SOX Compliance Checklist for Financial Advisors
Last updated: 2026-04-08 — ComplianceStack Editorial Team
Investment advisers and broker-dealers face a layered compliance framework. The Sarbanes-Oxley Act reaches them directly only through a few provisions (the Section 802 record-destruction offenses, the Section 806 whistleblower protections where the firm is, or is a contractor of, a public company, and the obligations of any public-company parent) and indirectly through the internal-control and accountability expectations the SEC carries into its examinations of all registered firms. FINRA rules, the Investment Advisers Act of 1940, and the Investment Company Act layer additional requirements on top. The SEC's 2023 Marketing Rule enforcement sweeps and ongoing Regulation Best Interest examinations show that recordkeeping and supervisory failures remain the most common examination findings. This checklist covers the 15 controls that SEC and FINRA examiners verify first.
SOX Compliance Checklist for Financial Advisors
Implement client fund and securities safeguarding controls (custody rule)
Investment advisers with custody of client funds or securities (Rule 206(4)-2) must keep those assets with a qualified custodian (a bank, a registered broker-dealer, a registered futures commission merchant, or a qualifying foreign financial institution), have a reasonable basis for believing the custodian sends clients account statements at least quarterly, and undergo an annual surprise examination by an independent public accountant unless an exception applies (for example, custody arising solely from fee deduction, or pooled vehicles that distribute audited financial statements to investors). The surprise-examination requirement is strictly enforced; a single missed year is a violation. Keep the written agreement with each custodian and document every third-party custodial relationship, including any related person that holds client assets.
Maintain all required books and records under Rule 204-2
Investment advisers must keep the records listed in Rule 204-2 for at least 5 years from the end of the fiscal year of the last entry, the first 2 years in an appropriate office of the adviser: client contracts, powers of attorney, written communications relating to advice or transactions, financial statements, trade order memoranda, portfolio records, bank account records, client receipts and billing records, and advertisements. Records must be organized so they can be located quickly and produced promptly on request; examiners set tight deadlines in their document request letters, so test retrieval times before an exam arrives. Electronic records must be kept with the safeguards in Rule 204-2(g) (access controls, backups, and the ability to reproduce legible copies). Broker-dealers are separately subject to Exchange Act Rule 17a-4, which requires electronic records to be kept either in a non-rewritable, non-erasable (WORM) format or, since the 2022 amendments, in a system that preserves a complete audit trail of every change. Recordkeeping failures are the most common SEC examination deficiency.
Designate a Chief Compliance Officer (CCO) and adopt written compliance policies and procedures
Every registered investment adviser must designate a chief compliance officer under Rule 206(4)-7 to administer the compliance program. The CCO must be a supervised person with the competence, knowledge and authority to enforce the policies. Written policies and procedures must be reasonably designed to prevent violations of the Advisers Act by the adviser and its supervised persons. The adviser must review those policies at least annually for adequacy and effectiveness; examiners expect the review to be documented in writing, and that documentation is itself a required record under Rule 204-2. A firm may engage outside compliance consultants, but the designated CCO keeps responsibility for administering the program.
Implement and enforce supervisory procedures covering all registered representatives
Broker-dealers must establish, maintain and enforce written supervisory procedures (WSPs) under FINRA Rule 3110 covering each type of business in which the firm engages. WSPs must identify the supervisor responsible for each business activity and the supervisory controls for each. FINRA requires inspection of each office of supervisory jurisdiction and each branch office that supervises non-branch locations at least annually, inspection of other branch offices at least every 3 years, and periodic inspection of non-branch locations on a schedule set out in the WSPs. All customer complaints must be routed to supervisors, investigated and retained (for at least 4 years under FINRA Rule 4513), with reportable complaints filed with FINRA under Rule 4530. Supervisory failures are the single most common basis for FINRA disciplinary actions.
Comply with Regulation Best Interest (Reg BI) for all retail customer recommendations
Broker-dealers making recommendations to retail customers must act in the customer's best interest at the time of the recommendation, a higher standard than the former suitability rule. Reg BI has four component obligations: a disclosure obligation (full and fair written disclosure of material facts about the relationship, including conflicts of interest), a care obligation (reasonable diligence, care and skill, covering a reasonable basis for the recommendation, its fit for that customer, and the series of recommendations taken as a whole), a conflict-of-interest obligation (policies to identify and at least disclose conflicts, and to mitigate or eliminate specified ones), and a compliance obligation (written policies and procedures reasonably designed to achieve compliance). Broker-dealers must also deliver Form CRS (the customer relationship summary) to each retail investor before or at the earliest of a recommendation, an order, or the opening of an account.
