Your Annual Compliance Review Is a Document Problem

Ankit Dhiman, Co-founder & CTOJuly 13, 20268 min read
Editorial illustration of compliance evidence documents flowing into an annual review dossier

Key takeaways

  • SEC Rule 206(4)-7 requires every RIA to conduct and document a written annual compliance review, not just a best-practice recommendation.
  • The SEC's December 2025 risk alert found firms that updated compliance policies on paper but never implemented them in practice.
  • The SEC's FY2026 exam priorities, announced November 2025, now explicitly check whether a firm's actual AI use matches its disclosures.
  • A defensible annual review pulls evidence from the CRM, portfolio platform, email archive, and marketing files, then reconciles it against the compliance manual.
  • Firms typically don't add a dedicated compliance hire until north of roughly $2 million in revenue, leaving the review as one job among several for one person.

Ask a compliance officer at a mid-market RIA what their least favorite month of the year is, and most of them will tell you it's whichever month their annual compliance review falls in. Not because the rule is confusing — it isn't, particularly. Because doing it properly means pulling records out of five or six different systems, reading through a year's worth of them, and proving that what actually happened matches what the firm's own policies say should have happened. That's not a compliance problem. It's a document problem wearing a compliance costume.

What the rule actually requires

SEC Rule 206(4)-7 — sometimes just called "the Compliance Rule" — requires every registered investment adviser to review its own compliance policies and procedures at least once a year, and to document that the review happened. Not a suggestion, not a best practice. A firm without a documented annual review has a real, citable deficiency the moment an examiner asks for it.

What actually goes into that review is where it gets heavy. A proper review means pulling the firm's financial and accounting records, its marketing and advertising materials along with whatever performance data was used to substantiate any claims in them, the trade blotter and client correspondence, and personal trading records for anyone at the firm who might be positioned to trade ahead of clients. Then it means going line by line through the compliance manual itself — every control, every certification, every "we do X annually" — and checking whether X actually happened, who did it, and whether there's a record proving it.

The part nobody talks about: most firms don't actually finish it

We read the SEC's own examination risk alert on this rather than take anyone's summary of it, because this finding is worth being precise about. In a risk alert published in December 2025, SEC examiners reported finding advisers who had never updated their written policies to cover newer requirements like the Marketing Rule, and — more striking — advisers who had updated the paperwork but never actually implemented what it said. The policy existed. The practice it described didn't.

That's the real headline here, and it's not a headline about bad actors. It's what happens when a legally mandated, once-a-year task requires pulling structured evidence out of systems that were never built to talk to each other, and the person responsible for it is also doing two or three other jobs at the firm. The review doesn't get skipped because nobody cares. It gets skipped, or done superficially, because doing it properly is a multi-week manual research project layered on top of somebody's actual day job.

Why this is exactly the wrong year to let it slide

The SEC's own fiscal year 2026 examination priorities, announced in November 2025, add a specific new wrinkle: examiners are now explicitly looking at whether a firm's actual use of AI matches what it has told clients and regulators it does. If your ADV or your marketing says AI plays a role in research or portfolio decisions, an examiner now has a stated mandate to check whether that's genuinely true, or whether it's supplemental research being described as something bigger. The Division has also been explicit that assessing the overall effectiveness of a firm's compliance program remains a "fundamental part of the examination process." Both of those raise the bar on the same review that most firms were already struggling to finish properly.

There's a practical implication buried in that priority that's worth calling out directly: firms are increasingly expected to maintain something like an AI inventory as part of this — a plain list of every tool in the firm's workflow that touches machine learning or generative AI, what it actually does, who's responsible for supervising it, and whether its use is disclosed anywhere. If a firm can't produce that list quickly when asked, that's its own finding, independent of whatever else the review turns up.

Where the actual time goes

It's worth being specific about what eats the weeks, because it's rarely the analysis itself — a compliance officer who's been doing this for years usually knows what "good" looks like the moment they see the data. What eats the time is getting the data into a state where it can be looked at at all: exporting trade records from the portfolio system, pulling marketing materials from wherever they actually live (which, for most firms, is scattered across email, a shared drive, and whatever the marketing person's laptop has on it), cross-referencing client correspondence against a CRM that's only partially up to date, and manually checking personal trading records against a list of restricted securities that changes throughout the year.

