Prepare registered investment advisers, broker-dealers, and their compliance teams for SEC and FINRA examinations. This skill covers the full examination lifecycle — from risk-based selection and notification through document production, staff interviews, deficiency findings, remediation, and follow-up. It provides frameworks for mock examinations, annual compliance reviews, and proactive use of published examination priorities to reduce regulatory risk.

9 — Compliance & Regulatory Guidance

prospective

The SEC's Division of Examinations (formerly the Office of Compliance Inspections and Examinations, or OCIE) conducts examinations of registered entities including investment advisers, broker-dealers, transfer agents, clearing agencies, and self-regulatory organizations. The Division uses a risk-based approach to select firms for examination and to determine the scope and intensity of each exam.

Risk-based selection. The Division selects firms for examination based on a range of risk indicators rather than examining every registrant on a fixed schedule. Selection criteria include:

Typical duration. SEC examinations typically last from several weeks to several months, depending on the firm's size, the scope of the examination, the complexity of issues discovered, and the responsiveness of the firm's document production.

Firms' rights during examination. Firms have the right to: receive identification of the examination staff and their supervisors; understand the general scope of the examination; request reasonable extensions for document production deadlines (extensions are granted at the staff's discretion); have counsel present during interviews (though the SEC may interview individuals separately); and receive a closing communication describing the examination outcome. Firms may also submit a response to preliminary findings discussed at the exit conference before a deficiency letter is finalized.

FINRA (the Financial Industry Regulatory Authority) examines its member broker-dealer firms through its Risk Monitoring and Examination programs. As a self-regulatory organization (SRO), FINRA has direct authority to examine, sanction, and discipline its members — a key distinction from the SEC, which must refer potential enforcement actions to its Division of Enforcement.

Risk-based approach. FINRA assigns each member firm a risk rating based on a comprehensive assessment of factors including the firm's business model, product mix, customer demographics, complaint history, financial condition, regulatory history, and supervisory structure. This risk rating determines examination frequency and intensity.

Both the SEC Division of Examinations and FINRA publish annual examination priorities or focus areas that signal where regulatory attention will be concentrated in the coming year. These publications are among the most important compliance planning tools available.

SEC Division of Examinations annual priorities. The Division publishes its examination priorities early each calendar year. Recent recurring themes have included:

FINRA annual examination priorities. FINRA's annual report on examination and risk monitoring activities similarly identifies key focus areas. Recurring FINRA priorities include:

Using exam priority letters for proactive compliance planning. Firms should treat published examination priorities as a roadmap for their own internal compliance reviews. Best practices include:

Document production is often the most operationally demanding phase of a regulatory examination. The initial document request list (IDR) sets the tone for the examination, and the quality and timeliness of the firm's response significantly influences the examination experience.

Typical items on an initial document request list. While every IDR is tailored to the specific examination, common elements include:

Scope management. Effective scope management is critical to a successful examination response:

Electronic document production. Examination staff increasingly expect electronic production:

Understanding the most frequently cited deficiency areas allows firms to focus their compliance efforts where examination risk is highest. Across SEC and FINRA examinations, the following categories consistently generate the most findings.

(a) Compliance program gaps. Deficiencies in the overall compliance program are among the most common findings:

(b) Books and records violations. Books and records deficiencies are pervasive:

(c) Advertising violations. Advertising deficiencies are a top examination focus:

(d) Custody rule issues. Custody deficiencies arise frequently for investment advisers:

(e) Fee calculation errors. Fee-related deficiencies are a recurring concern:

(f) Code of ethics violations. Code of ethics deficiencies include:

(g) Cybersecurity weaknesses. Cybersecurity deficiencies have become increasingly prominent:

Deficiency letter structure. A deficiency letter from the SEC Division of Examinations typically identifies each deficiency by category, describes the specific factual findings, cites the applicable rule or statutory provision, and requests a written response within 30 days (or another specified period) describing the corrective actions the firm has taken or plans to take. FINRA deficiency letters follow a similar format. The letter may also note areas where the staff observed practices that, while not rising to the level of a deficiency, could be improved.

How a firm responds to a deficiency letter is a critical determinant of whether the matter is resolved at the examination stage or escalated to enforcement.

Internal mock examinations are one of the most effective tools for maintaining examination readiness and identifying compliance gaps before regulators do.

