Regulatory Compliance Checklist

The CCO logs into IARD and walks through every Item — Items 1, 5, 7, 9, and 11 are the most common change points. Annual amendment is due within 90 days of fiscal year end; a missed deadline is a near-automatic deficiency at the next SEC exam.

Update fee schedules, AUM, disciplinary disclosure (Item 9), and any new conflicts. Identify whether any change is material — that determination drives Form CRS amendment and interim client delivery, not just the annual cycle.

Material changes to Form CRS require an amended filing within 30 days and delivery to existing retail clients within 60 days. Pull the existing CRS, redline against the updated facts, and submit through IARD.

Run the full client list through Refinitiv World-Check, LexisNexis Bridger, or your AML vendor of record. Don't forget beneficiaries, trust grantors, and 25%+ beneficial owners on entity accounts — incremental party adds are the most common screening gap.

For each LLC, corporate, and trust account, verify the CDD beneficial owner certification is on file for any 25%+ owner plus one control person. Stale certifications past 12 months should be refreshed.

Pull every SAR filed since the last review. Confirm each was filed within 30 days of suspicion detection, the narrative met FinCEN's five-W standard, and supporting documentation is preserved for five years.

Walk through a ransomware or vendor-breach scenario with the CCO, COO, and IT lead. Test the notification chain to clients under Reg S-P amendments and applicable state breach laws (the SEC adopted a 30-day client notification rule effective 2024).

Confirm Schwab Advisor Center, Fidelity Wealthscape, Pershing NetX360, and Altruist all require MFA for every advisor and operations user. Pay attention to service-account exceptions — those are the usual back doors.

Sample five recent wire-instruction changes and confirm operations called the client back at the number of record — not the number on the requesting email. Email-only wire changes are the single most common loss event in advisory operations.

Pull a 10-message random sample per advisor from Smarsh, Global Relay, or Bloomberg Vault. Verify retention, search, and lexicon-flagging are functioning under Rule 204-2's five-year requirement.

Every advisor signs an annual attestation that personal email, personal text, and WhatsApp are not used for client business. The 2022–2024 SEC sweeps produced more than $2B in penalties for off-channel comms — attestation alone won't save the firm, but the absence of one will sink it.

Pull a sample from Hearsay or Smarsh of advisor LinkedIn and Facebook posts. Flag any post recommending a security or making a performance claim without required disclosures — those are retail communications needing principal pre-approval.

Pull every SLOA on file and verify each meets the seven conditions of the 2017 IM Guidance no-action letter. Any SLOA missing a condition triggers custody under Rule 206(4)-2 — meaning a surprise exam by a PCAOB-registered auditor.

If custody is triggered, schedule the surprise verification within the next quarter and update Form ADV Item 9 to reflect the custody answer. The auditor needs unannounced access to client account records and signed confirmations.

Compare the internal fee invoice (Black Diamond, Orion, or Tamarac) against the custodian's actual debit and the period-balance methodology disclosed in the IAA. Three-way mismatches are a leading SEC deficiency in custody and fee disclosure exams.

Every finding gets a named owner, severity rating, target close date, and verification method. Repeat findings cycle-over-cycle are the single biggest red flag for an SEC exam team.

Walk principals through findings, remediation owners, and any policy changes recommended. Document attendance and decisions in committee minutes — examiners ask for these.