Industry-Specific Compliance Notes (Financial Advisory)

SEC/FINRA considerations, client data handling, advertising rules.

Financial advisory firms operate under a regulatory microscope. SEC and FINRA violations carry six-figure fines, client lawsuits, and registration suspensions. This guide provides the specific compliance controls you need to implement today.

SEC Registration and Ongoing Obligations

Registration Threshold: Register with the SEC if you manage $110 million or more in assets under management (AUM). Below that threshold, register with your state securities regulator unless you qualify for an exemption.

Form ADV Filing Requirements:

  • File Form ADV Part 1 within 90 days of becoming an investment adviser
  • Update Part 1 annually within 90 days of fiscal year-end
  • Update Part 1 promptly (within 30 days) for material changes to disciplinary history, ownership structure, or custody arrangements
  • Deliver Form ADV Part 2A (brochure) to all new clients at or before entering into an advisory contract
  • Deliver Part 2A annually to existing clients or provide a summary of material changes with an offer to deliver the full brochure

Books and Records Retention Schedule:

  • Advisory agreements: Life of agreement plus 5 years
  • Client communications (emails, letters, meeting notes): 5 years, first 2 in principal office
  • Trade confirmations and account statements: 5 years
  • Performance calculations and marketing materials: 5 years
  • Compliance policies and procedures: 5 years from last use

Custody Rule Compliance: If you have custody of client assets (direct access to client accounts, standing letters of authorization, or fee deduction authority), you must:

  1. Use a qualified custodian (Schwab, Fidelity, Pershing, etc.)
  2. Deliver account statements to clients quarterly
  3. Undergo an annual surprise examination by an independent public accountant
  4. File Form ADV-E within 120 days of fiscal year-end

Exception: If you only deduct fees and clients receive statements directly from the qualified custodian, you avoid the surprise exam requirement.

FINRA Advertising and Communications Rules

FINRA Rule 2210 governs all member communications. Violations result in fines starting at $5,000 per violation.

Three Communication Categories:

Retail Communications (distributed to more than 25 retail investors in 30 days):

  • Must be approved by a registered principal before first use
  • File with FINRA within 10 business days of first use if the communication includes performance rankings, comparisons, or projections
  • Retain for 3 years from last use

Correspondence (distributed to 25 or fewer retail investors in 30 days):

  • Review and supervision required but not pre-approval
  • Retain for 3 years

Institutional Communications (distributed only to institutional investors):

  • Review and supervision required
  • No filing requirement
  • Retain for 3 years

Prohibited Content:

  • Predictions or projections of investment performance
  • Promissory language ("guaranteed returns", "risk-free")
  • Testimonials from clients (with narrow exceptions for certain institutional communications)
  • Unsubstantiated claims about firm rankings or awards
  • Performance data without required disclosures

Required Disclosures for Performance Advertising:

  • Time period covered
  • Whether performance is gross or net of fees
  • Material market or economic conditions during the period
  • Whether results are actual or hypothetical
  • Statement that past performance does not guarantee future results

Social Media Specific Rules:

  • LinkedIn recommendations count as testimonials (generally prohibited)
  • Third-party posts on your firm's page are attributable to your firm
  • Hyperlinks to third-party content require the same review as original content
  • Static content (profile pages) requires principal approval before posting
  • Interactive content (posts, comments) requires supervision and post-review

Implementation Steps:

  1. Designate a registered principal as advertising supervisor
  2. Create an advertising approval log tracking date, approver, and filing status
  3. Use a compliance platform (Smarsh, Global Relay, Hearsay Systems) to archive social media
  4. Establish a 24-hour review SLA for social media posts flagged by your archiving system

Client Data Protection Under Regulation S-P

Regulation S-P requires investment advisers to protect client information and notify clients of privacy practices.

Privacy Notice Requirements:

  • Deliver initial privacy notice at the time you establish a customer relationship
  • Deliver annual privacy notice to all customers (note: SEC eliminated this requirement for advisers who don't share information with non-affiliates, but state laws may still require it)
  • Include: categories of information collected, categories of affiliates and non-affiliates with whom you share information, security measures in place

Safeguards Rule Compliance: Implement a written information security program that includes:

  1. Designated Security Coordinator: Assign a qualified individual to oversee the program
  2. Risk Assessment: Document specific risks to client information in your environment
  3. Safeguard Design: Implement controls proportionate to identified risks
  4. Service Provider Oversight: Require contractual security obligations from vendors with access to client data
  5. Program Evaluation: Test and monitor the effectiveness of safeguards annually

Minimum Technical Controls:

  • Encrypt all client data at rest using AES-256
  • Encrypt data in transit using TLS 1.2 or higher
  • Implement multi-factor authentication for all systems containing client data
  • Deploy endpoint detection and response (EDR) software on all workstations
  • Maintain offline, encrypted backups with 30-day retention
  • Patch critical vulnerabilities within 30 days of vendor release

Access Control Matrix:

  • Advisers: Full access to assigned client records only
  • Operations staff: Read-only access to client records, write access to billing systems
  • Compliance: Full access for examination purposes
  • IT administrators: System access only, no business data access without documented need
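
The matrix above can be expressed as a single deny-by-default decision function. The following is an added example, not code from the guide or from Revenue Institute; the role names, the adviser-to-client assignment table and the change-ticket field that stands in for a "documented need" are constructed for illustration.

```python
"""Authorization check implementing the access control matrix (added example).

Roles, resources and the assignment table below are constructed; in practice
the decision is fed by the identity provider and CRM of record.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: adviser user id -> client ids that adviser is assigned to.
ADVISER_ASSIGNMENTS = {"adviser-ann": {"C001", "C002"}, "adviser-bob": {"C003"}}


@dataclass
class Request:
    user: str
    role: str            # adviser | operations | compliance | it_admin
    action: str          # read | write
    resource: str        # client_record | billing | system
    client_id: str = ""  # set when resource == "client_record"
    ticket: str = ""     # documented business need (IT administrators only)


def authorize(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for one request; anything unmatched is denied."""
    if req.role == "adviser":
        if req.resource != "client_record":
            return False, "advisers are limited to client records"
        if req.client_id in ADVISER_ASSIGNMENTS.get(req.user, set()):
            return True, "assigned client"
        return False, "client not assigned to this adviser"
    if req.role == "operations":
        if req.resource == "client_record" and req.action == "read":
            return True, "operations read-only on client records"
        if req.resource == "billing":
            return True, "operations may read and write billing"
        return False, "operations may not write client records"
    if req.role == "compliance":
        if req.resource in ("client_record", "billing"):
            return True, "compliance full access for examination purposes"
        return False, "compliance has no system-level access"
    if req.role == "it_admin":
        if req.resource == "system":
            return True, "administrative system access"
        if req.ticket:
            return True, f"business data access under documented need {req.ticket}"
        return False, "IT administrators need a documented need for business data"
    return False, "unknown role"  # deny by default
```

Log the returned reason alongside each decision; the denied requests are the ones worth reviewing during the annual program evaluation.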

Vendor Due Diligence Checklist: Before engaging any vendor with access to client data:

  • Obtain SOC 2 Type II report (issued within last 12 months)
  • Review business continuity and disaster recovery plans
  • Confirm cyber liability insurance coverage of at least $5 million
  • Execute Business Associate Agreement (if handling health information) or Data Processing Agreement
  • Document annual review of vendor security posture

Incident Response Protocol

Reportable Incidents (notify SEC within 48 hours):

  • Unauthorized access to client account credentials
  • Ransomware affecting client data
  • Data exfiltration of 500+ client records
  • Disruption of critical business operations for 4+ hours

Incident Response Steps:

  1. Contain (Hour 0-2): Isolate affected systems, disable compromised credentials
  2. Assess (Hour 2-8): Determine scope of breach, identify affected clients
  3. Notify (Hour 8-48): Report to SEC via FINRA Gateway, notify affected clients
  4. Remediate (Day 2-30): Implement corrective controls, engage forensics firm
  5. Document (Day 30-60): Prepare incident report, update response procedures

Client Notification Template: "On [DATE], we discovered unauthorized access to our systems that may have exposed your [SPECIFIC DATA TYPES]. We have no evidence your information has been misused. We have implemented [SPECIFIC REMEDIATION STEPS]. We are offering [12/24] months of credit monitoring through [PROVIDER]. To enroll, call [NUMBER] by [DATE]."

Marketing Performance Claims

Time-Weighted Return Calculation: Use the Modified Dietz method or daily valuation for composite performance. Do not cherry-pick best-performing accounts.

Composite Construction Rules:

  • Include all fee-paying, discretionary accounts managed to the same strategy
  • Do not exclude accounts due to poor performance
  • Document composite definition in writing
  • Maintain composite from inception forward (no retroactive changes)
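
A worked version of the Modified Dietz calculation and the composite rules above, added here as an example (not the guide's own code). Account values, cash flows and the 30-day period are constructed; eligibility is decided by the composite definition (fee-paying, discretionary) and never by performance, so the weaker account stays in.

```python
"""Modified Dietz account returns rolled into an asset-weighted composite (added example).

The sample accounts are constructed; real composites take period data from the
portfolio accounting system.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    begin_value: float
    end_value: float
    flows: list[tuple[int, float]] = field(default_factory=list)  # (day, amount), deposits positive
    fee_paying: bool = True
    discretionary: bool = True


def modified_dietz(acct: Account, days: int) -> float:
    """Return (EMV - BMV - CF) / (BMV + sum(w_i * CF_i)),
    where w_i = (days - day_i) / days is the fraction of the period flow i was invested."""
    net_flow = sum(amt for _, amt in acct.flows)
    weighted = sum(amt * (days - day) / days for day, amt in acct.flows)
    return (acct.end_value - acct.begin_value - net_flow) / (acct.begin_value + weighted)


def composite_return(accounts: list[Account], days: int) -> tuple[float, list[str]]:
    """Asset-weight every eligible account by its Modified Dietz denominator.

    Eligibility follows the written composite definition only; an account is never
    dropped for poor performance. Returns (composite return, names included)."""
    eligible = [a for a in accounts if a.fee_paying and a.discretionary]
    numer = total = 0.0
    for a in eligible:
        weight = a.begin_value + sum(amt * (days - day) / days for day, amt in a.flows)
        numer += weight * modified_dietz(a, days)
        total += weight
    return numer / total, [a.name for a in eligible]


# Constructed sample period of 30 days.
SAMPLE = [
    Account("A", 100_000.0, 108_000.0),                      # +8.0%
    Account("B", 200_000.0, 190_000.0),                      # -5.0%, must still be included
    Account("C", 50_000.0, 66_000.0, [(15, 10_000.0)]),      # deposit on day 15
    Account("D", 80_000.0, 90_000.0, fee_paying=False),      # outside the composite definition
]
```

Comparing the full composite with one that silently drops account B shows how much the cherry-picked figure overstates results.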

Model vs. Actual Performance:

  • Clearly label model performance as "hypothetical"
  • Disclose material assumptions (rebalancing frequency, transaction costs, tax treatment)
  • Include disclaimer: "Model performance does not represent actual trading and may not reflect the impact of material economic and market factors"

Third-Party Ratings Disclosure: If advertising Barron's ranking, Investopedia award, or similar recognition:

  • Disclose methodology (assets under management, client retention, regulatory record)
  • State whether you paid to participate
  • Note the date of the ranking
  • Include: "Rankings and recognition from third parties are not indicative of future performance"

Annual Compliance Program Review

Required Review Elements (document completion by December 31):

  • Review of all advertising and marketing materials used in the past year
  • Testing of trade allocation procedures for fairness
  • Verification of custody arrangements and client statement delivery
  • Assessment of conflicts of interest and disclosure adequacy
  • Evaluation of business continuity plan effectiveness
  • Review of personal trading by access persons
  • Assessment of Code of Ethics compliance

Documentation Requirements: Prepare a written annual review report that includes:

  • Summary of testing performed
  • Deficiencies identified
  • Corrective actions implemented
  • Recommended policy updates
  • Sign-off by Chief Compliance Officer

File this report with board minutes or maintain in compliance files for SEC examination.

Reviewed by Revenue Institute

This guide is actively maintained and reviewed by the implementation experts at Revenue Institute. As the creators of The AI Workforce Playbook, we test and deploy these exact frameworks for professional services firms scaling without new headcount.