Using compliance consultants. Firms may engage external compliance consultants to conduct independent mock examinations. External mock exams provide several benefits: the consultant brings fresh perspective and experience from examinations at other firms; the exercise is more realistic because business personnel interact with an unfamiliar examiner; and the results carry more weight with senior management. When selecting a consultant, prioritize individuals with recent SEC or FINRA examination experience.

SEC Rule 206(4)-7 under the Investment Advisers Act of 1940 requires every registered investment adviser to: (1) adopt and implement written policies and procedures reasonably designed to prevent violation of the Advisers Act and its rules; (2) designate a chief compliance officer responsible for administering the compliance program; and (3) review the adequacy of the policies and procedures and the effectiveness of their implementation at least annually.

Conducting the annual review. The annual compliance review is a regulatory requirement, not a discretionary exercise. It should be documented in writing and presented to senior management. The review should assess:

Documentation. The annual compliance review must be documented. While the SEC does not prescribe a specific format, the documentation should be sufficient to demonstrate that a thorough review was conducted. SEC examination staff regularly request the annual compliance review report as one of their first IDR items.

The following checklist, organized by functional area, identifies key documents and evidence that should be organized, current, and readily accessible at all times — not assembled only when an examination is announced.

Scenario: A registered investment adviser that has been in operation for 18 months and manages $350 million in client assets receives its first SEC examination notification letter. The firm has four employees: the founder/portfolio manager (who is also the designated CCO), a junior analyst, an operations manager, and an administrative assistant. The initial document request list contains 45 items spanning compliance policies, trading records, advertising materials, fee calculations, and cybersecurity documentation. The firm has 21 calendar days to produce the documents. The CCO has never been through a regulatory examination.

Analysis: The CCO should take the following steps immediately upon receiving the notification letter. First, engage outside compliance counsel or a compliance consultant with SEC examination experience — attempting to navigate a first examination without experienced guidance significantly increases risk. Second, assign responsibility for each IDR item to a specific person with a clear internal deadline (at least five days before the SEC deadline to allow for quality review). Third, conduct a rapid self-assessment: compare the firm's written compliance policies to its actual practices and identify any material gaps. If the compliance manual was adopted at registration but not updated since, this gap will be apparent to examiners and should be acknowledged proactively. Fourth, prepare for staff interviews — the SEC will almost certainly interview the CCO/founder at length about the compliance program, fee calculations, trading practices, and advertising. The founder should be able to articulate the firm's investment process, compliance controls, and how conflicts of interest (including the dual PM/CCO role) are managed. Fifth, review the firm's Form ADV for accuracy — the examination staff will compare the ADV disclosures to actual practices, and any inconsistencies will generate findings. Common mistakes first-time examinees make include: producing documents without a quality review (resulting in incomplete or disorganized productions that frustrate staff and extend the examination); becoming defensive during interviews rather than being forthcoming and professional; failing to request a reasonable extension when the production deadline is genuinely unachievable (most examination staff will grant a short extension for first-time examinees if asked promptly and with good reason); and neglecting to implement a document hold, resulting in the routine deletion of emails or records within the scope of the examination.

Scenario: A mid-size investment adviser ($2 billion AUM, 30 employees) receives a deficiency letter from the SEC Division of Examinations following a routine examination. The letter identifies six deficiency findings: (1) custody rule violations — the adviser has inadvertent custody over three client accounts where it serves as trustee, but has not obtained a surprise examination or ensured independent verification under Rule 206(4)-2; (2) advertising compliance — the firm's website includes backtested performance for a model portfolio without required disclosures regarding methodology, assumptions, limitations, or risks, and without net performance alongside gross performance, in violation of Rule 206(4)-1; (3) incomplete books and records — the firm failed to retain business-related text messages exchanged between the portfolio manager and a broker-dealer counterparty, in violation of Rule 204-2; (4) code of ethics — two access persons failed to submit quarterly transaction reports for three consecutive quarters, and the firm had no process to identify or follow up on missing reports, in violation of Rule 204A-1; (5) annual compliance review — the firm's most recent annual review under Rule 206(4)-7 was a two-page summary that did not assess the adequacy of any specific policy or procedure; (6) cybersecurity — the firm had no written incident response plan and had not conducted a risk assessment of its information technology systems. The firm has 30 days to respond.

Analysis: The firm should structure its response as follows. First, engage compliance counsel to assist in drafting the response — given the number and seriousness of the findings, professional guidance is important. Second, address each finding individually in the order presented in the deficiency letter. For each finding, the response should: acknowledge the finding (or explain the basis for disagreement, if applicable); describe the root cause; detail the specific corrective actions already taken; provide a timeline for any remaining remediation; and identify the responsible person.

