Investment Advisor Regulation: SEC and State Rules for RIAs
Sep 11, 2025
Navigating investment advisor regulation is one of the earliest and most critical steps for firms offering investment advice in the US. Whether you are launching a digital advisory platform or scaling a hybrid model with both human and automated advice, understanding the federal and state regulatory structure is foundational.
This article breaks down how investment advisors are regulated, who needs to register, and what ongoing obligations apply once you are in business. We will cover the distinctions between SEC and state registration, how thresholds and exemptions work, and the compliance lifecycle for a Registered Investment Advisor (RIA).

InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013.
How Investment Advisors Are Regulated
Investment advisors in the United States are regulated under a dual system of federal and state oversight. The applicable rules depend primarily on the firm’s size, scope, and location.
At the federal level, the Investment Advisers Act of 1940 governs advisors registered with the US Securities and Exchange Commission (SEC). These are typically larger firms, managing $100 million or more in client assets. Smaller firms, usually with less than $100 million in assets under management (AUM), fall under state securities regulators, each of which enforces its own rules, often based on the Uniform Securities Act.
Advisors must navigate more than just the registration threshold. There are different filing systems, disclosure obligations, exam regimes, and rules around advertising, custody, and more, depending on whether the firm is federally or state-regulated.
Understanding where your advisory firm fits in this framework is the first step to building a compliant operation. Missteps in this early phase can delay product launches, trigger audits, or create long-term regulatory risk.
Who Needs to Register as an Investment Advisor?
In general, any person or firm providing investment advice about securities for compensation is subject to investment advisor regulation. That includes traditional wealth managers, robo-advisors, portfolio managers, and fintech platforms offering personalized investment recommendations.
You likely need to register if you are offering or receiving:
Advice related to securities (not just budgeting or financial literacy)
Personalized or client-specific guidance
Compensation in any form, including fees, commissions, or indirect benefits
RIAs that meet SEC thresholds must register federally.
Common exemptions include:
Banks and bank holding companies acting in a fiduciary capacity
Certain professionals (e.g., lawyers, accountants) whose advice is incidental to their primary role
Publishers and broadcasters that offer impersonal, general investment content
Family offices serving only family clients under specific SEC rules
Foreign private advisors with limited US clients and assets
Robo-advisors that provide investment advice exclusively through a digital platform, without human personalization (the Internet Adviser Exemption)
These exemptions are narrowly defined. Misapplying them is a common source of early-stage compliance risk.
Grey Areas
Founders often assume that platforms offering "general information" or "financial education" are exempt from regulation. But if your product suggests specific securities based on user input, or uses algorithms to generate personalized portfolios, you are likely offering investment advice under US law.
Labels like “advisor,” “coach,” or “consultant” do not change the substance of the service. Regulators focus on what your firm does, not what it calls itself. Disclaimers will not override the function, either.
This is where early legal and compliance input is critical, especially for fintechs building novel business models around data, automation, or hybrid advice.
RIA vs. IAR: What’s the Difference?
When registering and building your advisory team, it is important to understand the distinction between a Registered Investment Advisor and an Investment Advisor Representative (IAR). Although the terms are often used interchangeably, they refer to two different regulatory roles.
What Is an RIA?
An RIA is the firm itself. It is the legal entity, whether a corporation, LLC, or sole proprietorship, that registers with the SEC or state regulators to offer investment advisory services. The RIA holds the license, manages the compliance program, and is responsible for client disclosures, policies, and regulatory filings.
RIAs can be independent firms or fintech platforms providing advice through human advisors, algorithms, or a combination of both.
RIAs can provide a wide range of services, including investment management, portfolio construction, and financial planning. However, determining how much to charge can be a challenge, especially when clients have varying levels of complexity. To support transparent and scalable pricing, InnReg created a free RIA Financial Planning Calculator that helps advisors build structured, client-specific fee models.
What Is an IAR?
An IAR is the individual providing advice on behalf of the RIA. IARs must meet qualification standards (typically passing the Series 65 or Series 7 & 66 exam) and are registered at the state level, even if the firm is SEC-registered.
Each IAR must be properly registered in every state where they have a client, with some states not requiring registration if they meet the de minimis exemption threshold. This becomes especially important for remote teams, hybrid business models, or firms expanding across jurisdictions.
While a firm may meet its regulatory obligations at the entity level, it can still face compliance issues if its Investment Advisor Representatives are not appropriately registered. This is a frequent exam finding, especially for firms operating across multiple jurisdictions or experiencing rapid growth.
