Pomegra Wiki

Compliance Program for a Small Investment Adviser

A compliance program for a small investment adviser is a written set of policies and procedures required by the SEC to prevent violations of the Advisers Act and rules. The scope shrinks with firm size, but smaller advisers cannot skip it entirely—the rule applies to all registered advisers regardless of assets under management.

The SEC’s Scaled Approach

The SEC does not publish a one-size-fits-all template. Instead, Rule 206(4)-7 requires each adviser to design a program proportionate to its specific risks. A 20-person firm running index portfolios faces different hazards than a solo adviser offering concentrated stock-picking or managing restricted securities. The rule assumes you know your own business and can articulate which rules matter most to it.

Smaller advisers often ask: what is the minimum? The answer is “adequate to your operation.” The SEC’s examination staff has cleared compact programs at ultra-small shops—a 2-person adviser with a 15-page manual covering portfolio management, trading, custody, and conflicts can satisfy the rule if it covers what that firm actually does. But pruning all sections because you’re small is a common failure. The SEC will still expect you to address advisory fees, client disclosures, brokerage selection, and personal trading, even if those sections are brief.

Written Policies and Procedures

The rule requires you to write down what you do and why. The document should include:

  • Advisory role and services — what you actually offer (separately managed accounts, pooled funds, financial planning, robo-advisers, etc.)
  • Portfolio management and trading — how you construct portfolios, rebalance, handle trade execution, and manage conflicts when allocating trades across clients
  • Proxy voting — how you vote securities (or whether you delegate it)
  • Custody and safekeeping — how you ensure client assets stay protected and segregated
  • Client disclosure — how you inform clients about fees, conflicts, performance, and material changes
  • Brokerage practices — how you select brokers, negotiate commissions, and handle soft dollars
  • Personal trading and conflicts — how you prevent your own portfolio decisions from conflicting with client advice
  • Gifts and entertainment — what you permit staff to accept and from whom
  • Investment restrictions and exceptions — how you handle client-specific constraints or adviser-imposed limits

Small advisers typically condense these into one integrated manual rather than separate handbooks. The key is completeness within scale: a solo adviser with three clients can have a simpler section on “allocation of trades” than a multi-client firm, but the section must exist.

Risk Assessment

Rule 206(4)-7 requires you to conduct a documented review of the risks to your business and clients. This should address:

  • Operational risks — IT infrastructure, backup systems, record-keeping, staff turnover
  • Compliance risks — overlooked regulatory obligations, misunderstandings of client suitability, delayed disclosures
  • Market and custody risks — counterparty failure, market disruption, advisor-custodian conflicts
  • Reputational risks — conflicts of interest that could undermine client trust

Small advisers sometimes view this as box-ticking, but the SEC views it as the intellectual foundation of the program. If you run a concentrated portfolio strategy and hold significant illiquid securities, you should identify “liquidity risk” in your assessment. If you delegate custody to a single custodian, note it. The purpose is to force you to think before writing policies—not to add inches to your manual.

Testing and Supervision

You must establish procedures to verify that your program actually works. This includes:

  • Periodic reviews — at least annually, review client files for completeness and accurate fee application
  • Testing of specific controls — e.g., spot-check that custody statements are received and reviewed, that brokerage invoices are reconciled, that personal trading reports are filed on time
  • Documentation of testing — record what you tested, when, what you found, and what corrective action (if any) you took
  • Escalation procedures — define when a compliance issue gets flagged to ownership or the CCO

In a small firm, the owner often wears the compliance hat. You can still test yourself, but document that you did. The SEC expects evidence—not perfection, but a paper trail showing you were paying attention.

Chief Compliance Officer

All registered advisers must designate a chief compliance officer (CCO). In a 5-person firm, the CCO might be the owner or a part-time appointee who also handles operations. The CCO is responsible for:

  • Implementing and updating the compliance program
  • Investigating potential violations
  • Supervising compliance across the firm
  • Reporting violations to the investment adviser (and ultimately to senior management)
  • Certifying the program annually

The CCO does not need to be a full-time dedicated employee, but you cannot leave the role vacant or unnamed. The SEC wants to know who is accountable.

Annual Certification

At least once per calendar year, the adviser (usually the owner or board) must:

  1. Review the compliance program
  2. Assess whether it remains adequate given regulatory changes, new services, mergers, or operational shifts
  3. Update it as needed
  4. Document who performed the review and what changes were made

This does not require external audit, though some advisers do engage counsel or compliance consultants. A competent annual review—and a dated memo saying “reviewed, updated, no material changes needed” or “added section X”—satisfies the rule.

Common Small-Firm Gaps

Examination experience shows recurring oversights:

  • Ambiguous personal-trading rules — “staff may trade if not in conflict” is vague; specify how you know if it conflicts (list restricted securities, define lookback periods)
  • Missing custody procedures — stating that the custodian is “responsible for assets” is not enough; you must document how you verify custody statements and confirm no unauthorized access
  • Undefined client suitability — small advisers sometimes assume their clients are “all sophisticated” and skip suitability checks; Rule 206(4)-7 says you must define your process
  • No trade allocation logic — if you manage multiple clients, state whether you allocate pro-rata, by account size, by client entry date, or some other method; the absence of a rule invites scrutiny

Scaling Your Program

A solo adviser managing five accounts can write a lean, honest program. A 15-person firm running a registered mutual fund must be more elaborate. The rule does not prescribe depth—only adequacy. Ask:

  • What regulatory obligations apply to my specific services?
  • What are my top three operational risks?
  • How do I prevent or catch lapses?
  • How often will I test and update this?

If you can articulate answers and document them, you have a defensible compliance program. If you have adopted a template from an industry body (like AIMA or SIFMA) and customized it to your business, you are on solid ground. If you have written nothing, or a generic statement that “we comply with the law,” you fail the rule.

See also

  • Securities and Exchange Commission — federal regulator of advisers and broker-dealers
  • Investment Company Act of 1940 — foundational statute governing investment companies and advisers
  • Conflict of interest — central risk that compliance programs must address
  • Custody and safekeeping — standard compliance obligation for client assets

Wider context

  • Hedge Fund — commonly unregistered advisers with tailored compliance models
  • Fiduciary duty — underlying legal obligation that compliance programs operationalize
  • Regulatory approval process — initial registration and ongoing oversight