examination-readiness
Examination Readiness — SEC & FINRA Regulatory Examinations
Purpose
Prepare registered investment advisers, broker-dealers, and their compliance teams for SEC and FINRA examinations. This skill covers the full examination lifecycle — from risk-based selection and notification through document production, staff interviews, deficiency findings, remediation, and follow-up. It provides frameworks for mock examinations, annual compliance reviews, and proactive use of published examination priorities to reduce regulatory risk.
Layer
9 — Compliance & Regulatory Guidance
Direction
prospective
When to Use
- Receiving an SEC or FINRA examination notification letter and preparing a response
- Organizing and producing documents in response to an initial document request list (IDR)
- Responding to a deficiency letter or examination findings
- Designing or conducting an internal mock examination program
- Reviewing SEC or FINRA annual examination priorities for proactive compliance planning
- Conducting the annual compliance review required under SEC Rule 206(4)-7
- Assessing whether the firm's compliance program, policies, and procedures are examination-ready
- Preparing key personnel for staff interviews during an examination
- Evaluating remediation progress after prior examination findings
- Building an examination readiness checklist organized by functional area
- Advising a newly registered firm on what to expect from its first regulatory examination
Core Concepts
SEC Examination Process (Division of Examinations)
The SEC's Division of Examinations (formerly the Office of Compliance Inspections and Examinations, or OCIE) conducts examinations of registered entities including investment advisers, broker-dealers, transfer agents, clearing agencies, and self-regulatory organizations. The Division uses a risk-based approach to select firms for examination and to determine the scope and intensity of each exam.
Risk-based selection. The Division selects firms for examination based on a range of risk indicators rather than examining every registrant on a fixed schedule. Selection criteria include:
- New registrant status — Newly registered investment advisers and broker-dealers are frequently examined within the first one to three years of registration. These initial examinations assess whether the firm has implemented the compliance infrastructure described in its registration filings.
- Risk indicators and quantitative screens — The Division uses data analytics to identify firms with characteristics associated with higher risk: rapid asset growth, concentrated portfolios, high employee turnover, customer complaint patterns, significant regulatory history, unusual fee structures, or material conflicts of interest.
- Tips, complaints, and referrals — Complaints from investors, tips from whistleblowers (including those submitted under the SEC Whistleblower Program established by Section 21F of the Securities Exchange Act of 1934), and referrals from other SEC divisions or regulatory bodies can trigger cause examinations.
- Sweep examinations — The Division periodically conducts industry-wide sweep examinations focused on a single issue or practice across many firms simultaneously. Recent sweep topics have included off-channel communications, Reg BI implementation, private fund fee practices, and ESG-related disclosures.
Types of examinations:
- Routine/periodic examinations — Scheduled examinations conducted as part of the Division's ongoing oversight program. These typically cover a broad range of compliance topics and may review multiple years of activity.
- Cause examinations — Triggered by a specific complaint, tip, referral, or red flag. Cause examinations are typically narrower in scope, focused on the specific issue that prompted the examination, but can expand if additional problems are discovered.
- Sweep examinations — Industry-wide examinations focused on a single topic. Sweep exams allow the Division to assess industry-wide compliance with a particular rule or to evaluate emerging risks across many firms. Results often inform future rulemaking or guidance.
Examination lifecycle:
- Notification letter — The examination begins with a notification letter (sometimes called an "announcement letter") sent to the firm. The letter identifies the examination team, provides an initial document request list (IDR), and specifies a deadline for document production (typically two to four weeks). For cause examinations, the notification may be abbreviated or, in rare circumstances, the examination may begin without advance notice.
- Document production — The firm produces the requested documents, typically through a secure file-sharing platform. The initial IDR is often extensive (see the Document Production section below). The examination staff may issue supplemental document requests as they review the initial production.
- On-site or remote examination — Examination staff conduct their review either on-site at the firm's offices or remotely (remote examinations became common during and after the COVID-19 pandemic and remain a standard option). The review includes analysis of documents, records, and data.
- Staff interviews — Examiners conduct interviews with key personnel, typically including the Chief Compliance Officer (CCO), portfolio managers, traders, operations staff, and senior management. Interviews may be informal discussions or more structured questioning sessions. Firms should prepare interviewees by reviewing relevant policies and recent compliance activity, but should not coach witnesses to give scripted answers.
- Follow-up requests — As the examination progresses, staff frequently issue additional document requests or ask clarifying questions based on their findings. Responsiveness and transparency during this phase are important.
- Exit conference — Near the end of the examination, staff typically hold an exit conference with the firm to discuss preliminary observations and potential areas of concern. The exit conference is not a formal proceeding, and the observations discussed may change before a final determination is made.
- Outcome — The examination concludes with one of several outcomes: (a) a no-action letter or no further action (the examination revealed no material issues); (b) a deficiency letter identifying compliance deficiencies and requesting a written response describing corrective actions; (c) a referral to the SEC's Division of Enforcement for potential enforcement action (reserved for more serious violations or patterns of non-compliance).
Typical duration. SEC examinations typically last from several weeks to several months, depending on the firm's size, the scope of the examination, the complexity of issues discovered, and the responsiveness of the firm's document production.
Firms' rights during examination. Firms have the right to: receive identification of the examination staff and their supervisors; understand the general scope of the examination; request reasonable extensions for document production deadlines (extensions are granted at the staff's discretion); have counsel present during interviews (though the SEC may interview individuals separately); and receive a closing communication describing the examination outcome. Firms may also submit a response to preliminary findings discussed at the exit conference before a deficiency letter is finalized.
FINRA Examination Process
FINRA (the Financial Industry Regulatory Authority) examines its member broker-dealer firms through its Risk Monitoring and Examination programs. As a self-regulatory organization (SRO), FINRA has direct authority to examine, sanction, and discipline its members — a key distinction from the SEC, which must refer potential enforcement actions to its Division of Enforcement.
Types of FINRA examinations:
- Cycle examinations — Regular examinations conducted on a schedule determined by the firm's risk profile. Higher-risk firms are examined more frequently (annually or even continuously for the largest firms), while lower-risk firms may be examined on a two- to four-year cycle. The cycle exam typically covers a broad range of compliance areas.
- Cause examinations — Triggered by specific concerns such as customer complaints, tips, unusual trading patterns, financial difficulties, or referrals from other regulators. Cause exams are focused on the specific issue that prompted the examination.
- Sweep examinations — Similar to SEC sweeps, FINRA conducts targeted reviews across multiple firms to assess industry-wide compliance with specific rules or to evaluate emerging risks.
Risk-based approach. FINRA assigns each member firm a risk rating based on a comprehensive assessment of factors including the firm's business model, product mix, customer demographics, complaint history, financial condition, regulatory history, and supervisory structure. This risk rating determines examination frequency and intensity.
- Annual risk assessment — FINRA provides firms with an annual risk assessment summary identifying the key risk areas FINRA associates with the firm's business. This summary can be a valuable tool for compliance planning.
- Examination priorities letter — FINRA publishes an annual examination and risk monitoring priorities letter identifying the topics and issues that will be focal points for the coming year. This letter is a critical compliance planning resource (see the Annual Examination Priorities section below).
Key differences from SEC examinations:
- Direct sanction authority — FINRA can impose sanctions directly through its Department of Enforcement, including fines, suspensions, bars, expulsions, and censures. The SEC, by contrast, must bring enforcement actions through its own Division of Enforcement or through administrative proceedings.
- Financial surveillance — FINRA conducts ongoing financial surveillance of member firms, including monitoring net capital compliance (SEC Rule 15c3-1), reviewing FOCUS reports (Financial and Operational Combined Uniform Single reports filed monthly or quarterly), and assessing the financial health of firms. FINRA may take emergency action if a firm's financial condition deteriorates below minimum thresholds.
- Trade surveillance — FINRA operates sophisticated market surveillance programs (including the Cross-Market Surveillance system) to detect potential market manipulation, insider trading, and other trading violations.
Annual Examination Priorities
Both the SEC Division of Examinations and FINRA publish annual examination priorities or focus areas that signal where regulatory attention will be concentrated in the coming year. These publications are among the most important compliance planning tools available.
SEC Division of Examinations annual priorities. The Division publishes its examination priorities early each calendar year. Recent recurring themes have included:
- Regulation Best Interest (Reg BI) compliance — Assessment of broker-dealer compliance with Reg BI's Disclosure, Care, Conflict of Interest, and Compliance Obligations (17 CFR 240.15l-1). The SEC has examined both the written policies and the actual practices of firms, with particular attention to whether recommendations are in the customer's best interest and whether conflicts are adequately disclosed and mitigated.
- Investment adviser fiduciary duty — Examination of advisers' compliance with their fiduciary obligations, including duty of care and duty of loyalty, as interpreted by the SEC in its June 2019 Fiduciary Interpretation.
- Private fund advisers — Scrutiny of fee calculations, expense allocations, performance reporting, preferential treatment of certain investors (side letters), and compliance with new rules under the Investment Advisers Act.
- ESG and sustainability claims — Review of whether advisers and funds that market themselves as ESG-focused actually implement the ESG investment processes they describe. The SEC has brought enforcement actions for "greenwashing" — claiming ESG integration that does not occur in practice.
- Cybersecurity and information security — Assessment of firms' cybersecurity programs, including governance, access controls, data loss prevention, incident response plans, vendor management, and compliance with Regulation S-P (privacy of consumer financial information) and Regulation S-ID (identity theft red flags).
- Crypto and digital assets — Examination of firms offering digital asset products or services, including custody arrangements, valuation practices, and compliance with securities laws.
- Off-channel communications — Review of whether firms are capturing and retaining business-related communications conducted through personal devices, text messages, messaging apps (WhatsApp, Signal, iMessage), or other channels outside the firm's approved communication platforms. This has been a major enforcement focus, with the SEC and FINRA imposing billions of dollars in combined penalties across dozens of firms.
- Anti-money laundering — Review of AML programs, particularly SAR filing practices, customer risk rating, and beneficial ownership due diligence.
- Marketing Rule compliance — Assessment of compliance with the SEC's Marketing Rule (Rule 206(4)-1), including performance advertising, hypothetical performance, testimonials, and endorsements.
FINRA annual examination priorities. FINRA's annual report on examination and risk monitoring activities similarly identifies key focus areas. Recurring FINRA priorities include:
- Reg BI and Form CRS — Compliance with Regulation Best Interest and the requirement to deliver and file Form CRS.
- Communications with the public — Compliance with FINRA Rule 2210, including social media supervision and digital communications.
- Market integrity — Surveillance for manipulative trading, best execution compliance, and order handling obligations.
- Financial crimes — AML program effectiveness, fraud detection, and sanctions compliance.
- Firm operations — Net capital compliance, customer protection (Rule 15c3-3), books and records, and business continuity planning.
Using exam priority letters for proactive compliance planning. Firms should treat published examination priorities as a roadmap for their own internal compliance reviews. Best practices include:
- Reading the SEC and FINRA priority letters immediately upon publication and assessing the firm's readiness in each identified area.
- Conducting targeted internal reviews or mock examinations of the highest-priority topics.
- Updating compliance policies and procedures to address new or evolving priority areas.
- Allocating compliance resources — staff time, technology, and budget — to priority areas.
- Briefing senior management and the board on examination priorities and the firm's preparedness.
Document Production and Requests
Document production is often the most operationally demanding phase of a regulatory examination. The initial document request list (IDR) sets the tone for the examination, and the quality and timeliness of the firm's response significantly influence the examination experience.
Typical items on an initial document request list. While every IDR is tailored to the specific examination, common elements include:
- Compliance program documents — Written compliance policies and procedures (the compliance manual), code of ethics, annual compliance review reports, CCO designation documentation, compliance committee meeting minutes.
- Organizational and governance documents — Organizational charts, ownership structure, affiliated entity relationships, board or governance committee minutes, management committee meeting minutes.
- Registration and regulatory documents — Current and historical Form ADV (Parts 1, 2A, 2B), Form BD, Form CRS, state registration filings, regulatory examination history, correspondence with regulators.
- Advertising and marketing materials — All advertisements, pitchbooks, fact sheets, website content, social media archives, client newsletters, performance presentations, and the advertising review log.
- Client documents — Client agreements (advisory agreements, brokerage agreements), fee schedules, client onboarding documents, suitability or Reg BI documentation, account opening documents.
- Fee and billing records — Fee calculation methodology, billing records, fee schedules, any fee adjustments or waivers, accounts with negotiated fees.
- Trading and investment records — Trade blotters, order tickets, allocation records, best execution reviews, soft dollar arrangements, brokerage committee minutes, directed brokerage documentation.
- Complaint and litigation records — Customer complaint log, complaint files, litigation and arbitration history, regulatory action history, whistleblower complaints.
- Exception reports — Trade error logs, personal trading exception reports, gifts and entertainment logs, outside business activity records, political contribution records.
- Cybersecurity and technology — Written information security policy, incident response plan, business continuity plan, vendor due diligence files, penetration testing reports, cybersecurity risk assessments, data breach history.
- AML program documents — AML compliance program, OFAC screening procedures, SAR filing records, CTR filing records, AML independent testing report.
- Books and records — Financial statements, trial balances, FOCUS reports (for broker-dealers), net capital computations, customer reserve computations.
Scope management. Effective scope management is critical to a successful examination response:
- Understand the request — Before gathering documents, carefully read each IDR item to ensure you understand what is being asked. If an item is ambiguous, seek clarification from the examination staff promptly.
- Gather documents systematically — Assign responsibility for each IDR item to specific individuals, with clear deadlines. Use a tracking spreadsheet or project management tool to monitor completion.
- Quality review before production — Before submitting documents, a senior compliance person (ideally the CCO or outside counsel) should review the production for completeness, accuracy, and consistency. Look for inadvertent production of privileged documents.
- Privilege considerations — Attorney-client privileged documents and attorney work product should be identified and withheld from production. Prepare a privilege log if withholding documents on privilege grounds. Inadvertent production of privileged documents can result in waiver of the privilege.
- Document hold obligations — Upon receiving an examination notification, the firm should implement a document hold to ensure that no relevant documents are destroyed, altered, or deleted during the examination. This includes suspending automatic deletion policies for emails and electronic records within the scope of the examination.
Electronic document production. Examination staff increasingly expect electronic production:
- Documents should be produced in their native format or as searchable PDFs, organized by IDR item number.
- Metadata should be preserved unless the examination staff specifies otherwise.
- Email production should include headers, attachments, and threading information.
- Large productions are typically submitted through SEC or FINRA secure file-sharing platforms.
- Maintain an index of all documents produced, cross-referenced to each IDR item.
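The last two points (preserving metadata and keeping an index cross-referenced to each IDR item) can be enforced with a small script rather than a hand-maintained spreadsheet. The following is an added example, not code from the original page or from the SEC or FINRA: it walks a production folder laid out as `IDR-<item>/...` (that layout is an assumption), records each file's IDR item, size, modification time and SHA-256 hash in a CSV index, reports IDR items with no files produced, and can re-verify the production later to show nothing was altered after submission. The sample files in `demo()` are constructed for illustration.

```python
"""Production index builder for regulatory document production (added example).

Assumed layout: <production_root>/IDR-<item number>/<files or subfolders>
The index gives the firm a defensible record of exactly what was produced,
under which IDR item, and a hash to prove it was not altered afterwards.
"""
import csv
import hashlib
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

IDR_DIR_RE = re.compile(r"^IDR-(\d+)$")  # assumed folder naming convention
FIELDS = ["idr_item", "relative_path", "size_bytes", "modified_utc", "sha256"]


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large productions do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> list[dict]:
    """One row per produced file, cross-referenced to its IDR item number."""
    rows = []
    for item_dir in root.iterdir():
        m = IDR_DIR_RE.match(item_dir.name)
        if not item_dir.is_dir() or not m:
            continue  # ignore stray files such as a previously written index
        item = int(m.group(1))
        for f in item_dir.rglob("*"):
            if not f.is_file():
                continue
            st = f.stat()
            rows.append({
                "idr_item": item,
                "relative_path": f.relative_to(root).as_posix(),
                "size_bytes": st.st_size,
                # original modification time is recorded rather than the production date
                "modified_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
                .isoformat(timespec="seconds"),
                "sha256": sha256_file(f),
            })
    rows.sort(key=lambda r: (r["idr_item"], r["relative_path"]))
    return rows


def missing_items(rows: list[dict], expected_items) -> list[int]:
    """IDR items the firm was asked for but has produced nothing under."""
    return sorted(set(expected_items) - {r["idr_item"] for r in rows})


def verify_manifest(root: Path, rows: list[dict]) -> list[str]:
    """Re-hash every indexed file; report anything missing or changed since indexing."""
    problems = []
    for r in rows:
        p = root / r["relative_path"]
        if not p.is_file():
            problems.append(f"missing: {r['relative_path']}")
        elif sha256_file(p) != r["sha256"]:
            problems.append(f"modified: {r['relative_path']}")
    return problems


def write_manifest_csv(rows: list[dict], out_path: Path) -> None:
    with out_path.open("w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=FIELDS)
        w.writeheader()
        w.writerows(rows)


def demo() -> dict:
    """Constructed sample production: files under IDR items 1 and 3, nothing under item 2."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "IDR-1").mkdir()
        (root / "IDR-1" / "compliance-manual.pdf").write_bytes(b"%PDF-1.7 constructed sample\n")
        (root / "IDR-1" / "code-of-ethics.pdf").write_bytes(b"%PDF-1.7 constructed sample 2\n")
        (root / "IDR-3" / "emails").mkdir(parents=True)
        (root / "IDR-3" / "emails" / "2024-q1.eml").write_bytes(b"Subject: constructed sample\n")
        rows = build_manifest(root)
        write_manifest_csv(rows, root / "production-index.csv")
        clean = verify_manifest(root, rows)
        # simulate a file being altered after production; verification must flag it
        (root / "IDR-1" / "code-of-ethics.pdf").write_bytes(b"altered after production\n")
        tampered = verify_manifest(root, rows)
        return {
            "files": [r["relative_path"] for r in rows],
            "missing_items": missing_items(rows, [1, 2, 3]),
            "clean_problems": clean,
            "tampered_problems": tampered,
        }


if __name__ == "__main__":
    print(demo())
```

Run `build_manifest` on the final production folder immediately before upload and keep the CSV with the production file; running `verify_manifest` against the same rows at a later date shows whether the copy retained by the firm still matches what was given to the examination staff, which also supports the document hold obligation described above.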
Common Deficiency Findings
Understanding the most frequently cited deficiency areas allows firms to focus their compliance efforts where examination risk is highest. Across SEC and FINRA examinations, the following categories consistently generate the most findings.
(a) Compliance program gaps. Deficiencies in the overall compliance program are among the most common findings:
- Outdated policies and procedures that have not been revised to reflect current regulations, business practices, or organizational changes.
- Policies that do not match actual practices — "paper compliance" where written procedures exist but are not followed in practice.
- Failure to conduct the annual compliance review required under SEC Rule 206(4)-7, or conducting a review that is superficial and does not meaningfully assess the adequacy of the compliance program.
- Insufficient compliance resources — a CCO without adequate time, authority, budget, or staff to implement the compliance program effectively.
(b) Books and records violations. Books and records deficiencies are pervasive:
- Incomplete records, including missing trade confirmations, account statements, or client correspondence.
- Communication archiving failures — failure to capture and retain business-related communications, particularly those conducted through personal devices, text messages, or unapproved messaging platforms. This has been one of the most heavily penalized areas in recent years, with the SEC and FINRA imposing penalties exceeding $2 billion across more than 60 firms for off-channel communication recordkeeping failures.
- Failure to maintain required books and records in the format and for the retention periods specified by SEC Rules 17a-3, 17a-4 (broker-dealers) and Rule 204-2 (investment advisers).
(c) Advertising violations. Advertising deficiencies are a top examination focus:
- Misleading performance presentations, including showing gross-only performance without corresponding net performance, cherry-picking favorable time periods, or presenting backtested performance without required disclosures.
- Testimonials without required disclosures under the SEC Marketing Rule (Rule 206(4)-1).
- Social media posts by associated persons that were not reviewed, approved, or archived by the firm.
- Failure to maintain the advertising review log or to document the compliance review process for marketing materials.
(d) Custody rule issues. Custody deficiencies arise frequently for investment advisers:
- Inadvertent custody — situations where an adviser has custody of client assets without recognizing it (e.g., through authority to deduct fees from client accounts, serving as trustee of a client trust, or controlling a client's bill-paying service).
- Failure to comply with the surprise examination requirement when the adviser has custody.
- Failure to ensure that qualified custodians send account statements directly to clients at least quarterly.
(e) Fee calculation errors. Fee-related deficiencies are a recurring concern:
- Overbilling clients due to incorrect asset valuations, failure to apply fee breakpoints, or charging fees on assets that should be excluded (such as legacy positions or cash).
- Failure to calculate fees consistent with the methodology described in the advisory agreement or Form ADV Part 2A.
- Not refunding overbilled fees promptly upon discovery.
(f) Code of ethics violations. Code of ethics deficiencies include:
- Unreported personal trading by access persons in violation of SEC Rule 204A-1.
- Failure to obtain pre-clearance for personal trades in reportable securities.
- Inadequate monitoring of gifts and entertainment, particularly from broker-dealers, custodians, or other service providers.
- Failure to collect and review initial and annual holdings reports and quarterly transaction reports from access persons.
(g) Cybersecurity weaknesses. Cybersecurity deficiencies have become increasingly prominent:
- Lack of a written information security policy or a policy that is not tailored to the firm's specific technology environment and risks.
- Inadequate access controls, including failure to implement multi-factor authentication, excessive user privileges, and lack of timely deprovisioning of former employee accounts.
- Failure to conduct regular vulnerability assessments or penetration testing.
- Inadequate incident response planning and testing.
- Insufficient vendor due diligence for third-party service providers with access to firm systems or client data.
Deficiency letter structure. A deficiency letter from the SEC Division of Examinations typically identifies each deficiency by category, describes the specific factual findings, cites the applicable rule or statutory provision, and requests a written response within 30 days (or another specified period) describing the corrective actions the firm has taken or plans to take. FINRA deficiency letters follow a similar format. The letter may also note areas where the staff observed practices that, while not rising to the level of a deficiency, could be improved.
Deficiency Response and Remediation
How a firm responds to a deficiency letter is a critical determinant of whether the matter is resolved at the examination stage or escalated to enforcement.
Responding to a deficiency letter:
- Timeline — Deficiency letters typically require a written response within 30 days. If additional time is needed, request an extension promptly and explain the reason. Most examination staff will grant reasonable extensions, particularly if remediation is complex.
- Content of the response — The response should address each deficiency finding individually and include: (1) an acknowledgment of the finding (or, if the firm disagrees, a clear and respectful explanation of why); (2) a description of the corrective action already taken; (3) a timeline for completing any remediation not yet finished; (4) identification of the person or persons responsible for each corrective action; (5) a description of any enhanced controls or monitoring implemented to prevent recurrence.
- Tone — The response should be professional, thorough, and constructive. Defensive or dismissive responses increase the risk of escalation. Where the firm agrees with a finding, acknowledge it directly. Where the firm disagrees, present the factual and legal basis for the disagreement clearly, without being adversarial.
- Legal review — Have compliance counsel (internal or external) review the response before submission. The response becomes part of the firm's regulatory record and may be referenced in future examinations or enforcement proceedings.
Remediation best practices:
- Root cause analysis — For each deficiency, identify the root cause — not just the symptoms. Was the deficiency caused by a policy gap, a training failure, a technology limitation, a staffing shortfall, or a failure of supervisory oversight? Effective remediation requires addressing the underlying cause.
- Policy updates — Revise policies and procedures to address the identified deficiency. Ensure the revised policy is specific and actionable, not merely aspirational.
- Enhanced training — Provide targeted training to the personnel involved in the deficiency area. Document the training content, attendees, and date.
- Monitoring for recurrence — Implement testing or monitoring procedures to verify that the corrective action is effective and that the deficiency does not recur. For example, if a deficiency involved fee calculation errors, implement a periodic fee billing audit.
- Testing effectiveness — After a reasonable period (typically 60 to 90 days), test whether the remediation is working as intended. Document the testing results.
- Documentation — Maintain a comprehensive remediation file for each deficiency, including the original finding, root cause analysis, corrective actions taken, policy revisions, training records, monitoring results, and effectiveness testing. This file should be readily available for the next examination.
Distinction between outcomes:
- Deficiency letter (requiring response) — The most common outcome when issues are identified. The firm must respond in writing describing corrective actions.
- Examination findings with no further action — The examination staff may communicate observations informally (at the exit conference or in a closing letter) without issuing a formal deficiency letter. These observations should still be taken seriously and addressed proactively.
- Referral to enforcement — In cases involving serious violations, patterns of non-compliance, harm to investors, fraud, or failure to remediate prior deficiencies, the examination staff may refer the matter to the SEC Division of Enforcement or FINRA's Department of Enforcement for potential formal action. Referrals may result in civil penalties, disgorgement, cease-and-desist orders, censures, suspensions, or bars.
Mock Examination Frameworks
Internal mock examinations are one of the most effective tools for maintaining examination readiness and identifying compliance gaps before regulators do.
Designing a mock examination program:
- Frequency — Conduct mock examinations at least annually. Higher-risk areas or areas where deficiencies were previously identified should be reviewed more frequently (semi-annually or quarterly).
- Scope selection — Use the SEC and FINRA annual examination priorities as a starting point for selecting mock exam topics. Also consider areas where the firm has experienced compliance incidents, client complaints, or operational changes.
- Simulate the document request — Prepare a mock IDR modeled on actual SEC or FINRA document request lists. Issue the mock IDR to the relevant business units and compliance personnel with a realistic deadline.
- Test document retrieval and production capabilities — Evaluate whether the firm can locate, compile, and organize the requested documents within the specified timeframe. Identify bottlenecks in document retrieval — areas where records are disorganized, incomplete, or difficult to access.
- Interview key personnel — Conduct mock interviews with personnel who would be interviewed during an actual examination (CCO, portfolio managers, traders, operations staff). Assess whether they can articulate the firm's compliance practices, describe their roles accurately, and respond to probing questions without becoming defensive or evasive.
- Identify gaps — Document all gaps, weaknesses, and areas for improvement identified during the mock examination. Categorize findings by severity (critical, significant, minor) and functional area.
- Report results — Prepare a written report summarizing the mock examination findings and recommendations. Present the report to senior management, the compliance committee, or the board of directors, as appropriate. The report should include specific remediation recommendations with assigned owners and deadlines.
- Track remediation — Follow up on remediation of mock examination findings using the same discipline applied to actual regulatory findings.
Using compliance consultants. Firms may engage external compliance consultants to conduct independent mock examinations. External mock exams provide several benefits: the consultant brings fresh perspective and experience from examinations at other firms; the exercise is more realistic because business personnel interact with an unfamiliar examiner; and the results carry more weight with senior management. When selecting a consultant, prioritize individuals with recent SEC or FINRA examination experience.
Annual Compliance Review (Rule 206(4)-7)
SEC Rule 206(4)-7 under the Investment Advisers Act of 1940 requires every registered investment adviser to: (1) adopt and implement written policies and procedures reasonably designed to prevent violation of the Advisers Act and its rules; (2) designate a chief compliance officer responsible for administering the compliance program; and (3) review the adequacy of the policies and procedures and the effectiveness of their implementation at least annually.
Conducting the annual review. The annual compliance review is a regulatory requirement, not a discretionary exercise. It should be documented in writing and presented to senior management. The review should assess:
- Regulatory changes — Identify new rules, rule amendments, SEC guidance, no-action letters, and enforcement actions that may require updates to the firm's policies and procedures. Each regulatory change should be mapped to the specific policy or procedure it affects.
- Compliance incidents and outcomes — Review all compliance incidents that occurred during the review period, including trade errors, policy violations, customer complaints, regulatory inquiries, and the outcomes of those incidents. Assess whether the incidents reveal patterns or systemic weaknesses.
- Testing results — Summarize the results of compliance testing conducted during the review period, including trade surveillance testing, advertising review, fee billing audits, code of ethics monitoring, and any mock examination findings.
- Training completion — Confirm that all required compliance training was completed during the review period. Identify any personnel who did not complete required training and the steps taken to address the gap.
- Vendor oversight — Review the firm's oversight of third-party service providers, including custodians, sub-advisers, technology vendors, and other material service providers. Assess whether vendor due diligence was conducted and whether vendor performance and compliance were monitored.
- Technology changes — Evaluate whether changes to the firm's technology environment (new systems, platform migrations, cybersecurity incidents) require updates to compliance policies or procedures.
- Organizational changes — Assess the impact of any organizational changes — new business lines, personnel changes, office openings or closings, mergers or acquisitions — on the compliance program.
- Recommendations — The annual review should conclude with specific, actionable recommendations for improving the compliance program, along with a timeline and responsible persons for implementation.
Documentation. The annual compliance review must be documented. While the SEC does not prescribe a specific format, the documentation should be sufficient to demonstrate that a thorough review was conducted. SEC examination staff regularly request the annual compliance review report as one of their first IDR items.
Examination Readiness Checklist
The following checklist, organized by functional area, identifies key documents and evidence that should be organized, current, and readily accessible at all times — not assembled only when an examination is announced.
Registration and organizational:
- Current Form ADV Parts 1, 2A, 2B (and all amendments filed during the review period)
- Current Form CRS (required for advisers and broker-dealers that serve retail investors, not only dual registrants)
- Form BD and FINRA membership documents (for broker-dealers)
- Organizational charts reflecting current structure
- Ownership and control documentation
- List of affiliated entities and related persons
- State registration filings
Compliance program:
- Written compliance policies and procedures (current version with revision history)
- Code of ethics (current version)
- CCO designation documentation
- Annual compliance review report (current and prior two years)
- Compliance committee or management meeting minutes
- Compliance calendar showing scheduled activities and deadlines
- Compliance testing reports and results
- Regulatory correspondence file (all communications with SEC, FINRA, state regulators)
- Prior examination deficiency letters and the firm's responses
- Remediation tracking documentation
Trading and investments:
- Trade blotters and order tickets
- Trade allocation records and allocation policies
- Best execution review documentation
- Soft dollar arrangement records and Section 28(e) analysis
- Brokerage committee or trading committee minutes
- Directed brokerage documentation
- Error correction log and resolution documentation
Advertising and marketing:
- Advertising review log (all materials reviewed, with dates, reviewer, and disposition)
- Copies of all advertisements disseminated (print, digital, social media, email)
- Social media archives (all platforms used by the firm and associated persons)
- Performance calculation support (worksheets, data sources, methodologies)
- Hypothetical performance policies and procedures
Custody and client assets:
- Custody determination analysis
- Surprise examination engagement letter and report (if applicable)
- Qualified custodian statements (confirming direct client delivery)
- Fee deduction authorization documentation
AML and financial crimes:
- AML compliance program (written procedures)
- AMLCO designation
- AML independent testing report (current and prior year)
- AML training records
- SAR filing records and supporting documentation
- OFAC screening records and procedures
- Customer risk rating documentation
Cybersecurity:
- Written information security policy
- Incident response plan (current, tested)
- Business continuity plan (current, tested)
- Vulnerability assessment and penetration testing reports, with evidence that the findings were remediated or formally risk-accepted
- Vendor due diligence files for technology service providers
- Data breach notification records (if any)
- Employee cybersecurity training records
Books and records:
- Financial statements (current and prior two years)
- FOCUS reports (broker-dealers)
- Net capital computations (broker-dealers)
- Customer reserve computations (broker-dealers)
- Client agreements (advisory and brokerage)
- Fee schedules and billing records
- Complaint log and complaint files
- Personal trading reports (initial and annual holdings, quarterly transactions)
- Gifts and entertainment log
- Outside business activity records
- Political contribution records
Worked Examples
Example 1: Newly registered RIA receives first SEC examination notification
Scenario: A registered investment adviser that has been in operation for 18 months and manages $350 million in client assets receives its first SEC examination notification letter. The firm has four employees: the founder/portfolio manager (who is also the designated CCO), a junior analyst, an operations manager, and an administrative assistant. The initial document request list contains 45 items spanning compliance policies, trading records, advertising materials, fee calculations, and cybersecurity documentation. The firm has 21 calendar days to produce the documents. The CCO has never been through a regulatory examination.
Compliance Issues:
- New registrants are a high-priority examination category for the SEC Division of Examinations. The staff will assess whether the firm has actually implemented the compliance program described in its Form ADV.
- A firm whose founder serves as both portfolio manager and CCO presents an inherent conflict: the CCO oversees the compliance of the person who owns the firm and makes its investment decisions. The dual role is permitted, and common at small advisers, but SEC staff will scrutinize whether the compliance function is genuinely independent and effective, and whether the CCO has the time and authority to administer the program.
- With only four employees, the firm has limited resources to manage a 45-item document request while continuing normal operations.
- New registrants frequently have compliance policies that were adopted at registration but never updated or tailored to reflect the firm's actual practices as the business developed during its first 18 months.
Analysis: The CCO should take the following steps immediately upon receiving the notification letter:
- Engage outside compliance counsel or a compliance consultant with SEC examination experience; attempting to navigate a first examination without experienced guidance significantly increases risk.
- Implement a document hold the same day: suspend automatic deletion of email, chat and other records within the scope of the request, and confirm in writing with IT and any hosting or archiving vendors that retention has been extended for the duration of the examination.
- Assign responsibility for each IDR item to a specific person with an internal deadline at least five days before the SEC deadline, leaving time for a quality review of the production.
- Conduct a rapid self-assessment: compare the firm's written compliance policies to its actual practices and identify any material gaps. If the compliance manual was adopted at registration but not updated since, the gap will be apparent to examiners and should be acknowledged proactively.
- Prepare for staff interviews. The SEC will almost certainly interview the CCO/founder at length about the compliance program, fee calculations, trading practices, and advertising. The founder should be able to articulate the firm's investment process, its compliance controls, and how conflicts of interest (including the dual PM/CCO role) are managed.
- Review the firm's Form ADV for accuracy. The examination staff will compare the ADV disclosures to actual practices, and any inconsistencies will generate findings.
Common mistakes first-time examinees make include: producing documents without a quality review (resulting in incomplete or disorganized productions that frustrate staff and extend the examination); becoming defensive during interviews rather than being forthcoming and professional; and failing to request a reasonable extension when the production deadline is genuinely unachievable (staff often grant a short extension if it is requested promptly, with a specific reason and a proposed rolling production schedule).
Example 2: Deficiency letter with six findings requiring structured response
Scenario: A mid-size investment adviser ($2 billion AUM, 30 employees) receives a deficiency letter from the SEC Division of Examinations following a routine examination. The letter identifies six deficiency findings: (1) custody rule violations — the adviser has custody of three client accounts because it serves as trustee, but has not obtained the annual surprise examination by an independent public accountant required by Rule 206(4)-2; (2) advertising compliance — the firm's website includes backtested performance for a model portfolio without required disclosures regarding methodology, assumptions, limitations, or risks, and without net performance alongside gross performance, in violation of Rule 206(4)-1; (3) incomplete books and records — the firm failed to retain business-related text messages exchanged between the portfolio manager and a broker-dealer counterparty, in violation of Rule 204-2; (4) code of ethics — two access persons failed to submit quarterly transaction reports for three consecutive quarters, and the firm had no process to identify or follow up on missing reports, in violation of Rule 204A-1; (5) annual compliance review — the firm's most recent annual review under Rule 206(4)-7 was a two-page summary that did not assess the adequacy of any specific policy or procedure; (6) cybersecurity — the firm had no written incident response plan and had not conducted a risk assessment of its information technology systems. The firm has 30 days to respond.
Compliance Issues:
- Six findings spanning multiple compliance areas suggest systemic compliance program weaknesses rather than isolated lapses.
- The custody rule violation is the most serious finding because it directly affects client asset safety. Failure to comply with Rule 206(4)-2 is an area where the SEC has historically pursued enforcement action.
- The off-channel communications finding (failure to retain text messages) aligns with a major SEC enforcement priority — the Division of Enforcement has brought dozens of actions against firms for recordkeeping failures related to off-channel communications.
- The inadequate annual compliance review finding suggests that the firm's overall compliance oversight is deficient, which undermines the credibility of the firm's compliance program as a whole.
Analysis: The firm should structure its response as follows. First, engage compliance counsel to assist in drafting the response — given the number and seriousness of the findings, professional guidance is important. Second, address each finding individually in the order presented in the deficiency letter. For each finding, the response should: acknowledge the finding (or explain the basis for disagreement, if applicable); describe the root cause; detail the specific corrective actions already taken; provide a timeline for any remaining remediation; and identify the responsible person.
For finding (1) (custody), an adviser that serves as trustee has custody of the trust assets, and none of the exceptions to the surprise examination requirement in Rule 206(4)-2(b) (such as the fee-deduction and audited pooled investment vehicle provisions) covers that situation. The firm should immediately engage an independent public accountant to conduct the surprise examination under Rule 206(4)-2(a)(4), confirm that the qualified custodian delivers account statements directly to the trust beneficiaries or other appropriate parties, and correct the custody disclosures in Form ADV Part 1, Item 9. The response should confirm the engagement, identify the accountant, and state the expected completion date; the accountant files Form ADV-E with the results of the examination. For finding (2) (advertising), the firm should remove the non-compliant backtested performance from its website immediately and describe the process for revising the content to include net performance, methodology disclosures, risk and limitation disclosures, and audience access controls as required by Rule 206(4)-1. For finding (3) (books and records), the firm should restrict business communications to an approved, archived platform, deploy a messaging capture and archiving solution for any mobile channel it permits (mobile device management enforces which applications may be used but does not by itself retain message content), issue a revised communication policy prohibiting business communications through unapproved channels, obtain periodic employee attestations, and train all employees. For finding (4) (code of ethics), the firm should collect the missing quarterly transaction reports retroactively, implement tracking that flags reports missing or filed after the 30-day deadline in Rule 204A-1 and escalates them to the CCO, and discipline or counsel the access persons who failed to file. For finding (5) (annual compliance review), the firm should engage an external compliance consultant to conduct a comprehensive annual review covering all required elements under Rule 206(4)-7, with the results documented in a detailed written report presented to management. For finding (6) (cybersecurity), the firm should engage an information security consultant to conduct a risk assessment and develop a written incident response program of the kind the amended Regulation S-P safeguards rule requires, with a tabletop test scheduled within 90 days.
The firm should prioritize the custody finding and the off-channel communications finding, as these carry the highest enforcement risk, and ensure that corrective actions for these items are completed — not merely planned — before submitting the response.
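As an added example (not part of the original page or of any firm's actual system), the check below implements the kind of tracking finding (4) calls for: given the access persons, the review period and a log of when each quarterly transaction report was received, it identifies reports that are missing or were filed after the 30-day deadline in Rule 204A-1, measures runs of consecutive missing quarters, and rates each person on the critical/significant/minor scale used for mock examination findings. The access-person names, review period and submission dates are constructed sample data.

```python
"""Added example: detecting missing or late Rule 204A-1 quarterly
transaction reports. Not from the original page; the people, dates and
submission log below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Rule 204A-1(b)(2) requires each access person's quarterly transaction
# report no later than 30 days after the end of the calendar quarter.
GRACE_DAYS = 30


def quarter_end(year: int, quarter: int) -> date:
    """Last calendar day of the given quarter (1-4)."""
    last_month = quarter * 3
    if last_month == 12:
        return date(year, 12, 31)
    return date(year, last_month + 1, 1) - timedelta(days=1)


def quarters_in_period(start: date, end: date) -> list[tuple[int, int]]:
    """Calendar quarters whose quarter-end falls within [start, end]."""
    quarters = []
    year, quarter = start.year, (start.month - 1) // 3 + 1
    while True:
        qe = quarter_end(year, quarter)
        if qe > end:
            return quarters
        if qe >= start:
            quarters.append((year, quarter))
        year, quarter = (year + 1, 1) if quarter == 4 else (year, quarter + 1)


@dataclass
class Finding:
    person: str
    missing: list[tuple[int, int]]   # due date passed, no report received
    late: list[tuple[int, int]]      # report received after the due date
    consecutive_missing: int         # longest run of missing quarters
    severity: str                    # critical / significant / minor / none


def review_reports(access_persons, received, period_start, period_end, as_of):
    """received maps person -> {(year, quarter): date the report arrived}."""
    required = quarters_in_period(period_start, period_end)
    findings = []
    for person in access_persons:
        got = received.get(person, {})
        missing, late = [], []
        for yq in required:
            due = quarter_end(*yq) + timedelta(days=GRACE_DAYS)
            if yq not in got:
                if as_of > due:          # a report not yet due is no finding
                    missing.append(yq)
            elif got[yq] > due:
                late.append(yq)
        run = longest = 0
        for yq in required:
            run = run + 1 if yq in missing else 0
            longest = max(longest, run)
        if longest >= 3:
            severity = "critical"        # the pattern in the deficiency letter
        elif missing:
            severity = "significant"
        elif late:
            severity = "minor"
        else:
            severity = "none"
        findings.append(Finding(person, missing, late, longest, severity))
    return findings


def escalations(findings):
    """Names to escalate to the CCO: anyone with an overdue, unfiled report."""
    return [f.person for f in findings if f.severity in ("critical", "significant")]


# Constructed sample data for a 2024 review run on 15 Feb 2025 (Q4 2024
# reports were due 30 Jan 2025, so a missing Q4 report already counts).
ACCESS_PERSONS = ["pm_alpha", "analyst_beta", "ops_gamma"]
RECEIVED = {
    "pm_alpha": {(2024, 1): date(2024, 4, 12), (2024, 2): date(2024, 7, 9),
                 (2024, 3): date(2024, 10, 14), (2024, 4): date(2025, 1, 20)},
    "analyst_beta": {(2024, 1): date(2024, 4, 25)},   # Q2-Q4 never filed
    "ops_gamma": {(2024, 1): date(2024, 5, 10),        # ten days late
                  (2024, 2): date(2024, 7, 22), (2024, 3): date(2024, 10, 3),
                  (2024, 4): date(2025, 1, 28)},
}


def demo():
    return review_reports(ACCESS_PERSONS, RECEIVED,
                          date(2024, 1, 1), date(2024, 12, 31), date(2025, 2, 15))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.person}: severity={f.severity} missing={f.missing} late={f.late}")
    print("escalate to CCO:", escalations(demo()))
```

In the sample run, analyst_beta is rated critical (three consecutive unfiled quarters, the fact pattern in the letter), ops_gamma is minor (one late filing), and only analyst_beta is escalated. A real deployment would read the submission log from the firm's code-of-ethics system and run on a schedule a few days after each due date, so that a single missed report is caught before it becomes a multi-quarter pattern.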
Example 3: CCO building the business case for a mock examination program
Scenario: The Chief Compliance Officer of a mid-size broker-dealer (150 registered representatives, 12 branch offices) wants to implement an annual mock examination program. The firm's last FINRA cycle examination, two years ago, resulted in a deficiency letter with findings in trade surveillance, communications supervision, and branch office inspection procedures. The CCO has proposed a budget of $75,000 for annual mock examinations (including external consultant fees) and has presented the proposal to the firm's executive committee. The CEO and head of sales view the program as unnecessary overhead, arguing that the firm "already has a compliance department" and that the prior deficiency findings were "minor." They have asked the CCO to justify the expenditure.
Compliance Issues:
- The firm received deficiency findings in its last examination, which means the next FINRA examination will almost certainly include a review of whether those deficiencies were remediated effectively. Failure to demonstrate effective remediation increases the risk of escalation to formal enforcement.
- FINRA's risk-based examination approach means that firms with prior deficiency findings may be examined more frequently and with greater intensity.
- The firm's characterization of prior findings as "minor" is a red flag for compliance culture — deficiency findings should be taken seriously regardless of perceived severity.
- Under FINRA Rules 3110 (Supervision) and 3120 (Supervisory Control System), the firm is required to test and verify its supervisory procedures. A mock examination program is an effective means of satisfying this obligation.
Analysis: The CCO should build the business case on three pillars: risk reduction, cost avoidance, and regulatory expectation. On risk reduction: the firm's prior deficiency findings create a heightened examination risk profile. FINRA will expect to see documented evidence that the firm identified the root causes of the deficiencies, implemented corrective actions, and tested the effectiveness of those actions. A mock examination program produces exactly this evidence. Without it, the firm enters its next examination unable to demonstrate that it has improved, and if the same deficiencies recur, the likelihood of formal enforcement action (fines, censure, individual sanctions) increases substantially. On cost avoidance: the $75,000 annual investment should be compared with the cost of an enforcement action. FINRA fines for supervisory failures regularly exceed $500,000 and can reach millions of dollars for larger firms. Beyond fines, an enforcement proceeding brings legal fees that commonly run from the low hundreds of thousands of dollars to $1 million or more, reputational damage, higher E&O insurance premiums, and potential loss of clients. The mock examination program costs a fraction of a single enforcement action. On regulatory expectation: FINRA Rule 3120 requires the firm to test and verify its supervisory procedures and to deliver an annual report to senior management summarizing the test results and any significant exceptions, and Rule 3130 requires the chief executive officer to certify annually that the firm has processes in place to establish, maintain, review, test and modify its supervisory policies and procedures. FINRA's published examination priorities consistently emphasize testing of supervisory systems. A documented mock examination program supplies the test results those rules contemplate and demonstrates to examiners that the firm proactively identifies and addresses issues.
For program design, the CCO should propose a proportionate program: conduct one comprehensive annual mock examination covering the highest-risk areas (selected based on FINRA's published examination priorities, the firm's prior deficiency history, and any new business activities), supplemented by targeted quarterly reviews of specific compliance functions. The annual mock exam should simulate a FINRA cycle examination, including a mock IDR, document production exercise, and interviews with branch managers and supervisory personnel. Engage an external compliance consultant with FINRA examination experience for the annual comprehensive exam to ensure objectivity and credibility. The quarterly targeted reviews can be conducted internally by the compliance team, focusing on areas such as communications supervision (one quarter), trade surveillance (another quarter), branch office inspections (another quarter), and AML/financial crimes (another quarter). This phased approach distributes the workload across the year and ensures continuous monitoring rather than a single point-in-time assessment. The CCO should present the mock examination results to the executive committee after each exercise, creating a documented record of management engagement with compliance findings — a factor that FINRA considers favorably during examinations.
Common Pitfalls
- Treating examination preparation as a reactive exercise — scrambling to organize documents only after receiving a notification letter, rather than maintaining examination readiness as an ongoing practice.
- Failing to read and act on the SEC Division of Examinations' annual examination priorities and FINRA's Annual Regulatory Oversight Report (the successor to its examination priorities letter), which are effectively advance notice of what regulators plan to focus on.
- Producing documents to regulators without a quality review, resulting in incomplete or disorganized productions, or the inadvertent production of privileged materials, which extend the examination and create negative impressions.
- Coaching interviewees to give scripted or evasive answers rather than preparing them to respond honestly and knowledgeably — examiners are experienced at detecting rehearsed responses, and evasiveness raises red flags.
- Responding to deficiency letters with vague promises ("we will enhance our procedures") rather than specific, concrete corrective actions with assigned owners and completion dates.
- Failing to conduct root cause analysis for deficiency findings, resulting in superficial fixes that do not address the underlying problem and lead to recurring findings in subsequent examinations.
- Treating the annual compliance review under Rule 206(4)-7 as a check-the-box exercise rather than a genuine assessment of the compliance program — examiners can easily distinguish between a substantive review and a perfunctory one.
- Allowing the CCO to be marginalized or under-resourced, which examiners will identify through interviews and organizational analysis as evidence of inadequate compliance culture.
- Failing to implement a document hold upon receiving an examination notification, resulting in the destruction of potentially relevant records.
- Not tracking and following up on remediation of prior deficiency findings — regulators will specifically review whether prior findings were addressed, and unresolved prior findings significantly increase enforcement risk.
- Conducting mock examinations but failing to document findings and remediation, negating much of the program's value as evidence of proactive compliance.
- Ignoring "informal" observations communicated at the exit conference or in a closing letter simply because they were not included in a formal deficiency letter — these observations frequently become formal findings in the next examination if not addressed.
Cross-References
- books-and-records (Layer 9) — Records readiness is the foundation of examination readiness; the ability to produce complete, accurate, and well-organized records in response to document requests is the single most important factor in examination outcomes.
- advertising-compliance (Layer 9) — Advertising and marketing materials are a top SEC and FINRA examination focus area; Marketing Rule compliance and FINRA Rule 2210 supervision are routinely reviewed.
- privacy-data-security (Layer 9) — Cybersecurity is a recurring SEC examination priority; firms' information security programs, incident response plans, and vendor oversight are regularly examined.
- anti-money-laundering (Layer 9) — AML program review is a standard component of FINRA examinations and an increasingly common focus of SEC examinations; AML independent testing reports and SAR filing practices are frequently requested.
- conflicts-of-interest (Layer 9) — Conflict identification, disclosure, and management is examined closely in both SEC and FINRA examinations, particularly in the context of fee arrangements, compensation structures, and affiliated transactions.
- client-disclosures (Layer 9) — Disclosure document completeness and accuracy (Form ADV, Form CRS, brochure supplements) are routinely reviewed; discrepancies between disclosures and actual practices are a common deficiency finding.
- reg-bi (Layer 9) — Regulation Best Interest compliance is a current top examination priority for both the SEC and FINRA; examinations assess both written policies and actual recommendation practices.
- sales-practices (Layer 9) — Supervision of sales practices, suitability determinations, and supervisory control systems are core FINRA examination areas under Rules 3110 and 3120.
- fiduciary-standards (Layer 9) — Fiduciary duty compliance, including duty of care and duty of loyalty, is assessed during investment adviser examinations; the SEC's Fiduciary Interpretation provides the framework examiners apply.