
Introduction
Running a registered investment adviser firm means operating under a web of regulatory obligations that never stops expanding. Registration thresholds, fiduciary duties, recordkeeping rules, marketing restrictions, annual reviews — each one carries enforcement risk on its own.
Miss a recordkeeping deadline, post a non-compliant testimonial, or hand the CCO role to someone without real authority, and you're looking at examination findings or worse.
According to SEC Investment Adviser Statistics, there are currently 15,906 SEC-registered advisers managing $145.8 trillion in regulatory assets under management as of December 2024. The SEC's exam staff has grown from roughly 500 in 1995 to over 1,100 today — meaning more examiners covering a larger, increasingly complex adviser population.
This guide covers:
- What RIA compliance is and why it matters
- Registration thresholds and how to determine which regulator applies
- Core requirements under the Investment Advisers Act
- The CCO role — and what alternatives exist
- How to prepare for an SEC examination
- Ongoing filing obligations and annual review requirements
TL;DR
- RIAs with $110M+ AUM generally must register with the SEC; below that, state registration applies
- The fiduciary standard means acting in the client's best interest; disclosing a conflict alone doesn't satisfy it
- Rule 206(4)-7 mandates written policies, annual reviews, and a designated CCO
- Records must be retained for five years, with two years in an accessible location
- A fractional CCO model gives smaller firms credible compliance leadership without a full-time salary
What Is RIA Compliance?
RIA compliance refers to the full set of legal and regulatory obligations that registered investment advisers must meet under the Investment Advisers Act of 1940 and the rules the SEC enforces under it. The core purpose is investor protection: ensuring clients receive honest advice, transparent disclosures, and fair treatment from the people managing their money.
The critical distinction from broker-dealers: RIAs operate under a fiduciary standard, meaning they must act in the client's best interest at all times. Broker-dealers historically operated under a suitability standard, which required only that recommendations be suitable — a lower bar. The fiduciary standard demands more.
Who It Applies To
Any person or firm that provides investment advice for compensation and meets the applicable registration threshold qualifies as an RIA. That covers solo practitioners, boutique wealth managers, hedge fund advisers, and institutional asset managers alike.
That broad scope means compliance obligations follow the firm regardless of size or strategy. An active RIA compliance program spans:
- Registration and annual Form ADV amendments
- Fiduciary duty obligations and conflict management
- Written policies and procedures (Rule 206(4)-7)
- Recordkeeping (Rule 204-2)
- Marketing and advertising compliance (Rule 206(4)-1)
- Ongoing supervision and staff training
- Periodic SEC or state examinations
The SEC's exam division has grown steadily — and its FY2026 priorities explicitly name newly registered and never-examined advisers as focus areas. Firms that treat compliance as a background function tend to surface those gaps during examination, not before.
RIA Registration Requirements: SEC vs. State
The AUM Threshold
The primary registration trigger is assets under management:
- $110M+ RAUM: Generally required to register with the SEC
- $100M–$110M RAUM: May register with the SEC (optional buffer zone)
- Below $100M RAUM: Generally required to register at the state level
- Below $90M RAUM: SEC-registered advisers in this range are generally required to withdraw from SEC registration

Verify these thresholds periodically against the SEC Form ADV instructions — the SEC updates them without much fanfare.
Exceptions to the Standard Threshold
Several categories allow or require SEC registration regardless of AUM:
- Advisers to registered investment companies (mutual funds, ETFs)
- Multi-state advisers required to register in 15 or more states
- Internet-only advisers operating exclusively through an interactive website (per the amended Rule 203A-2(e), effective July 2024)
- Firms with a principal office in New York with $25M+ AUM — this is a New York-specific rule, not a universal threshold
State registration still applies in any state where the adviser maintains an office, employs a representative, serves five or more clients, or is actively soliciting. Requirements vary by state; always consult each state's specific securities regulator.
Form ADV: The Registration Document
Once you've determined where to register, Form ADV is how you do it. The document has four distinct parts:
| Part | Content |
|---|---|
| Part 1A | Firm structure, AUM, ownership, affiliations |
| Part 2A | Client-facing brochure: services, fees, conflicts |
| Part 2B | Brochure supplements for individual adviser reps |
| Part 3 (Form CRS) | Required for SEC registrants serving retail investors |
Form ADV isn't filed once and forgotten. Material changes require prompt amendment, and an annual updating amendment is due within 90 days of fiscal year-end. Stale or inaccurate Form ADV disclosures are a common examination finding.
One administrative note worth clarifying: FINRA does not regulate RIAs but does operate the IARD (Investment Adviser Registration Depository) system used for both SEC and state filings. Submitting through IARD is a procedural requirement — it doesn't put you under FINRA's oversight.
