July 7, 2025

The 3 Most Costly Compliance Gaps Facing Mid-Sized RIAs And How to Fix Them

For mid-sized RIAs, growth often brings complexity. More clients, more staff, and more services introduce operational and compliance challenges that didn’t exist at smaller scales. Unfortunately, that complexity is exactly where many firms stumble, not because of bad intentions, but because compliance programs fail to evolve as the firm grows.

If you’re a CEO or CCO at a mid-sized RIA, ask yourself: are you scaling your compliance infrastructure at the same pace as your business? Below are three of the most common and costly gaps we see in firms your size and what you can do to close them before the SEC finds them for you.

1. Compliance Leadership Without Infrastructure

The Gap: Many mid-sized RIAs appoint a CCO but fail to support that individual with the tools, documentation, or authority needed to enforce firm-wide compliance.

This is especially common in firms where the CCO wears multiple hats — think COOs or CFOs moonlighting as compliance leads. Without a robust framework beneath them, even experienced CCOs can’t maintain oversight across departments or ensure consistent application of policies.

What to Watch For:

  • The CCO lacks a formal budget or clear escalation authority
  • No centralized compliance calendar or task tracking system
  • Policies exist but aren’t translated into operational workflows
  • Training is ad hoc or delegated without monitoring

What to Do: Invest in a compliance infrastructure that scales with your growth. This includes clear reporting lines, technology for compliance task management, and regular leadership reviews that treat compliance as a strategic function, not a back-office necessity.

2. Inadequate Documentation of Business Changes

The Gap: Mid-sized firms often evolve rapidly, adding services, entering new geographies, or changing fee structures, but fail to update their compliance documentation accordingly.

Form ADV disclosures, internal policies, and even client agreements can lag behind what’s actually happening in the business. That mismatch is a red flag for regulators and a liability for your fiduciary obligations.

What to Watch For:

  • Discrepancies between how services are delivered and how they’re described in marketing or ADV filings
  • Undocumented changes to investment strategies, fee schedules, or third-party partnerships
  • Lack of a formal process for mapping business changes to compliance updates

What to Do: Establish a cross-functional review process where operational and business changes are regularly flagged for compliance impact. Tie this to quarterly policy and disclosure reviews, and document all updates, not just in filings, but in internal controls and procedures.

3. Fragmented Marketing Oversight in the Post-Marketing Rule Era

The Gap: Since the SEC’s revised Marketing Rule came into effect, firms have significantly more flexibility, but also more risk. Mid-sized RIAs often struggle to apply consistent oversight across the increasing volume of digital and advisor-led marketing content.

The result? Teams may post performance data or testimonials without proper substantiation, disclaimers, or documentation. This isn’t just risky, it’s become one of the most scrutinized areas in recent SEC exams.

What to Watch For:

  • Marketing materials created by individual advisors without compliance pre-review
  • Use of hypothetical performance or third-party ratings without appropriate disclosures
  • No audit trail of who approved what or when

What to Do: Implement clear guidelines and workflows for marketing compliance, especially for digital content. Use technology to track and approve materials, and ensure advisors understand when compliance approval is mandatory. Your compliance team should be able to produce an audit trail at any moment.

Compliance Is a Growth Lever

For mid-sized RIAs, the stakes are higher. The firm is no longer small enough to fly under the radar, nor large enough to absorb the consequences of regulatory missteps. The good news is that with the right processes, you can build a compliance program that not only avoids risk but also reinforces trust with clients and regulators alike.

Start with these three areas. Evaluate your current state, identify the gaps, and create a roadmap to maturity. Because when it comes to compliance, being “almost right” is the same as being wrong.

Author: SurgeONE Team