An access person is one of the most important designations inside an RIA’s compliance program. Under the SEC’s Code of Ethics rule, these individuals must report personal securities holdings and transactions so the firm can monitor potential conflicts with client trading.
In theory, the requirement is straightforward. In practice, many RIAs run into questions. Who actually qualifies as an access person? What information must be collected? And what does the SEC expect firms to review and document?
This article walks through how RIAs should identify access persons, what information must be collected from them, and how compliance teams typically review that information. The goal is simple: help firms organize access person oversight in a way that holds up during an SEC examination.
What Is an Access Person Under SEC Rules?
The term access person comes from the SEC’s Code of Ethics rules for registered investment advisors. It generally refers to any Supervised person who has access to non-public information regarding client trading activity, or is involved in making securities recommendations to clients, or has access to such information. Because of that level of access, these individuals must report certain personal securities holdings and transactions.
The concept is part of Rule 204A-1 under the Investment Advisers Act of 1940, which requires RIAs to adopt and maintain a written Code of Ethics. One purpose of the rule is to give firms a way to monitor employee trading and identify conflicts with client activity.
In practice, the designation depends less on job titles and more on who can access client securities trading activity/securities recommendations. Portfolio managers and analysts are obvious examples. But access can also extend to staff who support trading systems, maintain portfolio data, or prepare client reports.
Access Person vs. Supervised Person
The phrase supervised person appears frequently in the Advisers Act and often causes confusion.
A supervised person includes anyone who works for an advisor and provides investment advice on behalf of the investment advisor, and is subject to the firm’s supervision or control. This can include employees, partners, officers, and certain contractors.
An access person is more specific. It refers to supervised persons who have access to non-public investment information or participate in making securities recommendations to clients, or have access to this information.
This distinction determines who must file holdings and transaction reports under the Code of Ethics.
Category | Description | Compliance Implication |
|---|---|---|
Supervised Person | Individuals working under the advisor’s supervision provide investment advice | Subject to firm policies and oversight |
Access Person | Supervised persons with access to trading information or securities recommendations | Must submit personal trading reports |
Why the Access Person Category Exists
The access person framework is meant to address conflicts that can arise when employees trade for their own accounts.
Someone with knowledge of upcoming trades or portfolio changes could place personal trades ahead of client orders. Even when no misconduct occurs, these situations raise regulatory concerns.
For that reason, personal trading reporting allows compliance teams to compare employee activity with client transactions. The goal is visibility. Firms need to be able to review activity and document that oversight exists.
At many fintech advisors, access to investment information spreads beyond the portfolio management team. Product engineers, data analysts, or operations staff may interact with trading data or portfolio systems. As a result, access person determinations often depend on who has access to information as it moves through the firm, not simply on formal titles.
Who Qualifies as an Access Person at an RIA?
Identifying who qualifies as an access person is an early step when implementing a Code of Ethics. The SEC definition focuses on access to investment information involving securities rather than job titles. Portfolio managers and analysts are obvious examples, but employees in operations, technology, or reporting roles may also see trading or portfolio data:
Role Category | Typical Access to Information | Typically Classified as an Access Person? |
|---|---|---|
Portfolio managers | Direct responsibility for investment decisions and client trades | Yes |
Research analysts | Work with investment ideas and recommendations | Yes |
Traders | Execute client trades and view order flow | Yes |
Client-facing advisors | Communicate recommendations to clients | Often |
Client-facing advisors | Access portfolio systems or trade reporting tools | Sometimes, depends on what information is accessible |
Technology staff | Maintain systems containing trading data | Sometimes, depends on what information is accessible |
Portfolio Managers and Investment Committee Members
Portfolio managers almost always qualify as access persons. They make or influence investment decisions and have direct visibility into client trades, portfolio holdings, and strategy changes.
Members of an investment committee typically fall into the same category. Even if they do not place trades themselves, they often participate in discussions that lead to investment recommendations. That level of involvement places them within the scope of the Code of Ethics reporting requirements.
For compliance teams, this group is usually straightforward to identify. Anyone responsible for investment decisions is generally treated as an access person.
Research, Trading, and Client-Facing Staff
Research analysts and traders also tend to qualify as access persons. Analysts develop investment ideas, evaluate securities, and often prepare recommendations that will later be presented to clients or portfolio managers.
Traders have visibility into order flow and execution activity. They may see upcoming trades before they occur in the market.
Client-facing advisors can also fall into this category. If an advisor communicates investment recommendations or has early visibility into strategy changes, the SEC framework may treat that role as an access person with personal trading reporting obligations.
