NASAA Model Rule

NASAA Written Policies & Procedures Rule

The NASAA Model Rule on Written Supervisory Procedures requires state-registered investment advisors to adopt and implement written policies and procedures reasonably designed to prevent violations of applicable securities laws. This parallels the SEC's compliance rule (Rule 206(4)-7) but is tailored to the state-registration context, with attention to the operational realities of smaller advisory firms.

Key Requirements

Written Compliance Policies

Firms must maintain written policies and procedures addressing each area of their business that presents compliance risk. These policies must be specific to the firm's actual operations — generic templates are not sufficient.

Annual Review Requirement

Policies and procedures must be reviewed at least annually for adequacy and effectiveness. The review should consider regulatory changes, business changes, compliance incidents, and examination findings.

Chief Compliance Officer Designation

Firms must designate a chief compliance officer (or equivalent) responsible for administering the compliance program. This person must have sufficient authority, resources, and access to carry out the role.

Risk-Based Coverage Areas

Policies must cover key risk areas including portfolio management, trading practices, advertising and marketing, custody of client assets, privacy, business continuity, and books and records.

Employee Training and Acknowledgment

Firms must ensure that supervised persons understand and acknowledge the policies. Training should occur at onboarding and periodically thereafter.

Documentation of Implementation

It is not enough to have policies on paper. Firms must document that procedures are actually being followed, including records of supervisory reviews, approvals, and exception handling.

State Adoption Status

6 states confirmed (CO, MI, NE, NV, OK, WA)

Adoption of NASAA model rules varies by state. Some states adopt the model rule directly, while others have their own rules covering the same requirements.

Visit the State Adoption Tracker for a complete per-state breakdown. Data sourced from the NASAA model rule matrix and the NV 2024 Legislative Survey. Last verified March 2026.

Common Violations

Avoid these frequently cited deficiencies during state examinations.

Boilerplate Policies Not Tailored to the Firm

Using off-the-shelf compliance manuals without customizing them to reflect the firm's actual business activities, client base, and risk profile.

Failure to Conduct Annual Reviews

Missing or superficial annual reviews. Regulators look for documented evidence that the review was thorough and resulted in meaningful updates.

No Evidence of Implementation

Having detailed written policies but no evidence that they are being followed in practice — sometimes called the "paper compliance" problem.

Outdated Policies After Business Changes

Failing to update policies when the firm adds new services, changes fee structures, hires new personnel, or adopts new technology.

Best Practices

Tailor your compliance manual to your specific business model, services, and client types
Schedule the annual review early in Q1 and treat it as a formal project with documented findings
Keep a change log showing when policies were updated and why
Require all employees to sign an annual acknowledgment of the compliance manual
Map each policy section to the specific regulatory requirement it addresses
Use checklists or workflows to verify that procedures are followed consistently