Maintain compliant marketing materials under the SEC Marketing Rule
Investment advisers subject to the Marketing Rule (Rule 206(4)-1, adopted in 2020 with a compliance date of November 4, 2022) must ensure advertisements contain no untrue or materially misleading statements, include the required disclosures for testimonials, endorsements and third-party ratings, present net performance whenever gross performance is shown, accompany extracted performance with the total portfolio's performance (or an offer to provide it promptly), and satisfy the additional conditions for hypothetical and predecessor performance. The rule does not itself require pre-use approval by a designated reviewer (the SEC dropped that from the final rule), but a written review and approval process is the practical way to meet the rule's substantiation requirement and to show examiners how compliance was achieved. Rule 204-2 requires copies of every advertisement, and the records supporting any performance or factual claims, to be kept for 5 years.
File and update Form ADV on time and deliver to clients annually
Registered investment advisers file Form ADV through the IARD system: Part 1 (firm information), Part 2A (the brochure), Part 2B (brochure supplements for advisory personnel) and, for advisers with retail investors, Part 3 (Form CRS). Registration must be effective before the adviser conducts advisory business. The annual updating amendment is due within 90 days of fiscal year-end, and material changes to specified items require a prompt other-than-annual amendment. Part 2A must be delivered to each client before or at the time the advisory contract is signed and, within 120 days of fiscal year-end each year, either as the updated brochure or as a summary of material changes with an offer to deliver the full brochure. Untimely filing and delivery are enforcement priorities.
Implement cybersecurity policies and incident response procedures
The SEC's 2023 cybersecurity disclosure rules apply to public companies (Regulation S-K Item 106 and Form 8-K Item 1.05), so they reach an adviser or broker-dealer only if it is, or is part of, a public company. Advisers and broker-dealers are instead governed by Regulation S-P, whose safeguards rule requires written policies and procedures to protect customer records and information and whose 2024 amendments add a written incident response program, oversight of service providers, and notice to affected customers within 30 days of becoming aware of unauthorized access to sensitive customer information; by Regulation S-ID, which requires an identity theft prevention program for covered accounts; and, for broker-dealers, by FINRA Rule 4370 on business continuity plans. The adviser-specific cybersecurity rule the SEC proposed in 2022, with incident reporting on a new Form ADV-C, is separate from the 2023 disclosure rules; check its current status before building it into your program. Examiners expect a periodic cybersecurity risk assessment, an incident response plan that is actually tested, and a business continuity plan that addresses cyber incidents alongside other disruptions.
Conduct annual review of compliance program and document findings
The annual review required by Rule 206(4)-7 must assess both the adequacy of the compliance policies and procedures and the effectiveness of their implementation. It should cover: the adequacy of written policies and procedures, any compliance violations or exceptions during the year, changes to the firm's business that require policy updates, regulatory developments requiring policy changes, and training effectiveness. Report findings to senior management and document the review's scope, findings and remediation actions in a written report; that documentation is a Rule 204-2 record retained for 5 years.
Maintain anti-money laundering (AML) program and file required SARs and CTRs
Broker-dealers must maintain a written AML program under the Bank Secrecy Act and FINRA Rule 3310 covering: internal controls reasonably designed to achieve compliance; a designated AML compliance officer; ongoing employee training; independent testing at least annually (every two years for firms that do not execute transactions for customers or hold customer accounts); a customer identification program (CIP); and risk-based customer due diligence, including beneficial ownership identification for legal entity customers. A suspicious activity report (SAR) must be filed within 30 calendar days of the initial detection of a transaction, or pattern of transactions, involving or aggregating $5,000 or more that the firm knows, suspects or has reason to suspect is suspicious. Currency transaction reports (CTRs) are required for cash transactions exceeding $10,000 in a day. FinCEN's August 2024 final rule extends AML/CFT program and SAR obligations to SEC-registered and exempt reporting advisers; FinCEN has since moved to postpone the original January 1, 2026 effective date, so confirm the current compliance date before relying on the historical exemption.
Establish insider trading policies and enforce pre-clearance procedures
All firms that may come into possession of material non-public information must maintain written policies reasonably designed to prevent its misuse (Advisers Act Section 204A for advisers; Exchange Act Section 15(g) for broker-dealers), prohibiting trading on or tipping MNPI. Policies should cover: information barriers between departments, restricted and watch lists, pre-clearance of personal trades (Rule 204A-1 mandates pre-clearance for access persons' investments in IPOs and limited offerings; many firms extend it to restricted-list names), and blackout periods. Under the Rule 204A-1 code of ethics, access persons must report initial holdings within 10 days of becoming an access person, transactions quarterly within 30 days of quarter-end, and holdings at least once every 12 months thereafter.
