Annual Review Best Practices – Do You Know What to Look For?

In this episode Oyster CEO Buddy Doyle and other Oyster experts discuss best practices for conducting broker-dealer and investment advisor annual reviews. Topics include testing your compliance program, including reviewing your compliance calendar to maximize the use of your time and resources, new products, system implementations and taking into account what’s different in today’s environment. Buddy and Polly also discuss how Oyster Solutions software can make producing your annual review a much more efficient process.

Oyster Solutions is one “solution” for many systems: 

  • A system to track various workflows and processes across multiple departments.
  • Advertising submission tracking including teaching your employees how to submit “compliant” pieces
  • A system that produces metrics and reporting dashboards for management to assess progress
  • Trade monitoring and best interest alert system to advise when portfolios fall out of line
  • System(s) for tracking employee attestations and training throughout the calendar year
  • A system to keep in line policies with procedures and ensure one doesn’t exist without the other


Speaker 1: 0:05

Welcome to this week’s serving of Oyster Stew, a mix of financial services, commentary and insights. Each week we’ll discuss what is happening in the industry based on what we see as we work with regulators and clients. We hope you come away with the knowledge and tools to help you make the best decisions for your firm’s future.

Polly Cordle: 0:24

Hi Buddy. How are you doing?

Buddy Doyle: 0:25

Doing well Polly , how are you?

Polly Cordle: 0:28

I’m good. It’s been awhile since we got to talk on one of these. I hope that’s not a bad sign that they don’t want us to do these.

Buddy Doyle: 0:34

I think that hopefully everyone is enjoyed the podcasts that have been coming since the last time Polly and I got together to record one.

Polly Cordle: 0:43

Hopefully they’ve been helpful. I know I enjoy the podcast, but I might be a biased participant. So, we’re coming up on rounding out ADV season, and I know we used to run firms on a BD 3120/3130 cycle at the end of March. Some firms run it on a different cycle now, but it seems like a good time for folks to be looking at their overall annual reviews. So I was wondering if you could give firms kind of some best practices, some ideas of what to be looking at as they’re doing their annual reviews?

Buddy Doyle: 1:21

Yeah, well I think first, to your point, Polly, when Rule 3012, which was the predecessor of 3120 first came out, it had a 3/31 deadline, and then required you to test your program, certain aspects of your program, at least annually. And what has happened as a result is that a lot of firms sort of adopted that 3/31 deadline for 3120s or 3012s in the in the past and have never really changed their calendar around, which I think is fine if you’re a broker dealer that doesn’t have a registered investment advisor attached to it. But to your point, it is ADV season and one of the things that compliance officers often get trapped into is the crunch time deadline, pulling it out of the hat at the last minute approach to managing your calendar, and you don’t have to do that. Within 3120 it does require you to test at least annually on investment a dvisors. You have to review your compliance program at least annually, but there isn’t a prescribed date and there isn’t a prescribed process necessarily to follow. There are things you need to do as a matter of course, but you don’t have to necessarily stay tied in to a particular deadline like 3/31, so one of the best practices that we have is looking at your compliance calendar. If you don’t have a compliance calendar, you should really consider getting one and asking yourself, have you spread the workload out appropriately so that you can maximize the use of your time and resources to accomplish the most you can.

Polly Cordle: 3:24

Yeah, that’s a great point. Spreading it out across the year especially. I know we encourage, at least I encourage my clients to kind of split the work up, don’t do it all at once. And we kind of put it in chunks throughout the year. And then when you’re doing your annual review, bring that review back in. I always felt it was interesting that we did branch exams once a year so that people had the opportunity to do things wrong for 364 days, and then find out, “Hey, you’ve been doing it wrong for 364 days,” when it really made more sense to me that we look at small pictures each of the 12 months and catch something within 30 days. So yes, spreading it out over the year and then bringing it in in the annual review is always my kind of preferred method.

Buddy Doyle: 4:12

Yeah. And the other thing about 3120s in particular is within broker dealers. There are control principles where you can assign policies and procedures to certain areas of the firm, certain principles within those firms. And I think it’s important first and foremost, as you’re starting your process for your annual review on a broker dealer in particular, to engage your control principles and talk to them about sort of what they’ve gone through in the prior year as it relates to business changes, and how the business has evolved over time. Are there new products and services that you’re offering your clients? Are there new system implementations that have occurred? What’s different in today’s environment outside of the external market factors and regulatory factors, but what’s different in the way the firm operates? And that is true not only for broker dealers where you would have a control principle involved, but in the registered investment advisors as well, where you’re going to be talking to leaders in your organization who run portfolios or managed trades or work in operations or marketing. It’s, that’s a really great place to start.

Polly Cordle: 5:38

Yeah. And another great reason to jump off of your ADV work that you’ve just done, because a lot of those answers feed into the ADV responses you’re putting in now. And then you know, your new business channels, those sorts of things feed right into your ADV, and you can use that information to jump right into the next step.

