RIA Code of Ethics: SEC Rule 204A-1 Requirements Explained
Oct 21, 2025
The RIA Code of Ethics is a cornerstone of compliance for registered investment advisors (RIAs). Required under SEC Rule 204A-1, it sets the ethical standards reflecting firms’ fiduciary obligations along with the supervision of personal securities trading.
For founders and executives building or scaling RIAs, understanding this rule is a foundation for a culture of integrity that regulators, investors, and partners expect.
This article explains what the RIA Code of Ethics is, why it matters, and what the SEC requires.
What Is the RIA Code of Ethics?
Designed to prevent misconduct before it occurs, the RIA Code of Ethics is a written set of standards that every SEC-registered investment advisor must adopt under Rule 204A-1. It acts as both a statement of principles and a compliance tool.
The code outlines the professional conduct expected of the firm’s employees and provides a framework for supervising and surveilling personal securities transactions.
For registered investment advisors, the Code of Ethics is the framework that defines how a firm treats clients (i.e., fiduciary obligations). It should reflect the culture of the firm and guide day-to-day decisions.
For fintechs, the stakes are even higher. Innovative business models frequently push the boundaries of existing regulations. If a platform offers digital advice, alternative assets, or hybrid investment products, regulators will look closely at how the firm handles conflicts, personal trading, and access to sensitive information. A clear Code of Ethics helps mitigate the risk of regulatory findings while also signaling to investors and partners that a firm operates with discipline.
Regulatory Background and Who Must Comply
Registered investment advisors who manage $100 million or more in assets are regulated primarily by the US Securities and Exchange Commission (SEC). Smaller advisors typically fall under state securities regulators. Both SEC-registered and state-registered firms must maintain a Code of Ethics, although the specific requirements may vary depending on jurisdiction.
SEC vs. State-Registered RIAs
SEC registration brings firms under the full scope of Rule 204A-1, which requires a written Code of Ethics with detailed reporting and monitoring provisions.
State regulators often impose similar obligations, but requirements can differ. For example, some states mandate the reporting of personal securities transactions but do not require firms to adopt a comprehensive Code of Ethics, as the SEC does.
Some fintech advisors initially qualify for state registration but later transition to SEC oversight, often through the Internet Adviser Exemption. This exemption is particularly relevant to digital platforms providing advice exclusively online. Firms pursuing this path must still meet Rule 204A-1 obligations, making it critical to build scalable compliance systems early.
Startups that begin under state oversight may need to update or expand their compliance framework once they grow and transition to SEC registration.
Relevant Regulators and Oversight
The SEC examines firms regularly to test whether their Code of Ethics is not only written but also enforced. State regulators follow similar practices. Oversight often focuses on personal trading, handling of material nonpublic information, and how violations are reported and addressed.
Alongside Rule 204A-1, RIAs also need to understand the SEC’s Marketing Rule, governing client communications, performance advertising, and use of testimonials. This rule often intersects with fiduciary obligations outlined in the Code of Ethics.
Consequences of Non-Compliance
Failing to adopt or enforce a compliant Code of Ethics can result in SEC deficiency letters, sanctions, or fines. In recent enforcement actions, firms have been cited not only for missing provisions in their codes but also for ignoring violations once they occurred. The message is clear: regulators treat the Code of Ethics as a core compliance obligation, not a formality.
Core Requirements Under SEC Rule 204A-1
The Code of Ethics rule is detailed but practical in its expectations. The SEC designed it to require standards reflecting the firm’s fiduciary obligations. At a minimum, every RIA’s code must address seven specific areas.
Main Requirements Under SEC Rule 204A-1

| Requirement | What It Means | Why It Matters |
|---|---|---|
| Standards of Business Conduct & Fiduciary Duty | Sets expectations for honesty, fairness, and prioritizing client interests | Reinforces the fiduciary duty central to RIA compliance |
| Compliance with Federal Securities Laws | Requires adherence to federal securities laws | Connects ethics to legal obligations |
| Personal Securities Transactions & Reporting | Access persons must submit holdings and transaction reports | Allows surveillance of access persons' personal securities trading |
| Pre-Approval of IPOs & Limited Offerings | Access persons need approval before certain investments | Addresses potential conflicts by requiring approval before access persons participate in certain offerings |
| Reporting of Violations | Requires employees to escalate Code breaches | Encourages early detection and remediation |
| Distribution & Acknowledgment | Code must be distributed and acknowledged in writing | Demonstrates employees are aware of their obligations |
| Recordkeeping | Maintain records of the Code, reports, and acknowledgments | Creates a documented history of the firm's Code of Ethics and related activities for compliance review |
The main Code of Ethics requirements are:
1. Standards of Business Conduct and Fiduciary Duty
The code must define how supervised persons are expected to behave in their professional roles. This standard reflects an advisor’s fiduciary duty: prioritizing client interests over personal or firm gain.
