USA compliance for independent advisors

ComplianceKaro Team
June 6, 2026

Executive summary (short):

Independent advisors (individuals and small RIA firms) must navigate a layered compliance framework: federal regulators (SEC, FinCEN, DOL, IRS, OFAC) plus state securities and insurance regulators. Core federal obligations for most RIAs include registration or notice filing via Form ADV (IARD), a written compliance program with an appointed Chief Compliance Officer (SEC Rule 206(4)-7), the Marketing Rule (amended Rule 206(4)-1) and its related recordkeeping (Rule 204-2), the custody rule, fiduciary and anti-fraud duties under the Advisers Act, and new AML (FinCEN) and cybersecurity expectations. States impose parallel registration and notice requirements, fees, continuing-education and exam rules, and additional filings (state-specific fees, financial statements, bonding and fingerprinting in some states). In practice, compliance is primarily documentation: written policies and procedures, annual reviews, Form ADV maintenance, client disclosures (Part 2A/2B, and Form CRS where applicable), record retention, and implemented AML, privacy and cybersecurity measures.

High-level findings (detailed):

- Registration & filings: Whether to register with the SEC or with a state depends on AUM and business footprint. SEC registration generally applies at $100M+ AUM (with exceptions); states regulate firms below that threshold and may require registration if the advisor has a place of business in the state or a threshold number of in-state clients (states vary: many use 5+ clients; New York uses 6+). Form ADV filings and annual/amendment obligations go through IARD/CRD. (See SEC/NASAA/IARD resources.)
- Compliance program & CCO: Rule 206(4)-7 requires written policies and procedures, an annual review, and the appointment of a CCO responsible for administering the program. CCO duties include supervision, testing, recordkeeping, training, and maintaining the code of ethics and personal-trading oversight.
- Marketing & recordkeeping: The SEC's Marketing Rule (amendments consolidating the advertising and cash solicitation rules) is in effect; it was adopted Dec 22, 2020, with a compliance date of November 4, 2022. The Rule expands advertising coverage, permits testimonials and endorsements under conditions, imposes new performance and third-party rating disclosures, and expands recordkeeping obligations (amendments to Rule 204-2: retain copies of all advertisements and supporting documentation).
- Custody & supervision: The Custody Rule (Rule 206(4)-2) requires that client assets be held with qualified custodians, that clients receive custody notices and periodic statements, and, where the adviser has custody, an annual surprise audit by an independent accountant in many cases. States use NASAA model custody guidance in examinations.
- AML/BSA: FinCEN issued a final rule (Sep 4, 2024 Federal Register) extending AML/CFT program and SAR filing requirements to many registered investment advisers and exempt reporting advisers (RIAs and ERAs), with certain exemptions and exclusions (state-registered advisers are largely excluded for now). Advisers in scope must adopt risk-based AML programs, customer identification and enhanced due diligence procedures, and SAR filing processes.
- Cybersecurity & privacy: The SEC adopted cybersecurity disclosure rules for public companies (material incident reporting and annual disclosures) in 2023. For investment advisers, the SEC proposed cybersecurity rules (including written policies and confidential incident reporting) and took related actions and proposals through 2022–2025; advisers should follow SEC guidance, Reg S-P privacy and safeguards expectations, and industry best practices. Even absent a final SEC rule for advisers, exam staff expect reasonable written cybersecurity policies, incident response plans and supporting documentation.
- ERISA/retirement accounts: Advisers to ERISA plans must follow DOL fiduciary rules and guidance (act in plan beneficiaries' best interest). ERISA imposes additional recordkeeping and prohibited-transaction considerations; coordinate with ERISA counsel for plan-level actions.
- OFAC/sanctions & IRS: Advisors must screen clients and transactions against OFAC sanctions lists and maintain appropriate sanctions and AML screening programs. For tax reporting and support, advisors assist clients with tax forms and must follow IRS rules such as backup withholding and information reporting (Form 1099s) where applicable.
- State-level variations & practical steps: Examples: California DFPI (forms, $125 fee; local guidance); New York requires registration or notice at 6+ in-state clients and a $200 fee; Texas requires IARD filings and specifies a fee structure and additional documents. States differ on thresholds, exam requirements, fingerprinting, financial statement submission and bonding. NASAA and state regulator web pages are essential for state-specific filing instructions and fees.

Practical compliance checklist for independent advisors (actionable):

1) Determine the registration path: calculate AUM and map client locations (SEC vs state; if SEC-registered, prepare state notice filings where required). Use IARD entitlements and file Form ADV (Parts 1A/2A/2B).
2) Create and maintain a written Compliance Manual: include policies for advertising and marketing (Marketing Rule compliance), an AML/BSA program (if in scope under the FinCEN rule), custody, code of ethics, privacy and data security, business continuity and disaster recovery, and cybersecurity incident response.
3) Appoint a CCO and document the annual review schedule and testing procedures.
4) Update Form ADV annually and whenever it becomes materially inaccurate; ensure brochure delivery obligations are met (Part 2A and 2B; Form CRS as applicable).
5) Marketing and recordkeeping: retain copies of all advertisements, maintain substantiation for performance claims, and document third-party ratings and testimonials with the required disclosures.
6) Custody and custodial disclosures: use qualified custodians, provide client custody notices, and arrange independent surprise audits when custody exists.
7) AML & OFAC: implement client onboarding KYC, enhanced due diligence for higher-risk clients, sanctions screening, and SAR/reporting processes if the FinCEN rule brings you in scope.
8) Cybersecurity & privacy: implement written cybersecurity policies, data protection controls, incident response and vendor oversight; document incidents and remediation.
9) ERISA clients: confirm ERISA fiduciary status and prohibited-transaction compliance; use ERISA-specific policies.
10) State-specific compliance: review each state's regulator page for filing fees, exam/education requirements, and any unique rules; maintain state notice filings via IARD and pay fees.
11) Maintain a compliance calendar and a document retention schedule (per amended Rule 204-2).
12) Prepare for examinations: gather compliance program evidence, trading and communication surveillance records, client files, ADV and financial records, AML program materials and cybersecurity logs.
