The Importance of Annual Reviews and Where to Start

By Robert D. Conca, Partner of Shustak Reynolds & Partners, P.C. posted on Thursday, June 16, 2022.

Robert D. Conca


Location: San Diego, California
Phone: (619) 696-9500 (Ext. 121)

As most of us know, the SEC has remained active during the “COVID Era” and has been continuously examining, investigating, and enforcing the Investment Advisers Act of 1940, as amended (“Advisers Act”). A primary objective of the SEC's Division of Examinations' oversight activities is to determine whether registered investment advisers ("RIAs") are complying with regulatory requirements. Rule 206(4)-7 under the Advisers Act[1] requires that a review of an RIA’s compliance program be conducted no less frequently than annually. To determine whether firms have complied with this requirement, SEC exam staff will gather and scrutinize information regarding a firm’s annual review work during routine inspections of advisers and private funds.[2] According to the SEC, examiners will typically ask questions in at least nine broad areas as they scrutinize a firm’s annual review: (i) who conducted the review?, (ii) what was reviewed?, (iii) when was the review conducted?, (iv) how was the review conducted?, (v) what were the findings from the review work?, (vi) what recommendations were made?, (vii) what is the current status of implementing those recommendations?, (viii) what documentation was created/retained to reflect the work done?, and (ix) what was the involvement of senior management in the review?[3]

Unfortunately, the Advisers Act does not provide detailed guidance to RIAs regarding the work that should be performed while conducting an annual review. Instead, RIAs and funds have flexibility in conducting their annual reviews, which reflects the fact that such reviews should cover a wide range of activities, and that each firm should establish a review process that makes sense in light of its circumstances.[4] With such a broad requirement, the question of “where to start” is often asked by Chief Compliance Officers and other compliance personnel. Fortunately, two recent releases from the SEC are notable in how they apply to and impact registered firms’ compliance programs. This article summarizes the SEC 2022 Examination Priorities[5] and a recent SEC Risk Alert relating to the Code of Ethics and related topics, to assist firms in prioritizing their own internal reviews.

1. SEC 2022 Examination Priorities[6]

On March 29, 2022, the SEC’s Division of Examinations finally[7] issued its annual Examination Priorities (“Exam Priorities”) for fiscal year 2022. In its 10th annual publication about examination priorities, the SEC included some familiar topics from years past as well as new focus areas, which include private funds, ESG investing, protection of retail investors, cybersecurity, FinTech, and digital assets. The following provides a summary of select priorities included in the 2022 release that RIAs[8] should expect to be included in upcoming regulatory exams, and should be reviewed as part of a firm’s annual compliance review/report.

A. 2021 Examination Metrics

The 2022 Exam Priorities begin with statistics about the SEC’s 2021 examination activity. The SEC completed 3,040 examinations (approx. 16% of all RIAs) in 2021, which amounts to a 3% increase from 2020 and about the same level of activity from 2019 (which the SEC notes was “pre-Covid 19”). The 2021 exams resulted in more than 2,100 deficiency letters and over $45 million returned to investors. Notably, the 2021 exam program led to more than 190 referrals to the SEC’s Division of Enforcement.

B. Private Funds

Not surprisingly, the SEC will continue its focus on private funds, which now comprise over 35% of all RIAs and manage about $18 trillion in assets, including private equity, hedge, and real estate funds. The SEC noted that private funds often have significant investments from state and local pensions[9], and that the private fund market has grown significantly over the past several years. In addition to how private funds disclose conflicts of interest, the SEC listed the following focus areas: (1) the calculation and allocation of fees and expenses; (2) the potential preferential treatment of certain investors in private funds that have experienced issues with liquidity (e.g., imposing gates or suspending withdrawals); (3) compliance with the Custody Rule (including the “audit exception”) and related reporting on Form ADV; (4) cross trades, principal transactions, or distressed sales; (5) conflicts around liquidity, such as adviser-led restructurings and stapled secondary transactions; and (6) private fund investments in SPACs and associated risk disclosures.

C. Environmental, Social, and Governance (“ESG”) Investing

In this increasingly popular segment of the investment space, the SEC will continue to look at ESG activity and products (e.g. mutual funds, ETFs, and private funds) with a focus on accuracy of disclosures, description of investment strategy, proxy voting procedures in line with ESG mandates, and “greenwashing” (overstating or misrepresenting the ESG factors considered in the portfolio selection process).

