The RIA Annual Compliance Review Checklist for 2026
by Jump
If your annual review checklist still says the SEC requires you to document the review in writing, it's working from a rule that no longer exists. A federal court struck that requirement down in 2024. Plenty of firms, and plenty of the guides they rely on, never got the memo.
That doesn't let anyone off the hook, which is the part worth understanding. The core of Rule 206(4)-7 is untouched. You still have to keep written policies, review them at least once a year, and be ready to show a regulator that the review happened. What changed is subtle, and getting it right separates the firms that breeze through exams from the ones that sweat them.
This checklist gives you both halves: the areas to review, one at a time, the way an examiner reads them, and the documentation reality after 2024, including why your ability to prove a year of oversight now counts for more than the policies themselves.
What Rule 206(4)-7 Asks of You
Strip away the commentary and the Compliance Rule, Rule 206(4)-7, asks three things of every adviser registered with the SEC. It has done so since early 2004, and the substance hasn't softened in the years since.
- Keep written policies and procedures that are reasonably designed to stop your firm from violating the Advisers Act. The word doing the work is "reasonably." Your policies need to reflect how your firm actually operates, not a template you bought and lightly edited.
- Review those policies at least once a year, judging both whether they still fit your business and whether people are following them in practice.
- Name a Chief Compliance Officer to run the program from one day to the next.
The annual review isn't meant to be a box you tick. The SEC expects it to account for the compliance matters that came up over the past year, any changes in how your firm operates, such as a new line of business, and the regulatory changes that landed since your last look. You can do all of this in one concentrated stretch or spread it across the year, whichever fits how you work. Either way, the question underneath every line item is the same one a regulator will eventually ask. Are these policies still doing their job, and can you show it? That question sits at the heart of RIA compliance, and the rest of this checklist is built to answer it.
What Changed in 2024 (and Why Half the Checklists You'll Find Are Wrong)
If a checklist tells you the SEC now requires your annual review to be written down, set it aside. That requirement existed for about ten months and no longer does.
Here's the short history. In August 2023 the SEC adopted an amendment that would have forced advisers to document the annual review in writing, tucked into a larger package known as the Private Fund Adviser Rules. Then, on June 5, 2024, the Fifth Circuit Court of Appeals vacated those rules in full, ruling that the SEC had overstepped its authority, and the amendment to Rule 206(4)-7 went down with them. The SEC confirmed as much in an October 2024 notice, stating plainly that the change is no longer in force.
So you're off the hook for writing it down? Not really, and this is where the nuance earns its keep. The legal mandate is gone, but the SEC compliance reality on the ground hasn't moved an inch. Examiners still ask for evidence that the review happened, and an inability to show that your annual reviews actually took place has long been one of the deficiencies the SEC flags most often. What changed is the rule citation, not the expectation. If you document your review, you're doing what every well-run firm already does and what a regulator still wants to see. The smarter way to read 2024 is this. The pressure shifted from "you must write it down" to "you'd better be able to prove it."
Start Where the SEC Starts, With a Risk Assessment
Before you open the checklist, take stock of where your firm is actually exposed. A risk assessment is the step that tells you which parts of the checklist deserve real scrutiny and which ones you can confirm quickly and move past.
The reason is simple. Your risks are specific to you. An advisor managing 150 households with discretionary authority, custody through an outside dashboard, and a growing book of held-away assets is exposed in ways that a fee-only planner with a dozen clients and no custody simply isn't. Run the same generic review across both firms and you'll spend your hours in the wrong places.
A risk assessment fixes that. It maps your business lines, client types, conflicts, custody arrangements, and the vendors who touch client data, then ranks where the real exposure sits. That ranking is what lets you point your limited compliance time at the areas most likely to draw an examiner's attention. Skip it and you end up with a thorough-looking review that tested everything lightly and nothing closely, which is exactly the pattern the SEC reads as a generic program.
A Checklist Built the Way an Examiner Thinks
Once you know where your risk concentrates, work the review one area at a time. Each piece below is tied to the rule behind it and, more to the point, to the client whose outcome is on the line.
