Compliance Procedures and Practices of Registered Investment Advisers
SEC Rule 206-4-7, codified at 17 C.F.R. § 275.206(4)-7 under the Investment Advisers Act of 1940, requires every investment adviser registered or required to be registered under Section 203 of the Advisers Act to adopt and implement written policies and procedures reasonably designed to prevent violations of the Act and the rules the Commission has adopted under it by the adviser and its supervised persons, to review those policies and procedures at least annually to assess their adequacy and the effectiveness of their implementation, and to designate a supervised person as chief compliance officer responsible for administering the policies and procedures.
Rule 206(4)-7 — universally known as the Compliance Rule — is the foundational governance standard for the registered investment advisory industry's compliance infrastructure, the regulatory provision that transformed compliance from a voluntary best practice into a mandatory operational requirement and that established the chief compliance officer role as a defined position of institutional significance within every SEC-registered advisory firm.
Adopted in December 2003 simultaneously with Rule 38a-1 under the Investment Company Act — the parallel compliance programme requirement for registered investment companies — Rule 206(4)-7 was specifically designed to ensure that every registered adviser maintained the internal governance mechanisms necessary to identify, prevent, and respond to violations of the federal securities laws before those violations caused harm to clients, rather than relying on the Commission's reactive enforcement programme to detect violations only after investor harm had occurred.
The rule's brief and principles-based operative text — three paragraphs establishing the compliance programme obligation, the annual review requirement, and the CCO designation — deliberately avoids prescribing the specific content of required compliance policies, recognising that the appropriate policies and procedures for a two-person wealth management firm managing retail separately managed accounts differ fundamentally from those required for a multi-billion-dollar private equity adviser managing complex alternative investment structures.
The September 2023 amendment's attempted addition of a written documentation requirement for annual compliance reviews — the most recent significant attempt to modify the rule's operative framework — was vacated in its entirety by the Fifth Circuit Court of Appeals on June 5, 2024, returning the rule to its original 2003 framework and establishing a significant judicial precedent regarding the limits of the Commission's rulemaking authority under the Advisers Act's anti-fraud provisions.
Overview and Regulatory Purpose
Prior to Rule 206(4)-7's adoption in 2004, registered investment advisers were not required by any specific regulation to maintain written compliance policies and procedures, to conduct periodic reviews of their compliance practices, or to designate a person specifically responsible for compliance oversight.
The Commission's examination programme had identified the absence of formal compliance infrastructure as a recurring factor in investment adviser violations — advisers that lacked written policies, designated compliance personnel, and systematic review processes were more likely to permit violations to develop and persist than advisers that had invested in building genuine compliance capabilities, and the absence of formal compliance structures made the Commission's own examination efforts less productive by making it difficult to assess what compliance expectations the adviser had established for itself.
The mutual fund market timing and late trading scandals of 2003 — which revealed that fund management companies had permitted systematic violations of fundamental investor protection rules in exchange for profitable business relationships with favoured institutional clients, while their advisers and their boards remained unaware of the prohibited practices — provided a decisive regulatory impetus for both Rule 206(4)-7 and its simultaneous companion, Rule 38a-1.
The Commission's post-scandal analysis identified inadequate compliance infrastructure as a primary enabling condition for the market timing abuses: fund management companies that had written policies prohibiting market timing but lacked systematic monitoring, testing, and enforcement procedures to implement those policies were unable to detect or prevent the prohibited arrangements that their own sales forces were making on a systematic basis.
Rule 206(4)-7's regulatory response was to move the compliance infrastructure question from the domain of voluntary best practice to the domain of mandatory regulatory obligation — making the failure to maintain adequate policies and procedures an independent securities law violation regardless of whether any underlying substantive violation had occurred, and thereby creating a structural incentive for every registered adviser to invest in genuine compliance capabilities rather than treating compliance infrastructure as optional overhead.
Statutory Authority and Rulemaking History
Rule 206(4)-7 derives its statutory authority from Section 206(4) of the Investment Advisers Act of 1940, which makes it unlawful for any investment adviser to engage in any act, practice, or course of business that is fraudulent, deceptive, or manipulative, and authorises the Commission to define and prescribe means reasonably designed to prevent such acts, practices, or courses of business.
