Compliance · January 25, 2026 · 11 min read

SEC Examination Data Preparedness for Investment Advisers

How registered investment advisers prepare their financial data infrastructure for SEC examinations — what examiners look for and how to be ready.


FyleHub Editorial Team


The chief compliance officer at a $1.2 billion RIA received the SEC examination notice on a Tuesday morning. The initial document request letter listed 23 items. Twelve of them were data requests — trade blotters, performance records, fee billing calculations, access logs for client data systems. Her firm had all of the data. But it was scattered across four systems, maintained by three different staff members, and in several cases had never been formally reconciled to custodian records. What should have been a straightforward production turned into six weeks of manual reconstruction, two amended responses, and a follow-up examiner call. The firm received a deficiency letter. The findings were about documentation, not the underlying conduct.

SEC examinations of registered investment advisers are a regular feature of the regulatory landscape. The Investment Adviser Examination Program — formerly run by OCIE, now the Division of Examinations — examines advisers on a risk-based cycle, with larger and higher-risk advisers examined more frequently. Advisers managing over $1 billion can expect examination every 3-5 years. Advisers with prior deficiencies or regulatory red flags can expect more frequent contact.

Data management and technology systems have become a significant examination focus area. Understanding what examiners look for — and having the infrastructure to respond — is a core component of examination readiness.

What Examiners Look for in Data Systems

SEC examiners have become increasingly sophisticated about data management systems. Key focus areas:

Books and records compliance: Rule 17a-3 and 17a-4 require specific records to be maintained in specific formats for specific retention periods. Examiners verify that required records exist, are complete, and are accessible. "We have it somewhere" is not the same as "we can produce it in 24 hours."

Data integrity: Examiners assess whether the adviser has controls that ensure data accuracy — quality checks, reconciliation processes, and exception handling for data errors. The question is not just "is your data accurate?" but "how do you know your data is accurate?"

Data access controls: Who has access to client and proprietary data? Is access controlled on a minimum-necessary basis? Are access logs maintained? Examiners will ask for access logs going back 12-24 months. If you do not have them, that is itself a finding.

Technology security: Following SEC guidance on cybersecurity, examiners assess whether advisers have adequate security controls for systems containing client data. Annual cybersecurity assessments and documented incident response procedures are now baseline expectations.

Conflict of interest: Examiners look for situations where data management practices could create or mask conflicts — for example, if performance reporting data can be manipulated to present favorable results without an audit trail showing who changed what and when.

Vendor oversight: Examiners assess whether advisers maintain appropriate oversight of third-party technology vendors — including reviewing SOC 2 reports and understanding the controls that vendors maintain. If your data platform does not have a current SOC 2 report and you cannot produce it, expect a finding.

The SEC regularly publishes examination priorities and risk alerts identifying common deficiencies. Data-related findings consistently appear at the top. Here is what shows up most often:

Missing or incomplete required records: Records required by Rule 17a-3 or 17a-4 that are missing, incomplete, or not accessible in a reasonable time. "Reasonable time" in examiner practice means 24-48 hours, not two weeks.

Inadequate performance calculation documentation: Performance records that are not reproducible or that lack documentation of the calculation methodology. If you cannot walk an examiner through exactly how a client's reported return was calculated — from source data to final output — this becomes a finding.

Data security weaknesses: Inadequate encryption for client data, weak access controls, or absence of breach response procedures. Firms still using shared login credentials for data systems are a consistent examination target.

Vendor management gaps: Failure to review SOC 2 reports from technology vendors, or absence of vendor security assessments. If you are using a data platform that handles client information and you have never reviewed their SOC 2 report, you have a vendor management gap.

Retention failures: Data that should be retained under books and records rules has been inadvertently deleted, or data is stored in formats that are not non-rewritable and non-erasable as required. Cloud storage with deletion enabled by default is a common configuration error.

Before You Receive an Examination Notice

Here is the question to ask before you ever get that initial document request letter: if the SEC asked you today to produce all performance records for the past three years — source data, calculation methodology, reconciliation to custodian records — how long would it take?

If the honest answer is longer than 48 hours, or if the answer involves asking a specific staff member to "put it together," your examination infrastructure needs work. The firms that handle examinations efficiently are the ones where producing records is a configuration task, not a reconstruction task.

Building Examination-Ready Data Infrastructure

Books and records automation: Ensure that all required records are generated automatically as part of normal operations — not assembled manually before an examination. The examination request for books and records should be satisfiable by running a report, not by manually gathering documents across systems. Advisers who can respond to document requests same-day consistently receive better examination outcomes.

Performance record retention: Performance records, including the underlying data and calculation methodology, must be retained for the appropriate period. Automated retention of all inputs to performance calculations — position data, benchmark data, fee calculations — is the standard approach. Retaining only the output reports without the underlying data is insufficient.

Audit trail: Every action involving client data should be logged — data access, data modification, data deletion. Logs should be tamper-resistant and retained for the appropriate period. An audit trail that can be edited by the same users it logs is not an audit trail.
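One way to make the audit trail described above tamper-evident is a hash chain whose latest hash is anchored somewhere the logged users cannot write, such as WORM storage. This is an added example, not FyleHub's code; the event fields, function names and sample events are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed starting value for the chain

def entry_hash(prev_hash, event):
    """SHA-256 over the previous entry's hash plus a canonical JSON encoding."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log, event):
    """Append a copy of the event, linked to the entry before it. Returns the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": dict(event), "prev": prev, "hash": entry_hash(prev, event)})
    return log[-1]["hash"]

def verify(log, anchored_head):
    """Return -1 if intact, the index of the first altered entry, or len(log)
    if the chain is self-consistent but does not end at the anchored head
    (truncation, or a full rewrite with recomputed hashes)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = entry_hash(prev, entry["event"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["hash"], expected):
            return i
        prev = entry["hash"]
    return -1 if hmac.compare_digest(prev, anchored_head) else len(log)

def missing_actions(log, required=("access", "modify", "delete")):
    """Action types the passage says must be logged but that never appear in the log."""
    seen = {e["event"]["action"] for e in log}
    return sorted(set(required) - seen)

# Constructed sample events (not real data).
SAMPLE = [
    {"ts": "2026-01-05T09:00:00Z", "user": "analyst1", "action": "access", "object": "acct-1001"},
    {"ts": "2026-01-05T09:04:00Z", "user": "analyst1", "action": "modify", "object": "acct-1001/perf"},
    {"ts": "2026-01-06T14:30:00Z", "user": "ops2", "action": "delete", "object": "acct-1002/draft"},
]

def build_sample():
    """Build the sample log and return (log, head); the head is what gets anchored off-system."""
    log, head = [], GENESIS
    for ev in SAMPLE:
        head = append(log, ev)
    return log, head
```

The chain by itself only detects edits made without recomputing later hashes; the separately stored head is what exposes truncation or a wholesale rewrite by someone with write access to the log.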

Documentation readiness: The ability to explain, on demand, how any number in any client report was calculated — from the source data through the calculation methodology to the final output. Data lineage capabilities enable this without manual reconstruction. Manual reconstruction for an examiner typically takes 40-80 hours of operations and compliance staff time per filing period reviewed.

SOC 2 report collection: For every technology vendor that handles client data, maintain current SOC 2 reports. Review reports for exceptions and document how exceptions are addressed. A binder (or folder) containing current SOC 2 reports for all data vendors is a simple, visible indicator of vendor management discipline that examiners notice.

Access control documentation: Maintain current documentation of who has access to client data, through what systems, with what permissions. Access reviews should be regular — at minimum quarterly — and documented. User accounts for former employees with active data access are a common examination finding that reflects poorly on the firm's controls even when no misuse occurred.
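The access review described above can be run as a repeatable check against an account export and an HR roster. This is an added example, not FyleHub's code; the CSV columns, account names and the 92-day reading of "quarterly" are assumptions, and the data is constructed.

```python
import csv
import io
from datetime import date

REVIEW_INTERVAL_DAYS = 92  # assumption: "quarterly" taken as at most 92 days

# Constructed sample account export (not real data).
ACCOUNTS_CSV = """user,system,permission,enabled,last_reviewed
jdoe,portfolio-db,read,true,2025-12-15
asmith,portfolio-db,write,true,2025-06-01
bformer,billing,read,true,2025-12-15
ops-shared,billing,write,true,2025-12-15
cgone,portfolio-db,read,false,2025-03-01
"""
ACTIVE_EMPLOYEES = {"jdoe", "asmith"}  # constructed HR roster
SERVICE_ACCOUNTS = set()               # documented non-human accounts, if any

def review_access(accounts_csv, active, service, today):
    """Return {finding_type: [(user, system), ...]} for enabled accounts only."""
    findings = {"no_current_employee": [], "review_overdue": []}
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        if row["enabled"].strip().lower() != "true":
            continue  # disabled accounts grant no access
        key = (row["user"], row["system"])
        # Enabled account with no current employee or documented owner:
        # covers former staff and undocumented shared logins alike.
        if row["user"] not in active and row["user"] not in service:
            findings["no_current_employee"].append(key)
        age_days = (today - date.fromisoformat(row["last_reviewed"])).days
        if age_days > REVIEW_INTERVAL_DAYS:
            findings["review_overdue"].append(key)
    return findings

if __name__ == "__main__":
    result = review_access(ACCOUNTS_CSV, ACTIVE_EMPLOYEES, SERVICE_ACCOUNTS, date(2026, 1, 25))
    for kind, items in result.items():
        print(kind, items)
```

Keeping each run's output with its date gives the documented review record the paragraph calls for.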

Response to an Examination Request

When the SEC initiates an examination, advisers typically receive a document request letter identifying records to be produced. For data management-related requests:

Immediate response capability: The ability to produce any requested record within 24-48 hours is important. Advisers who take weeks to produce basic records signal records management weaknesses even before examiners review the substance of what is produced.

Completeness verification: When producing records, verify that the production is complete — all records for the requested period, across all required accounts. Incomplete productions followed by supplements are evidence of records management problems. A supplement is not a neutral event; it is an indication that your production process is not systematic.

Format compliance: Records must be produced in accessible formats. Archived data that requires special tools to access, or that was stored in proprietary formats that are no longer supported, creates production problems that reflect badly on the firm. Standard formats — CSV, PDF, Excel — are expected.

Privilege review: Before producing records, ensure appropriate privilege review for any communications that may be attorney-client privileged. Data exports often sweep up internal email threads. Review before production, not after.

The advisers who navigate SEC examinations most effectively treat examination readiness as an ongoing state, not a periodic scramble. Building examination-ready data infrastructure — and maintaining it continuously — is ultimately less expensive than the cost of a difficult examination. A deficiency letter, a follow-up examination, or an enforcement referral costs far more than the infrastructure that would have prevented it.

The Hard Truth About SEC Examination Readiness

| What teams assume | What actually happens |
| --- | --- |
| We have all the required records | Records exist across multiple systems in inconsistent formats — production under time pressure reveals gaps that were invisible during normal operations |
| We can reconstruct records if needed | Manual reconstruction for a 3-year look-back period takes 40-80 staff hours per filing period, creates errors under deadline pressure, and gives examiners reason to probe further |
| Our data vendor is SOC 2 certified | Certification was from two years ago, the report has material exceptions, and no one at the firm has read it — this is a vendor management finding waiting to happen |
| Access logs satisfy the audit trail requirement | Many access logs capture only login events, not data queries or exports — examiners ask for the latter and a login-only log does not satisfy the requirement |
| An exam takes a few weeks and then it's over | Firms with documentation gaps receive deficiency letters that require written responses, remediation plans, and sometimes follow-up examinations — the process can extend 6-12 months |

FAQ

How often does the SEC examine registered investment advisers?

The examination cycle varies by firm size, risk profile, and prior examination history. Large advisers — over $1 billion in AUM — can expect examination every 3-5 years under normal circumstances. Firms with prior deficiencies, concentrated strategies, or rapid AUM growth are examined more frequently. Some advisers go more than a decade without examination; others receive annual contact.

What is the most common reason RIAs receive examination deficiency letters?

Books and records deficiencies are consistently the leading category. Performance advertising and marketing rule issues have increased significantly since the 2023 marketing rule amendments. Cybersecurity and vendor management deficiencies are the fastest-growing category over the past three years.

Do we need to produce records immediately when we receive an examination notice?

The initial examination notice typically requests records within 10-20 business days. However, examiners remember how quickly firms respond, and the speed and completeness of your initial production sets the tone for the examination. Firms that respond promptly with complete records are treated differently than firms that are slow, incomplete, or require multiple follow-ups.

What does "non-rewritable and non-erasable" storage actually require?

Rule 17a-4 requires that electronic records be stored in a format that prevents alteration or deletion — commonly called WORM (Write Once, Read Many) storage. Major cloud storage providers offer WORM-compliant configurations. Firms using standard cloud storage without WORM configuration, or local file storage with write permissions for multiple users, typically have a retention compliance gap.

How should we handle vendor management for data platforms?

At minimum: collect current SOC 2 reports annually, review them for exceptions (not just the opinion letter — read the control descriptions and any exceptions noted), document how your firm addresses any exceptions, and include data vendors in your annual technology risk review. If a vendor cannot provide a SOC 2 report, document why and what compensating controls you have reviewed.

What is the difference between an examination finding and an enforcement referral?

An examination finding — documented in a deficiency letter — is a regulatory communication that identifies control gaps and requires a response describing remediation. An enforcement referral happens when examiners identify conduct they believe may constitute a legal violation, typically involving harm to clients or intentional misconduct. Data management deficiencies almost always result in examination findings, not enforcement referrals, unless the data errors were used to benefit the adviser at client expense.


FyleHub provides the data infrastructure components that support SEC examination readiness — immutable audit trails, access controls, and data lineage. Learn more about FyleHub's compliance capabilities.


The FyleHub editorial team consists of practitioners with experience in financial data infrastructure, institutional operations, and fintech modernization.
