off-channel communications: approved tools list, prohibition on unapproved apps and auto-delete for business, attestations, monitoring, and consequences. (Sources: Investment Advisers Act Release No. 6581 (April 3, 2024); Investment Advisers Act Release No. 6655, File No. 3-22002 (August 14, 2024))
• Remote/branch supervision: branch review program, sampling of client files and communications, local attestations, and targeted training. (Sources: SEC Division of Examinations (October 21, 2024); SEC Division of Examinations Risk Alert)
• Model/system change management: access control, approvals, peer review, logging, and post-change validation checks. ²

3) Put technical controls where policy cannot scale

Policies do not stop behavior. Systems do.

• Communications archiving and surveillance: implement capture/retention for business communications on approved platforms, then run periodic surveillance and exception triage. (Sources: Investment Advisers Act Release No. 6655, File No. 3-22002 (August 14, 2024); SEC Division of Examinations (October 2023))
• System access controls: role-based access for portfolio systems, trading tools, and model repositories; periodic access recertification; immutable logs for sensitive changes. ²
• Third-party governance controls: vendor inventory, due diligence for systems that affect supervision (archiving, trading, cybersecurity), contract requirements for record access and incident notice, and ongoing monitoring. ³

Practical note: Daydream is useful here because it can centralize your third-party inventory, due diligence artifacts, and ongoing monitoring tasks so supervision dependencies (archiving vendor, EDR vendor, portfolio system vendor) are visible and reviewable in one place. Keep it evidence-first: every control should point to a retained artifact.

4) Execute supervision on a calendar (and keep the outputs)

Build a supervision runbook with recurring reviews:

• Communications reviews (sampling + lexicon/keyword alerts where supported)
• Branch/remote reviews
• Trade surveillance exception review (if applicable)
• Access recertification and change management review
• Complaint and incident trend review
• Training and attestations follow-up (Sources: SEC Division of Examinations (October 2023); SEC Division of Examinations Risk Alert)

5) Test and improve annually (and whenever the business changes)

• Perform periodic testing of whether supervisory procedures are followed and effective, and update them when you add new products, client types, offices, or tools. Examiners have flagged business model changes and never/infrequently examined advisers as focus areas. ⁵

Required evidence and artifacts to retain

Keep artifacts in a format you can produce quickly during an exam. Typical must-haves:

• Supervisory structure: org chart; supervision coverage matrix; role descriptions; delegation letters. ⁴
• Written supervisory procedures: version history; approval records; training mapping to procedures. ⁴
• Execution evidence: review logs, surveillance outputs, exception tickets, attestations, disciplinary actions, remediation plans with closure evidence. ¹
• Communications controls: approved channel list; archiving configuration evidence; monitoring reports; off-channel investigations. (Sources: Investment Advisers Act Release No. 6581 (April 3, 2024); Investment Advisers Act Release No. 6655, File No. 3-22002 (August 14, 2024))
• System governance: access lists; access recertification sign-offs; change requests/approvals; audit logs for model or parameter changes. ²
• Third-party oversight: vendor due diligence, SOC reports where obtained, security reviews, contract clauses for record access and incidents, ongoing monitoring notes. ³

Common exam/audit questions and hangups

Expect questions that test whether supervision is real:

• “Show me who supervises portfolio managers, traders, and IARs, and what they reviewed last quarter.” ⁴
• “What channels are permitted for business communications? How do you detect off-channel use?” (Sources: Investment Advisers Act Release No. 6581 (April 3, 2024); Investment Advisers Act Release No. 6655, File No. 3-22002 (August 14, 2024))
• “How do you supervise remote staff and independent contractors?” ⁵
• “Who can change models/parameters, and what approvals and logs exist?” ²
• “How do you supervise third parties that affect recordkeeping, cybersecurity, or trading operations?” ³

Frequent implementation mistakes (and how to avoid them)

1. WSPs that can’t be tested. Fix: require each procedure to name an owner, data source, review output, and escalation step. ⁴
2. “Prohibited” communications without technical enforcement. Fix: approved tools with archiving plus periodic audits and consequences for exceptions. (Sources: Investment Advisers Act Release No. 6581 (April 3, 2024); Investment Advisers Act Release No. 6655, File No. 3-22002 (August 14, 2024))
3. No supervision story for quants, engineers, or system admins. Fix: treat model and system change control as a compliance control with logs and approvals. ²
4. Branch/remote oversight done ad hoc. Fix: scheduled reviews, documented sampling, and tracked remediation. (Sources: SEC Division of Examinations (October 21, 2024); SEC Division of Examinations Risk Alert)
5. Third parties “owned by IT” with no compliance evidence. Fix: vendor inventory, due diligence standards, and monitoring that ties vendors to supervision dependencies. ³

Public enforcement cases

These matters show how Section 203(e)(6) supervision failures get charged alongside recordkeeping, compliance program, or conduct issues.

Case	What went wrong (supervision lens)	Why it matters
In the Matter of Two Sigma Investments, LP and Two Sigma Advisers, LP	SEC alleged failure to supervise an employee who changed investment model parameters without authorization, leading to significant performance discrepancies. 2	Supervision must cover technologists and model governance, not only traditional advisory roles.
In the Matter of Raymond James & Associates, Inc.	SEC alleged supervision failures tied to electronic communications recordkeeping, including unapproved channels and lost communications. 6	Off-channel communications is a supervision and recordkeeping problem, and penalties can be large at scale. 6
In the Matter of Senvest Management LLC	SEC alleged off-channel communications with auto-delete settings and related supervision/recordkeeping failures. 7	Even smaller advisers face standalone actions tied to messaging and retention controls.
In the Matter of HCR Wealth Advisors	SEC alleged failure to reasonably supervise an adviser representative who violated securities laws. 8	Classic “rep misconduct + weak supervision” pattern; your evidence must show active oversight.
In the Matter of Frontier Wealth Management	SEC administrative proceeding alleging failure to reasonably supervise advisory representatives under Section 203(e)(6). 9	Reinforces that supervision failures can pair with compliance program weaknesses.

