Every SEC-registered investment adviser must maintain written compliance policies and procedures under Rule 206(4)-7. This is not a best practice. It is a legal requirement, and Reg S-P now adds specific mandatory written-program elements on top of it.
The most common misconception about investment adviser compliance is that it is a state of mind rather than a paper record. Firms that have been operating carefully for years sometimes discover, at their first examination, that careful operation is not the same as documented compliance. The SEC does not credit intentions. Examiners evaluate written policies, documented annual reviews, and evidence of implementation.
Rule 206(4)-7, adopted in 2003, established the foundational compliance program requirement for all SEC-registered advisers. Regulation S-P, substantially amended in 2023 and fully in force since 2026, added another layer of mandatory written policies covering information security. The result is that any SEC-registered adviser operating today without a comprehensive written compliance program is carrying two separate rule violations simultaneously.
This guide explains what a compliant program must include, how the pieces connect, and where most small firms still have gaps.
What Rule 206(4)-7 Actually Mandates
Rule 206(4)-7 has three distinct obligations, each of which SEC examiners test independently.
Adopt Written Policies and Procedures
The rule requires written policies and procedures that are "reasonably designed to prevent violations" of the Advisers Act and its rules. Two words matter here.
"Written" is literal. An undocumented policy does not exist for examination purposes. The SEC examination staff has stated this repeatedly in risk alerts and examination findings: oral instructions, informal practices, and shared understandings among staff do not satisfy the written requirement.
"Reasonably designed" sets the standard. Your policies do not need to be comprehensive enough to prevent every conceivable violation. They need to reflect the actual risks of your business and include proportionate safeguards. A $50 million RIA managing conservative equity accounts for individual clients has a different risk profile than a firm running leverage strategies for institutions. The written policies should reflect that difference.
Review Annually for Adequacy and Effectiveness
The rule requires at least annual review of written policies and procedures. The two-part test matters: adequacy (are the policies designed correctly) and effectiveness (are they actually working).
A policy that is adequate on paper but never followed fails the effectiveness test. Examiners probe this by asking how recently each policy was used, who was responsible for implementing specific procedures, and whether documented outcomes match the written process. If your breach notification policy says you will notify within 30 days but no one has ever read it since you drafted it, that is an effectiveness problem.
Designate a Chief Compliance Officer
Every SEC-registered adviser must designate a CCO who is responsible for administering the compliance program. At large firms, the CCO is typically a dedicated position. At small and solo firms, the CCO is usually a principal or owner who wears that hat alongside other responsibilities.
The SEC has clarified that there is no prohibition on serving as your own CCO. What the SEC does scrutinize is whether the CCO has actual authority, actual responsibility, and the knowledge to administer the program effectively. A CCO designation that exists only on Form ADV without substantive involvement in the compliance program is a red flag.
The Core Areas Your Written Policies Must Cover
Rule 206(4)-7 does not enumerate every required topic. It sets a standard (reasonably designed to prevent violations) and requires policies and procedures covering your firm's activities. The SEC's risk alerts, examination findings, and 2023 guidance documents identify the areas that examiners routinely review:
Portfolio Management and Trading
Policies covering how investment decisions are made, documented, and reviewed. For firms managing discretionary accounts, this includes procedures for trade allocation, best execution, and documentation of the investment rationale where material.
Fiduciary Duty and Disclosures
Investment advisers owe clients a fiduciary duty. Written policies must address how the firm identifies and manages conflicts of interest, how material information is disclosed, and how the firm ensures its advice is in clients' best interests. Form ADV is the primary disclosure document, but policies must also govern what gets updated, when, and how.
Advertising and Marketing
Following the SEC's Marketing Rule (Rule 206(4)-1), written policies must govern the review and approval of marketing materials, testimonials, performance claims, and third-party ratings. This is one of the most active examination focus areas in recent cycles.
Personal Securities Transactions
Policies governing access persons' holdings, reporting requirements, pre-clearance procedures where applicable, and prohibited transactions. The written policies must define who qualifies as an access person at your firm.
Custody
If your firm has custody of client assets, or is deemed to have custody based on client authorization arrangements, written policies must address safeguarding, surprise audits, and reporting under Rule 206(4)-2.
Business Continuity and Disaster Recovery
Written procedures for maintaining operations during disruptions, protecting client records, and communicating with clients. This overlaps with Reg S-P incident response in material ways.
Information Security and Regulation S-P
This is where most small firms have the largest current gap. The amended Regulation S-P, fully in effect since 2026, requires specific written-program elements that go beyond a general information security policy. These are described in detail below.
Where Regulation S-P Fits In Your Compliance Program
Regulation S-P is not a separate compliance project. It is a required module of your Rule 206(4)-7 compliance program, with written policies that must be reviewed annually alongside everything else.
The four written-program components Reg S-P requires are:
Written Incident Response Program. A documented procedure for detecting, containing, investigating, and notifying clients of unauthorized access to customer information. The notification requirement has a 30-day clock from the date the firm determines an incident occurred.
Service Provider Oversight Policies. Written procedures for conducting due diligence on service providers with access to customer data, requiring contractual data security obligations, and monitoring those providers on an ongoing basis. This applies to your custodian, portfolio management software, CRM, and any third-party that can reach your clients' personal financial information.
