Annual Legal and Compliance Program Review

AML / BSA Program Review

    Compare the firm's AML policy to the latest FinCEN advisories and the SEC's investment-adviser AML rule (effective Jan 2026). Confirm the BSA Officer and escalation path are named, and that the risk assessment reflects the current client base — entity accounts, foreign clients, and any PEPs.

    Pull a sample of accounts opened in the prior 12 months and verify CIP documentation (government ID, identity verification result) and CDD beneficial-owner collection for all entity accounts. Common gap: 25%+ beneficial owners not captured on LLC and trust accounts.

    Pull the OFAC screening log from Refinitiv World-Check or LexisNexis Bridger and confirm every hit was dispositioned with a reviewer name, date, and rationale. Verify rescreening cadence ran on every party add (beneficiaries, joint owners, trustees) — not just initial onboarding.

    Verify every SAR was filed within 30 days of detection and every CTR within 15 days of the reportable currency transaction. Flag any filing where the narrative is thin or the trigger-to-filing gap exceeded the deadline — these become MRAs at the next exam.

    For any late filings, document root cause (detection delay, queue backlog, narrative review), file the corrective SAR/CTR via FinCEN's BSA E-Filing system, and add a remediation entry to the compliance findings log with a named owner and closure date.

    Pull the LMS report for the annual AML training and confirm 100% completion across all registered persons, IARs, and operations staff. Anything below 100% requires a chase list with a 7-day cure window before escalation to the BSA Officer.

Reg S-P Privacy and Data Protection

    Confirm the annual privacy notice was delivered to every client of record (or that the firm qualifies for the annual-notice exception under the FAST Act). Check delivery evidence — email logs from the CRM, mailed-letter confirmations, or portal acknowledgments.

    Confirm full-disk encryption on all firm laptops, TLS on email gateways, and encryption-at-rest on document management (NetDocuments, ShareFile, Box). Spot-check that no client PII is sitting in OneDrive personal folders or unencrypted USBs — a common audit finding.

    Pull the vendor inventory (CRM, planning tools, custodian aggregators, archiving providers) and confirm each has a current data-handling addendum or DPA and a SOC 2 Type II report on file. Flag any vendor where the SOC 2 has lapsed beyond 12 months.

    Review the incident log for any unauthorized access, lost device, misdirected email, or vendor breach affecting client PII during the review period. Even small incidents (one misdirected statement) get logged — exam staff want to see the program detects, not just the headline events.

    Under the amended Reg S-P (effective 2025/2026 depending on firm size), affected individuals must be notified as soon as practicable but no later than 30 days after the firm becomes aware. Coordinate with outside counsel on notice content and any state-law overlays (e.g., NY DFS, California).

Regulatory Filings and Reporting

    The Form ADV annual updating amendment is due within 90 days of fiscal year end. Confirm AUM, employee count, custody answer, disciplinary disclosures, and Item 5 fee schedule reconcile to internal records. Any material change between filings also requires a separate other-than-annual amendment.

    Within 120 days of fiscal year end, deliver the updated brochure (or a summary of material changes plus offer) to every existing client. Common gap: delivery confirmation not retained per client. Use the CRM bulk-deliver flow with acknowledgment tracking.

    If Form CRS was amended this cycle, redeliver to all retail clients within 60 days of the amendment and post the updated version to the firm website. Verify the website link is live and the prior version is archived rather than deleted.

    Run a notice-filing reconciliation: every state where the firm has 6+ clients (de minimis varies by state) needs a current notice filing. Confirm renewals were paid and any newly-triggered states added. Old filings for states no longer triggered can be terminated.

Reg BI and Consumer Protection

    Sample 10–20 retail rollover and product recommendations from the period and confirm each has documented why this recommendation is in the client's best interest — not just a check-box. PTE 2020-02 rollover analyses need cost, services, and feature comparisons in writing.

    Pull every written complaint logged this period. Confirm each has a response, a resolution date, and (if applicable) a U4 disclosure if it meets the FINRA reportable threshold. Verbal complaints that escalated also get logged.

    Reset the per-rep gifts-and-entertainment (G&E) annual log to zero for the new year and recirculate the firm's $100/recipient FINRA limit reminder. Common gotcha: vendor holiday gifts late in December not logged before year-end rollover.

    Pull the Hearsay or Smarsh archive for the period and confirm every retail communication had principal pre-approval where required by FINRA Rule 2210 or the SEC marketing rule. Spot-check rep LinkedIn posts — un-pre-approved investment recommendations are the most common finding here.

    Three-way tie-out: internal fee calculation (Orion / Black Diamond / Tamarac) vs. custodian fee debit vs. invoice sent to client. Material variances require client refunds plus a documented control fix. Confirm the calculation basis (period-end vs. average daily) matches the disclosed method in ADV Part 2A.

Cybersecurity and Identity Theft Prevention

    Engage the third-party security firm (or internal MSSP) for the annual external pen test and quarterly vulnerability scan. Capture the findings report and triage any critical or high findings into the IT remediation backlog with named owners.

    Confirm MFA is enforced on Schwab Advisor Center, Fidelity Wealthscape, the CRM, the email tenant, and the planning suite. Phishing-resistant MFA (FIDO2 / hardware keys) is preferred over SMS for any role that can move client funds.

    Run a 60–90 minute scenario walkthrough — ransomware on the file server, BEC wire-fraud attempt, or custodian breach — with the incident response team. Document gaps in the after-action and update the IRP. Required annually under the SEC's adopted cyber rules and most state DFS regimes.

    Sample wire-instruction changes processed this period. Confirm each has a recorded verbal callback to a known client phone number — not the number on the change request. Email-only wire changes are the single most expensive control failure in this industry.

    For any wire processed without verbal verification, identify the operations staff member, document root cause, and either recover the funds (if possible) or open a fidelity-bond claim. Add a mandatory re-training and supervisor sign-off requirement for that staff member until the next review cycle.
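The two wire-change items above describe a control test that is easy to automate once the change log and the callback log are exported. The script below is an added example, not part of the Manifestly template or any vendor's code: it joins wire-instruction changes to recorded callbacks and flags the three ways the control fails (no callback at all, callback placed to the number supplied on the change request rather than the number of record, or callback to the number of record only after the wire was already processed). All record layouts, field names and sample data are constructed for the illustration; in practice the phone of record comes from the client master file, never from the change request.

```python
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class WireChange:
    change_id: str
    client_id: str
    requested_phone: str      # number written on the change request: untrusted input
    processed_at: datetime    # when operations released the wire


@dataclass(frozen=True)
class Callback:
    change_id: str
    called_number: str        # number the operator actually dialed
    called_at: datetime
    operator: str


def normalize_phone(raw: str) -> str:
    """Strip punctuation and any leading country code so numbers compare reliably."""
    digits = re.sub(r"\D", "", raw)
    return digits[-10:]


def review_wire_changes(changes, callbacks, phone_of_record):
    """Return {change_id: [findings]}; an empty list means the callback control held."""
    by_change = {}
    for cb in callbacks:
        by_change.setdefault(cb.change_id, []).append(cb)

    report = {}
    for ch in changes:
        findings = []
        record = normalize_phone(phone_of_record.get(ch.client_id, ""))
        requested = normalize_phone(ch.requested_phone)
        cbs = by_change.get(ch.change_id, [])

        if not record:
            findings.append("no phone of record on file for client")
        elif not cbs:
            findings.append("no verbal callback recorded")
        else:
            # The control holds only if some callback reached the number of record
            # before the wire was released.
            to_record = [cb for cb in cbs if normalize_phone(cb.called_number) == record]
            if any(cb.called_at <= ch.processed_at for cb in to_record):
                pass
            elif to_record:
                findings.append("callback to number of record occurred after the wire was processed")
            elif any(normalize_phone(cb.called_number) == requested for cb in cbs):
                findings.append("callback went to the number on the change request, not the number of record")
            else:
                findings.append("callback number matches neither the number of record nor the request")
        report[ch.change_id] = findings
    return report


def failed_changes(report):
    """Change IDs that need root-cause documentation and follow-up."""
    return sorted(cid for cid, findings in report.items() if findings)


# Constructed sample data: a trusted client master file plus one period's change and callback logs.
PHONE_OF_RECORD = {
    "C100": "(312) 555-0100",
    "C200": "312-555-0200",
    "C300": "+1 312 555 0300",
    "C400": "312.555.0400",
}

SAMPLE_CHANGES = [
    WireChange("W1", "C100", "(312) 555-0100", datetime(2025, 3, 3, 10, 0)),
    WireChange("W2", "C200", "312-555-0200", datetime(2025, 3, 4, 11, 0)),
    WireChange("W3", "C300", "646-555-0199", datetime(2025, 3, 5, 9, 30)),   # request carries a new number
    WireChange("W4", "C400", "312.555.0400", datetime(2025, 3, 6, 9, 0)),
]

SAMPLE_CALLBACKS = [
    Callback("W1", "3125550100", datetime(2025, 3, 3, 9, 15), "ops-a"),
    Callback("W3", "6465550199", datetime(2025, 3, 5, 9, 0), "ops-b"),      # dialed the number on the request
    Callback("W4", "3125550400", datetime(2025, 3, 6, 15, 0), "ops-c"),     # dialed after the wire went out
]

if __name__ == "__main__":
    result = review_wire_changes(SAMPLE_CHANGES, SAMPLE_CALLBACKS, PHONE_OF_RECORD)
    for cid in failed_changes(result):
        print(cid, "->", "; ".join(result[cid]))
```

Run against the full period's exports rather than a sample once the logs are available; the output list is exactly the set of wires that need a root-cause entry, recovery attempt or fidelity-bond claim under the item above.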

    The CCO reviews the consolidated findings, attaches the signed Rule 206(4)-7 annual review memo, and presents the summary to the firm's management committee. The signed memo and supporting evidence go into the compliance file for the next SEC or state exam.

Use this template in Manifestly
