SEC Rule 206(4)-7
Last updated: November 18, 2025
Quick definition
Rule 206(4)-7 (the Compliance Rule) under the
Rule 206(4)-7 is commonly called the Compliance Rule. This regulation requires registered investment advisers to create and follow comprehensive compliance programs. These programs must include written policies and procedures that are specifically designed to prevent violations of the Investment Advisers Act and its related rules.
A registered investment adviser is any firm that provides investment advice to clients for compensation and manages more than $100 million in assets. This includes many hedge fund managers. The Compliance Rule fundamentally changed how these firms handle regulatory compliance by establishing specific requirements for how they oversee and manage compliance within their organizations.
The Compliance Rule requires each investment adviser to designate one person as the
Choosing a CCO is a critical decision for hedge fund managers. The CCO must have extensive knowledge of securities laws and stay current with regulatory changes. Just as importantly, this person needs enough time and resources to effectively run the firm's compliance program. When SEC examiners review a firm, they closely evaluate whether the CCO has the right qualifications and sufficient resources. This assessment helps them determine if the firm's overall compliance program is adequate.
The Compliance Rule gives advisers flexibility in designing their policies and procedures. Rather than providing a checklist of specific requirements, the rule establishes a general principle: policies must be reasonably designed to prevent violations by the adviser and its supervised persons.
Each firm should start by identifying the specific compliance risks in its operations, the
When the SEC adopted this rule, it explained that advisers should take a customized approach, recognizing that different business models create different compliance challenges. The SEC has also indicated that advisers cannot satisfy the rule by using generic, off-the-shelf compliance manuals without making substantial modifications to match the firm's particular operations. SEC examination staff increasingly expects compliance policies to be specific, detailed, and clearly connected to actual business practices. This trend has revealed widespread problems where policies lack sufficient detail or fail to accurately describe what the firm actually does.
The SEC has indicated that advisers' policies and procedures should, at a minimum, address the following areas to the extent they are relevant to that adviser's operations:
- Portfolio management processes, including fair allocation of investment opportunities among clients, consistency of portfolios with client objectives, accuracy of adviser disclosures, and compliance with regulatory restrictions
- Trading practices, including standards for seeking the most favorable terms reasonably available when executing client transactions, aggregation and allocation procedures, agreements under which investment advisers use client commissions to pay for research and other services from broker-dealers, trades in which the investment adviser buys securities from or sells securities to its clients, affiliated brokerage relationships, and trade error handling
- Trading conducted by the adviser using its own capital rather than client funds (subject to separate disclosure requirements when included in performance presentations), and personal securities trading by supervised persons
- Accuracy of disclosures made to clients and regulators
- Safeguarding client assets from misappropriation or improper use by firm personnel
- Accurate record creation and maintenance practices that prevent unauthorized alteration and protect against premature destruction
- Marketing practices and advertising of advisory services, including use of third-party solicitors
- Valuation methodologies for client holdings and fee calculations based on those valuations
- Confidentiality and information security protections for client data
- Business continuity and disaster recovery planning
- Management and disclosure of conflicts of interest
- Cybersecurity protection measures
- Client privacy safeguards
Investment advisers must conduct annual reviews to evaluate whether their compliance policies remain adequate and whether their implementation efforts are actually effective. SEC examiners have identified common problems where advisers cannot prove that reviews actually happened, failed to address risks relevant to their business model, or ignored significant compliance issues.
The SEC has emphasized that annual reviews represent the minimum requirement. Advisers should also consider whether they need interim reviews in response to major compliance events, significant business changes, or important regulatory developments. There is no required format for annual reviews, and the rule does not specify what documentation must result from the review process. Hedge fund managers should structure their annual reviews to match their specific business model and investment strategies, ensuring the review provides genuine insight into whether the compliance program is working as intended.
It should be noted that in August 2023, the SEC adopted amendments to the Compliance Rule that would have required written documentation of annual reviews. However, in June 2024, the U.S. Court of Appeals for the
A CCO's job goes far beyond just writing policies. The CCO must actively manage the compliance program on a day-to-day basis. This includes making sure all employees receive proper training on applicable laws, regulations, and the firm's specific policies and procedures.
The CCO also plays a central role in testing whether the compliance program actually works. This involves conducting reviews both as part of the required annual assessment and through targeted evaluations throughout the year based on specific risks. This hands-on approach allows the CCO to determine whether the firm is actually following the procedures it has documented, rather than just having policies that exist on paper.
In November 2020, the SEC's Division of Examinations issued important guidance that clarified what it expects from chief compliance officers. The SEC explained that its examinations had revealed common problems where compliance officers lacked sufficient authority within their firms, were stretched too thin across too many responsibilities, or were marginalized rather than empowered to make firm-wide compliance improvements.
The SEC made clear that while CCOs should not be solely responsible for every compliance matter, they must have the organizational standing and resources needed to work effectively with senior management. The guidance signaled that the SEC takes a critical view of compliance functions that appear underfunded or disconnected from firm leadership.
The SEC staff expects compliance policies to reflect a firm's particular business practices and circumstances. The examination staff has noted that relying on standardized compliance manuals without meaningful customization can itself be a compliance violation. A consistently common examination finding is that advisers' compliance policies lack the specificity and detail necessary for supervised persons to understand and consistently follow them.
A particularly important enforcement trend is that the SEC holds firms accountable not just for developing policies but for actually implementing them. Examination staff regularly observe that advisers fail to execute required compliance actions, allow policies to become outdated, or maintain documentation that no longer reflects actual business practices. This persistent focus on the gap between stated policies and actual practice represents an ongoing priority for SEC examiners, who view compliance program failures as appropriate targets for independent enforcement action regardless of whether the policy deficiency has caused other violations.