Compliance is the backbone of every successful RIA firm. It’s not just about following the rules. It’s about building trust with your clients, protecting your business, and showing regulators that you take your responsibilities seriously.
In this article, we’ll break down the essentials of your RIA compliance checklist. We’ll share a free downloadable checklist you can use. You can also use it as a framework to build one of your own.
Every RIA, no matter its size, needs a compliance checklist. This list is your roadmap to meeting legal requirements and protecting your clients.
The essentials start with registration and Form ADV.
If you manage $100 million or more in assets, you must register with the Securities and Exchange Commission (SEC). RIAs with AUM below this threshold generally register with their state regulator. Completing Form ADV is the first compliance requirement for any RIA.
Part 1 of Form ADV gathers basic information about the firm. Part 1A is completed by every adviser, whether registering with the SEC or a state. Part 1B is an additional section completed only by firms registering with state regulators.
Part 2 functions as a brochure for the firm. It should be written in plain English to help clients understand what your firm and services are about.
You’ll find guidelines on completing these forms in the SEC’s Form ADV guide.
Next, you need a chief compliance officer (CCO). This person is responsible for making sure your firm follows the rules.
Your compliance program should include the three elements Rule 206(4)-7 requires: written policies and procedures, an annual review of those policies, and a designated CCO.
Your CCO should be a senior person inside the firm with the authority and resources to enforce the program, but routine compliance tasks can be outsourced.
Recordkeeping is another essential. Keep detailed records of your business activities, including client agreements, trades, and marketing materials.
All records should be organized and easy to produce if regulators ask for them. Most compliance software includes document management features that make this easier.
Some compliance requirements need to be met every year. These requirements keep your firm in good standing and help you spot problems early.
Update and file your Form ADV at least once every year. This must be done within 90 days of the end of your RIA’s fiscal year.
Updates to Form ADV are done through the Investment Adviser Registration Depository (IARD) portal.
Go over your policies and procedures at least every year. Make sure they still work and reflect how your business operates. Document your review and any changes you make.
Rule 204A-1 under the Investment Advisers Act of 1940 requires RIAs to adopt a code of ethics. Check your code of ethics yearly and update it to address new risks or changes in your business.
Provide compliance training for all staff at least once a year. Make sure everyone understands their responsibilities and knows how to report concerns.
Challenge and test your compliance systems and processes. This could include spot-checking records, reviewing communications, or running mock audits.
Review all marketing materials and advertising for accuracy and compliance with the SEC's Marketing Rule (Rule 206(4)-1 under the Act). An advertisement must be honest and not mislead anyone. It cannot leave out important facts, exaggerate benefits, or hide risks.
Update your business continuity plan to make sure you can keep serving clients during a crisis. This could include staff shortage due to a natural disaster or disruptions caused by cyberattacks.
Cybersecurity threats are growing, and the risks to your firm's operations and your clients' information are higher than ever. The SEC is making cybersecurity a top priority during examinations, and your RIA compliance checklist should reflect that.
Based on the SEC's examination priorities for fiscal year 2025, examiners will check that you maintain operational resiliency, govern your cybersecurity program, protect client data, and manage third-party risk.
Let's look at each aspect a bit more closely:
Make sure your policies and procedures are designed to prevent disruptions to your most important services. Safeguard all investor information, records, and assets from cyber threats.
Be ready for a range of risks. Aside from cyberattacks, be prepared for disruptions such as natural disasters, the loss of key staff, and outages at critical vendors.
Your compliance program should address how you'll keep running and protect client data if something unexpected happens.
Review and update your cybersecurity policies. Ensure that your leadership team is involved in overseeing information security and that everyone knows their responsibilities.
Use tools and processes to prevent unauthorized access or leaks of sensitive data. Limit account access to only those who need it and monitor account activity for unusual behavior.
Pay close attention to the cybersecurity practices of any vendors, contractors, or IT services you use. Assess and manage risks from third-party products and services, especially those not formally approved or monitored by your IT department.
A top priority for regulators is checking that you are fulfilling your fiduciary duty. They want to see that you are always acting in your clients’ best interests, never letting your own interests come first.
Using the SEC's exam priorities as a framework, these are the areas regulators expect RIAs to cover.
Regulators will look at how you recommend investments, especially complex or high-cost products. They want to see that your advice suits each client’s needs and goals, and that you consider points like risk, cost, and account type before making recommendations.
Examiners expect you to spot any situation where your interests might conflict with your clients'. You should eliminate these conflicts or disclose them fully and fairly so clients can make informed choices.
Be upfront about how you and your staff get paid, especially if there are incentives that could influence your advice.
Your compliance program should be tailored to your business. It should reflect your services, compensation structure, and any current market risks.
Regulators want to see that you review and update your policies regularly, and that you actually follow them in practice.
Good recordkeeping is essential. Regulators will check that you keep accurate, secure records of client communications, marketing materials, and compliance activities.
Examiners will also want to see that you protect client privacy and safeguard sensitive information. Communicate with clients using authorized platforms so that messages can be recorded and stored.
Off-channel communication is a serious problem. Case in point: a New York-based RIA was fined $6.5 million by the SEC for using unofficial channels when texting clients.
Your advertising and marketing must be truthful and not misleading. Regulators will review your materials to ensure you can back up any claims you make.
Examiners will check that you're following all rules around testimonials, performance reporting, and third-party endorsements.
Examiners will look at how you protect client funds and confidential data, including your controls for preventing unauthorized access or misuse.
If you use third-party vendors or have multiple offices, regulators want to see that you have oversight processes in place to ensure compliance across your entire operation.
Any time you make significant changes to your services or agreements, you should get clear, informed consent from your clients.
Regulators expect you to conduct a thorough annual review of your compliance program, making improvements where needed, and documenting your process.
Here’s the bottom line: regulators are looking for a culture of compliance. It’s one where your firm’s actions, not just your paperwork, show a real commitment to putting clients first and managing risks responsibly.
A well-built RIA compliance checklist is your first step to meeting these expectations.
We’ve summarized these key points in an RIA compliance checklist on a single page. You can download, print, and use it as-is.
You can also use it as a framework for drafting your own checklist. Use it along with any of the top compliance software to make sure you meet SEC or state mandated requirements on time.
Compliance isn’t just about rules; it’s also about culture. A proactive compliance culture means everyone in your firm understands the importance of doing things right.
Start by making compliance a regular part of your conversations. Hold training sessions, share updates, and encourage staff to speak up if they see something wrong. Recognize and reward employees who pay attention to compliance.
Leadership sets the tone. When firm leaders take compliance seriously, the rest of the team will too.
Open communication and ongoing education help build a culture where everyone feels responsible for protecting clients and the firm.
An RIA has many compliance requirements to think about, so having them in one checklist helps streamline these processes. Use it along with other tools and software built especially for investment advisors.
With the right approach, compliance becomes a natural part of your firm’s success. Review your checklist regularly, stay informed about new rules, and keep your team engaged. That’s how you build a resilient, trusted RIA.
Read and bookmark our compliance section for the latest in regulatory requirements for RIAs.