Clear delineation between firm-level responsibilities and individual licensing requirements is essential for maintaining regulatory compliance across the organization.
SEC vs. State Regulation: Who Regulates What?
Investment advisor regulation is split between the US Securities and Exchange Commission (SEC) and state securities authorities.
The SEC regulates larger firms, typically those managing $100 million or more in client assets. These advisors register federally and follow a unified set of federal rules under the Investment Advisers Act of 1940.
State regulators oversee smaller firms, usually those under the $100 million AUM threshold. States enforce their own rules, many based on the Uniform Securities Act, with some variation in application, especially around advertising, custody, and bonding requirements.
Federal registration generally preempts state registration, but state notice filings are still required in each state where the advisor has clients. The split is straightforward in principle but nuanced in execution. As firms grow or expand geographically, they may need to shift registration or comply with both federal and multiple state requirements.
State-Imposed Registration
Some firms are required to register with state regulators even if they fall outside the typical federal/state thresholds. These situations can arise based on a firm’s location, business model, or the specific rules of a given state.
Even without a large client base, an RIA may need to register in a state if it has a physical office or regularly solicits business there. Most states impose registration once an advisor reaches more than five clients in that state (known as the de minimis exemption, as outlined below).
As each state applies its own interpretation of investment advisor regulation, firms operating nationally must evaluate state-specific thresholds, exemptions, and additional requirements (such as bonding, net worth minimums, or mandatory filings like Form U4 for IARs).

Dual Compliance
Some firms find themselves subject to both SEC and state-level compliance obligations (dual compliance). This happens more frequently than many founders expect, especially as firms grow, decentralize, or operate across multiple states.
Common scenarios in which dual compliance often applies include:
Remote teams with IARs in multiple states
Nationwide client base that exceeds de minimis exemptions
Hybrid models combining federal registration with IAR licensing across multiple jurisdictions
When dual compliance applies to a business, a registered SEC advisor must typically:
file notice registrations in each state where it has clients;
register individual IARs at the state level;
and comply with state-specific rules.
In practice, this requires building a compliance program that tracks and adapts to jurisdiction-specific obligations.
SEC Registration Requirements for Investment Advisors
A firm must register with the SEC as a Registered Investment Advisor if it manages $100 million or more in regulatory assets under management (AUM) and is not otherwise exempt. Once AUM reaches $110 million, registration with the SEC becomes mandatory. If AUM drops below $90 million, the firm may need to switch to state registration.
SEC Registration Process
Registering with the SEC as an investment advisor is primarily done through the Investment Adviser Registration Depository (IARD) system. The process centers around submitting a multi-part registration application, known as Form ADV.
To complete registration, a firm must file:
Form ADV Part 1: A structured application disclosing business details, ownership, types of clients, and disciplinary history.
Form ADV Part 2A: A narrative brochure describing services, fees, investment strategies, and conflicts of interest.
Form ADV Part 2B: Brochure supplement with background information on advisory personnel (delivered to client, not submitted to SEC).
Form ADV Part 3 (Form CRS): A relationship summary of the firm’s services, fees, conflicts of interest, and obligations (required if advising retail clients).
The SEC expects a firm to have its compliance infrastructure in place at the time of registration. This includes written policies and procedures, a Code of Ethics, a designated Chief Compliance Officer (CCO), and internal controls to support advisory operations from day one.
Once the application is submitted, the SEC has up to 45 days to approve or reject it. In practice, many applications are approved more quickly, but firms should be ready to respond to follow-up questions during the review period.
Other Triggers
While AUM is the most common factor in determining SEC registration, several non-AUM scenarios can also make federal registration applicable:
New York-based advisors: New York generally does not register advisors with between $25 million and $100 million in AUM. If your firm falls into this range and operates out of New York, you are required to register with the SEC.
Multi-state operations: If your firm would be required to register in 15 or more states, you may elect to register with the SEC instead. This exception exists to reduce the administrative burden of maintaining multiple state-level registrations.
Internet-only advisors: Firms offering investment advice exclusively through a qualified interactive website, with no human interaction or tailored advice, can qualify for federal registration under the SEC’s “internet advisor” exemption, even without reaching the $100M threshold.
State Registration Requirements and the De Minimis Rule
Firms that fall below the SEC’s registration threshold typically register with one or more state securities regulators. Each state has its own requirements, although many follow a similar framework based on the Uniform Securities Act.
When State Registration Applies
If your firm has less than $100 million in AUM and doesn’t qualify for a federal exemption, state registration is generally required in your home state and in any other state where you have a meaningful client presence.
