As the year 2025 comes to an end, Registered Investment Advisers (RIAs) should complete an annual compliance checklist, focusing on updating policies, reviewing the Code of Ethics, conducting a mock audit, and ensuring data privacy and cybersecurity measures are up to date. This proactive approach is crucial for demonstrating compliance, mitigating risks, and preparing for potential regulatory exams.
Here are some basic things to do:
1. Review and update policies and procedures
- Annual review: The SEC requires investment advisers to annually review their written policies and procedures for adequacy and effectiveness, designating a Chief Compliance Officer (CCO) to oversee this process.
- Update documentation: Ensure all policies and procedures are updated to reflect current regulations, firm structure, and business practices.
- Accessibility: Make sure your policies are easy for all employees to access and understand to ensure consistent application.
2. Code of Ethics
- Review and update: Update your firm's Code of Ethics to ensure it is current and relevant.
- Monitor employee activity: Ensure all employee trading activity has been properly reported in accordance with your Code of Ethics.
3. Mock audit and risk assessment
- Conduct a mock audit: Perform a mock compliance audit to identify any potential gaps or weaknesses in your compliance program before a real SEC or state regulator examination.
- Review past audits: Analyze findings from previous audits and check that all identified issues have been corrected.
- Perform a risk assessment: Conduct a new risk assessment, focusing on any new services, products, or regulatory changes that may have introduced new risks.
4. Cybersecurity and data privacy
- Cybersecurity review: Evaluate your cybersecurity measures, especially since the SEC has specific cybersecurity compliance requirements.
- Data mapping: Map and flag high-risk and critical business data to understand what sensitive personal data you are storing and protecting.
- Breach notification readiness: Review your plan for responding to a data breach, including the timelines and requirements for notifying the SEC and impacted individuals.
5. Books and records
- Review record-keeping practices: Ensure all books and records are being maintained properly and are easily accessible, as required by SEC rules.
- Check for completeness: Confirm that all required documents, such as client account statements and trade records, are being kept for the required retention period.
6. Training and education
- Annual employee training: Conduct annual training for all employees on updated policies and procedures and reinforce compliance best practices.
- Review new regulations: Stay informed about new SEC and state regulatory priorities for the upcoming year to ensure your firm is prepared.