The Commission relied on Section 206(4)'s broad anti-fraud and anti-manipulation authority as the statutory basis for requiring compliance programmes, reasoning that the absence of adequate compliance infrastructure creates conditions that facilitate fraud and that requiring such infrastructure is therefore a means reasonably designed to prevent fraudulent practices.
Rule 206(4)-7 was adopted December 17, 2003 — Advisers Act Release No. IA-2204, published at 68 FR 74714, December 24, 2003 — in the same rulemaking that adopted Rule 38a-1 under the Investment Company Act. The rule became effective February 5, 2004, with a compliance date of October 5, 2004 — giving registered advisers nine months to design, implement, and document the compliance policies and procedures the rule required.
The rule's most consequential post-adoption amendment attempt was the September 2023 addition of a written documentation requirement for annual compliance reviews, adopted as part of the Private Fund Adviser rulemaking package — Advisers Act Release No. IA-6383 — with an effective date of November 13, 2023.
This amendment added the phrase and document in writing to Rule 206(4)-7(b)'s annual review requirement, replacing the prior language that simply required advisers to review their policies and procedures annually. The written documentation requirement was intended to give the Commission's examination staff direct access to advisers' own assessments of their compliance programme adequacy, enabling more effective examination of whether advisers' annual reviews were genuinely substantive rather than perfunctory.
The Fifth Circuit's unanimous June 5, 2024 decision in National Association of Private Fund Managers v. SEC, No. 23-60471, vacated the entire Private Fund Adviser rulemaking package — including not only the new private fund-specific rules but also the amendment to Rule 206(4)-7(b)'s annual review documentation requirement.
The Fifth Circuit held that the SEC exceeded its statutory authority under Section 206(4) in adopting the Private Fund Adviser rules because the Commission failed to adequately define the fraudulent conduct the rules were designed to prevent and because the rules did not establish a rational connection between the compliance obligations they imposed and the prevention of fraud or deception.
As a result of the vacatur, Rule 206(4)-7 reverted to its pre-September 2023 form — without the written documentation requirement — and no further amendment to the rule has been adopted. The Commission has not appealed the Fifth Circuit's decision or proposed reproposal of the vacated provisions.
Key Provisions and Operative Requirements
Rule 206(4)-7 establishes three operative requirements in a remarkably concise three-paragraph structure whose principles-based character is both its greatest strength and its primary compliance challenge.
Rule 206(4)-7(a) — the written policies and procedures requirement — provides that it shall be unlawful for a registered investment adviser to provide investment advice to clients unless the adviser has adopted and implemented written policies and procedures reasonably designed to prevent violation, by the adviser and its supervised persons, of the Advisers Act and the rules the Commission has adopted under it.
The reasonably designed standard is the operative compliance concept — the rule does not prescribe what specific policies must cover, but rather requires that the policies and procedures adopted be sufficiently tailored to the adviser's specific business activities and risk profile that they would, if properly implemented, prevent violations of the Advisers Act.
A generic compliance manual that addresses theoretical regulatory requirements without reflecting how the adviser actually conducts its business does not satisfy the reasonably designed standard, because policies that describe processes the adviser does not use cannot prevent violations that arise from the adviser's actual practices.
The Commission's adopting release identified a non-exhaustive list of areas that a registered adviser's policies and procedures should address, calibrated to the specific nature of the adviser's business: portfolio management processes, including how investment opportunities are allocated among clients and how portfolios are maintained consistent with clients' investment objectives, the adviser's disclosures, and applicable regulatory restrictions; trading practices, including procedures by which the adviser satisfies its best execution obligation, uses client brokerage to obtain research and other services through soft dollar arrangements, and allocates aggregated trades among clients; proprietary trading of the adviser and personal trading activities of supervised persons; the accuracy of disclosures made to investors, clients, and regulators, including account statements, advertisements, and regulatory filings; the safeguarding of client assets from conversion or inappropriate use by advisory personnel; the accurate creation of required records and their maintenance in the manner required by the Advisers Act and its rules; marketing and solicitation practices; and valuation of client assets where the adviser is responsible for or involved in that valuation.