Most states also require:
Registration of each IAR operating within its jurisdiction
Submission of Form ADV through the IARD
Compliance with local bonding or net capital requirements (especially if the firm has custody or discretionary authority)
Understanding the De Minimis Exemption
Most states provide a de minimis exemption that allows advisors to serve a small number of clients without needing to register. The standard threshold is usually five or fewer clients, but not all states follow this rule.
For example:
Texas and Louisiana may require registration for just one client
Other states apply the de minimis exemption only to specific types of clients (e.g., institutional vs. retail)
Firms operating in multiple states should review each state's position carefully. Relying on incorrect assumptions can trigger registration violations, fines, and delays during state audits.
How to Register as an Investment Advisor (Step-by-Step)
The registration process for investment advisors follows a structured sequence.

Whether you are registering with the SEC or a state, the core components are similar:
Determine whether SEC or state registration applies: Use your regulatory AUM as the starting point, but also consider any exemptions, the nature of your platform, and your geographic footprint.
Prepare and file Form ADV Parts 1 and 2 via the IARD system: Part 1 is the application for registration, requiring firm details. Part 2A is a brochure describing your services, fees, and conflicts. Some states also require you to file Part 2B for your advisory personnel.
Meet any financial, bonding, or compliance officer requirements: Depending on your regulator, you may need to demonstrate minimum net worth, post a surety bond, or provide audited financials. You’ll also need to designate a Chief Compliance Officer with meaningful authority.
Register investment advisor representatives (IARs) and complete required exams: Most IARs must pass the Series 65 exam or an equivalent, unless they qualify for a waiver through certain designations like the CFA or CFP.
Implement written compliance policies before onboarding clients: Regulators expect your compliance program to be fully operational from day one. This includes a compliance manual, code of ethics, cybersecurity protocols, supervisory systems, and recordkeeping procedures.
Ongoing Compliance Obligations Under Investment Advisor Regulation
Once registered, RIAs must meet a range of ongoing compliance requirements. These obligations are not one-time tasks; they recur, are enforced, and are reviewed during audits or exams. The main obligations include:
1. Fiduciary Duty
RIAs have a fiduciary obligation to act in their clients’ best interests. This includes making suitable recommendations, avoiding conflicts of interest where possible, and clearly disclosing those that remain.
Firms must also align internal incentives, compensation structures, and portfolio decisions with this standard.
2. ADV Updates
Form ADV must be kept current.
Keeping the form up-to-date includes annual updates and material amendments. The form must be submitted within 90 days of the fiscal year end, and also whenever business practices change in a way that affects the disclosures.
This applies to both SEC and state-registered advisors, though timing and format expectations may differ.
3. Annual Review
Firms registered with the SEC are required to conduct and document a full review of their compliance program each year. States often expect the same, even when not explicitly mandated.
Reviews should assess:
Effectiveness of current policies
Implementation gaps
New risks or changes in operations
4. CCO Requirement
Every RIA must designate a qualified Chief Compliance Officer. The CCO is responsible for administering the compliance program and must have the authority and resources to do so effectively.
Many firms, especially startups or high-growth fintechs, outsource the CCO role to specialized providers. This can offer access to deeper expertise at a lower cost than hiring in-house.
5. Code of Ethics
Registered Investment Advisors are required to adopt a written code of ethics that sets clear expectations for professional conduct and personal trading. This document is a formal part of the compliance program that outlines how advisory personnel should act in situations where conflicts of interest might arise.
The code must address three key areas:
Standards of conduct that apply across the firm
Reporting requirements for personal securities transactions and holdings
Access person rules, including pre-approval and periodic reporting obligations
Firms are also responsible for reviewing and enforcing the code. That means establishing systems to track and monitor compliance, investigate violations, and apply consequences when needed. Regulators routinely examine whether firms are actively administering their ethics program.
6. Books and Records
All RIAs are subject to extensive recordkeeping requirements under federal and state rules. These records must demonstrate the firm’s advisory activities, internal controls, and compliance efforts.
Core record categories include:
Trade and transaction logs showing how client accounts are managed
Client communications, including emails, disclosures, and agreements
Compliance documentation, such as internal reviews and training records
Marketing materials distributed to prospective or existing clients
Most records must be retained for at least five years, with the first two years kept in a location that allows for immediate access. For firms using cloud-based platforms, this means keeping records organized, time-stamped, and easily retrievable for audits or regulatory exams.
7. Custody Rules
If an advisor has custody of client funds or securities, additional controls apply.
