
Most RIAs that receive deficiency letters after an SEC examination didn’t know they had a problem. That is not a defense. It is the pattern. The findings that show up most consistently in RIA exams are not the result of intentional shortcuts or deliberate non-compliance. They’re the result of compliance programs that were built carefully at one point in time and then quietly drifted from what the firm actually does.
The SEC’s Division of Examinations publishes its annual examination priorities, and the deficiency categories that appear in those letters track the priorities closely. What follows is a plain-language breakdown of where RIA exams find problems most consistently, not to catalog every possible finding, but to name the specific failure modes that show up at firms that believed they were compliant.
Fiduciary Duty and Conflict of Interest Disclosures
This is the category that has generated the most significant enforcement consequences in recent examination cycles, and it’s the one where the gap between “we disclosed it” and “we disclosed it adequately” is most consequential.
The fiduciary standard requires RIAs to act in clients’ best interests and to disclose material conflicts of interest clearly enough that clients can understand them and make informed decisions. Examiners find deficiencies here not primarily at firms with undisclosed conflicts. Most firms have some version of conflict disclosure language in their ADV. They find them at firms where the disclosure exists in form but fails in substance.
The specific failures that generate findings: compensation arrangements described in general terms without sufficient specificity for a client to understand their significance. Revenue sharing arrangements that are disclosed somewhere in the ADV but not connected clearly to the specific recommendations affected. Proprietary product recommendations where the firm’s financial interest in the recommendation isn’t foregrounded in client communications.
The Vanguard and Cutter Financial cases from FY2025 enforcement results made this explicit. Neither involved fraud in the traditional sense. Both involved disclosures that an examiner concluded were inadequate: present, but not substantive enough to satisfy the fiduciary standard.
The practical test: read your Form ADV Part 2A disclosures as a client would, not as the person who wrote them. If a reasonable client couldn’t identify the specific conflicts your firm has and understand how those conflicts might affect the advice they receive, the disclosure isn’t adequate regardless of how thoroughly it was drafted.
Compliance Program Deficiencies Under Rule 206(4)-7
Rule 206(4)-7 requires RIAs to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act, designate a CCO, and conduct an annual review of the program’s adequacy.
Examiners find deficiencies here in three consistent forms.
The first is policies that don’t match practice. The written supervisory procedures describe a marketing review process, a trade surveillance workflow, or a supervision structure that the firm is not actually following, either because the procedures were never fully implemented, because the firm’s operations evolved without corresponding updates to the WSP, or because the person who built the procedures left and the institutional memory of why they were written that way left with them.
The second is annual reviews that happened but weren’t documented as formal deliverables. The CCO conducted the review, identified some areas for improvement, made some updates. There’s no written record of the review’s scope, methodology, findings, and conclusions that could be produced independently. Under examination, an undocumented annual review is indistinguishable from no annual review.
The third is CCOs without sufficient authority or resources. A CCO who is two levels removed from senior management, whose recommendations get deprioritized when they conflict with business objectives, or who does not have access to the information needed to perform the compliance function is a structural deficiency that examiners flag as a program inadequacy, regardless of what the written procedures say.
Marketing Rule Violations
Compliance with the amended SEC Marketing Rule (Rule 206(4)-1) has been required since November 2022, the first enforcement sweeps under it followed in 2023, and it has been a consistent examination focus since. The deficiency categories examiners find most frequently fall into three groups.
Performance advertising that doesn’t meet the presentation standards. Gross performance presented without net performance shown with at least equal prominence over the same period. Time periods selected to show favorable results without the prescribed one-, five-, and ten-year periods or adequate disclosure of how the period was chosen. Hypothetical performance without the required disclosures of its criteria, assumptions, and risks, and without policies and procedures governing its use and intended audience.
Testimonials and endorsements without the required disclosures. A client testimonial on the firm’s website that doesn’t identify the person as a current client, doesn’t disclose whether cash or non-cash compensation was paid, and doesn’t include a brief statement of the material conflicts of interest arising from the firm’s relationship with that person.
Third-party ratings and rankings displayed without the required disclosures. A “top advisor” designation displayed without disclosing the date the rating was given and the period it covers, the identity of the third party that prepared it, and whether the firm paid, directly or indirectly, to obtain or use it.