This non-exhaustive list represents the Commission's identification of the areas in which Advisers Act violations are most likely to occur — the areas where a registered adviser's operations present the greatest potential for harm to clients and the greatest regulatory vulnerability.
An adviser whose compliance policies do not specifically address the areas of its operations that present the highest compliance risk has policies that are not reasonably designed to prevent the violations most likely to occur in its specific business.
Rule 206(4)-7(b) — the annual review requirement — provides that the adviser must review, no less frequently than annually, the adequacy of the policies and procedures established under paragraph (a) and the effectiveness of their implementation.
The annual review requirement has two distinct analytical components. The adequacy review assesses whether the policies and procedures are sufficiently comprehensive and appropriately calibrated to the adviser's current business activities and risk profile — a review that may identify policies that were reasonably designed when adopted but have become inadequate because the adviser's business has changed, the regulatory environment has evolved, or new risks have emerged that the original policies did not address.
The effectiveness review assesses whether the policies and procedures that exist on paper are actually being followed in practice — a review that requires testing and monitoring rather than mere reading of the policy manual.
While the Fifth Circuit's vacatur of the September 2023 amendment removed the explicit written documentation requirement from Rule 206(4)-7(b)'s text, the Commission's examination programme has consistently treated the annual review as an area of compliance focus and has expected advisers to maintain evidence — including written records — demonstrating that genuine, substantive annual reviews have been conducted. Multiple enforcement actions have cited as an aggravating factor the absence of meaningful documentation of the annual review process, establishing in practice a documentation expectation that persists in the absence of the vacated written documentation mandate.
An adviser that conducts genuine annual reviews but maintains no records of them faces significant examination risk — the absence of records makes it difficult to distinguish the adviser with a genuine review process from one that has merely checked a compliance calendar box without performing substantive review.
Rule 206(4)-7(c) — the chief compliance officer requirement — provides that the adviser must designate an individual — who is a supervised person within the meaning of the Advisers Act — responsible for administering the policies and procedures adopted under paragraph (a). The CCO is the operational centre of the compliance programme — the person whose day-to-day activities translate the written compliance manual into an active, functioning programme that identifies and addresses violations as they occur, rather than permitting them to develop and compound.
The adopting release articulated the Commission's expectations for CCO qualifications and authority: the CCO should be competent and knowledgeable regarding the Advisers Act; should be empowered with full responsibility and authority to develop and enforce appropriate policies and procedures; and should have a position of sufficient seniority and authority within the organisation to compel others to adhere to the compliance policies and procedures.
The CCO role under Rule 206(4)-7 is distinct from the CCO role under Rule 38a-1 — the companion compliance programme rule for registered investment companies — in a critical governance respect.
Rule 38a-1's CCO is subject to appointment, removal, and compensation oversight by the fund's board of directors including a majority of independent directors, a governance structure that institutionally insulates the CCO from management pressure. Rule 206(4)-7's CCO has no equivalent board-level protection — the adviser's CCO is hired, compensated, and can be removed by the firm's management without any board-level governance constraint.
This governance asymmetry reflects the Investment Company Act's stronger independent director governance framework for registered funds and the Advisers Act's more limited formal governance requirements for advisory firms.
The CCO designation requirement does not require that the CCO be a full-time dedicated compliance professional — the rule permits the adviser to designate a person with other responsibilities within the firm to serve simultaneously as CCO, a common arrangement at smaller advisory firms that may lack the resources to support a dedicated full-time compliance officer.
It also does not prohibit outsourcing — advisers may engage external compliance consultants to perform CCO functions, provided those consultants are supervised persons of the adviser and the adviser retains genuine oversight and accountability for the programme's implementation.
The SEC's examination programme has assessed the adequacy of outsourced CCO arrangements with particular attention to whether the outsourced CCO has sufficient knowledge of the adviser's specific business, sufficient time allocated to the engagement, and sufficient access to the adviser's personnel and records to administer a genuinely effective compliance programme.