Implement best execution policies and periodic review procedures
Investment advisers have a fiduciary obligation to seek best execution of client transactions. Meet it by conducting a documented best execution review periodically, at least annually in practice, for each type of client transaction. The review should consider: execution quality (price, speed, certainty of execution and settlement), commission rates and other costs, soft dollar arrangements (which must stay within the Section 28(e) safe harbor or otherwise benefit clients), and any client-directed brokerage. Retain the reviews and the data behind them as records. Brokerage practices, including soft dollar and directed brokerage arrangements, must be disclosed in Item 12 of Form ADV Part 2A.
Maintain FINRA registration and continuing education requirements for all registered representatives
All registered representatives must maintain active FINRA registrations through the Central Registration Depository (CRD). Since January 1, 2023, FINRA Rule 1240 requires each registered person to complete the Regulatory Element continuing education annually, by December 31, for each registration category held, alongside the Firm Element (an annual training plan the firm develops from its own needs analysis). Representatives who miss the Regulatory Element deadline become CE inactive and may not perform, or be paid for, any activity requiring registration until it is completed. Track every CE completion and retain the records in accordance with Exchange Act Rule 17a-4.
Conduct periodic review of client account activity for suitability and supervisory compliance
Supervisors must conduct periodic reviews of customer account activity to detect patterns indicating unsuitable trading, excessive commissions (churning), unauthorized transactions, or concentration in high-risk securities. For broker-dealers, this review must be documented. Reviewers must be adequately trained to identify red flags. Customer complaints about account activity must be investigated and resolved with written documentation maintained. Heightened supervision procedures must be implemented for registered representatives with prior complaints or regulatory history.
Prepare for and conduct mock SEC examinations annually
The SEC's Division of Examinations publishes annual examination priorities and has broadened both the scope and frequency of adviser and broker-dealer exams. Maintain readiness by: conducting an annual mock examination built around the current published priorities and the Division's standard document request list, confirming that required records can be located and produced within the deadline a request letter is likely to set, training staff on what to do and not do during an examination, reviewing prior deficiency letters and confirming remediation is complete, and keeping Form ADV free of material inaccuracies. Deficiency letters typically request a written response within 30 days; answer with a corrective action plan and evidence that it has been carried out.
Frequently Asked Questions
Does SOX apply to investment advisers and broker-dealers?
Only a few SOX provisions reach broker-dealers and advisers directly: the Section 802 record-destruction offenses (18 U.S.C. 1519 and 1520), which apply to anyone who destroys or falsifies records to obstruct a federal matter; the Section 806 whistleblower protections, which cover employees of public companies and, after the Supreme Court's Lawson decision, employees of their contractors and subcontractors, including private advisers to public mutual funds; and the PCAOB, created by SOX, which (under authority added by Dodd-Frank) also oversees the auditors of broker-dealers. Broker-dealers and advisers that are subsidiaries of public companies are also folded into the parent's SOX internal-control and certification obligations. Stand-alone investment advisers are not subject to the Section 302 and 404 certification and attestation requirements, but the SEC has carried SOX's principles of robust internal controls, written compliance policies and senior-management accountability into its examination and enforcement posture under the Advisers Act compliance rule.
What records must an investment adviser retain and for how long?
Rule 204-2 requires investment advisers to keep most records for at least 5 years from the end of the fiscal year in which the last entry was made, with the first 2 years in an appropriate office of the adviser (on-site or readily retrievable). Covered records include: client contracts, written communications received and sent relating to advice, transactions or fund movements (including email and text messages), trade order memoranda, financial statements, bank account records, client bills, performance records and the data supporting them, and copies of all Form ADV filings and amendments. Organizational records, including partnership articles, articles of incorporation, charters, minute books and stock certificate books, must be kept in the principal office and preserved until at least 3 years after the business terminates.
What triggers an SEC examination of an investment adviser?
The SEC's examination program selects advisers using risk-based criteria, random selection, and event-driven triggers. Common triggers include: new registration (the Division targets newly registered advisers for an initial exam within their first few years), long gaps since the last exam (the 'never-before-examined' initiative), complaints from clients or former employees, tips and referrals from other regulators, whistleblower submissions to the SEC, unusual performance claims in marketing materials, changes in assets under management that suggest undisclosed business activities, and referrals from the Division of Enforcement. Advisers that self-report compliance issues proactively typically receive more favorable treatment than those whose issues are discovered by examiners.
Related Resources
- Complete SOX Framework Guide
- SOX for Financial Advisors
- SOX for Private Companies
- SOX Section 302 & 906 Penalties
- SOX Audit Interference Penalties
- HIPAA Compliance Checklist for Dental Practices
- HIPAA Compliance Checklist for Mental Health Providers
- HIPAA Compliance Checklist for Pharmacies
- Free Compliance Gap Analyzer
- Employee Training Tracker
- 5-Minute Compliance Quiz