Regulatory Compliance Checklist

The CCO logs into IARD and walks through every Item — Items 1, 5, 7, 9, and 11 are the most common change points. Annual amendment is due within 90 days of fiscal year end; a missed deadline is a near-automatic deficiency at the next SEC exam.

Update fee schedules, AUM, disciplinary disclosure (Item 9), and any new conflicts. Identify whether any change is material — that determination drives Form CRS amendment and interim client delivery, not just the annual cycle.

Material changes to Form CRS require an amended filing within 30 days and delivery to existing retail clients within 60 days. Pull the existing CRS, redline against the updated facts, and submit through IARD.

Send Part 2A (or summary of material changes plus offer to provide) to every existing client within 120 days of fiscal year end. Capture delivery confirmation per client in the CRM — Wealthbox, Redtail, and Salesforce FSC all support a delivery field for exam evidence.

Run the full client list through Refinitiv World-Check, LexisNexis Bridger, or your AML vendor of record. Don't forget beneficiaries, trust grantors, and 25%+ beneficial owners on entity accounts — incremental party adds are the most common screening gap.

For each LLC, corporate, and trust account, verify the CDD beneficial owner certification is on file for any 25%+ owner plus one control person. Stale certifications past 12 months should be refreshed.

Pull every SAR filed since the last review. Confirm each was filed within 30 days of suspicion detection, the narrative met FinCEN's five-W standard, and supporting documentation is preserved for five years.

Cover red flags specific to your client base — cash-heavy small business, international wires, unusual structuring. Capture attendance with a sign-in sheet or LMS roster; training is required annually under BSA and is one of the first items examiners ask for.

Walk through a ransomware or vendor-breach scenario with the CCO, COO, and IT lead. Test the notification chain to clients under Reg S-P amendments and applicable state breach laws (the SEC adopted a 30-day client notification rule effective 2024).

Confirm Schwab Advisor Center, Fidelity Wealthscape, Pershing NetX360, and Altruist all require MFA for every advisor and operations user. Pay attention to service-account exceptions — those are the usual back doors.

Sample five recent wire-instruction changes and confirm operations called the client back at the number of record — not the number on the requesting email. Email-only wire changes are the single most common loss event in advisory operations.

Use the firm's MSP scan or a tool like Tenable, Qualys, or Rapid7. Map findings to the Identity Theft Red Flags program (Reg S-ID) and the WISP under Reg S-P safeguards rule.

Pull a 10-message random sample per advisor from Smarsh, Global Relay, or Bloomberg Vault. Verify retention, search, and lexicon-flagging are functioning under Rule 204-2's five-year requirement.

Every advisor signs an annual attestation that personal email, personal text, and WhatsApp are not used for client business. The 2022–2024 SEC sweeps produced more than $2B in penalties for off-channel comms — attestation alone won't save the firm, but the absence of one will sink it.

Pull a sample from Hearsay or Smarsh of advisor LinkedIn and Facebook posts. Flag any post recommending a security or making a performance claim without required disclosures — those are retail communications needing principal pre-approval.

Reconcile the prior-year G&E log against expense reports and vendor records. Flag any single item over $100 (FINRA's de minimis under Rule 3220) and investigate omissions before resetting for the new year.

Pull every SLOA on file and verify each meets the seven conditions of the 2017 IM Guidance no-action letter. Any SLOA missing a condition triggers custody under Rule 206(4)-2 — meaning a surprise exam by a PCAOB-registered auditor.

If custody is triggered, schedule the surprise verification within the next quarter and update Form ADV Item 9 to reflect the custody answer. The auditor needs unannounced access to client account records and signed confirmations.

Compare the internal fee invoice (Black Diamond, Orion, or Tamarac) against the custodian's actual debit and the period-balance methodology disclosed in the IAA. Three-way mismatches are a leading SEC deficiency in custody and fee disclosure exams.

Verify with Schwab, Fidelity, Pershing, or Altruist that quarterly statements went directly to clients. If the firm sends supplemental performance reports, confirm they include the custodian-statement reconciliation legend required under Rule 206(4)-2.

Every finding gets a named owner, severity rating, target close date, and verification method. Repeat findings cycle-over-cycle are the single biggest red flag for an SEC exam team.

Walk principals through findings, remediation owners, and any policy changes recommended. Document attendance and decisions in committee minutes — examiners ask for these.

Required under Rule 206(4)-7 — the CCO must annually review the adequacy of the firm's compliance policies and procedures and the effectiveness of their implementation. Sign and archive the memo with the year's working papers.