Operations, Tech, and Administrative Personnel
In some firms, operational staff may have system-level access to trading information or portfolio holdings. For example:
Operations employees may generate trade confirmations or portfolio reports
Data teams may work with portfolio analytics or performance systems
Technology staff may maintain order management or portfolio management platforms
When these roles involve access to nonpublic trading or holdings data, the firm may classify the employee as an access person. The determination often depends on the level of visibility provided by internal systems.
This is especially relevant for fintech advisors, where product and engineering teams frequently interact with trading infrastructure.
Founders, Officers, and the Presumption Rule
Rule 204A-1 includes an important presumption. If the firm’s primary business is providing investment advice, directors, officers, and partners are typically presumed to be access persons.
This does not mean every senior executive automatically reviews trades or investment data. However, leadership roles often have visibility into strategy discussions, portfolio decisions, or firm-level investment activity.
Because of that exposure, compliance programs generally classify founders and senior officers as access persons unless there is a clear reason not to.
Fintech-Specific Roles That Often Get Missed
In fintech advisory firms, information flows through systems rather than traditional departments. That can expand the range of employees who may qualify as access persons.
Examples sometimes overlooked include:
Engineers maintaining trading infrastructure
Data scientists analyzing portfolio data
Product managers working on investment features
Employees supporting automated portfolio models
These roles may not participate in investment committees, but they can still see trading information or portfolio holdings through internal tools.
For that reason, modern access person reviews often focus on system access and data visibility rather than organizational hierarchy.
—
The definition of an access person centers on access to non-public information. Portfolio managers, analysts, and traders typically fall into this category. In fintech firms, the scope may extend to engineering, operations, and product teams that interact with trading systems.
See how Regly helps RIAs manage employee compliance, reporting, and monitoring in one place →
What RIAs Must Collect From Each Access Person
Once an employee is classified as an access person, the firm must collect specific securities information under its Code of Ethics. These reports give compliance teams visibility into employee securities activity and allow comparisons with client trades and investment recommendations.
Initial Holdings Reports
An initial holdings report provides a snapshot of the access person’s existing securities holdings at the time they become subject to the Code of Ethics.
The report typically includes:
Title and type of security
Ticker symbol or CUSIP, when applicable
Number of shares or principal amount of each reportable security
Name of the broker, dealer, or bank maintaining the account
The information must generally be current within 45 days before the person becomes an access person and must be submitted within 10 days of that status change.
This baseline report allows compliance teams to understand an employee’s starting portfolio before ongoing monitoring begins.
Annual Holdings Reports
In addition to the initial report, access persons must submit an updated holdings report at least once every 12 months.
The annual report contains similar information: securities held in personal accounts and brokerage or custodial accounts, where those securities are maintained.
The purpose of the report is to maintain a current record of personal securities holdings for each access person.
Quarterly Transaction Reports
Quarterly transaction reports provide details about personal securities trades executed during the quarter. These reports must generally be submitted within 30 days after the end of each calendar quarter.
Each report typically includes:
Trade date
Security name and ticker or CUSIP
If applicable, interest rate & maturity date
Transaction type (purchase, sale, or other activity)
Number of shares or principal amount of each security
Price at which the transaction occurred
Brokerage firm or bank where the trade was effected
Date Access person submits report
These disclosures allow compliance teams to review employee trading against restricted lists, client trades, and other internal controls.
IPO and Limited Offering Pre-Approvals
Access persons must obtain approval before investing in certain private or newly issued securities. The Code of Ethics rule specifically requires pre-approval for investments in initial public offerings (IPOs) and limited offerings of securities.
Limited offerings often include private placements conducted under Regulation D. These investments can present conflicts if an employee participates in an offering related to the firm’s advisory activities.
When reviewing these requests, compliance teams typically document:
The security and issuer
The nature of the offering
The reason approval was granted or denied
The person responsible for the decision, along with the date of the decision
Maintaining records of these approvals helps demonstrate that the firm reviews employee investments in higher-risk situations.
—
Collecting information from each access person is a core part of the Code of Ethics framework. Holdings reports, quarterly transaction disclosures, and pre-approvals for certain investments allow compliance teams to monitor employee trading activity.
As firms grow, managing these reports across multiple brokerage accounts and employees can become time-consuming. Many RIAs look for ways to centralize employee trade reporting and review workflows so compliance teams can track reporting deadlines and review activity more efficiently.
Regly Compliance helps RIAs centralize and streamline compliance management using AI-powered tools →
What RIAs Must Review (Not Just Collect)
Collecting reports from each access person is only part of the Code of Ethics process. Compliance teams also need to review those reports and document that the review occurred.