Scope of Application
Rule 206(4)-7 applies to every investment adviser registered or required to be registered with the Commission under Section 203 of the Advisers Act — the universe of approximately 15,000 SEC-registered investment advisers managing in aggregate trillions of dollars in client assets across every category of advisory business, from large institutional asset managers and private fund advisers to small independent registered investment advisers providing wealth management services to individual retail clients.
The rule applies regardless of the adviser's size, the nature of its clients, the type of assets it manages, or the regulatory history of the firm — compliance programme obligations under Rule 206(4)-7 apply with equal force to a new advisory firm in its first year of registration as to a decades-old multi-strategy manager with hundreds of employees.
The principles-based character of the reasonably designed standard means that the specific content of required policies and procedures scales with the adviser's business — a large adviser with diverse investment strategies, multiple client types, proprietary trading activities, and complex compensation arrangements will require more comprehensive and detailed policies than a small adviser providing portfolio management services to a limited number of high-net-worth clients using a straightforward investment approach.
The Commission has consistently taken the position that this calibration to the adviser's specific business is a feature rather than a limitation of the rule — a compliance programme that duplicates generic template language without tailoring it to the adviser's actual operations does not satisfy the reasonably designed standard even if it is comprehensive in length.
Relationship to Related Rules and Regulations
Rule 206(4)-7's companion provision Rule 38a-1 — the compliance programme rule for registered investment companies — was adopted simultaneously and addresses the equivalent compliance infrastructure requirement for the registered fund structure. Where Rule 206(4)-7 applies to the investment adviser as a legal entity, Rule 38a-1 applies to each registered investment company that the adviser manages as a separate legal entity. For advisers that simultaneously manage registered funds and separately managed accounts, both rules apply — the adviser must maintain a Rule 206(4)-7-compliant compliance programme for its advisory business generally, and each registered fund it manages must have a Rule 38a-1-compliant compliance programme specifically addressing the fund's compliance with the Investment Company Act and the rules thereunder.
Rule 206(4)-7's compliance programme for a registered investment adviser must specifically address compliance with every substantive Advisers Act rule applicable to the adviser's business, including the Marketing Rule under Rule 206(4)-1, the Custody Rule under Rule 206(4)-2, the proxy voting rule under Rule 206(4)-6, the performance fee conditions under Rule 205-3, and the recordkeeping requirements of Rule 204-2.
A compliance programme that does not specifically address each of these substantive rules — particularly the Marketing Rule and Custody Rule, which present significant investor protection risk and have been prominent enforcement priorities — does not satisfy the reasonably designed standard applicable to an adviser for whom those rules create significant compliance obligations.
Rule 204-2's recordkeeping requirements interact directly with Rule 206(4)-7 through the adviser's obligation to maintain records of the compliance programme, including the compliance policies and procedures in effect and any written documentation of annual reviews or compliance programme modifications.
A compliance programme whose implementation is not documented in a manner satisfying Rule 204-2's recordkeeping standards exposes the adviser to independent recordkeeping violations alongside any deficiencies in the programme's substantive adequacy.
The Off-Channel Communications enforcement programme — addressed in connection with Rule 204-2 in this dictionary — is one of the most significant enforcement developments affecting Rule 206(4)-7 compliance programmes. An adviser whose Rule 206(4)-7 compliance programme does not specifically address the off-channel communications risk — including policies governing the use of personal devices and unapproved messaging platforms for business-related communications — has a compliance programme that is not reasonably designed to prevent the specific category of violation that has been the subject of the Commission's most sustained recent enforcement programme.
Amendment History and Regulatory Evolution
Rule 206(4)-7's operative framework has remained in its original December 2003 form following the Fifth Circuit's June 2024 vacatur of the September 2023 written documentation amendment.
The rule's single formal amendment in its two decades of operation — the September 2023 addition of the written documentation requirement — was itself motivated by the Commission's examination experience identifying substantive deficiencies in how registered advisers were conducting annual compliance reviews, and the Fifth Circuit's vacatur of that amendment removed a requirement whose investor protection rationale was sound even if its statutory grounding was found insufficient.
