SEC Rule 204-2 is the primary recordkeeping rule for registered investment advisers. If your firm is SEC-registered, Rule 204-2 defines what records you must make, what records you must keep, and for how long. It is one of the most frequently examined areas during SEC inspections, and recordkeeping deficiencies are among the most common findings in SEC examination reports.
This article explains what Rule 204-2 requires, how the retention periods work, how Regulation S-P adds a parallel recordkeeping obligation for your information security program, and what SEC examiners look for when they review your books and records.
What Rule 204-2 Covers
Rule 204-2 under the Investment Advisers Act of 1940 requires SEC-registered investment advisers to make and preserve specific categories of books and records. The rule is organized around the types of records that reflect an adviser's core advisory activities and business operations.
The main categories include:
Client records. Advisory contracts or agreements with each client. Client account records. Any written communications with clients, including emails, letters, and account statements. Documentation of investment recommendations and the basis for those recommendations.
Trading and portfolio records. Order tickets and trade confirmations. Records of discretionary versus non-discretionary trades. Account statements for client accounts maintained at the firm. Records of any securities that the firm holds in custody.
Financial records. Trial balances. Income and expense records. Check books and bank statements. Bills and invoices. Financial statements. Records of compensation received, including fees, commissions, and soft dollars.
Compliance records. Written compliance policies and procedures required under Rule 206(4)-7. Records of your annual compliance review. Records of any compliance violations found and the corrective actions taken. The firm's code of ethics and records of required code of ethics reports.
Marketing and performance records. Advertisements and marketing materials, including website content and presentations. Performance records supporting any performance claims, with enough underlying data to verify the calculations.
Organizational records. Partnership agreements, articles of incorporation, minute books, and other organizational documents. These are generally kept for the life of the firm plus three years.
Retention Periods Under Rule 204-2
Rule 204-2 establishes a tiered retention framework.
Five-year retention. Most records required by Rule 204-2 must be retained for a minimum of five years from the end of the fiscal year in which the document was created or the fiscal year to which the record relates. This covers client correspondence, trade records, financial records, and compliance records.
Easily accessible for first two years. Within the five-year retention period, records must be maintained in an easily accessible place for the first two years. This means the firm can produce them promptly during an SEC examination without needing to retrieve them from off-site storage. Electronic records stored in cloud systems accessible to firm personnel satisfy this requirement, provided the system can produce records in a legible format on request.
Life of firm plus three years. Partnership agreements, corporate charters, minute books, and similar organizational documents must be retained for the life of the entity plus three years after dissolution.
Seven-year retention for Reg S-P records. Regulation S-P imposes a longer seven-year retention period for records related to the information security program, including the written incident response program, risk assessments, service provider oversight documentation, and breach response records. Where a record could be required under both Rule 204-2 and Reg S-P, the longer Reg S-P retention period applies.
How Electronic Storage Works Under Rule 204-2
Most investment advisers store records electronically rather than in paper form. Rule 204-2 permits electronic storage under specific conditions.
Records stored electronically must be maintained in a manner that preserves the original content and cannot be altered without detection. The most common method is write-once, read-many (WORM) storage, which creates a non-rewritable, non-erasable archive. Alternatively, firms can use electronic storage systems that maintain a complete audit trail showing any modifications made to a record after initial storage.
Electronic records must be readily accessible and retrievable. If the SEC issues a document request list during an examination, the firm must be able to produce requested records in a legible, printable format within the timeframe the examiners specify, typically within a few business days.
Firms using cloud storage must be able to confirm they retain control of the records and that the storage provider will preserve access for the full retention period. Losing access to records because a software vendor discontinued a product is not an acceptable explanation for failing to produce documents during an examination.
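A constructed illustration of the audit-trail approach described above (an added example, not code from the original article or from any storage vendor): each storage or modification is appended to a SHA-256 hash-chained trail, and a verification pass reports content changed outside that trail or trail entries removed or rewritten. Record ids and contents are made up.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AuditedArchive:
    """Audit-trail alternative to WORM storage: every store or change is appended to a hash-chained
    trail, so content altered in place, or trail entries deleted or rewritten, show up in verify()."""

    def __init__(self) -> None:
        self.records: dict[str, bytes] = {}  # current content per record id (constructed store)
        self.trail: list[dict] = []          # append-only, hash-chained audit entries

    def _append(self, record_id: str, action: str, digest: str) -> None:
        prev = self.trail[-1]["entry_hash"] if self.trail else "0" * 64  # genesis link
        entry = {"record_id": record_id, "action": action, "digest": digest,
                 "prev": prev, "at": datetime.now(timezone.utc).isoformat()}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.trail.append(entry)

    def store(self, record_id: str, content: bytes) -> None:
        """Initial storage; an id is stored once and any later change must go through supersede()."""
        if record_id in self.records:
            raise ValueError(f"{record_id} already stored; use supersede()")
        self.records[record_id] = content
        self._append(record_id, "store", sha256_hex(content))

    def supersede(self, record_id: str, content: bytes) -> None:
        """Post-storage modification, logged so the change itself becomes part of the audit trail."""
        self.records[record_id] = content
        self._append(record_id, "supersede", sha256_hex(content))

    def verify(self) -> list[str]:
        """Findings; an empty list means the chain is intact and every record matches its last logged digest."""
        findings, prev, latest = [], "0" * 64, {}
        for i, e in enumerate(self.trail):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                findings.append(f"audit trail broken at entry {i}")
                break  # nothing after a broken link can be trusted
            prev, latest[e["record_id"]] = e["entry_hash"], e["digest"]
        for rid, digest in latest.items():
            if rid not in self.records:
                findings.append(f"{rid}: record missing")
            elif sha256_hex(self.records[rid]) != digest:
                findings.append(f"{rid}: content altered outside the audit trail")
        return findings
```

Truncating the trail after a supersede is also caught, because the current content then no longer matches the last digest that survives in the trail.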
Reg S-P's Recordkeeping Obligation
Regulation S-P imposes a parallel and in some respects more demanding recordkeeping obligation focused specifically on the firm's information security program.
The amended Reg S-P rule, effective for smaller investment advisers as of June 3, 2026, requires firms to document:
The written incident response program. The program itself is a required record. It must describe the firm's policies and procedures for detecting, responding to, and recovering from unauthorized access to or use of customer information. This document must be tailored to the firm's specific operations, not a generic template.
The cybersecurity risk assessment. Reg S-P requires that the incident response program be based on a risk assessment of the firm's specific threat environment. The risk assessment document, and any annual updates to it, are required records.
Service provider oversight documentation. Records of due diligence conducted on service providers, vendor contracts with required security provisions, and ongoing monitoring activities must be maintained.
Breach response records. If a covered data breach occurs, the firm must document: when the breach was detected, what information was affected, the notification decisions made, the content of any customer notifications sent, and the corrective actions taken. These records support both the SEC's examination process and any regulatory reporting obligations.
All of these Reg S-P records must be maintained for seven years from the date of creation.
What SEC Examiners Look For in Recordkeeping Reviews
When the SEC examines an investment adviser's books and records, examiners typically issue a document request list before arriving at the firm. This list covers specific Rule 204-2 categories tailored to the firm's type and business activities.
Common exam findings in the recordkeeping area:
Missing trade records. Examiners compare account statements against trade confirmations. Missing or incomplete trade records, particularly for discretionary accounts, are a frequent deficiency.
Incomplete client files. Advisory agreements that are unsigned, outdated, or do not reflect the current fee arrangement are a common finding. Client files should include the current advisory agreement, the current Form ADV Part 2 delivery confirmation, and correspondence relevant to the advisory relationship.
Code of ethics gaps. Firms must maintain records of required access person reports under the code of ethics, including personal securities transaction reports. Missing or incomplete access person records are frequently cited.
Compliance review not documented. Rule 206(4)-7 requires an annual review of the compliance program. If that review was not reduced to writing and retained as a record, the firm cannot demonstrate it occurred.
Reg S-P policies not current. Examiners now specifically request the firm's Reg S-P incident response program and the underlying risk assessment. Firms that have a generic policy that predates the amended rule, or that cannot locate their policy, face an immediate deficiency finding.
No disposal procedures. Reg S-P requires documented procedures for disposing of customer information in a manner that protects against unauthorized access. Firms that lack a written data destruction or disposal policy are cited both for the missing policy and for the absence of records showing that disposal activities took place.
The Connection to Your Annual 206(4)-7 Compliance Review
Rule 206(4)-7 requires registered investment advisers to review their compliance policies and procedures at least annually. That review must be documented, and the documentation is itself a Rule 204-2 record.
A thorough annual compliance review covers the recordkeeping program as a standing agenda item. The review should confirm:
- All required Rule 204-2 record categories are being maintained
- Electronic storage systems meet the non-alteration and accessibility requirements
- Retention schedules are current and reflect any changes to the firm's business activities
- Reg S-P policies have been reviewed and updated where the firm's technology or vendors have changed, and the risk assessment reflects the current threat environment
- Records of the Reg S-P review, including the date and the names of personnel involved, are retained
A firm that can show a documented annual compliance review addressing recordkeeping specifically is in a substantially stronger position during an SEC examination than one that handles recordkeeping informally.
Building a Recordkeeping Program That Holds Up to Examination
A recordkeeping program that passes SEC examination scrutiny has three components.
A written recordkeeping policy. The policy identifies each Rule 204-2 record category applicable to the firm's business, specifies the retention period for each category, and designates the responsible personnel. It also addresses electronic storage standards and the process for producing records during an examination.
A records retention schedule. A living document that maps each record type to its retention period, storage location, and destruction date. The schedule should be updated whenever the firm's business activities change.
An annual review of the program. At least once a year, the CCO or designated compliance personnel should confirm that all required records are being maintained, that no records have been inadvertently deleted, and that the electronic storage system continues to meet Rule 204-2 requirements. This review should be documented.
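The tiered periods from the retention section and the per-record schedule described above, worked through as an added example (not the article's own tool and not the rule text): fiscal year end, record names and dates are constructed, and the easily-accessible window for a Reg S-P-only record is an assumption, since the article states that window only for Rule 204-2 records.

```python
import calendar
from datetime import date

# Retention tiers as the article describes them (constants constructed for this example).
RULE_204_2_YEARS = 5         # five years from the end of the fiscal year
EASILY_ACCESSIBLE_YEARS = 2  # first two years in an easily accessible place
REG_SP_YEARS = 7             # seven years from the date of creation


def fiscal_year_end(d: date, fy_end_month: int = 12) -> date:
    """Last day of the fiscal year in which d falls; the fiscal year need not be the calendar year."""
    fye = date(d.year, fy_end_month, calendar.monthrange(d.year, fy_end_month)[1])
    if d <= fye:
        return fye
    return date(d.year + 1, fy_end_month, calendar.monthrange(d.year + 1, fy_end_month)[1])


def add_years(d: date, years: int) -> date:
    """Anniversary of d; a 29 February start rolls to 28 February (assumption made here)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_schedule(name: str, created: str, *, rule_204_2: bool = True,
                       reg_sp: bool = False, fy_end_month: int = 12) -> dict:
    """Earliest permissible destruction date for one record (ISO dates) and the controlling basis.

    A record that is both a Rule 204-2 record and a Reg S-P information security record
    keeps the longer of the two periods.
    """
    created_d = date.fromisoformat(created)
    candidates = []  # (retain_until, easily_accessible_until, basis)
    if rule_204_2:
        start = fiscal_year_end(created_d, fy_end_month)
        candidates.append((add_years(start, RULE_204_2_YEARS),
                           add_years(start, EASILY_ACCESSIBLE_YEARS), "Rule 204-2: 5 years from fiscal year end"))
    if reg_sp:
        # Easily-accessible window counted from creation for Reg S-P: an assumption, not stated in the article.
        candidates.append((add_years(created_d, REG_SP_YEARS),
                           add_years(created_d, EASILY_ACCESSIBLE_YEARS), "Reg S-P: 7 years from creation"))
    if not candidates:
        raise ValueError(f"{name}: record not classified under any retention obligation")
    retain_until, _, basis = max(candidates, key=lambda c: c[0])  # longer period controls
    accessible_until = max(c[1] for c in candidates)
    return {"record": name, "retain_until": retain_until.isoformat(),
            "easily_accessible_until": accessible_until.isoformat(), "basis": basis}
```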
For most small investment advisers, the Reg S-P recordkeeping obligation is the newest and least-established part of the compliance program. Firms that already have a functioning Rule 204-2 recordkeeping program can add Reg S-P compliance by creating the required written policies, documenting the annual risk assessment update, and logging any service provider due diligence activities or breach events.
RegShield generates all four required Reg S-P documents, including a compliant recordkeeping procedures policy, in about 15 minutes. Visit regshield.co/start to generate your firm's compliance documents.
Rees Calder
Rees is the founder of RegShield and CEO of Levity Leads Ltd. He works with small registered investment advisers to simplify SEC compliance, with a focus on making Regulation S-P requirements accessible and actionable for firms that lack dedicated compliance departments.