None of that is judgment work. It's retrieval and reconciliation work, done by someone qualified enough that their time is expensive, on a task that has to happen whether or not anything interesting actually gets found.

What automating this actually looks like

The version of this that works isn't "an AI writes your compliance review." It's a system that does the retrieval and first-pass reconciliation automatically — pulling records from the CRM, the portfolio management platform, the email archive, and wherever marketing content lives, matching them against what the compliance manual says should exist, and surfacing the specific gaps: the certification nobody signed, the marketing claim with no substantiation file behind it, the personal trade that never got pre-cleared. A person — the actual compliance officer, who understands the judgment calls a rule like this always involves — reviews what the system found and writes the actual assessment. The system does the part that's mechanical and exhausting. The person does the part that requires actually knowing the firm.

That division of labor matters for a reason beyond convenience. An examiner isn't going to accept "the AI said it was fine" as a defensible review. They will accept a review where a qualified person made the final call, backed by evidence a system assembled faster and more completely than a person could have done by hand. That's the same pattern that's proving out across the rest of financial services automation right now — the system gathers and flags, the person decides.

What this doesn't replace

It's worth saying plainly: no automated system should be making the actual compliance judgment calls, and the tools already built specifically for this — platforms like Hadrius and Greenboard, which focus on exactly this kind of continuous evidence-gathering and audit-readiness for RIAs — are built the same way, as oversight and preparation layers sitting underneath a human sign-off, not a replacement for one. The value isn't removing the compliance officer from the loop. It's making sure that when they sit down to do the review, they're starting from an organized, largely complete evidence file instead of a blank spreadsheet and a list of systems to log into.

Who's actually doing this at a firm your size

At most firms in the hundred-million-to-a-few-billion range, a full-time, dedicated compliance officer with nothing else on their plate doesn't tend to show up until a firm is well past that range — a firm typically doesn't bring on a dedicated operations or compliance hire until it's north of roughly two million dollars in revenue. Below that, whoever owns the annual review is usually wearing that hat alongside running trading, managing client service, or acting as the firm's de facto ops manager. That's the person you're asking to also become, once a year, a part-time forensic auditor of the firm's own records.

That structural reality is exactly why this tends to slip. It's not that the rule is unclear or that anyone's being careless. It's that the task doesn't map cleanly onto a role that exists at most mid-market firms, so it competes for time against three or four other jobs the same person is already doing — and it's usually the one that loses, right up until an exam notice changes the priority overnight.

Frequently Asked Questions

What exactly does SEC Rule 206(4)-7 require?

It requires every registered investment adviser to review the adequacy of its compliance policies and procedures at least annually, and to document that the review took place in writing. It's a legal requirement, not a recommended practice, and examiners will ask to see the documentation directly.

Do SEC examiners actually check whether firms did this properly?

Yes. The SEC's own December 2025 risk alert specifically flagged advisers who either never updated their compliance policies for newer rules or updated the paperwork without actually implementing the described practices. The FY2026 exam priorities add explicit scrutiny of whether a firm's AI use matches what it discloses.

Can AI actually do a compliance review, or just help with it?

Just help with it, and that's by design. The defensible pattern is a system that gathers and cross-references the evidence — trade records, marketing substantiation, personal trading logs, certifications — and a qualified compliance officer who reviews the findings and makes the actual determination. An examiner wants to see a human made the call, backed by complete evidence.

What's the single biggest time sink in the annual review?

Pulling structured, verifiable evidence out of systems that don't talk to each other — the CRM, the portfolio platform, the email archive, wherever marketing materials actually live — and reconciling it against what the compliance manual claims happens. It's retrieval work, not judgment work, and it's the part that scales the worst as a firm grows.

See what this would actually cost you to fix

We built a free calculator that estimates what manual document handling costs a firm per year, using industry-standard per-document handling rates — the same kind of handling that eats most of an annual compliance review. It takes about two minutes and doesn't require your email to see the number. Try the Document Processing Cost Calculator, or if you'd rather just talk through what your own review actually looks like, book 30 minutes with us.

Get new articles when they publish

One email per post. No pitch, no spam.

Document Processing Cost Calculator Or book a free callMore articles