The post-vacatur regulatory landscape for Rule 206(4)-7 reflects the interplay between the formal rule's three-paragraph operative framework — which says remarkably little about specific compliance programme requirements — and the accumulated body of Commission examination findings, enforcement actions, risk alerts, and interpretive guidance that has progressively elaborated what the reasonably designed standard requires in practice.
The November 2020 Division of Examinations Risk Alert — which identified the most common Rule 206(4)-7 deficiencies observed in examinations — and the ongoing priority given to compliance programme adequacy in the Division's annual examination priorities have shaped the practical compliance programme standard that registered advisers must meet, independent of any formal rule amendment.
Enforcement Context and SEC Action Patterns
Rule 206(4)-7 enforcement operates on two distinct levels that reflect the rule's dual function as both a standalone investor protection requirement and a systemic amplifier of other Advisers Act violations.
The first level is standalone Rule 206(4)-7 enforcement — charges specifically addressing the inadequacy of the adviser's compliance programme as an independent violation, without necessarily alleging any underlying substantive Advisers Act violation.
These standalone charges arise where the Commission's examination identified a compliance programme so deficient — lacking written policies in key areas, failing to conduct genuine annual reviews, or designating a CCO without providing the authority, resources, or knowledge to administer the programme effectively — that the programme's inadequacy itself represents the actionable harm, since the absence of adequate compliance infrastructure creates systematic risk of future investor harm even in the absence of a current identified violation.
The second level involves Rule 206(4)-7 charges as a companion to substantive Advisers Act violation charges — cases where the underlying violation was both a breach of the specific substantive provision and evidence that the adviser's compliance programme was inadequate to prevent it.
A Marketing Rule violation in the context of an adviser that had no compliance policies addressing advertisement review simultaneously demonstrates a breach of Rule 206(4)-1 and a failure of the compliance programme under Rule 206(4)-7 to include the policies and procedures that would have prevented the marketing violation.
The Commission's enforcement record reveals several recurring compliance programme deficiency categories: policies that describe general principles without providing actionable procedures for implementation; annual reviews that are documented only by a certification that the review occurred without any substantive assessment of the adequacy or effectiveness of specific compliance measures; CCOs who lack the authority to enforce compliance requirements against firm principals or senior investment professionals; and compliance programmes that were designed for the firm's original business model and never updated to address the compliance risks created by subsequent business changes.
Examination Relevance and Key Takeaways
Rule 206(4)-7 is examined at the Series 65 and Series 66 levels as the foundational compliance standard for registered investment advisers. The three-element framework — written policies and procedures, annual review, and CCO designation — is the primary structural examination content.
The reasonably designed standard's requirement that policies be tailored to the adviser's specific business rather than based on generic templates is a consistently examined substantive standard, illustrating the Commission's principles-based approach to compliance programme regulation.
The distinction between Rule 206(4)-7's CCO governance framework — designating a supervised person without board-level independence protections — and Rule 38a-1's CCO governance framework — requiring board approval including a majority of independent directors for CCO appointment and removal — is a consistently examined governance contrast at the Series 65 level, reflecting the different governance structures applicable to investment advisers and registered investment companies under the Advisers Act and Investment Company Act frameworks respectively.
The key points to retain are these. Rule 206(4)-7 requires every SEC-registered investment adviser to adopt and implement written compliance policies and procedures reasonably designed to prevent violations of the Advisers Act and its rules by the adviser and its supervised persons — policies that must be tailored to the adviser's specific business activities and risk profile rather than based on generic templates.
The adviser must review at least annually the adequacy of those policies and the effectiveness of their implementation.
A supervised person must be designated as chief compliance officer responsible for administering the programme, with sufficient seniority, authority, and knowledge to develop and enforce the policies effectively.
The rule was adopted December 2003 and became operative October 2004. The September 2023 amendment adding a written annual review documentation requirement was vacated in its entirety by the Fifth Circuit Court of Appeals on June 5, 2024 in National Association of Private Fund Managers v. SEC, reverting the rule to its original three-element framework. No changes have been made to Rule 206(4)-7's current operative provisions up to the present time.