Review Area | What Compliance Typically Checks | Why It Matters |
|---|---|---|
Supervisory review evidence | Documentation showing reports were reviewed | Demonstrates oversight during exams |
Trade conflict analysis | Personal trades compared with client transactions | Identifies potential front-running or conflicts |
Restricted list screening | Trades compared against restricted securities | Prevents trading in prohibited securities |
CCO oversight | Independent review of the CCO’s own trading reports | Avoids self-review conflicts |
Exception documentation | Notes explaining flagged or unusual activity | Creates a clear compliance record |
Evidence of Supervisory Review
One of the most common exam questions is simple: who reviewed the reports?
Compliance teams usually maintain logs or electronic records that show when reports were reviewed and by whom. Some firms require reviewers to sign off on reports. Others maintain digital audit trails inside their compliance systems.
The goal is to maintain clear evidence that a responsible supervisor reviewed the access-person trading reports. Without that documentation, firms may struggle to demonstrate oversight during an examination.
Detecting Conflicts and Front-Running
A key part of reviewing employee trading is looking for conflicts with client activity. Compliance teams usually check personal trades against:
Client transactions
Portfolio changes
Investment recommendations
Trades executed in discretionary accounts
The goal is to see whether both the employee and client traded the same security within a similar time frame. When employee trades occur before client orders, it can raise questions about potential front-running.
Restricted Lists and Watch Lists
Many RIAs maintain restricted lists to prevent trading in securities connected to confidential information or firm activity.
During the review process, compliance teams often check employee trades against:
Restricted securities lists
Watch lists tied to research coverage
Securities subject to trading limitations
These checks allow firms to identify transactions that may violate internal policies. In larger organizations, automated screening tools may assist with these reviews.
See how Regly can help you flag potential matches to global sanctions lists →
Reviewing the CCO’s Own Reports
The Code of Ethics review process should also address the personal trading activity of the chief compliance officer.
If the CCO is an access person, their reports should be reviewed by another qualified individual. In some firms, this may be a senior executive, legal counsel, or an external compliance provider.
The objective is to avoid situations where the person responsible for oversight is reviewing their own trading activity.
Documenting Exceptions and Escalations
During the review process, compliance teams may identify trades that require clarification.
Examples include:
Trades occurring near client transactions
Investments requiring pre-approval that were not documented
Transactions involving restricted securities
When these situations occur, firms typically request an explanation from the access person and record the outcome of the review.
Maintaining written notes or system records helps demonstrate that potential conflicts or unusual activity were reviewed and addressed. This documentation often becomes important during regulatory exams or internal compliance audits.
Reportable Securities: What Counts and What Doesn’t
Access-person reporting requirements apply only to reportable securities, a category defined under the SEC’s Code of Ethics rule. Understanding which investments fall into this category determines what must appear in holdings and transaction reports.
The Definition of a Reportable Security
Under Rule 204A-1, a reportable security generally includes any security that an access person owns directly or through beneficial ownership.
Common examples include:
Publicly traded stocks
Corporate bonds
Exchange-traded funds (ETFs)
Options and other derivatives
Certain private placements or limited offerings
If an employee owns these securities in a personal brokerage account, they are typically required to disclose them through holdings or transaction reports.
In practice, most securities that could overlap with client investments are treated as reportable securities.
Common Exclusions
The Code of Ethics rule also lists several securities that are not considered reportable. These exclusions exist because the investments are less likely to create conflicts with client trading.
Common exclusions include:
Direct obligations of the US government
Bankers’ acceptances and bank certificates of deposit
Commercial paper and other high-quality short-term debt instruments
Shares of money market funds
Shares of open-end funds other than reportable funds
Shares issued by unit investment trusts that are exclusively invested in one or more open-end funds, none of which are reportable funds
These securities are generally excluded because their structure or liquidity reduces the risk of conflicts with advisory activity.
Beneficial Ownership Rules
Reportable securities are not limited to accounts held directly in an employee’s name. The Code of Ethics also considers beneficial ownership, which can expand the scope of what must be reported.
Beneficial ownership typically includes securities held in:
Accounts owned jointly with a spouse
Accounts controlled by the access person
Accounts where the employee has influence over investment decisions
If an employee benefits from the investment or can influence trading decisions, the security may fall within the reporting requirement.
Household and Family Accounts
Family accounts often raise questions during Code of Ethics reviews. In many cases, accounts held by a spouse or dependent family member may be considered beneficially owned by the access person.
For example, reporting obligations may apply to:
Joint brokerage accounts with a spouse
Investment accounts held for dependent children
Family accounts where the employee directs trading activity
Firms typically address these situations directly in their Code of Ethics policies to avoid confusion about reporting obligations.