Breach Notification Procedures. Pre-drafted templates and a documented process for notifying affected customers when an incident triggers the notification requirement. Having these ready before an incident materially reduces the risk of missing the 30-day window.
Recordkeeping Procedures. Written policies covering how you retain compliance records, for how long (five years, first two in accessible form), and who is responsible for maintaining them. Rule 204-2 sets the underlying record retention requirements; your written policies must address how you meet them.
Each of these must be in your written policies and procedures document. Each must be tested as part of your annual Rule 206(4)-7 review. A compliance program that addresses trading, fiduciary duty, and advertising but does not include written Reg S-P policies is incomplete under current rules, and SEC examiners will find that gap.
For a detailed breakdown of what the Reg S-P annual review must cover, see the Reg S-P and annual Rule 206(4)-7 review guide.
What the Written Policies Actually Need to Say
Compliance policies should be specific enough to be actionable. The most common deficiency SEC examiners note is policies that describe an intention without specifying implementation.
"The firm will protect client data" is not a policy. A policy names who is responsible, what the trigger is, what the specific steps are, and what documentation results. "In the event of a suspected unauthorized access to customer information, the Chief Compliance Officer will within 24 hours initiate containment steps including [x, y, z], document the incident, and begin the 30-day notification clock" is closer to a policy.
Useful framing tests for each policy:
- Can a new employee follow this procedure without asking anyone?
- Would an SEC examiner reading this understand what actually happens at the firm?
- Is there a documented way to prove the procedure was followed?
Policies that fail any of these three tests need revision.
What SEC Examiners Request in a Compliance Program Review
When the SEC initiates an examination, the document request list typically includes the compliance program materials from the opening letter. Based on published risk alerts and deficiency letter patterns, examiners routinely request:
- The current written compliance policies and procedures document
- The most recent annual review report, including the date, who conducted the review, what was tested, what gaps were found, and what remediation was taken
- Evidence that the CCO reviewed and approved the policies
- Any written updates to policies made during the examination period
- Reg S-P-specific documentation: the incident response policy, the service provider inventory and due diligence records, any breach notifications sent, and the breach notification template
The most common pattern in deficiency letters is not a firm with obviously wrong policies. It is a firm with policies that have not been updated since the firm was founded, or policies that describe procedures the firm no longer follows, or a compliance program that has no Reg S-P component despite the rule being in force.
An examiner who finds that you have not updated your written policies to incorporate amended Reg S-P will note a violation of both Regulation S-P and Rule 206(4)-7. That is two separate rule failures from one documentation gap.
For a detailed look at how examination deficiency letters work and how to respond, see the SEC Reg S-P deficiency letter guide.
The Solo and Small Firm Reality
For a two-person RIA, building a written compliance program can feel like compliance infrastructure built for a Goldman-sized firm. The SEC is aware of this perception, and the rule's reasonableness standard accounts for it.
What reasonableness does not mean: smaller firms are exempt from written policies, or that the CCO designation is a formality. The written policies can be shorter and less complex. The annual review can take a day rather than a quarter. But the documentation must exist, and the review must happen.
The practical reality for solo and small firms is that the CCO is usually the owner or managing partner. That person has to conduct the annual review, update the written policies when the business changes, and be able to explain the compliance program to an examiner. RegShield's compliance documents are designed for exactly this situation: examination-ready written policies that a solo CCO can maintain without outside help.
For the particular compliance challenges solo advisers face, see the Reg S-P compliance guide for solo RIAs.
Building vs. Buying Your Written Policies
For the four Reg S-P-specific written-program requirements, small firms have three options:
Build from scratch. Draft policies yourself using SEC release language and published examination findings. This can work for a former compliance professional. For principals without compliance backgrounds, the risk is drafting policies that sound complete but miss examination-specific requirements.
Hire a compliance consultant or attorney. Typically $3,000 to $15,000 for initial drafting of an investment adviser compliance manual. More expensive for ongoing updates and review support.
Use a purpose-built service. RegShield generates the four Reg S-P-specific documents that small advisers most commonly lack: the incident response plan, vendor oversight policies, breach notification templates, and recordkeeping procedures. At $299 for all four, it covers the Reg S-P gap in your compliance program in about 15 minutes.
The Reg S-P documents RegShield generates are designed to slot into your existing compliance program. They give you the written policies for the highest-risk current gap without requiring you to rebuild the full compliance manual from scratch.
To see the full list of documents RegShield generates and how the process works, visit the start page.
Frequently Asked Questions
See the FAQ section above for answers to common questions about Rule 206(4)-7 written compliance programs, small firm obligations, what areas must be covered, and how Reg S-P fits in.
Related Resources
- Reg S-P and Your Annual Rule 206(4)-7 Compliance Review
- What SEC Examiners Look For in a Reg S-P Examination
- SEC Regulation S-P Compliance Checklist for Small Investment Advisers
- Reg S-P Compliance for Solo RIAs: The One-Person Firm's Complete Guide
- SEC Rule 204-2: Investment Adviser Books and Records Requirements Explained
- SEC Reg S-P Deficiency Letters: What Happens After an Examination and How to Respond
Frequently Asked Questions
Rees Calder
Rees is the founder of RegShield and CEO of Levity Leads Ltd. He works with small registered investment advisers to simplify SEC compliance, with a focus on making Regulation S-P requirements accessible and actionable for firms that lack dedicated compliance departments.