D. Standards of Conduct: Regulation Best Interest, Fiduciary Duty, and Form CRS

This section of the Exam Priorities contains a laundry list of areas that relate to retail RIA compliance and includes: (1) consideration of alternatives (the SEC specifically mentioned the mutual fund share class issue here); (2) management of conflicts of interest; (3) trading/RIA best execution obligations; (4) Form CRS and the disclosures in that document; (5) account selection (e.g., brokerage, advisory, or wrap fee accounts); (6) account conversions and rollovers[10]; (7) effectiveness of compliance programs, testing, and training; and (8) revenue sharing arrangements.

E. Information Security and Operational Resiliency

In this section of the Exam Priorities, the SEC emphasizes the need for RIAs to control information security (hint: this is cybersecurity, among other things) and to ensure business continuity. SEC examinations will continue to review an RIA’s actions and processes relating to: (1) safeguarding of customer accounts and preventing unauthorized account access; (2) oversight of vendors and service providers; (3) addressing malicious email activities; (4) response to incidents (including ransomware attacks); (5) identification of red flags related to identity theft; (6) managing operational risk resulting from a remote or dispersed workforce; and (7) compliance with Regulations S-P and S-ID, where applicable. The SEC exams will also focus on the maturation and improvement of business continuity and disaster recovery plans over the years, as well as registrants’ ability to adapt to climate-related situations.

F. Emerging Technologies and Crypto-Assets

This exam area relates to robo-advisors and other RIAs that offer automated or digital investment advice, and the mobile apps, financial technologies (FinTech), or other electronic means through which those services are offered. The SEC made a point to mention firms that are, or claim to be, offering new products and services or employing new practices (e.g., fractional shares, “Finfluencers,” or digital engagement practices), as well as custody of crypto assets. The exams will focus on: (1) the existence of controls that are consistent with disclosures made and the standard of conduct owed to investors; (2) whether advice and recommendations, including those generated by algorithms, are consistent with investment strategies and the standard of conduct owed to investors; and (3) whether controls take into account the unique risks associated with such practices.

G. Summary – RIAs Need Strong Compliance Programs

While the annual examination topics provide insight into immediate areas of interest to the SEC, RIAs still need a smartly designed, comprehensive, and risk-based compliance program to cover all of an RIA’s obligations under the Advisers Act. The SEC directs the RIA community on this point in the Exam Priorities, which state that SEC examiners “will review whether the firm has implemented oversight practices to mitigate any heightened risks.” The SEC even mentions three examples of heightened risks RIAs might encounter, citing: (1) heightened oversight of individuals with prior disciplinary histories; (2) analysis of whether it is in a client’s best interest to transition accounts if an RIA migrates from a broker-dealer business model; and (3) review and oversight of branch office adherence to compliance programs. Additionally, the SEC reminds RIAs that advisory fees and fee processes are critical to a strong compliance program, stating that exam teams would be prioritizing advisory fee and expense issues, including disclosure, fee calculation, tiered fee errors, householding of accounts, failure to refund prepaid fees, and failure to pro-rate fees for onboarding clients.[11]

2. Risk Alert: Code of Ethics and Material Non-Public Information

On April 26, 2022, the SEC’s Division of Examinations issued a Risk Alert relating to Code of Ethics issues, with a focus on the use of material non-public information (“MNPI”).[12] It is no coincidence that this Risk Alert[13] was released less than a month after the announcement of the 2022 Exam Priorities, as MNPI is specifically mentioned in the sections of the 2022 Exam Priorities that discuss private funds and the examination programs relating to RIAs.


The Risk Alert discusses deficiencies observed during recent RIA examinations relating to violations of Rule 204A-1 under the Advisers Act (the “Code of Ethics Rule”). Select items described in the Risk Alert are summarized below.

