%2010.svg){kind=logo}
Exam findings letter
SEC findings
Examination deficiency
What a deficiency letter contains
- Each finding described with reference to the relevant rule or section.
- Examples or specific instances supporting the finding.
- A request for a written response, usually within 30 days, addressing each finding.
- Notice of any items being referred to the Division of Enforcement (in serious cases).
Severity levels
- Technical — a missing form field, a late filing, an outdated policy reference. Easy to remedy.
- Substantive — a meaningful program failure (e.g., no evidence of annual review, inadvertent custody) that requires program-level changes.
- Referral-eligible — findings serious enough to be referred to Enforcement, often involving fraud, repeated failures, or material harm to clients.
How firms respond
The response typically:
- Acknowledges each finding without unnecessary defensive posture.
- Describes the corrective action taken — policy update, procedure change, training, system implementation.
- Provides a timeline for any actions still in progress.
- Includes evidence of completed actions where relevant.
What reduces the risk of a deficiency letter
- Continuous compliance practice rather than periodic catch-up.
- An annual compliance review that finds the firm's own gaps before the SEC does.
- A current and owned compliance calendar tied to evidence.
- Self-reporting and pre-emptive remediation when issues surface internally.
How StratiFi thinks about deficiency letters
The deficiency letter is the SEC's report card on the firm's compliance program. Most firms receive one — that fact alone is not the issue. The issue is whether the response demonstrates that the firm understood the finding, took it seriously, and has program-level discipline rather than one-off fixes. Treating the letter as a stress test of the program rather than a list of items to close is the difference between an exam that ends and an exam that escalates.
Frequently asked questions
-
How long do I have to respond to an SEC deficiency letter?
Typically 30 days from the date of the letter. Complex findings may have longer deadlines, and ongoing remediation actions may require follow-up reporting. The cover letter specifies the deadline; missed deadlines escalate the matter and can be referenced in subsequent enforcement actions. -
What are the most common SEC exam deficiencies for RIAs?
The most cited categories are: portfolio drift from the stated IPS, unexplained cash concentration, inadequate annual compliance review documentation, missing or incomplete client review records, and gaps in the marketing rule program (testimonials, performance disclosures). The first four are operational; the marketing rule failures are usually documentation gaps. -
Does a deficiency letter affect my SEC registration?
Most do not — they are confidential between the SEC and the firm and end with the firm's response. Letters with serious findings can be referred to the Division of Enforcement, which is separate from the exam process and can result in public actions, fines, or registration consequences. -
Is a deficiency letter public?
Generally no. Deficiency letters are confidential. The Form ADV does not require disclosure of the letter itself, though enforcement actions that may result from a letter become public.