Form ADV and Form CRS
Confirm that Parts 1, 2A, 2B, and your Form CRS still describe the firm you run today, not the one you ran two years ago. Fees, conflicts, and disciplinary history all need to match reality, and your annual updating amendment is due within 90 days of your fiscal year-end. When a prospect reads your ADV, it should answer the questions they would otherwise have to ask you twice.
Marketing and Advertising
Pull your website, social posts, pitch decks, and any one-to-many communications and read them against the Marketing Rule, 206(4)-1. Performance figures need net shown alongside gross, testimonials and endorsements need their disclosures, and every claim needs something behind it. It's worth remembering that the Marketing Rule survived the 2024 court ruling untouched and still sits near the top of the SEC's exam list, so this is not the area to wave through.
Code of Ethics and Personal Trading
Check that your code of ethics has gone out, been acknowledged, and still reflects how your access persons actually behave. Their initial holdings reports were due within ten days of becoming access persons, with annual holdings reports and quarterly transaction reports after that. The point isn't paperwork. It's being able to show that nobody at your firm is trading ahead of, or against, the clients who trust them.
Custody, Best Execution, and Fee Billing
Settle the custody question first, because the answer drives everything from the surprise exam to the qualified custodian requirements. Then test your billing the way an examiner would, by pulling a sample of invoices and confirming the fee charged matches both the advisory agreement and the ADV. Review your best execution practices and any soft dollar arrangements while you're in there. A fee billed wrong is the fastest way to turn a routine review into a refund and a finding.
Cybersecurity and Client Data
Hold your written information security program up against the 2024 Regulation S-P amendments, which tightened expectations around incident response and breach notification, and run your identity-theft red flags under Regulation S-ID. Confirm that your vendor due diligence is current and your access controls still make sense. This is a stated 2026 exam priority, and it's also the area where a single lapse becomes a client's problem overnight.
Books, Records, and Business Continuity
Make sure your Rule 204-2 records are complete and, just as important, retrievable on short notice. Then look hard at your business continuity and transition plan. If you were out for a month, or for good, could the firm keep serving clients, and could someone find what they needed? Succession is a compliance question as much as a business one.
How to Prove the Program Works
A review that only confirms your policies exist on paper isn't a review. It's an inventory. The part that carries weight with a regulator is testing, which means going and checking whether the policy held up when it met the real world.
Two kinds of testing matter. The first is the spot test, where you pull a sample and inspect it. Take twenty client invoices and confirm each fee matches the agreement, or pull a quarter's worth of marketing posts and check that every performance claim has support behind it. The second is trend testing, where you step back and look across the year for patterns, the slow drift that no single transaction would reveal on its own.
The cleanest way to run both is a simple testing matrix. For each area you flagged as higher risk, write down the procedure, the sample size, and what you expect to find. Weight it toward the exposures your risk assessment surfaced rather than spreading it evenly across everything. Done this way, testing stops being busywork and starts doing what it's for, which is catching the billing error or the stale disclosure before a client does, and well before an examiner asks.
Write Down What You Found and How You'll Fix It
Even though the rule no longer forces it, write down what you reviewed, what you found, and how you're fixing it. When an examiner shows up, this report is the first thing they ask for, and it's what turns a list of findings into actual remediation rather than good intentions.
Good documentation is plainer than most people fear. It names the scope of what you tested, the findings, any deficiencies, and the fixes, with a person attached to each fix and a date by which it's done. Then it gets signed off. There's no mandated format, so use whatever you'll actually keep current, whether that's a narrative report, the testing matrix you already built, or a blend of the two.
One thing separates the firms that breeze through this from the ones that dread it. The first group documented as they went. The second is reconstructing a year of activity from memory in the final weeks, which is slower, thinner, and far easier for an examiner to poke holes in.
The Deficiencies the SEC Keeps Citing
Year after year, examiners write up the same short list of failures. None of them are exotic, which is the encouraging part, because it means the checklist you're already working through heads most of them off.