Enforcement context and risk implications

Section 203(e)(6) is often charged when the SEC can point to a supervised person’s violation and show your procedures or execution did not meet a reasonable standard, or you cannot substantiate the safe-harbor-style defense built into the statute. ¹ Recent cases illustrate three recurring risk implications:

• Recordkeeping exposure becomes supervision exposure when employees use unapproved channels and the firm fails to prevent, detect, or remediate. (Sources: Investment Advisers Act Release No. 6581 (April 3, 2024); Investment Advisers Act Release No. 6655, File No. 3-22002 (August 14, 2024))
• System integrity is a compliance risk when a single employee can alter models or parameters without effective oversight. ²
• Distance increases scrutiny for advisers supervising dispersed offices or independent contractors. ⁵

Practical 30/60/90-day execution plan

First 30 days (stabilize and map)

• Build the supervision coverage matrix and get leadership sign-off on supervisory assignments. ⁴
• Freeze and publish the approved communications channels list, and launch immediate attestations for all supervised persons. (Sources: Investment Advisers Act Release No. 6581 (April 3, 2024); Investment Advisers Act Release No. 6655, File No. 3-22002 (August 14, 2024))
• Identify your highest-risk systems (email archive, portfolio platform, trading tools, model repositories) and confirm access logging exists. ²
• Stand up a third-party inventory for tools that affect supervision and recordkeeping. ³

Days 31–60 (implement controls and reviews)

• Turn procedures into repeatable reviews: define samples, reviewers, outputs, and escalation steps. ⁴
• Implement or validate communications capture/archiving and surveillance, then document the workflow for triage and remediation. (Sources: Investment Advisers Act Release No. 6655, File No. 3-22002 (August 14, 2024); SEC Division of Examinations (October 2023))
• Launch a branch/remote review plan for dispersed personnel, with documented testing and remediation tracking. (Sources: SEC Division of Examinations (October 21, 2024); SEC Division of Examinations Risk Alert)
• Formalize model/system change management: approvals, logs, and periodic review of changes. ²

Days 61–90 (prove effectiveness)

• Run your first supervision cycle end-to-end: reviews performed, exceptions logged, remediation closed, management reporting produced. ¹
• Conduct a targeted test of high-risk areas: off-channel communications detection, access recertification, branch review follow-through. (Sources: SEC Division of Examinations Risk Alert; SEC Division of Examinations (October 21, 2024))
• Operationalize third-party monitoring in Daydream (or your GRC system): due diligence artifacts, renewal dates, incident obligations, and evidence of ongoing oversight. ³

Frequently Asked Questions

Does Section 203(e)(6) require a specific set of written supervisory procedures (WSPs)?

The statute does not prescribe a single WSP format, but it conditions the supervisory defense on having established procedures and a system to apply them, plus reasonable discharge of duties. Build procedures that produce review evidence you can show in an exam. ¹

How should I supervise off-channel communications without inspecting everyone’s personal phone?

Start by limiting business communications to approved, archived channels and requiring attestations, then run surveillance and investigate exceptions. Recent SEC matters show supervision and recordkeeping failures tied to unapproved apps and auto-delete settings. (Sources: Investment Advisers Act Release No. 6581 (April 3, 2024); Investment Advisers Act Release No. 6655, File No. 3-22002 (August 14, 2024))

Our adviser has independent contractors across multiple states. What will examiners expect?

Expect scrutiny of how you implement supervision across dispersed locations, including documented branch/remote reviews, escalation, and training. The SEC has highlighted supervision of independent contractors in exam priorities. ⁵

We run quantitative strategies. Is model governance really a “supervision” issue?

Yes. The SEC has brought a Section 203(e)(6) case tied to unauthorized model parameter changes, which frames model access and change control as supervision expectations. Treat model changes like a controlled, logged process. ²

How does third-party oversight connect to Section 203(e)(6)?

If a third party provides tooling that affects recordkeeping, cybersecurity, or key operational controls, weak oversight can undermine your ability to supervise and to evidence it. SEC exam priorities call out third-party vendor oversight as a focus area. ³

What evidence best supports the “reasonable supervision” defense?

Evidence that ties design to execution: clear supervisory assignments, dated review logs, exception tickets, remediation closure, and periodic testing results. That evidence maps directly to the statute’s procedures-and-reasonable-discharge concepts. ¹

Footnotes

1. 15 U.S.C. § 80b-3(e)(6)

2. Investment Advisers Act Release No. 6824, File No. 3-22418 (January 16, 2025)

3. SEC Division of Examinations (October 2023)

4. [SEC Division of Examinations Risk Alert](https://www.sec.gov/files/OCIE Risk Alert - Supervision Initiative.pdf)

5. SEC Division of Examinations (October 21, 2024)

6. Investment Advisers Act Release No. 6655, File No. 3-22002 (August 14, 2024)

7. Investment Advisers Act Release No. 6581 (April 3, 2024)

8. Investment Advisers Act Release No. 5361 (September 30, 2019)

9. September 2021 Administrative Proceeding