The Rule 206(4)-7 annual review is one of the most consistently cited deficiency areas in SEC examinations of registered investment advisors, not because advisors misunderstand the obligation, but because they underestimate what documenting it actually requires.
In August 2023, the SEC's Division of Examinations published a Risk Alert specifically addressing compliance program deficiencies under Rule 206(4)-7. The findings were pointed: examiners found that numerous RIAs either failed to conduct an annual review at all, or conducted an informal review that left no documentation trail an examiner could verify. The SEC followed this with similar findings in its 2024 and 2025 examination cycles, confirming that annual review deficiencies remain among the highest-frequency findings across examination types.
This guide explains what Rule 206(4)-7 requires, what the annual review must actually accomplish, how examiners assess whether the requirement is met, and how to structure a review process that satisfies the rule and produces defensible documentation.
Rule 206(4)-7 under the Investment Advisers Act of 1940 — commonly called the "Compliance Rule" — establishes three core obligations for every SEC-registered investment advisor:
| Requirement | What It Means in Practice |
|---|---|
| Written compliance policies and procedures | The firm must have documented policies reasonably designed to prevent violations of the Advisers Act |
| Chief Compliance Officer designation | The firm must designate a CCO with sufficient seniority and authority to administer the compliance program |
| Annual review | The firm must review, no less frequently than annually, the adequacy of its compliance policies and the effectiveness of their implementation |
The annual review requirement is the most operationally intensive of the three, and the one most frequently mishandled. The rule does not specify a particular format, methodology, or minimum scope — but examiners apply a substantive standard: the review must be rigorous enough to actually detect compliance problems, and it must produce a written record that evidences what was reviewed, when, and what conclusions were reached.
The SEC's interpretive guidance makes clear that an annual review under Rule 206(4)-7 is not a box-checking exercise. The review must assess two distinct questions: whether the firm's compliance policies and procedures are adequate to address the firm's specific compliance risks, and whether those policies are being implemented effectively in practice.
Adequacy means that the written policies cover the firm's actual business activities and regulatory obligations. A firm that launched an options strategy in the past year but whose compliance manual still describes only traditional equity management has a policy adequacy gap. A firm that adopted an AI-assisted portfolio screening tool but has no written procedure governing its use has an adequacy gap. The review must identify these gaps and document what changes are needed.
Effectiveness means that the policies, where they exist, are actually being followed. Are trade pre-clearance procedures being used? Are client communications reviewed by the person designated in the written procedures? Are annual client meetings being documented? The review must test whether the procedures on paper reflect what happens in practice.
When the Division of Examinations evaluates a firm's annual review compliance, examiners focus on four questions. Understanding these questions in advance allows CCOs to structure a review that answers them affirmatively.
1. Was the review conducted within the past 12 months?
The rule requires a review "no less frequently than annually." Examiners verify the review date. A review completed in March of one year and not repeated until May of the following year technically satisfies the rule — but a gap of 14 months may draw scrutiny if the firm was undergoing changes during that period.
2. Is there written documentation of the review?
An annual review that was never written down did not happen from an examiner's perspective. Documentation must include at minimum: the date the review was conducted, who conducted it, the areas reviewed, any deficiencies or weaknesses identified, and the remediation steps taken or planned.
3. Did the review address the firm's specific compliance risks?
A generic checklist downloaded from a compliance software provider is not sufficient unless it has been customized to the firm's actual business. Examiners look for evidence that the review was tailored to the firm's specific advisory services, client types, product mix, and known risk areas.
4. Did identified weaknesses result in actual program changes?
Finding a deficiency in an annual review and doing nothing about it can be worse than not finding it at all — it evidences that the CCO identified a problem and the firm chose not to fix it. Examiners look for documentation showing that findings led to policy updates, additional training, or procedural changes.
The SEC's Risk Alert and subsequent examination findings identify a recognizable set of patterns that produce deficiency letters. These failures appear repeatedly across firm sizes, business models, and registration categories.
A defensible annual review is built around a consistent process, not a template. The following framework can be adapted to firms of any size and applied each year with appropriate customization for developments during the review period.
Step 1: Set the review scope based on current business activities.
