name: examination-readiness
description: Prepare for and respond to SEC and FINRA regulatory examinations across the full exam lifecycle. Use when the user asks about exam notification letters, document request lists, deficiency letter responses, mock examination programs, annual compliance reviews under Rule 206(4)-7, or SEC/FINRA examination priorities. Also trigger when users mention 'we just got an exam letter', 'preparing for our first SEC exam', 'how to respond to a deficiency finding', 'staff interview preparation', 'what does OCIE look for', 'examination readiness checklist', 'sweep exam on off-channel comms', or ask what to expect during a regulatory audit.
Examination Readiness — SEC & FINRA Regulatory Examinations
Regulatory status current as of June 2026 — verify effective dates, dollar thresholds, and pending rulemakings against current SEC/FINRA/FinCEN sources before advising.
Core Concepts
SEC Examination Process (Division of Examinations)
The SEC's Division of Examinations (formerly the Office of Compliance Inspections and Examinations, or OCIE) conducts examinations of registered entities including investment advisers, broker-dealers, transfer agents, clearing agencies, and self-regulatory organizations. The Division uses a risk-based approach to select firms for examination and to determine the scope and intensity of each exam.
Risk-based selection. The Division selects firms for examination based on a range of risk indicators rather than examining every registrant on a fixed schedule. Selection criteria include:
- New registrant status — Newly registered investment advisers and broker-dealers are frequently examined within the first one to three years of registration. These initial examinations assess whether the firm has implemented the compliance infrastructure described in its registration filings.
- Risk indicators and quantitative screens — The Division uses data analytics to identify firms with characteristics associated with higher risk: rapid asset growth, concentrated portfolios, high employee turnover, customer complaint patterns, significant regulatory history, unusual fee structures, or material conflicts of interest.
- Tips, complaints, and referrals — Complaints from investors, tips from whistleblowers (including those submitted under the SEC Whistleblower Program established by Section 21F of the Securities Exchange Act of 1934), and referrals from other SEC divisions or regulatory bodies can trigger cause examinations.
- Sweep examinations — The Division periodically conducts industry-wide sweep examinations focused on a single issue or practice across many firms simultaneously. Recent sweep topics have included off-channel communications, Reg BI implementation, private fund fee practices, and ESG-related disclosures.
Types of examinations:
- Routine/periodic examinations — Scheduled examinations conducted as part of the Division's ongoing oversight program. These typically cover a broad range of compliance topics and may review multiple years of activity.
- Cause examinations — Triggered by a specific complaint, tip, referral, or red flag. Cause examinations are typically narrower in scope, focused on the specific issue that prompted the examination, but can expand if additional problems are discovered.
- Sweep examinations — Industry-wide examinations focused on a single topic. Sweep exams allow the Division to assess industry-wide compliance with a particular rule or to evaluate emerging risks across many firms. Results often inform future rulemaking or guidance.
Examination lifecycle:
- Notification letter — The examination begins with a notification letter (sometimes called an "announcement letter") sent to the firm. The letter identifies the examination team, provides an initial document request list (IDR), and specifies a deadline for document production (typically two to four weeks). For cause examinations, the notification may be abbreviated or, in rare circumstances, the examination may begin without advance notice.
- Document production — The firm produces the requested documents, typically through a secure file-sharing platform. The initial IDR is often extensive (see the Document Production section below). The examination staff may issue supplemental document requests as they review the initial production.
- On-site or remote examination — Examination staff conduct their review either on-site at the firm's offices or remotely (remote examinations became common during and after the COVID-19 pandemic and remain a standard option). The review includes analysis of documents, records, and data.
- Staff interviews — Examiners conduct interviews with key personnel, typically including the Chief Compliance Officer (CCO), portfolio managers, traders, operations staff, and senior management. Interviews may be informal discussions or more structured questioning sessions. Firms should prepare interviewees by reviewing relevant policies and recent compliance activity, but should not coach witnesses to give scripted answers.
- Follow-up requests — As the examination progresses, staff frequently issue additional document requests or ask clarifying questions based on their findings. Responsiveness and transparency during this phase are important.
- Exit conference — Near the end of the examination, staff typically hold an exit conference with the firm to discuss preliminary observations and potential areas of concern. The exit conference is not a formal proceeding, and the observations discussed may change before a final determination is made.
- Outcome — The examination concludes with one of several outcomes: (a) a no-action letter or no further action (the examination revealed no material issues); (b) a deficiency letter identifying compliance deficiencies and requesting a written response describing corrective actions; (c) a referral to the SEC's Division of Enforcement for potential enforcement action (reserved for more serious violations or patterns of non-compliance).
Typical duration. SEC examinations typically last from several weeks to several months, depending on the firm's size, the scope of the examination, the complexity of issues discovered, and the responsiveness of the firm's document production.
Firms' rights during examination. Firms have the right to: receive identification of the examination staff and their supervisors; understand the general scope of the examination; request reasonable extensions for document production deadlines (extensions are granted at the staff's discretion); have counsel present during interviews (though the SEC may interview individuals separately); and receive a closing communication describing the examination outcome. Firms may also submit a response to preliminary findings discussed at the exit conference before a deficiency letter is finalized.
FINRA Examination Process
FINRA (the Financial Industry Regulatory Authority) examines its member broker-dealer firms through its Risk Monitoring and Examination programs. As a self-regulatory organization (SRO), FINRA has direct authority to examine, sanction, and discipline its members — a key distinction from the SEC, which must refer potential enforcement actions to its Division of Enforcement.
Types of FINRA examinations:
- Cycle examinations — Regular examinations conducted on a schedule determined by the firm's risk profile. Higher-risk firms are examined more frequently (annually or even continuously for the largest firms), while lower-risk firms may be examined on a two- to four-year cycle. The cycle exam typically covers a broad range of compliance areas.
- Cause examinations — Triggered by specific concerns such as customer complaints, tips, unusual trading patterns, financial difficulties, or referrals from other regulators. Cause exams are focused on the specific issue that prompted the examination.
- Sweep examinations — Similar to SEC sweeps, FINRA conducts targeted reviews across multiple firms to assess industry-wide compliance with specific rules or to evaluate emerging risks.
Risk-based approach. FINRA assigns each member firm a risk rating based on a comprehensive assessment of factors including the firm's business model, product mix, customer demographics, complaint history, financial condition, regulatory history, and supervisory structure. This risk rating determines examination frequency and intensity.
- Annual risk assessment — FINRA provides firms with an annual risk assessment summary identifying the key risk areas FINRA associates with the firm's business. This summary can be a valuable tool for compliance planning.
- Examination priorities letter — FINRA publishes an annual examination and risk monitoring priorities letter identifying the topics and issues that will be focal points for the coming year. This letter is a critical compliance planning resource (see the Annual Examination Priorities section below).
Key differences from SEC examinations:
- Direct sanction authority — FINRA can impose sanctions directly through its Department of Enforcement, including fines, suspensions, bars, expulsions, and censures. The SEC, by contrast, must bring enforcement actions through its own Division of Enforcement or through administrative proceedings.
- Financial surveillance — FINRA conducts ongoing financial surveillance of member firms, including monitoring net capital compliance (SEC Rule 15c3-1), reviewing FOCUS reports (Financial and Operational Combined Uniform Single reports filed monthly or quarterly), and assessing the financial health of firms. FINRA may take emergency action if a firm's financial condition deteriorates below minimum thresholds.
- Trade surveillance — FINRA operates sophisticated market surveillance programs (including the Cross-Market Surveillance system) to detect potential market manipulation, insider trading, and other trading violations.
Annual Examination Priorities
Both the SEC Division of Examinations and FINRA publish annual examination priorities or focus areas that signal where regulatory attention will be concentrated in the coming year. These publications are among the most important compliance planning tools available.
SEC Division of Examinations annual priorities. The Division publishes its examination priorities early each calendar year — always read the current year's letter. Recurring themes from the 2023-2026 letters have included:
- Regulation Best Interest (Reg BI) compliance — Assessment of broker-dealer compliance with Reg BI's Disclosure, Care, Conflict of Interest, and Compliance Obligations (17 CFR 240.15l-1). The SEC has examined both the written policies and the actual practices of firms, with particular attention to whether recommendations are in the customer's best interest and whether conflicts are adequately disclosed and mitigated.
- Investment adviser fiduciary duty — Examination of advisers' compliance with their fiduciary obligations, including duty of care and duty of loyalty, as interpreted by the SEC in its June 2019 Fiduciary Interpretation.
- Private fund advisers — Scrutiny of fee calculations, expense allocations, performance reporting, preferential treatment of certain investors (side letters), and compliance with new rules under the Investment Advisers Act.
- ESG and sustainability claims — Review of whether advisers and funds that market themselves as ESG-focused actually implement the ESG investment processes they describe. The SEC has brought enforcement actions for "greenwashing" — claiming ESG integration that does not occur in practice.
- Cybersecurity and information security — Assessment of firms' cybersecurity programs, including governance, access controls, data loss prevention, incident response plans, vendor management, and compliance with Regulation S-P (privacy of consumer financial information) and Regulation S-ID (identity theft red flags).
- Crypto and digital assets — Examination of firms offering digital asset products or services, including custody arrangements, valuation practices, and compliance with securities laws.
- Off-channel communications — Review of whether firms are capturing and retaining business-related communications conducted through personal devices, text messages, messaging apps (WhatsApp, Signal, iMessage), or other channels outside the firm's approved communication platforms. This has been a major enforcement focus, with the SEC and FINRA imposing billions of dollars in combined penalties across dozens of firms.
- Anti-money laundering — Review of AML programs, particularly SAR filing practices, customer risk rating, and beneficial ownership due diligence.
- Marketing Rule compliance — Assessment of compliance with the SEC's Marketing Rule (Rule 206(4)-1), including performance advertising, hypothetical performance, testimonials, and endorsements.
FINRA annual examination priorities. FINRA's annual report on examination and risk monitoring activities similarly identifies key focus areas. Recurring FINRA priorities include:
- Reg BI and Form CRS — Compliance with Regulation Best Interest and the requirement to deliver and file Form CRS.
- Communications with the public — Compliance with FINRA Rule 2210, including social media supervision and digital communications.
- Market integrity — Surveillance for manipulative trading, best execution compliance, and order handling obligations.
- Financial crimes — AML program effectiveness, fraud detection, and sanctions compliance.
- Firm operations — Net capital compliance, customer protection (Rule 15c3-3), books and records, and business continuity planning.
Using exam priority letters for proactive compliance planning. Firms should treat published examination priorities as a roadmap for their own internal compliance reviews. Best practices include:
- Reading the SEC and FINRA priority letters immediately upon publication and assessing the firm's readiness in each identified area.
- Conducting targeted internal reviews or mock examinations of the highest-priority topics.
- Updating compliance policies and procedures to address new or evolving priority areas.
- Allocating compliance resources — staff time, technology, and budget — to priority areas.
- Briefing senior management and the board on examination priorities and the firm's preparedness.
Document Production and Requests
Document production is often the most operationally demanding phase of a regulatory examination. The initial document request list (IDR) sets the tone for the examination, and the quality and timeliness of the firm's response significantly influences the examination experience.
Typical items on an initial document request list. While every IDR is tailored to the specific examination, common elements include:
- Compliance program documents — Written compliance policies and procedures (the compliance manual), code of ethics, annual compliance review reports, CCO designation documentation, compliance committee meeting minutes.
- Organizational and governance documents — Organizational charts, ownership structure, affiliated entity relationships, board or governance committee minutes, management committee meeting minutes.
- Registration and regulatory documents — Current and historical Form ADV (Parts 1, 2A, 2B), Form BD, Form CRS, state registration filings, regulatory examination history, correspondence with regulators.
- Advertising and marketing materials — All advertisements, pitchbooks, fact sheets, website content, social media archives, client newsletters, performance presentations, and the advertising review log.
- Client documents — Client agreements (advisory agreements, brokerage agreements), fee schedules, client onboarding documents, suitability or Reg BI documentation, account opening documents.
- Fee and billing records — Fee calculation methodology, billing records, fee schedules, any fee adjustments or waivers, accounts with negotiated fees.
- Trading and investment records — Trade blotters, order tickets, allocation records, best execution reviews, soft dollar arrangements, brokerage committee minutes, directed brokerage documentation.
- Complaint and litigation records — Customer complaint log, complaint files, litigation and arbitration history, regulatory action history, whistleblower complaints.
- Exception reports — Trade error logs, personal trading exception reports, gifts and entertainment logs, outside business activity records, political contribution records.
- Cybersecurity and technology — Written information security policy, incident response plan, business continuity plan, vendor due diligence files, penetration testing reports, cybersecurity risk assessments, data breach history.
- AML program documents — AML compliance program, OFAC screening procedures, SAR filing records, CTR filing records, AML independent testing report.
- Books and records — Financial statements, trial balances, FOCUS reports (for broker-dealers), net capital computations, customer reserve computations.
Scope management. Effective scope management is critical to a successful examination response:
- Understand the request — Before gathering documents, carefully read each IDR item to ensure you understand what is being asked. If an item is ambiguous, seek clarification from the examination staff promptly.
- Gather documents systematically — Assign responsibility for each IDR item to specific individuals, with clear deadlines. Use a tracking spreadsheet or project management tool to monitor completion.
- Quality review before production — Before submitting documents, a senior compliance person (ideally the CCO or outside counsel) should review the production for completeness, accuracy, and consistency. Look for inadvertent production of privileged documents.
- Privilege considerations — Attorney-client privileged documents and attorney work product should be identified and withheld from production. Prepare a privilege log if withholding documents on privilege grounds. Inadvertent production of privileged documents can result in waiver of the privilege.
- Document hold obligations — Upon receiving an examination notification, the firm should implement a document hold to ensure that no relevant documents are destroyed, altered, or deleted during the examination. This includes suspending automatic deletion policies for emails and electronic records within the scope of the examination.
Electronic document production. Examination staff increasingly expect electronic production:
- Documents should be produced in their native format or as searchable PDFs, organized by IDR item number.
- Metadata should be preserved unless the examination staff specifies otherwise.
- Email production should include headers, attachments, and threading information.
- Large productions are typically submitted through SEC or FINRA secure file-sharing platforms.
- Maintain an index of all documents produced, cross-referenced to each IDR item.
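The tracking and indexing steps above (assigning each IDR item an owner, preserving metadata, producing an index cross-referenced to each IDR item) can be supported by a small script. The following is an added example, not code from the original skill file: it assumes the firm stages responsive files in one folder per IDR item (folder names such as "IDR-01" are an assumed convention) and that a CSV index keyed by IDR item is acceptable to the examination staff. The files it writes in demo() are constructed sample content.

```python
"""Production index builder for an electronic document production.

Added example; not code from the original skill file. Assumed convention:
one folder per IDR item under a production root, named like "IDR-01".
"""
import csv
import hashlib
import io
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List

INDEX_FIELDS = ["idr_item", "relative_path", "bytes", "modified_utc", "sha256"]


def sha256_of(path: Path) -> str:
    """Stream the file so large native-format productions are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_index(production_root: Path) -> List[Dict[str, object]]:
    """Record every produced file under its IDR item with size, last-modified time
    (filesystem metadata preserved in the index) and a SHA-256 hash, so the firm
    can later show exactly which version of a document was produced."""
    rows = []
    for item_dir in sorted(p for p in production_root.iterdir() if p.is_dir()):
        for path in sorted(p for p in item_dir.rglob("*") if p.is_file()):
            stat = path.stat()
            rows.append({
                "idr_item": item_dir.name,
                "relative_path": path.relative_to(production_root).as_posix(),
                "bytes": stat.st_size,
                "modified_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(timespec="seconds"),
                "sha256": sha256_of(path),
            })
    return rows


def index_to_csv(rows: List[Dict[str, object]]) -> str:
    """Render the index as CSV text to accompany the production."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=INDEX_FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def unanswered_items(rows: List[Dict[str, object]], requested_items: List[str]) -> List[str]:
    """IDR items with nothing staged against them: the gaps the quality review must
    resolve (produce, explain, or record as withheld on the privilege log) before submission."""
    produced = {row["idr_item"] for row in rows}
    return sorted(set(requested_items) - produced)


def demo():
    """Stage two constructed files and one empty item folder, then index them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = b"%PDF-1.7 constructed sample\n"  # constructed placeholder content, not a real document
        (root / "IDR-01").mkdir()
        (root / "IDR-01" / "compliance_manual.pdf").write_bytes(sample)
        (root / "IDR-02").mkdir()
        (root / "IDR-02" / "code_of_ethics.pdf").write_bytes(sample)
        (root / "IDR-03").mkdir()  # requested, but nothing produced yet
        rows = build_index(root)
        gaps = unanswered_items(rows, ["IDR-01", "IDR-02", "IDR-03"])
        return rows, gaps, index_to_csv(rows)


if __name__ == "__main__":
    rows, gaps, csv_text = demo()
    print(csv_text)
    print("unanswered IDR items:", gaps)
```

The hash column is what makes the index useful after the fact: if a supplemental request or a deficiency letter refers to a document, the firm can confirm from the hash which version was produced and when, and the empty-item check catches an IDR item that was assigned but never staged.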
Common Deficiency Findings
Understanding the most frequently cited deficiency areas allows firms to focus their compliance efforts where examination risk is highest. Across SEC and FINRA examinations, the following categories consistently generate the most findings.
(a) Compliance program gaps. Deficiencies in the overall compliance program are among the most common findings:
- Outdated policies and procedures that have not been revised to reflect current regulations, business practices, or organizational changes.
- Policies that do not match actual practices — "paper compliance" where written procedures exist but are not followed in practice.
- Failure to conduct the annual compliance review required under SEC Rule 206(4)-7, or conducting a review that is superficial and does not meaningfully assess the adequacy of the compliance program.
- Insufficient compliance resources — a CCO without adequate time, authority, budget, or staff to implement the compliance program effectively.
(b) Books and records violations. Books and records deficiencies are pervasive:
- Incomplete records, including missing trade confirmations, account statements, or client correspondence.
- Communication archiving failures — failure to capture and retain business-related communications, particularly those conducted through personal devices, text messages, or unapproved messaging platforms. This has been one of the most heavily penalized areas: in the 2021-2024 off-channel communications sweep, the SEC and FINRA imposed penalties exceeding $2 billion across more than 60 firms (figures as of year-end 2024 — verify current totals and enforcement posture).
- Failure to maintain required books and records in the format and for the retention periods specified by SEC Rules 17a-3, 17a-4 (broker-dealers) and Rule 204-2 (investment advisers).
(c) Advertising violations. Advertising deficiencies are a top examination focus:
- Misleading performance presentations, including showing gross-only performance without corresponding net performance, cherry-picking favorable time periods, or presenting backtested performance without required disclosures.
- Testimonials without required disclosures under the SEC Marketing Rule (Rule 206(4)-1).
- Social media posts by associated persons that were not reviewed, approved, or archived by the firm.
- Failure to maintain the advertising review log or to document the compliance review process for marketing materials.
(d) Custody rule issues. Custody deficiencies arise frequently for investment advisers:
- Inadvertent custody — situations where an adviser has custody of client assets without recognizing it (e.g., through authority to deduct fees from client accounts, serving as trustee of a client trust, or controlling a client's bill-paying service).
- Failure to comply with the surprise examination requirement when the adviser has custody.
- Failure to ensure that qualified custodians send account statements directly to clients at least quarterly.
(e) Fee calculation errors. Fee-related deficiencies are a recurring concern:
- Overbilling clients due to incorrect asset valuations, failure to apply fee breakpoints, or charging fees on assets that should be excluded (such as legacy positions or cash).
- Failure to calculate fees consistent with the methodology described in the advisory agreement or Form ADV Part 2A.
- Not refunding overbilled fees promptly upon discovery.
(f) Code of ethics violations. Code of ethics deficiencies include:
- Unreported personal trading by access persons in violation of SEC Rule 204A-1.
- Failure to obtain pre-clearance for personal trades in reportable securities.
- Inadequate monitoring of gifts and entertainment, particularly from broker-dealers, custodians, or other service providers.
- Failure to collect and review initial and annual holdings reports and quarterly transaction reports from access persons.
(g) Cybersecurity weaknesses. Cybersecurity deficiencies have become increasingly prominent:
- Lack of a written information security policy or a policy that is not tailored to the firm's specific technology environment and risks.
- Inadequate access controls, including failure to implement multi-factor authentication, excessive user privileges, and lack of timely deprovisioning of former employee accounts.
- Failure to conduct regular vulnerability assessments or penetration testing.
- Inadequate incident response planning and testing.
- Insufficient vendor due diligence for third-party service providers with access to firm systems or client data.
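Three of the access-control findings listed above (missing multi-factor authentication, excessive privileges, and accounts of former employees left enabled) can be tested for directly during a mock examination. The following is an added example, not code from the original skill file: it assumes a constructed export of accounts from the firm's identity provider, an HR termination list, and an approved-administrator list; the field names, the one-day grace period, the as-of date and the sample users are all assumptions made for the demonstration.

```python
"""Access-control checks for a mock examination: missing MFA, excessive
privileges, and untimely deprovisioning of former employees.

Added example; not code from the original skill file. All data below is
constructed, and the field names and grace period are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Assumed tolerance: an account still enabled more than this many days after
# HR's termination date is treated as a deprovisioning failure.
DEPROVISION_GRACE_DAYS = 1
# Assumed review date for the mock examination.
AS_OF = date(2026, 6, 1)


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    mfa_enabled: bool
    roles: FrozenSet[str]
    last_login: Optional[date]


# Constructed sample export (not real users).
ACCOUNTS: List[Account] = [
    Account("ccooper", True, True, frozenset({"user"}), date(2026, 5, 30)),
    Account("jdoe", True, True, frozenset({"user"}), date(2026, 4, 30)),          # left the firm, still enabled
    Account("svc_backup", True, False, frozenset({"user"}), None),               # service account without MFA
    Account("pmgr", True, True, frozenset({"user", "admin"}), date(2026, 5, 29)),  # admin role outside the approved list
    Account("itadmin", True, True, frozenset({"admin"}), date(2026, 5, 31)),
    Account("former2", False, False, frozenset({"user"}), None),                 # correctly disabled
]
# Constructed HR termination list (user -> termination date) and approved admins.
TERMINATIONS: Dict[str, date] = {"jdoe": date(2026, 5, 2), "former2": date(2026, 3, 1)}
APPROVED_ADMINS: Set[str] = {"itadmin"}


def missing_mfa(accounts: List[Account]) -> List[str]:
    """Enabled accounts that can authenticate without a second factor."""
    return sorted(a.user for a in accounts if a.enabled and not a.mfa_enabled)


def excessive_privileges(accounts: List[Account], approved_admins: Set[str]) -> List[str]:
    """Enabled accounts holding the admin role without being on the approved list."""
    return sorted(a.user for a in accounts
                  if a.enabled and "admin" in a.roles and a.user not in approved_admins)


def late_deprovisioning(accounts: List[Account], terminations: Dict[str, date],
                        as_of: date) -> List[Tuple[str, int]]:
    """Former employees whose accounts remain enabled past the grace period,
    with the number of days elapsed since HR's termination date."""
    findings = []
    for a in accounts:
        term = terminations.get(a.user)
        if a.enabled and term is not None:
            days = (as_of - term).days
            if days > DEPROVISION_GRACE_DAYS:
                findings.append((a.user, days))
    return sorted(findings)


def run_checks(accounts: List[Account], terminations: Dict[str, date],
               approved_admins: Set[str], as_of: date) -> Dict[str, list]:
    """Bundle the three checks into one mock-examination workpaper."""
    return {
        "missing_mfa": missing_mfa(accounts),
        "excessive_privileges": excessive_privileges(accounts, approved_admins),
        "late_deprovisioning": late_deprovisioning(accounts, terminations, as_of),
    }


if __name__ == "__main__":
    for check, hits in run_checks(ACCOUNTS, TERMINATIONS, APPROVED_ADMINS, AS_OF).items():
        print(f"{check}: {hits or 'no findings'}")
```

Run against a real identity-provider export, each non-empty list is a candidate deficiency with the evidence (user, and for deprovisioning the days elapsed) already in the form an examiner would ask for; keeping the approved-administrator list and the grace period as explicit inputs also documents the standard the firm is holding itself to.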
Deficiency letter structure. A deficiency letter from the SEC Division of Examinations typically identifies each deficiency by category, describes the specific factual findings, cites the applicable rule or statutory provision, and requests a written response within 30 days (or another specified period) describing the corrective actions the firm has taken or plans to take. FINRA deficiency letters follow a similar format. The letter may also note areas where the staff observed practices that, while not rising to the level of a deficiency, could be improved.
Deficiency Response and Remediation
How a firm responds to a deficiency letter is a critical determinant of whether the matter is resolved at the examination stage or escalated to enforcement.
Responding to a deficiency letter:
- Timeline — Deficiency letters typically require a written response within 30 days. If additional time is needed, request an extension promptly and explain the reason. Most examination staff will grant reasonable extensions, particularly if remediation is complex.
- Content of the response — The response should address each deficiency finding individually and include: (1) an acknowledgment of the finding (or, if the firm disagrees, a clear and respectful explanation of why); (2) a description of the corrective action already taken; (3) a timeline for completing any remediation not yet finished; (4) identification of the person or persons responsible for each corrective action; (5) a description of any enhanced controls or monitoring implemented to prevent recurrence.
- Tone — The response should be professional, thorough, and constructive. Defensive or dismissive responses increase the risk of escalation. Where the firm agrees with a finding, acknowledge it directly. Where the firm disagrees, present the factual and legal basis for the disagreement clearly, without being adversarial.
- Legal review — Have compliance counsel (internal or external) review the response before submission. The response becomes part of the firm's regulatory record and may be referenced in future examinations or enforcement proceedings.
Remediation best practices:
- Root cause analysis — For each deficiency, identify the root cause — not just the symptoms. Was the deficiency caused by a policy gap, a training failure, a technology limitation, a staffing shortfall, or a failure of supervisory oversight? Effective remediation requires addressing the underlying cause.
- Policy updates — Revise policies and procedures to address the identified deficiency. Ensure the revised policy is specific and actionable, not merely aspirational.
- Enhanced training — Provide targeted training to the personnel involved in the deficiency area. Document the training content, attendees, and date.
- Monitoring for recurrence — Implement testing or monitoring procedures to verify that the corrective action is effective and that the deficiency does not recur. For example, if a deficiency involved fee calculation errors, implement a periodic fee billing audit.
- Testing effectiveness — After a reasonable period (typically 60 to 90 days), test whether the remediation is working as intended. Document the testing results.
- Documentation — Maintain a comprehensive remediation file for each deficiency, including the original finding, root cause analysis, corrective actions taken, policy revisions, training records, monitoring results, and effectiveness testing. This file should be readily available for the next examination.
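The periodic fee billing audit suggested above as a monitoring control can be implemented as a recomputation that flags the fee calculation errors listed under Common Deficiency Findings (fees charged on excluded assets such as cash or legacy positions, breakpoints not applied) and totals the refund owed. The following is an added example, not code from the original skill file: it assumes a tiered schedule of annual rates applied marginally within each tier, billed quarterly in arrears on quarter-end billable value, with cash and legacy positions excluded; the schedule, the sample accounts and the billed amounts are constructed for the demonstration.

```python
"""Periodic fee billing audit: recompute each account's quarterly fee from
the schedule and flag billed amounts outside tolerance.

Added example; not code from the original skill file. The schedule,
exclusions, accounts and billed amounts below are assumptions/constructed.
"""
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Optional, Tuple

# Assumed schedule: (upper bound of tier, annual rate); None means no cap.
SCHEDULE: List[Tuple[Optional[Decimal], Decimal]] = [
    (Decimal("1000000"), Decimal("0.0100")),
    (Decimal("5000000"), Decimal("0.0075")),
    (None, Decimal("0.0050")),
]
# Asset types the (assumed) advisory agreement excludes from the fee base.
EXCLUDED_ASSET_TYPES = {"cash", "legacy"}
CENTS = Decimal("0.01")

# Constructed sample accounts: quarter-end positions and the fee actually billed.
ACCOUNTS = [
    {"id": "A-001", "billed": Decimal("2000.00"),
     "positions": [{"type": "equity", "value": Decimal("800000")},
                   {"type": "cash", "value": Decimal("50000")}]},
    {"id": "A-002", "billed": Decimal("8000.00"),   # flat 1% on total value: breakpoint and cash exclusion ignored
     "positions": [{"type": "equity", "value": Decimal("3000000")},
                   {"type": "cash", "value": Decimal("200000")}]},
    {"id": "A-003", "billed": Decimal("11875.00"),  # legacy position wrongly included in the fee base
     "positions": [{"type": "equity", "value": Decimal("6000000")},
                   {"type": "legacy", "value": Decimal("500000")}]},
]


def billable_value(positions) -> Decimal:
    """Fee base after removing excluded asset types."""
    return sum((p["value"] for p in positions if p["type"] not in EXCLUDED_ASSET_TYPES), Decimal("0"))


def annual_fee(value: Decimal, schedule=SCHEDULE) -> Decimal:
    """Apply each tier's rate only to the slice of value that falls inside that tier."""
    fee = Decimal("0")
    lower = Decimal("0")
    for cap, rate in schedule:
        upper = value if cap is None else min(cap, value)
        if upper > lower:
            fee += (upper - lower) * rate
        if cap is None or value <= cap:
            break
        lower = cap
    return fee


def expected_quarterly_fee(positions, schedule=SCHEDULE) -> Decimal:
    """Quarterly fee in arrears: one quarter of the annual fee on billable value, rounded to cents."""
    return (annual_fee(billable_value(positions), schedule) / 4).quantize(CENTS, rounding=ROUND_HALF_UP)


def audit(accounts, schedule=SCHEDULE, tolerance: Decimal = CENTS) -> List[Dict[str, object]]:
    """Compare billed to recomputed fees; anything outside tolerance is a finding."""
    findings = []
    for acct in accounts:
        expected = expected_quarterly_fee(acct["positions"], schedule)
        difference = acct["billed"] - expected
        if abs(difference) > tolerance:
            findings.append({"account": acct["id"], "billed": acct["billed"],
                             "expected": expected, "overbilled": difference})
    return findings


def refund_due(findings) -> Decimal:
    """Total owed back to clients (overbilled amounts only)."""
    return sum((f["overbilled"] for f in findings if f["overbilled"] > 0), Decimal("0"))


if __name__ == "__main__":
    results = audit(ACCOUNTS)
    for f in results:
        print(f"{f['account']}: billed {f['billed']} expected {f['expected']} overbilled {f['overbilled']}")
    print("refund due:", refund_due(results))
```

The audit keeps the schedule and the exclusion list as explicit inputs so the test can be rerun each quarter against the methodology actually disclosed in the advisory agreement and Form ADV Part 2A; a finding therefore documents both the overbilling and the refund amount that the remediation file needs to show was paid.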
Distinction between outcomes:
- Deficiency letter (requiring response) — The most common outcome when issues are identified. The firm must respond in writing describing corrective actions.
- Examination findings with no further action — The examination staff may communicate observations informally (at the exit conference or in a closing letter) without issuing a formal deficiency letter. These observations should still be taken seriously and addressed proactively.
- Referral to enforcement — In cases involving serious violations, patterns of non-compliance, harm to investors, fraud, or failure to remediate prior deficiencies, the examination staff may refer the matter to the SEC Division of Enforcement or FINRA's Department of Enforcement for potential formal action. Referrals may result in civil penalties, disgorgement, cease-and-desist orders, censures, suspensions, or bars.
Mock Examination Frameworks
Internal mock examinations are one of the most effective tools for maintaining examination readiness and identifying compliance gaps before regulators do.
Designing a mock examination program:
- Frequency — Conduct mock examinations at least annually. Higher-risk areas or areas where deficiencies were previously identified should be reviewed more frequently (semi-annually or quarterly).
- Scope selection — Use the SEC and FINRA annual examination priorities as a starting point for selecting mock exam topics. Also consider areas where the firm has experienced compliance incidents, client complaints, or operational changes.
- Simulate the document request — Prepare a mock IDR modeled on actual SEC or FINRA document request lists. Issue the mock IDR to the relevant business units and compliance personnel with a realistic deadline.
- Test document retrieval and production capabilities — Evaluate whether the firm can locate, compile, and organize the requested documents within the specified timeframe. Identify bottlenecks in document retrieval — areas where records are disorganized, incomplete, or difficult to access.
- Interview key personnel — Conduct mock interviews with personnel who would be interviewed during an actual examination (CCO, portfolio managers, traders, operations staff). Assess whether they can articulate the firm's compliance practices, describe their roles accurately, and respond to probing questions without becoming defensive or evasive.
- Identify gaps — Document all gaps, weaknesses, and areas for improvement identified during the mock examination. Categorize findings by severity (critical, significant, minor) and functional area.
- Report results — Prepare a written report summarizing the mock examination findings and recommendations. Present the report to senior management, the compliance committee, or the board of directors, as appropriate. The report should include specific remediation recommendations with assigned owners and deadlines.
- Track remediation — Follow up on remediation of mock examination findings using the same discipline applied to actual regulatory findings.
Using compliance consultants. Firms may engage external compliance consultants to conduct independent mock examinations. External mock exams provide several benefits: the consultant brings fresh perspective and experience from examinations at other firms; the exercise is more realistic because business personnel interact with an unfamiliar examiner; and the results carry more weight with senior management. When selecting a consultant, prioritize individuals with recent SEC or FINRA examination experience.
Annual Compliance Review (Rule 206(4)-7)
SEC Rule 206(4)-7 under the Investment Advisers Act of 1940 requires every registered investment adviser to: (1) adopt and implement written policies and procedures reasonably designed to prevent violation of the Advisers Act and its rules; (2) designate a chief compliance officer responsible for administering the compliance program; and (3) review the adequacy of the policies and procedures and the effectiveness of their implementation at least annually.
Conducting the annual review. The annual compliance review is a regulatory requirement, not a discretionary exercise. It should be documented in writing and presented to senior management. The review should assess:
- Regulatory changes — Identify new rules, rule amendments, SEC guidance, no-action letters, and enforcement actions that may require updates to the firm's policies and procedures. Each regulatory change should be mapped to the specific policy or procedure it affects.
- Compliance incidents and outcomes — Review all compliance incidents that occurred during the review period, including trade errors, policy violations, customer complaints, regulatory inquiries, and the outcomes of those incidents. Assess whether the incidents reveal patterns or systemic weaknesses.
- Testing results — Summarize the results of compliance testing conducted during the review period, including trade surveillance testing, advertising review, fee billing audits, code of ethics monitoring, and any mock examination findings.
- Training completion — Confirm that all required compliance training was completed during the review period. Identify any personnel who did not complete required training and the steps taken to address the gap.
- Vendor oversight — Review the firm's oversight of third-party service providers, including custodians, sub-advisers, technology vendors, and other material service providers. Assess whether vendor due diligence was conducted and whether vendor performance and compliance were monitored.
- Technology changes — Evaluate whether changes to the firm's technology environment (new systems, platform migrations, cybersecurity incidents) require updates to compliance policies or procedures.
- Organizational changes — Assess the impact of any organizational changes — new business lines, personnel changes, office openings or closings, mergers or acquisitions — on the compliance program.
- Recommendations — The annual review should conclude with specific, actionable recommendations for improving the compliance program, along with a timeline and responsible persons for implementation.
Documentation. The annual compliance review must be documented. While the SEC does not prescribe a specific format, the documentation should be sufficient to demonstrate that a thorough review was conducted. SEC examination staff regularly request the annual compliance review report as one of their first IDR items.
Examination Readiness Checklist
For the full functional-area checklist of documents that must be organized, current, and readily accessible at all times (registration, compliance program, trading, advertising, custody, AML, cybersecurity, books and records), load references/exam-readiness-checklist.md when assembling or auditing exam-ready files.
Worked Examples
For three worked scenarios (a newly registered RIA's first SEC exam, a six-finding deficiency-letter response, and a CCO's business case for a mock examination program), load references/examples.md when the user needs scenario-level analysis.
Common Pitfalls
- Treating examination preparation as a reactive exercise — scrambling to organize documents only after receiving a notification letter, rather than maintaining examination readiness as an ongoing practice.
- Failing to read and act on SEC and FINRA annual examination priority letters, which are effectively advance notice of what regulators plan to focus on.
- Producing documents to regulators without a quality review, resulting in incomplete, disorganized, or inadvertently privileged materials that extend the examination and create negative impressions.
- Coaching interviewees to give scripted or evasive answers rather than preparing them to respond honestly and knowledgeably — examiners are experienced at detecting rehearsed responses, and evasiveness raises red flags.
- Responding to deficiency letters with vague promises ("we will enhance our procedures") rather than specific, concrete corrective actions with assigned owners and completion dates.
- Failing to conduct root cause analysis for deficiency findings, resulting in superficial fixes that do not address the underlying problem and lead to recurring findings in subsequent examinations.
- Treating the annual compliance review under Rule 206(4)-7 as a check-the-box exercise rather than a genuine assessment of the compliance program — examiners can easily distinguish between a substantive review and a perfunctory one.
- Allowing the CCO to be marginalized or under-resourced, which examiners will identify through interviews and organizational analysis as evidence of inadequate compliance culture.
- Failing to implement a document hold upon receiving an examination notification, resulting in the destruction of potentially relevant records.
- Not tracking and following up on remediation of prior deficiency findings — regulators will specifically review whether prior findings were addressed, and unresolved prior findings significantly increase enforcement risk.
- Conducting mock examinations but failing to document findings and remediation, negating much of the program's value as evidence of proactive compliance.
- Ignoring "informal" observations communicated at the exit conference or in a closing letter simply because they were not included in a formal deficiency letter — these observations frequently become formal findings in the next examination if not addressed.
Cross-References
- books-and-records (Layer 9) — Records readiness is the foundation of examination readiness; the ability to produce complete, accurate, and well-organized records in response to document requests is the single most important factor in examination outcomes.
- advertising-compliance (Layer 9) — Advertising and marketing materials are a top SEC and FINRA examination focus area; Marketing Rule compliance and FINRA Rule 2210 supervision are routinely reviewed.
- privacy-data-security (Layer 9) — Cybersecurity is a recurring SEC examination priority; firms' information security programs, incident response plans, and vendor oversight are regularly examined.
- anti-money-laundering (Layer 9) — AML program review is a standard component of FINRA examinations and an increasingly common focus of SEC examinations; AML independent testing reports and SAR filing practices are frequently requested.
- conflicts-of-interest (Layer 9) — Conflict identification, disclosure, and management are examined closely in both SEC and FINRA examinations, particularly in the context of fee arrangements, compensation structures, and affiliated transactions.
- client-disclosures (Layer 9) — Disclosure document completeness and accuracy (Form ADV, Form CRS, brochure supplements) are routinely reviewed; discrepancies between disclosures and actual practices are a common deficiency finding.
- reg-bi (Layer 9) — Regulation Best Interest compliance is a current top examination priority for both the SEC and FINRA; examinations assess both written policies and actual recommendation practices.
- sales-practices (Layer 9) — Supervision of sales practices, suitability determinations, and supervisory control systems are core FINRA examination areas under Rules 3110 and 3120.
- fiduciary-standards (Layer 9) — Fiduciary duty compliance, including duty of care and duty of loyalty, is assessed during investment adviser examinations; the SEC's Fiduciary Interpretation provides the framework examiners apply.