Core RIA Compliance Requirements
Fiduciary Duty and the Client Best Interest Standard
The fiduciary standard is the foundation everything else rests on. Per the SEC's 2019 interpretation, an adviser's fiduciary duty comprises two components:
Duty of Care — encompasses:
- Providing advice in the client's best interest
- Seeking best execution when selecting broker-dealers
- Providing ongoing advice and monitoring over the course of the relationship (where agreed)
Duty of Loyalty — requires putting client interests ahead of the firm's own, disclosing all material conflicts, and in some cases avoiding the conflict entirely.
A common misconception: disclosing a conflict satisfies the duty of loyalty. It doesn't. The SEC's interpretation is clear that disclosure must be full, fair, and specific enough for the client to give informed consent. Disclosure that uses "may" for a conflict that actually exists is inadequate.
Some conflicts cannot be disclosed away and must be eliminated entirely.
Policies, Procedures, and Supervision (Rule 206(4)-7)
Rule 206(4)-7 is the compliance program rule. It requires every SEC-registered adviser to:
- Adopt written policies and procedures reasonably designed to prevent violations of the Advisers Act
- Review those policies at least annually, and document the review
- Designate a CCO responsible for administering the program

The rule demands real operational compliance, not documentation for its own sake. A compliance manual that describes policies the firm doesn't actually follow is treated by examiners as a deficiency, not a defense. Policies must reflect the firm's real operations, client base, investment strategies, and risk profile.
Books, Records, and Recordkeeping (Rule 204-2)
Rule 204-2 sets the recordkeeping baseline. Required records include:
- Client agreements and advisory contracts
- Transaction records and trade documentation
- All written business communications (email, messaging, collaboration tools)
- Performance data and supporting calculations
- Code of ethics records, including personal trading
- Copies of Form ADV and all amendments
Retention period: five years minimum, with the first two years in an accessible location.
Electronic communications are within scope — including messages on personal devices or unapproved platforms. The SEC charged 26 firms in 2024 for off-channel communication failures.
"I used my personal phone" is not a defense. If the communication related to advisory business, it must be retained and retrievable.
Marketing and Advertising Compliance (Rule 206(4)-1)
The modernized Marketing Rule, adopted in 2020 with a compliance date of November 2022, permits things the old rule prohibited — testimonials, endorsements, third-party ratings, performance advertising — but with conditions. What remains prohibited:
- Materially misleading statements or omissions
- Cherry-picked performance results
- False impressions of the firm's capabilities or track record
Social media posts, comments, and direct messages related to advisory services carry the same marketing compliance and recordkeeping obligations as any other advertisement. In recent examination cycles, the SEC's exam staff has flagged inadequate substantiation of performance claims and missing disclosure of material conflicts as the most common Marketing Rule failures.
The Chief Compliance Officer: Roles, Requirements, and Alternatives
What the Rule Requires
Rule 206(4)-7 requires every SEC-registered adviser to designate a CCO. That person must:
- Be competent and knowledgeable about the Advisers Act
- Have sufficient authority within the firm to enforce compliance policies
- Operate with independence from revenue-generating functions
- Have access to information needed to do the job — trading exception reports, client complaints, personnel records
The SEC has flagged situations where CCOs lacked authority, were buried under too many competing responsibilities, or couldn't access basic information. Having a CCO in title is not the same as having a functioning compliance program.
The Full-Time Hire vs. Fractional Reality
At smaller firms, the adviser-owner often serves as CCO — which the rules permit. But the role carries real responsibility, and smaller firms frequently lack the bandwidth or budget for a dedicated full-time executive. According to Schwab's 2024 RIA Compensation Report, dedicated CCO roles appear at roughly 40% or more of firms with $500M–$1B+ in AUM, and far less frequently at firms below $250M.
CCO compensation varies considerably by firm size, complexity, and geography. For current figures, consult a dedicated compensation survey or request direct quotes before budgeting.
The Fractional CCO Model
When the full-time salary isn't justified, fractional CCO services offer a credible middle ground. The model places an experienced compliance director on a monthly retainer — acting as named CCO, attending meetings, owning the compliance function, and representing the firm to regulators and counterparties.
Fraxtional, for example, provides a Fractional Advisory model where clients receive a dedicated Director with named title use — including CCO — without a permanent hire. Their team holds specialized expertise in SEC and RIA compliance, including the Investment Advisers Act of 1940 and Form ADV filings, with the Director embedded in day-to-day operations rather than appearing only for periodic check-ins.
This structure works particularly well for:
- Early-stage firms building their compliance program from scratch
- Growing advisory practices that haven't justified a full-time C-suite hire
- Firms preparing for their first SEC examination

One caveat: regardless of engagement model, the SEC holds the firm accountable for compliance quality. Examiners will evaluate whether the CCO — in-house, outsourced, or fractional — has genuine authority, independence, and resources. The title alone doesn't satisfy the rule.