A. Material Non-Public Information

The Risk Alert provides the following examples of deficiencies relating to the use of MNPI:

i. Use of Alternative Data and the Potential Risk of Receiving MNPI via Alternative Data Sources

As used in the Risk Alert, examples of “Alternative Data” include information gleaned from satellite and drone imagery of crop fields and retailers’ parking lots, analyses of aggregate credit card transactions, social media and internet search data, geolocation data from consumers’ mobile phones, and email data obtained from apps and tools that consumers may utilize.

ii. Inadequate Policies Relating to “Value-Add Investors”

RIAs had inadequate (or no) policies and procedures regarding investors who are likely to possess MNPI, including officers or directors of a public company, principals or portfolio managers at asset management firms, and investment bankers.

iii. Policies and Procedures Related to “Expert Networks”

The SEC made it clear that well-designed and implemented policies and procedures are required for RIAs that utilize expert networks, which may have (or have access to) MNPI. The Risk Alert specifically cites policies that lacked provisions for logging calls with experts, reviewing notes from expert calls, and reviewing the trading activity of access persons who communicate with the expert consultants.

B. General Code of Ethics Matters

The Risk Alert also contains a section devoted to more broadly applicable Code of Ethics matters and the deficiencies that SEC exam staff has encountered:

i. Identification of Access Persons

RIAs did not identify and supervise certain employees as access persons in accordance with the Code of Ethics Rule.

ii. Pre-approval for Personal Trading

SEC staff observed that access persons did not obtain the required pre-approval for personal trades involving initial public offerings (“IPOs”) and limited offerings, noting that some RIAs do not even have a provision in their codes requiring pre-approval before directly or indirectly purchasing such investments.

iii. Personal Securities Transactions and Holdings

SEC staff observed deficiencies related to access persons’ personal transaction and holdings reports required by the Code of Ethics, including: (a) RIAs being unable to provide evidence that a supervisory review of holdings and transaction reports was performed; (b) policies/procedures that did not provide for a different employee to review the Chief Compliance Officer’s personal trading and reporting; (c) policies that did not require access persons to submit reports, and/or late submission of reports; and (d) policies that did not require reporting of all data required by the Code of Ethics Rule.

iv. Restricted List

The Risk Alert raises the topic of a restricted list practice. In this context, a “restricted list” is a list of companies about which the RIA has (or potentially has) inside information. Staff stated that RIAs should consider whether to incorporate restricted list provisions into their Code of Ethics, and should be diligent about enforcing restrictions on trading in securities that appear on the RIA’s restricted list.

v. Allocation of Investment Opportunities

The Commission stated that RIAs should consider incorporating procedures to ensure that investment opportunities are first offered to clients before the RIA or its employees may act on them, noting observations from examinations where the RIA or its employees purchased investments at a better price, ahead of the clients.


While the specific facts, circumstances, and timing of an annual review are left for each firm to establish, the goal is the same for all firms: to determine whether the firm's compliance program continues to reasonably and effectively prevent compliance issues from happening, detect those compliance issues that do happen, and promote the prompt correction of the issues that do occur. Firms also must draft a report detailing what was done as part of such annual reviews.

The priorities listed herein are not exhaustive, and they do not represent the only areas the SEC will consider in assessing the efficacy of a firm’s annual review. Designing and implementing a compliance program and preparing for SEC and other regulatory examinations are critical to the success of any advisory business. We can help.


Shustak Reynolds & Partners, P.C. focuses its practice on securities and financial services law and complex business disputes.
We represent many investment advisors, financial professionals, broker-dealers, registered representatives, investors, and businesses.
Attorney Robert D. Conca can be reached in the firm’s San Diego office at (619) 696-9500.


[1] Rule 38a-1 under the Investment Company Act of 1940 similarly requires that funds perform a review of their compliance program no less than annually.

[3] Id.

[4] Id.

[6] Unless otherwise noted, all statistics and data referenced in this section are from the SEC 2022 Examination Priorities.

[7] March 30 is the latest date that the Exam Priorities have been announced since the SEC began publishing them in 2013.

[8] The Examination Priorities also discuss issues relating to exams of broker-dealers, which are outside the scope of this article.

[9] Private fund advisers who seek investments from government clients should take note and ensure that their pay-to-play procedures are well-designed and implemented effectively.

[10] We recently wrote on this topic, see:

[11] The SEC released a Risk Alert devoted to advisory fee calculation issues in November 2021.

[12] Though this Risk Alert refers to MNPI in its title, the Code of Ethics Rule and its requirements are discussed significantly throughout. Unless otherwise noted, all statistics and data referenced in this section are from the Risk Alert.

[13] In keeping with the intent not to be a “gotcha” regulator, this was the second SEC Risk Alert of 2022 and 11th since January 2021.