RIA Compliance Requirements: The Complete Checklist for New Advisers
You registered your RIA. The Form ADV is filed. You picked a custodian. Maybe you even have your first client lined up.
Now you need a compliance program, and you need it before that client signs an advisory agreement, because the SEC's FY2026 exam priorities explicitly name newly registered advisers as a target for examination.
This is the checklist. Not the aspirational version with 47 line items that looks impressive in a consultant's proposal. The practical version, in priority order, for a solo or small advisory firm that needs to get the foundation right before the first examiner walks through the door.
Before your first client
Your compliance manual is the backbone. Rule 206(4)-7 requires written policies and procedures reasonably designed to prevent securities law violations. The key word is "reasonably": your manual should describe what your firm actually does, not what a 200-person multi-strategy hedge fund does. If you manage individual portfolios using ETFs and mutual funds, your manual should reflect that scope, not include six pages on private fund compliance you'll never use.
Your Code of Ethics is a separate requirement under Rule 204A-1. Every SEC-registered adviser needs one, regardless of size. It must cover personal trading policies, reporting requirements for access persons, and a process for employees to report violations. If you're a solo adviser, you're still an access person and you still need to document your personal trading.
Your Form ADV Part 2A, the firm brochure, needs to be written and ready to deliver to clients before or at the time they sign an advisory agreement. This isn't optional and it isn't a formality. Part 2A is where you disclose your fees, your conflicts of interest, your investment strategies, and your disciplinary history. Examiners cross-reference what you say in Part 2A against what you actually do. Mismatches become deficiency findings.
Your advisory agreement template defines the legal relationship with each client. It should clearly state your fee structure, the scope of services, how either party can terminate, and whether you have discretionary authority. If your brochure says you charge 1% on AUM and your agreement says 1.25%, you have a disclosure problem.
Form CRS, Part 3 of Form ADV, is required if you serve retail investors. It's a two-page summary of your services, fees, conflicts, and disciplinary history, written in plain English. The SEC has been enforcing the formatting and content requirements aggressively since the Marketing Rule went into effect.
First 30 days of operations
Your compliance calendar should be built and running from day one. Map every recurring obligation to a specific date: annual ADV amendment (within 90 days of fiscal year-end), annual compliance review, Code of Ethics acknowledgments, brochure delivery for new clients, and personal trading report collection. A policy without a date on the calendar is a policy that doesn't get executed.
Your books and records framework needs to be in place. Rule 204-2 specifies what records you must keep and how long you must keep them. At minimum, this includes client agreements, correspondence, trading records, advisory fee calculations, and your compliance manual itself. Know where each record type lives (your CRM, your custodian platform, your email archive, or your filing cabinet) and document that mapping.
Your personal trading pre-clearance process should be active. If you're a solo adviser, yes, you pre-clear your own trades. That sounds circular, but the documentation matters. Examiners want to see that you have a process, that you followed it, and that your personal trading didn't conflict with client activity.
Your cybersecurity policies need to exist in writing. The SEC has made cybersecurity a priority in examinations for several years running. At minimum, document how you protect client data, what your incident response plan is, and how you handle multi-factor authentication, device management, and data backup. If you work from a home office (and nearly 16% of advisory offices are now in private residences), your cybersecurity documentation is even more important.
First 90 days
Your advertising and marketing review process should be established. The Marketing Rule (Rule 206(4)-1, effective November 2022) overhauled how advisers can advertise. If you use testimonials, endorsements, third-party ratings, or performance results in any marketing material, including your website and social media, you need documented policies, required disclosures, and a review process. Over 40% of SEC-registered advisers now include performance results in their advertising, and the SEC has been bringing enforcement actions around Marketing Rule compliance since 2024.
Your client onboarding workflow should be documented. Not just what happens, but in what order: suitability review, agreement execution, brochure delivery, CRS delivery, account opening, and initial portfolio construction. Each step has a compliance touchpoint, and each touchpoint should produce a record.
Your business continuity plan needs to be written and accessible. What happens if you're incapacitated and your clients can't reach you? Where are the backup records? Who has authority to act? For a solo adviser, this isn't theoretical: it's the first question a responsible client should ask you, and it's a question examiners routinely raise.
Ongoing: the stuff that keeps you compliant
The annual compliance review is required under Rule 206(4)-7. You must review the adequacy of your policies and procedures at least once a year and document the results. This means comparing what your manual says to what you actually did, identifying gaps, and updating your program. "I reviewed it and nothing changed" is not adequate documentation.
Your ADV annual amendment is due within 90 days of your fiscal year-end. Update all material changes in Part 2A and deliver a summary of changes (or a full updated brochure) to existing clients.
Code of Ethics annual acknowledgments must be collected from every supervised person. If you're the only supervised person, acknowledge your own Code of Ethics in writing and keep the record.
Personal trading reports: holdings reports are due annually and transaction reports are due quarterly for access persons. Again, even as a solo adviser, you are an access person and these reports are required.
Review your fee calculations at least quarterly. Compare what you're billing to what your advisory agreement and ADV Part 2A say you should be billing. Fee calculation errors are one of the most common SEC examination findings across firms of all sizes.
What this checklist doesn't cover
This is a starting framework, not an exhaustive compliance program. Depending on your business model, you may also need policies around custody (especially if you have direct fee deduction authority), proxy voting, trade allocation, valuation, ERISA compliance for retirement plan clients, or state-specific requirements that layer on top of federal obligations.
If you manage private funds, the compliance requirements expand significantly. If you're dual-registered as a broker-dealer, you have an entirely separate set of FINRA obligations. If you have non-U.S. clients, there may be foreign regulatory considerations.
The point of this checklist is to get the foundation right for a standard advisory practice serving individual and institutional clients. Everything else builds on top of it.
The gap this checklist exposes
Most new advisers reading this list will recognize that they have some of these items and are missing others. That's normal, and it's exactly the gap that a practitioner-built compliance kit is designed to fill. Not a $10,000 consultant engagement. Not a $3,000-per-year SaaS platform. A one-time package with the actual documents, an implementation sequence, and a calendar that maps each policy to its trigger.
That kit is coming. Subscribe below to get notified when it launches.