Preparing for an SEC Examination
What Triggers an Exam
No firm is exempt from examination. The SEC's exam program focuses on:
- Newly registered advisers — the SEC has prioritized reviewing new registrants within a reasonable period after registration, a stated priority since 2013
- Never-examined advisers — firms that have been registered without ever receiving an examination
- Risk-based triggers — complex strategies, custody arrangements, conflicts of interest, marketing, and filing accuracy
- Thematic sweeps — industry-wide reviews of specific practices (valuation, fee billing, electronic communications)
The FY2026 examination priorities include fiduciary duty, compliance program effectiveness, marketing, and Schedules 13D/13G and Form 13F accuracy.
What Examiners Look At
Knowing what triggers an exam is only half the picture. Examiners arrive with a specific checklist in mind:
- Written policies vs. actual practice — do they match?
- Books and records completeness and retrievability
- Marketing materials and required disclosures
- Supervision of electronic communications
- CCO authority, resources, and independence
The four most commonly cited deficiency areas are inadequate recordkeeping, marketing rule violations, supervision failures, and policies that exist on paper but aren't followed in practice. These are exactly what your preparation steps should address.
Practical Preparation Steps
- Maintain organized records — every required category, promptly retrievable, across the full retention period
- Conduct internal reviews — document what you found and what you fixed, not just that you looked
- Train staff regularly — examiners treat undocumented training as no training at all
- Rehearse the information request process — know who responds, what's required, and how quickly you can produce it
- Test your policies against operations — walk through your compliance manual against what actually happens in practice

Ongoing RIA Compliance Obligations
Compliance doesn't end after registration. The calendar-driven obligations include:
Annual:
- Form ADV annual amendment: due within 90 days of fiscal year-end
- Form ADV Part 2 brochure: when the brochure has material changes, clients must receive the updated brochure or a summary of changes within 120 days of fiscal year-end, per Rule 204-3
- Rule 206(4)-7 annual review: must be formally conducted and documented
Periodic Filings (Where Applicable):
| Form | Threshold | Deadline |
|---|---|---|
| Form 13F | $100M+ in Section 13(f) securities | 45 days after each calendar quarter |
| Schedule 13G | 5%+ beneficial ownership in a covered equity class | 45 days after quarter-end (revised deadlines effective Sept. 2024) |
| Form PF | $150M+ in private fund AUM | Varies by fund type |
| Form 13H (Large Trader) | 2M shares or $20M in a single day; 20M shares or $200M in a month | Promptly after threshold; annual update within 45 days of year-end |
Prompt (Throughout the Year):
- Material changes to Form ADV must be amended promptly — not held for the annual update
- Any compliance gaps identified during testing or the annual review must be remediated with a clear timeline and documented
These deadlines are just the floor. Firms that treat compliance as a static annual exercise — file the ADV, check the box, move on — consistently produce the most examination findings. Compliance is a living function: the program needs to keep pace with both regulatory updates and changes to your own business activities.
Frequently Asked Questions
What is RIA compliance?
RIA compliance covers every regulatory obligation registered investment advisers must meet under the Investment Advisers Act of 1940 and SEC rules — from Form ADV disclosures and fiduciary duty to recordkeeping, marketing, and exam readiness. It's an ongoing program, not a one-time filing.
What are the 4 phases of compliance?
The four phases are: (1) assessment and risk identification, (2) policy development and implementation, (3) monitoring and testing, and (4) remediation and annual review. All four must be documented to satisfy Rule 206(4)-7 and hold up during an examination.
How much does an RIA compliance consultant cost?
Costs vary based on firm size, AUM, complexity, and engagement model — project-based, retainer, or fractional CCO arrangements each carry different pricing. Fractional models typically cost less than a full-time CCO salary; contact providers directly for quotes specific to your firm's scope.
When must an RIA register with the SEC vs. state regulators?
Advisers with $110M+ RAUM generally must register with the SEC; those with $100M–$110M may choose SEC registration. Advisers below $100M generally register at the state level. Exceptions apply for advisers to investment companies, multi-state advisers registered in 15+ states, and certain internet-only advisers. Consult SEC Form ADV instructions and your specific state's rules for your situation.
What is Form ADV and why is it important?
Form ADV is the primary registration and disclosure document for RIAs. Part 1A covers firm data and ownership; Part 2A is the client-facing brochure covering services, fees, and conflicts; Part 3 (Form CRS) summarizes services for retail investors. Keeping it current is an ongoing obligation — material changes require prompt amendment, and an annual update is required within 90 days of fiscal year-end.
What triggers an SEC RIA examination?
Common triggers include routine reviews for newly registered firms, risk-based focus on complex strategies or conflicts, thematic industry sweeps, and filing inconsistencies. Every registered firm is subject to examination at any time — size and newness offer no protection.