The recurring ones are familiar. Compliance functions that are under-resourced and stretched too thin. A CCO who holds the title but not the authority to actually change anything. Firms that can't demonstrate their annual reviews happened at all. Policies bought off the shelf that describe a generic adviser instead of the one being examined. And marketing controls that haven't kept pace with what's actually going out the door. The SEC laid most of these out in its 2020 Risk Alert on adviser compliance programs, and they've barely shifted since.
Read that list again and notice something. Every item on it is answered by the work in the sections above. A real risk assessment, honest testing, and a documented review aren't there to satisfy a rule. They're how you keep from being the firm in next year's deficiency report.
What the 2026 Exam Priorities Tell You to Add This Year
The SEC publishes its exam priorities every fall, and they read like a map of where examiners will push hardest. The 2026 list, released in November 2025, gives you a few specific places to add testing this cycle.
For advisers, the throughlines are familiar but worth heeding. Fiduciary duty stays front and center, with particular attention to conflicts, best execution, and whether your advice fits the client in front of you, especially retail and older clients. The agency also signaled close looks at marketing, valuation, portfolio management, disclosure, and custody, and it continues to focus on newly registered and never-examined firms. Cybersecurity under the 2024 Regulation S-P amendments and anti-money-laundering programs both carry over, though the AML compliance date for advisers has been pushed out to January 2028.
The genuinely new note is artificial intelligence. Examiners have said they'll look closely at how firms govern AI and similar tools used in advice, trading, and compliance work. If you've added any of that to your practice, build its oversight into this year's review. That last point connects directly to how the sharpest firms now handle their documentation.
Your Evidence Trail Decides Whether the Review Holds
Here's the shift the 2024 court ruling really forced, and almost no one is saying it out loud. The question stopped being whether you must write your review down and became whether you can prove the year of oversight sitting underneath it. A checklist tells you what to review. Your evidence trail decides whether that review survives an exam.
Most firms don't fail because a policy was missing. They fail because it's December and they're trying to reconstruct a client meeting from March, working off a thin calendar entry and their own memory. The fix isn't more diligence in the final weeks. It's changing when the work happens, so the annual review becomes the byproduct of records you were already keeping rather than a year of archaeology compressed into a fortnight.
Call it a continuous evidence trail. Every client conversation where you discussed a recommendation, weighed suitability, or delivered a disclosure is a compliance event. If those moments are captured as they happen and made searchable, testing a quarter of your client interactions turns into a query instead of a weekend. The documented review you owe nearly writes itself, because the evidence was accumulating all along.
This is where RIA software earns its place. Tools built for advisors, including platforms like Jump that generate structured, time-stamped records of client meetings, turn scattered recollection into something you can actually pull up and hand over. The same capability is what draws the SEC's 2026 attention to AI governance, which means whatever you lean on needs its own guardrails around access, accuracy, and how long records are kept. Used with that care, the payoff lands where it should. You spend less time proving the past and more time in the conversations that deepen client relationships and grow the book in the first place.
When the Review Stops Being a Scramble
The firms that move through an exam without losing sleep aren't the ones with the longest checklists. They're the ones whose ordinary week already produces the record the review asks for. Work the areas in order, test against your real risks, and write down what you found, and most of the annual review takes care of itself.
What changes when you get this right has less to do with compliance and more to do with where your time goes. The annual review stops being a deadline you brace for in the final weeks and turns into a summary of work you'd done all along. That leaves you where you'd rather be, across the table from a client instead of buried in a file reconstructing the past.
That's the case for letting Jump, an AI assistant for financial advisors, carry the documentation weight. When every client conversation is captured as it happens, structured, time-stamped, and searchable, your evidence trail builds itself while you stay focused on the advice, and the review becomes a matter of pulling records rather than recreating them. Advisors who run their practice this way walk into exams with the proof already in hand and walk into client meetings with their full attention on the person across the table. See what that looks like in your own practice and book a Jump demo today.