For finding (1) (custody), the firm should immediately engage an independent public accountant to conduct the required surprise examination under Rule 206(4)-2(a)(4), or alternatively, ensure that the trustee accounts are subject to an annual audit by an independent public accountant with the results distributed to the beneficiaries. The response should confirm the engagement, provide the accountant's name, and state the expected completion date. For finding (2) (advertising), the firm should remove the non-compliant backtested performance from its website immediately and describe the process for revising the content to include net performance, methodology disclosures, risk and limitation disclosures, and audience access controls as required by Rule 206(4)-1. For finding (3) (books and records), the firm should implement an approved communication platform, deploy mobile device management technology to capture text messages, issue a revised communication policy prohibiting business communications through unapproved channels, and train all employees. For finding (4) (code of ethics), the firm should collect the missing quarterly transaction reports retroactively, implement an automated tracking system that flags missing reports and escalates to the CCO, and discipline or counsel the access persons who failed to file. For finding (5) (annual compliance review), the firm should engage an external compliance consultant to conduct a comprehensive annual review covering all required elements under Rule 206(4)-7, with the results documented in a detailed written report presented to management. For finding (6) (cybersecurity), the firm should engage an information security consultant to conduct a risk assessment and develop a written incident response plan, with testing scheduled within 90 days. The firm should prioritize the custody finding and the off-channel communications finding, as these carry the highest enforcement risk, and ensure that corrective actions for these items are completed — not merely planned — before submitting the response.

Scenario: The Chief Compliance Officer of a mid-size broker-dealer (150 registered representatives, 12 branch offices) wants to implement an annual mock examination program. The firm's last FINRA cycle examination, two years ago, resulted in a deficiency letter with findings in trade surveillance, communications supervision, and branch office inspection procedures. The CCO has proposed a budget of $75,000 for annual mock examinations (including external consultant fees) and has presented the proposal to the firm's executive committee. The CEO and head of sales view the program as unnecessary overhead, arguing that the firm "already has a compliance department" and that the prior deficiency findings were "minor." They have asked the CCO to justify the expenditure.

Analysis: The CCO should build the business case on three pillars: risk reduction, cost avoidance, and regulatory expectation. On risk reduction: the firm's prior deficiency findings create a heightened examination risk profile. FINRA will expect to see documented evidence that the firm identified the root causes of the deficiencies, implemented corrective actions, and tested the effectiveness of those actions. A mock examination program produces exactly this evidence. Without it, the firm enters its next examination unable to demonstrate that it has improved — and if the same deficiencies recur, the likelihood of formal enforcement action (fines, censure, individual sanctions) increases substantially. On cost avoidance: the $75,000 annual investment in mock examinations should be compared to the cost of regulatory enforcement. FINRA fines for supervisory failures regularly exceed $500,000 and can reach millions of dollars for larger firms. Beyond fines, enforcement actions generate legal fees (typically $200,000 to $1 million or more to defend a FINRA enforcement proceeding), reputational damage, increased E&O insurance premiums, and potential loss of clients. The mock examination program is a fraction of the cost of a single enforcement action. On regulatory expectation: both FINRA Rule 3120 (requiring an annual report by designated supervisory control persons certifying the adequacy of supervisory controls) and FINRA's examination priorities consistently emphasize the importance of testing supervisory systems. A mock examination program demonstrates to FINRA examiners that the firm takes its supervisory obligations seriously and proactively identifies and addresses issues.

For program design, the CCO should propose a proportionate program: conduct one comprehensive annual mock examination covering the highest-risk areas (selected based on FINRA's published examination priorities, the firm's prior deficiency history, and any new business activities), supplemented by targeted quarterly reviews of specific compliance functions. The annual mock exam should simulate a FINRA cycle examination, including a mock IDR, document production exercise, and interviews with branch managers and supervisory personnel. Engage an external compliance consultant with FINRA examination experience for the annual comprehensive exam to ensure objectivity and credibility. The quarterly targeted reviews can be conducted internally by the compliance team, focusing on areas such as communications supervision (one quarter), trade surveillance (another quarter), branch office inspections (another quarter), and AML/financial crimes (another quarter). This phased approach distributes the workload across the year and ensures continuous monitoring rather than a single point-in-time assessment. The CCO should present the mock examination results to the executive committee after each exercise, creating a documented record of management engagement with compliance findings — a factor that FINRA considers favorably during examinations.