Buddy Doyle: 5:56

Yeah, it’s really amazing how many people approach a compliance program as a standalone thing, when in reality it’s just meant to make sure you operate well within the rules and risk parameters that you’ve set for your firm. And once you’ve decided that that’s your approach, let’s do it right the first time. Then you have the business involved in an ownership capacity of getting this done. Well, business folks do not want to violate rules. That’s not a goal. They need to be educated on how to do their job efficiently and correctly the first time because it’s so much harder to go back and make changes once you’ve implemented something new. It’s a good idea to have recurring conversations with folks you know, so that they feel comfortable coming to you before they decide to do a project or change a platform. But as part of the annual review process, even in that environment where you feel like you’re a collaborative unit with your business, it is important to go back and just sort of recheck that step one.

Polly Cordle: 7:08

Sure. Are there other areas that you recommend firms look into? I mean, new business channels, new lines of business, other areas that you recommend they go into as they’re doing an annual review?

Buddy Doyle: 7:20

Well, the second component of an annual review, that’s kind of the easy starting point, is what rules and regulations have changed or what major interpretive guidance has come out that might shift your thinking on a particular topic. And so you’ll want to go back through the SEC website or through FINRA’s Notices to Members and take a look at what’s happened in the regulatory environment, and then go back and ask yourself how does that apply to your business and if it is applicable to the kind of business that you do. Then you’ll want to sort of take a look at the, again, the new things that are coming out, to see how you did a nd getting your control environment established, and not just did you have a good plan, but did you execute that plan? A nd, in hindsight, is that plan effective?

Polly Cordle: 8:18

Ah, yes. Is the plan effective? Good point. You should definitely have a testing component to these things too. And that’s a big point that you need to go back and not just look at what you’ve put in place, but then test what you’ve put in place as well.

Buddy Doyle: 8:34

Yeah. And that testing part is really important. You can leverage testing that you do throughout the year and refer to it in your reports that you’re going to be writing. We do write annual reports with our clients to document the testing that’s been done. But that testing could have happened three months, four months, six months before. And what we really want to understand is what were the findings in that test? What were the recommendations of that test and where a re they implemented? And what did you do in response to that? Did you offer training to your employees? Did you change some system parameters? It’s a good time to go through and document, “we did this, this is what we found, this is how we dealt with it. This is how we plan on moving forward. And this is our focus for the foreseeable future on this particular topic.”

Polly Cordle: 9:38

So I know I run across a lot of clients who feel like it’s a little redundant to read their policies as they’re doing their annual review. How do you feel about that?

Buddy Doyle: 9:48

Oh my, it’s a cover to cover review when I do it.

Polly Cordle: 9:52

I agree. I have to say, no matter how many times I read them, I find something every time.

Buddy Doyle: 9:57

It is really important to understand how you’ve written the document that describes not only what you do and why you do it from a policy perspective, and what you’re not allowed to do from a policy perspective. But getting into the procedures is where the rubber hits the road. When you look at your procedures, ask yourself the really tough questions: “Am I doing these procedures? Are these procedures being followed in the way that they’re designed? Or have people found maybe better ways of implementing those procedures that you’ll want to amend your documents to match your processes? Or are they just not doing it at all?” And you’ve just left yourself in a trap of an aspirational procedure that you’re never really going to follow, and violating your procedures is not a good thing. So you’ll want to make sure that you feel confident that the way you operate is the way you document how you operate, and when it’s not. You’ve got to sync those things up.

Polly Cordle: 11:11

All right , sounds good. Anything else you can offer us on annual reviews?

Buddy Doyle: 11:15

Well, I think the big thing is, remember you’ve got leaders in your organization who are concerned about risk and how risk impacts their organization. And you’ll want to be able to talk to the CEO, the CFO, the chief operating officer within your organization in a way that’s meaningful to them so that they can understand why there is a need to change. If there is a need to change and they really want to understand what the big, what is right, what do I have to do to make my firm’s safer, what do I need to do to make sure that when we’re engaging our clients that we do it really well. Don’t get too bogged down in the minutia in your reports with them, but make sure you’re communicating to them in a way that that is compelling beyond just a “because I said so” kind of approach. It’s amazing how many people think “because I said so” is is an effective way of driving change within an organization. But if you want to drive change in an organization as a result of your testing, you may have to change some beliefs in the leadership of that organization, and beliefs are not easy things to change even with new compelling data. And so ask yourself, what is the big deal to a CEO? Put yourself in their chair and realize that there are a bunch of things on their plate that they have to deal with. And how do you make sure that you address the major risks, the major topics, the major transformational things that you feel like you need to do in your program? If there are any in a way that will actually end up in a positive outcome.