Begin with a current description of the firm's advisory services, client types, products used, personnel, and affiliated entities. Compare this to the prior year. Identify every area where the business changed, and add those areas to the review scope explicitly.
Step 2: Test written procedures against actual practices for each compliance area.
For each compliance area — fiduciary duty, fees, marketing, trading, custody, supervision — identify the written procedure and then test whether it reflects what the firm actually does. Interviewing personnel, reviewing trade records, and sampling client files are all appropriate testing methods.
Step 3: Review disclosures for accuracy and completeness.
Assess whether Form ADV Part 1, Part 2A, and Part 2B are current and accurate. Review all client-facing disclosures — fee schedules, client agreements, marketing materials — for consistency with written procedures and current business activities.
Step 4: Document findings and assign remediation responsibility.
Record every gap, inconsistency, or weakness identified in the testing process. For each finding, assign a responsible person and a target remediation date. This documentation serves as the working paper for the review and the evidence base for any regulatory inquiry.
Step 5: Update policies and procedures based on review findings.
Implement changes to written procedures identified as inadequate during the review. Date and version-control updated policies so there is a clear record of when changes were made and what they addressed.
Step 6: Prepare a written annual review report.
Produce a concise written summary that covers: date of review, scope, testing methodology, findings, and remediation actions taken or planned. This document does not need to be lengthy — but it must exist, it must be specific, and it must be signed or otherwise attributed to the CCO. Retain it for a minimum of five years.
Rule 206(4)-7 annual review compliance is not a complicated obligation — but it is a frequently underexecuted one. The firms that consistently satisfy examiners are not those with the most elaborate review processes; they are the ones that conduct a genuine assessment of their compliance program each year, document what they found, and fix what they identified. Examiners can read the difference between a substantive review and a formality.
StratiFi's compliance monitoring infrastructure helps CCOs maintain the continuous oversight necessary to make the annual review a genuine diagnostic rather than a documentation exercise. If you're building out a more defensible review process or preparing for an upcoming examination, we're glad to walk you through how our platform supports that work.
Is there a specific format the SEC requires for the Rule 206(4)-7 annual review?
No. The rule does not mandate a particular format, length, or methodology. The SEC's guidance requires that the review be substantive — assessing both adequacy and implementation effectiveness — and that it be documented. A one-page memo can satisfy the documentation requirement if it covers the essential elements: date, scope, findings, and remediation.
Can a third-party compliance consultant conduct the annual review instead of the CCO?
Yes. Firms frequently engage outside compliance consultants to support or conduct the annual review, particularly when the CCO lacks bandwidth or specific technical expertise. However, the designated CCO remains responsible for the adequacy of the review and must be involved in reviewing findings and authorizing any program changes that result.
What happens if the annual review identifies a serious compliance violation?
If the review reveals a material compliance failure, the CCO has an obligation to escalate it to senior management or the board (if applicable) and to take prompt remediation steps. Deliberate concealment of a known compliance violation compounds the regulatory exposure significantly. Prompt self-reporting to regulators may be appropriate in certain circumstances and should be evaluated with legal counsel.
Does the annual review requirement apply to state-registered advisers?
Rule 206(4)-7 applies only to SEC-registered investment advisors. State-registered advisors are subject to comparable requirements under their respective state securities laws, but the specific rule text, documentation standards, and examination approaches may vary by state.
How long should we retain annual review documentation?
Advisers Act books and records rules generally require retention of compliance records for five years, with the most recent two years in an easily accessible location. Annual review documentation — including working papers, testing results, findings, and the final review report — should be retained for the full five-year period.
Can we use the same review template every year?
A template can provide useful structure for an annual review, but it must be meaningfully customized each year to reflect the firm's current business activities, personnel, and identified risk areas. Using an identical template year after year without customization is a pattern examiners recognize and associate with nominal compliance rather than genuine assessment.
What is the relationship between the annual review and Form ADV annual amendment?
The annual review and the Form ADV annual amendment are separate obligations, but they should be coordinated. The annual review typically identifies disclosure updates needed in Form ADV, such as stale service descriptions, missing conflicts, and outdated fee disclosures. Aligning the annual review timeline with the ADV annual amendment (which must be filed within 90 days of fiscal year-end) allows firms to address both obligations in a single coordinated cycle.