Regulators look for explicit language that requires honesty, fairness, and loyalty in all client interactions.
2. Compliance With Federal Securities Laws
The code must require all employees to comply with federal securities laws, including the Advisers Act and related federal rules. This provision reinforces that violations of insider trading laws, market manipulation, or disclosure rules are also violations of the Code of Ethics.
3. Personal Securities Transactions and Reporting Obligations
Advisors must identify “access persons” and require them to report their securities holdings and transactions. This includes:
Initial holdings report (upon becoming an access person)
Quarterly transaction reports (submitted within 30 days of quarter end)
Annual holdings report (covering current positions)
The advisor must review these reports for inappropriate trading activity, including potential conflicts with customer transactions, such as front-running or improper trading alongside clients.
4. Pre-Approval of IPOs and Private Placements
Access persons cannot invest in IPOs or specific limited offerings without pre-clearance. This prevents employees from taking investment opportunities that should be available to clients or using inside knowledge for personal benefit.
5. Reporting of Violations
The code must require supervised persons to report any violations of the Code to compliance. This can include self-reporting or escalating concerns about others.
Firms should create clear reporting channels so that employees know how to raise issues if they arise.
6. Distribution and Employee Acknowledgment
Each supervised person must receive a copy of the Code of Ethics and confirm in writing that they have received it. This is not a one-time step at onboarding; acknowledgments should also be refreshed whenever the code changes. Many advisors treat annual re-acknowledgment as a routine way to reinforce compliance expectations across the team.
7. Recordkeeping Duties
RIAs need to keep records of the Code of Ethics, any amendments, employee acknowledgments, and all personal trading reports. Records generally must be retained for five years, with the first two years kept in an easily accessible location.
Who Is an Access Person Under SEC Rule 204A-1?
Rule 204A-1 uses the term “access person” to describe individuals who must follow stricter reporting and oversight rules under the Code of Ethics.
Fintech firms often underestimate the broad scope of the definition of an access person. It is not limited to portfolio managers or investment staff. Anyone with visibility into client holdings, trading activity, or recommendations may fall into this category.
That can include technical teams, client-facing staff, or even founders who have wide system access. The designation is based on actual access to information, not job title.
Regulators have flagged firms for overlooking individuals who clearly met the definition but were excluded from reporting requirements. For startups, this typically results in more people qualifying as access persons than expected, making it especially important to have practical reporting procedures in place from the beginning.
Practical Challenges in Implementing an RIA Code of Ethics
Fintechs often face resource constraints, lean compliance teams, and fast-moving product cycles that make it difficult to apply Rule 204A-1 consistently, even when the written code looks solid.
The most common challenges include:
Identifying and Monitoring Access Persons
One of the first hurdles is determining who qualifies as an access person. In traditional firms, this is usually straightforward: portfolio managers, analysts, and traders. In fintech environments, it gets more complicated. Developers may have system access to client trades, founders may oversee operations, and client support staff may view holdings.
Without a process for regular review, employees with new responsibilities may be omitted. That can leave the firm exposed if those individuals trade personally without being subject to reporting requirements.
A practical approach is to treat access person identification as an ongoing control, not a one-time decision. Many firms conduct quarterly or semi-annual reviews of roles and system access. In fintech startups, where employees often wear multiple hats, erring on the side of inclusion is usually safer. It avoids the risk of missing someone who should be covered under the rule.
Collecting and Reviewing Personal Trade Reports
Rule 204A-1 requires initial, quarterly, and annual reports, but keeping this process organized is where many firms stumble. Missing deadlines, overlooking accounts held by spouses, or failing to review reports carefully are all common issues flagged by regulators.