Polly Cordle: 13:23

All right , well thank you Buddy. Sure. And Polly, I know you work in Oyster Solutions , routinely with our clients , kind of day-in day-out. Are there things that you’ve done and seen , happen in that are sort of different from your experience that you had with them before they had these automated testing tools? Sure. So one of the things that we really encourage clients to do in Solutions is put everything into Solutions if it touches the compliance program. And not necessarily just the compliance program. We do encourage them to put other workflows in there. But definitely, if it touches the compliance program, we encourage them to put it into the one location, do everything in that one place. And what we find is then when you go to do your annual review, it’s all right there. So rather than tracking down these documents from ten different people or five different people or waiting on requests, you don’t have to do that anymore. You can go and search these workflows yourself and see where the branch exam was done and the findings from the branch exams. Or you can go and see where surveillance reports were run and what the findings of those reports were. Or you can go see the annual attestations, and if there were any concerns identified there; or the continuing education. You can pull all of that yourself without having to go and then track down all of these records, which is a big efficiency, and then being able to just say, “Here’s our policy.” So we have a big belief that every policy should have a procedure that enforces it. That’s kind of the perfect policy guide. There’s a policy and a procedure that enforces it, and then a workflow that makes that happen. And so you can run reports that say, here are the workflows. These ran, these didn’t. You can say these ran and got finished on time. These ran and got finished past due, and those past due ones, those are the ones I really like to focus on in an annual review and encourage clients to say, “Hey, look at these and say to yourself, is this something we don’t need to be doing? And that’s why it wasn’t a priority. Is this a regulatory issue and we have something we really need to be paying attention to and make this a priority.” You know, it really gives you a good look at what’s going on holistically in your compliance program and where you need to focus your attention. And having i t all in one place, it really makes a big difference. Being able to see it without having to go and drag it from multiple locations, even from network folders, not having to remember, “where did I put this?” Or “where did I put that?” Just being able to say, “Oh, I need marketing r equests. ” I s earch marketing requests. There they are. It makes a big difference and it makes it all much more efficient. And then we’ve built in workflows that just simply ask you these are the things you need to look at, what was the result? And then build the report for you so that in the end you have a draft report that’s b uilt f or you. And even that becomes much more efficient.

Buddy Doyle: 16:48

And I think one of the things that I think about a lot, and I am a Chief Executive Officer , in addition to being a compliance professional, and when I think about things that happen at Oyster in particular where I’m CEO, I’m responsible for all of it. And one of the things that comes out of these testing processes is, particularly in the broker dealer Rule 3130, is the CEO certification, and when a CEO certifies a control environment and that things are moving along. One of the things that I often recommend to firm, depending on their structure and how spread out they are and how big they are and complex their businesses, is to get a certification by the control principles , by the people running certain areas of the firm, to help that Chief Executive Officer understand that when they are making that statement and their certifications that they’ve been reviewed and that it’s reasonably designed, that they have assurances from their team in writing that their component of the firm , their section of that organization, is also compliant, and that that CEO can take some confidence that they’ve put themselves on the line with you. And so I know Polly, you’ve got certifications in Solutions for that to happen. I like that as being part of the annual review process.

Polly Cordle: 18:30

Yes, we do. We have workflows in there that will allow those principals to sign off on their responsibilities and send that to the CEO. So they’re aware that it’s been certified, and then they can do their certification. We also allow our firms to attach a responsible party to each individual policy. And then they’re able to run a report to see who those people are and make sure that they’re covering all of them in those certifications. So you can not only have a process that say Buddy Doyle is responsible for that process, but then be able to identify him as you’re getting your certifications.

Buddy Doyle: 19:09

And so as you’re going through this, I think one of the keys to being successful is making sure that you have well-documented tests, which we’ve talked about, regardless of when they took place throughout the year; that you have people certifying to the fact that they are compliant, that they’ve dealt with the issues, that they’ve closed down any gaps, that they’ve implemented all the new rules, and they’ve gone through the process as it relates to products. And then having a well-written report that documents what you’ve done with all of that together. You can feel pretty good about your annual review process at that point.

Polly Cordle: 19:52

Oh yeah, absolutely. And in particular for our Solutions clients, we feel like we’ve done a thorough job of reviewing those rules. What I’ve seen, some of the hiccups for clients before we had Solutions in place for them, would be missing parts of what the rule required that the report includes for certain firms. You have to include a review of your complaints and firms might miss that, not realizing that it was actually required. And so we take that into account as we’re building out their workflow for the annual review . So, little things like that that, that you don’t realize are there. It’s really important and it can end up catching you . All right. Well Buddy, thank you so much. This has been great. I have enjoyed talking to you again. Hopefully we’ll talk again soon.

Buddy Doyle: 20:44

You as well. And if you have any questions about your review, feel free to reach out to myself, Polly, or one of our relationship managers.

Speaker 1: 20:53

Thanks again for listening to the Oyster Stew podcast. Don’t forget to subscribe so we can continue to bring you resources to help you make the best decisions for your firm. If you’re struggling with a topic and you’d like us to do a podcast on it, or you’d like a free consultation, feel free to reach out to us at (804) 965-5400 or by visiting our website at

About The Author

As CEO of Oyster Consulting, Buddy Doyle has led the charge to create a successful organization built on the belief that transforming experienced industry practitioners into consultants adds more value to our clients.


Learn how Oyster Solutions creates an efficient, effective compliance program that protects your firm and provides value.