These may include:
Use of qualified custodians
Annual surprise exams by an independent CPA
Enhanced client disclosures
Even a fee deduction authority may trigger custody rules in some jurisdictions.
8. Privacy and Data Security
Registered Investment Advisors are required to comply with Regulation S-P, which governs how firms collect, store, and share clients’ personal financial information. This regulation applies to both SEC- and state-registered firms and is a core part of any advisor’s compliance program.
Firms must deliver initial and annual privacy notices to clients that explain how their personal data is handled, including whether it’s shared with third parties and how clients can opt out of such sharing.
In addition to disclosures, RIAs are expected to adopt written policies and procedures designed to protect client information. These policies should reflect appropriate administrative, technical, and physical safeguards, such as secure access controls, encryption, data retention limits, and internal training.
9. Advertising and Marketing
The SEC’s updated Marketing Rule governs how investment advisors promote their services across websites, social media, investor presentations, and client communications. This rule modernized decades-old guidance and introduced more flexibility, along with clearer conditions for use.
Under the rule, advisors may now use:
Testimonials and endorsements, provided that disclosures are clear and prominently placed
Performance advertising, including actual, hypothetical, or extracted performance, if strict requirements are met
Third-party ratings, as long as the advisor discloses any material connections and the methodology used
However, these marketing practices are subject to detailed compliance conditions. For example, hypothetical performance can only be used with a defined audience and appropriate disclosures. Paid testimonials must clearly indicate that compensation was provided and whether the endorser is also a client.
Common Compliance Challenges for RIAs
Even well-prepared advisory firms encounter operational friction once they are live. Compliance obligations affect hiring, client onboarding, marketing, and business scaling.
Below are common issues that trip up both new and growing RIAs:
1. Switching Jurisdictions
As firms grow past the $100 million AUM threshold or enter new states, their registration status often changes. Moving from state to SEC registration (or the reverse) brings a new set of rules, filing schedules, and examiner expectations. Transition missteps, like missing a required ADV update or failing to register IARs in new states, are frequent sources of deficiencies.
2. Underestimating Operational Complexity
Building a compliance program is not the same as maintaining it. Many startups launch with a strong foundation but struggle to keep up as client volume increases or new services are added. Compliance tasks like marketing reviews, client disclosures, or cybersecurity updates can pile up quickly without dedicated ownership or processes in place.
3. Gaps in Marketing, Custody, and Billing Controls
Marketing and performance advertising are common flashpoints. Firms that use testimonials, influencers, or hypothetical returns without proper disclosures risk violating the SEC’s Marketing Rule or state equivalents.
Custody-related issues are another frequent problem, especially for advisors who deduct fees directly from client accounts or gain authority over client assets through login credentials or standing letters of authorization. If not handled properly, these can trigger unexpected audit or surprise exam requirements.
Fee billing errors also appear in exams. Inaccurate calculations, inconsistent invoicing, or misalignment between ADV disclosures and client agreements can all raise red flags.
4. Adapting Compliance to the Business Model
No two advisory firms operate the same way, and neither should their compliance programs. Yet many firms adopt generic templates that do not reflect their actual operations. That disconnect creates risk. For example, a firm using a custom-built trading engine or API-based onboarding process may need controls that off-the-shelf policies don’t account for.
This is especially true for fintechs building hybrid models, automated rebalancing tools, or modular advice offerings. Each feature may have its own regulatory implications.
5. Scaling Without Compromising Controls
As firms grow, the informal systems that worked at launch often break down. Marketing reviews get delayed, cybersecurity reviews go stale, and compliance becomes siloed from product decisions. This causes issues to surface, either during routine exams or, worse, through client complaints.
Successful firms invest early in compliance workflows that scale. That might include assigning ownership across teams, automating reviews where appropriate, and partnering with experienced compliance professionals who know how to keep up with fast product cycles.
—
Navigating investment advisor regulation requires more than just understanding AUM thresholds. From determining the right registration path to managing ongoing compliance obligations, RIAs must operate within a multi-layered and evolving regulatory structure. Federal and state rules do not just overlap; they diverge in ways that impact how you register, advertise, safeguard client data, and run daily operations.
For fintechs and fast-growing advisory firms, the challenge is not just regulatory complexity. It is building a scalable compliance program that fits your business model without stalling innovation.
How Can InnReg Help?
InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013.
We are especially effective at launching and scaling fintechs with innovative compliance strategies and delivering cost-effective managed services, assisted by proprietary regtech solutions.
If you need help with RIA compliance, reach out to our regulatory experts today:
Published on Sep 11, 2025
Last updated on Sep 11, 2025