For fintech firms, this can be even more complex. Employees often hold accounts across multiple platforms, and without a consistent process, compliance teams may struggle to have a clear overview of personal trading.
To mitigate these risks, fintechs should:
Set clear deadlines for report submissions.
Use standardized templates for holdings and transactions.
Assign a compliance officer or an external compliance partner to review reports.
Document the review process, including any follow-up questions or findings.
Transaction reporting under the Code of Ethics aligns closely with the monitoring expectations in the new AML rules. Treating these processes together can reduce gaps and improve efficiency.
Managing IPO/Limited Offerings Pre-Clearance
Access persons must obtain approval before investing in IPOs or certain limited offerings, such as private placements. However, employees may not recognize that an investment opportunity qualifies as a limited offering, or they may bypass the step altogether, treating it as administrative rather than central to compliance.
For fintech firms, the challenge is even greater. Employees may participate in early-stage token offerings, private crypto funds, or friends-and-family startup rounds. Each of these scenarios raises the same concern the SEC aimed to address with pre-clearance: preventing advisors from personally benefiting from opportunities that should first be available to clients.
Firms that manage this requirement effectively usually make the pre-clearance process straightforward. Instead of complex paperwork, employees are given a simple way to check in with compliance and receive an answer. The rules are explained clearly, so staff know exactly what counts as an IPO or limited offering, and every decision is documented and retained in compliance files.
Enforcing Policies Consistently
Regulators expect firms to show evidence that they are monitoring compliance, following up on red flags, and applying policies fairly across the organization.
Without clear accountability, compliance checks may slip through. For example, personal trade reports might be collected but never reviewed, or pre-clearance requests might be granted informally without proper documentation. These gaps can quickly become regulatory findings.
Consistency comes from process. When reviews are scheduled, documented, and repeated the same way every time, regulators see that the Code of Ethics is being applied in practice.
Best Practices for an RIA Code of Ethics
Meeting the rule’s minimum standards is only part of the picture. Fintechs that shape their Code of Ethics around their real risks and workflows are better able to address regulator expectations and practical challenges.
To move beyond the rule’s minimum standards, firms should consider these best practices for strengthening their Code of Ethics:
Tailoring the Code to Your Business Model: Fintechs often operate in areas where traditional templates fall short. A code tailored to the firm’s products, systems, and clients is more credible to regulators and easier to enforce internally. As such, fintechs should use customized policies that reflect real workflows and conflicts.
Training and Employee Engagement: For a Code of Ethics to be effective, staff need more than a copy of the document. They need training that explains their responsibilities and how the rules apply in practice. Regular refreshers and simple reminders help employees connect compliance requirements to real-world situations.
Leveraging Technology and Outsourcing: Technology can streamline monitoring and reporting, especially when employees trade across multiple platforms. Automated tools for trade review, restricted lists, and acknowledgment tracking reduce errors and save time. For early-stage fintechs without a full compliance team, outsourcing parts of the process to experienced compliance partners provides both expertise and scalability.
Building a Compliance-First Culture: Tone at the top matters. When leadership treats the Code of Ethics as central to the firm’s operations, employees follow suit. A compliance-first culture encourages staff to raise concerns, reduces shortcuts, and shows regulators that ethics are embedded in decision-making rather than treated as an afterthought.
Encouraging Reporting of Violations: Encouraging reporting is not just about catching misconduct. It also helps identify weaknesses in processes. Firms that foster a “speak up” culture build resilience into their compliance program and demonstrate to regulators that their Code of Ethics is more than a document on file.
The RIA Code of Ethics under SEC Rule 204A-1 is more than a regulatory requirement. It is a framework that shapes how advisors operate, manage conflicts, and demonstrate fiduciary duty.
For fintech firms, the rule has added significance, as innovative business models often create complex compliance risks.
By tailoring the code to their operations, investing in training, using technology and outsourcing wisely, and building a compliance-first culture, firms can meet expectations in a way that supports growth.
How Can InnReg Help?
InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013.
We are especially effective at launching and scaling fintechs with innovative compliance strategies and delivering cost-effective managed services, assisted by proprietary regtech solutions.
If you need help with RIA compliance, reach out to our regulatory experts.
Published on Oct 21, 2025
Last updated on Oct 21, 2025