The subtler version of this deficiency that catches firms that have invested in their review process: the audit trail. A firm can conduct thorough marketing reviews and still receive a finding if the documentation of those reviews doesn’t survive examination. A review that happened over email, in a verbal conversation, or through a comment on a shared document without a timestamped record attached to the specific piece of content does not demonstrate compliance. It demonstrates that someone remembers reviewing it.
Custody Rule Compliance
The Custody Rule requires RIAs that have custody of client assets to meet specific safeguarding requirements, including surprise examinations by an independent accountant. Deficiency findings in this category cluster around two misunderstandings.
The first is not recognizing that custody exists. Many RIAs hold custody without intending to: through online access to client accounts, such as holding a client’s login credentials, with the ability to withdraw funds; through serving as trustee for a client’s trust account; through standing letters of authorization that let the firm direct transfers to third parties; or through the authority to deduct advisory fees directly from client accounts, which is custody even though it is exempt from the surprise examination requirement when it is the firm’s only source of custody. Firms that don’t recognize these arrangements as custody don’t implement the required safeguards.
The second is firms that recognize custody, implement some safeguards, and miss the requirement for annual surprise examinations by a qualified independent accountant. The surprise examination requirement is straightforward on paper and consistently found as a deficiency in practice, often because it was implemented initially and then allowed to lapse, or because the arrangement that created custody changed without triggering a review of the custody requirements.
Recordkeeping Failures Under Rule 204-2
Recordkeeping deficiencies are among the most consistently cited findings across examination cycles and firm sizes. The pattern is familiar: the records exist but aren’t in a form that can be produced promptly, aren’t indexed in a way that allows efficient retrieval, or aren’t retained for the required period.
The specific categories where examiners find gaps most often: off-channel communications. Text messages, personal email, and unapproved messaging platforms used for business communications that were never retained. The SEC has brought significant enforcement actions specifically for this failure and has signaled clearly that it remains a focus.
Marketing materials and the performance documentation that supports them. Firms that maintain records of approved content but not the supporting data that substantiates performance claims, or that maintain the final approved version without retaining the draft versions that show the review process.
Code of ethics records. Employee acknowledgments that were collected but not retained in a form tied to a specific cycle, access person reports that were filed but not indexed by employee and date in a way that allows efficient retrieval, personal trading records that exist in individual brokerage statements but haven’t been consolidated into a reviewable format.
Supervision of Supervised Persons
Supervision deficiencies cover the gap between having a supervision structure on paper and demonstrating that it actually functions. The most common findings: outside business activities that were disclosed but not reviewed against the firm’s policies and documented as either approved or denied. Personal securities transactions that were reported but not compared against client holdings or restricted lists. New hires who were onboarded and registered but whose ongoing supervision, including annual compliance training, periodic review of their client communications, and attestation of the code of ethics, was not maintained at the same level as longer-tenured employees.
The supervision deficiency that’s grown in frequency in recent examination cycles: digital communications. Advisors using social media, texting clients, and using messaging platforms that the firm’s supervision structure wasn’t designed to cover. The supervision procedures that worked when client communication happened primarily by phone and email haven’t kept pace with how advisors actually communicate.
What These Findings Have in Common
Every deficiency category on this list shares a structural characteristic: the compliance obligation was known, the intention to meet it was genuine, and the gap opened somewhere between the intention and the evidence.
Disclosures written but not substantive enough. Reviews conducted but not documented. Procedures written but not followed. Records retained but not retrievable. Supervision structured but not demonstrated.
The finding examiners are actually making in most of these cases isn’t “this firm doesn’t care about compliance.” It’s “this firm’s compliance program produces activity but not evidence.” Those are different problems, and the second one is more common, more correctable, and more preventable than the first.
The firms that come out of SEC examinations with no deficiencies, or with findings that are narrow and quickly resolved, are not uniformly better resourced or more sophisticated. They’re the ones whose compliance programs were built to produce evidence continuously rather than reconstruct it when asked.
That’s the standard worth building toward. Not compliance in principle, but compliance that can be proven.