Edge Cases: 529 Plans, Private Funds, SPVs
Certain investments fall into gray areas that require additional review.
Examples may include:
529 college savings plans
Interests in private funds
Investments made through special purpose vehicles (SPVs)
Whether these investments are reportable can depend on factors such as the underlying securities and the employee’s ability to influence trading decisions.
Compliance teams often review these situations individually because the reporting obligation may depend on the structure of the investment.
Digital Assets and Token Investments
Digital assets introduce additional complexity when applying access-person reporting rules. Some tokens may be treated similarly to securities, while others may not fall within traditional securities classifications.
Because the regulatory treatment can vary, firms often address crypto holdings directly in their internal policies. Many fintech advisors include guidance in their Code of Ethics explaining when an access person must report digital asset investments.
—
The concept of reportable securities determines what an access person must disclose through holdings and transaction reports. Public securities, derivatives, and certain private investments are commonly included. Other instruments, such as US government obligations and money market funds, are typically excluded.
Understanding these distinctions helps compliance teams determine which investments should appear in access-person reporting and which do not.
See how Regly helps RIAs manage employee compliance and reporting requirements →
Access Person Recordkeeping Requirements
RIAs must maintain records documenting how access-person reporting and reviews are handled. These recordkeeping obligations come from the Code of Ethics rule and the Advisers Act books and records requirements. During SEC exams, regulators often review these materials to understand how the firm monitors employee trading activity.
Code of Ethics Distribution and Acknowledgments
RIAs must provide their Code of Ethics to all supervised persons and collect written acknowledgment that the policy was received.
Many firms collect these acknowledgments during onboarding and then repeat the process annually or when amendments to the Code are implemented. The documentation typically includes confirmation that the employee received the Code of Ethics.
This acknowledgment helps demonstrate that employees were informed about personal trading rules and reporting responsibilities.
See how Regly’s employee compliance module helps RIAs manage forms, attestations, and outside accounts →
Maintaining an Access Person Roster
Firms are also expected to maintain a current list of individuals classified as access persons.
This roster usually includes:
Employee name and role
Date the individual became an access person
Any changes to the status over time
The roster helps compliance teams track who must submit reports and which employees fall within the Code of Ethics monitoring program. Regulators often request this list during exams to confirm that the firm has properly identified its access persons.
Retaining Reports and Brokerage Statements
Access-person reporting generates several types of records that must be retained.
These typically include:
Initial holdings reports
Annual holdings reports
Quarterly transaction reports
Brokerage statements or trade confirmations
Many firms store these documents electronically within their compliance systems. The important point is that records must be organized and accessible if regulators request them during an examination.
Maintaining Violation Logs
Compliance teams also need to keep records when access-person policies are not followed. This often involves maintaining a violation log that tracks issues such as late reporting, missing disclosures, or trades that occurred without the required approval. Each entry typically notes when the issue occurred, what happened, and how it was addressed.
These records help demonstrate that compliance concerns were identified and handled through the firm’s supervisory process.
Form ADV Disclosure Obligations
RIAs must also disclose information about their Code of Ethics in Form ADV.
Part 2A of Form ADV typically describes:
The firm’s Code of Ethics
Policies addressing employee trading
How clients can request a copy of the Code of Ethics
This disclosure connects the firm’s internal policies with its public regulatory filings. The SEC expects that the practices described in Form ADV align with the firm’s actual compliance procedures.
Common Access Person Compliance Failures in SEC Exams
SEC examinations frequently review how firms monitor access-person trading activity. In many cases, the issue is not the absence of a policy. The problem is how the policy operates in practice.
The areas below reflect issues that regulators commonly identify during compliance reviews.
Failure to Identify All Access Persons
One of the most common findings is the incomplete identification of access persons. Firms sometimes classify only investment professionals while overlooking other employees who have access to trading information.
For example, operations staff, technology teams, or employees responsible for reporting and analytics may still see portfolio holdings or transaction data. If these roles have visibility into investment activity, they may fall within the access person definition.
Misclassification can lead to missing reports and incomplete monitoring of employee trading activity.
Late or Missing Reports
Another frequent issue involves reporting deadlines. Initial holdings reports, annual holdings updates, and quarterly transaction reports all have specific timing requirements under the Code of Ethics framework.
Problems often arise when employees open new brokerage accounts, change custodians, or forget to submit quarterly reports. In some cases, firms rely on manual processes that make it difficult to track deadlines across multiple employees.
Late or missing access-person reports are often cited during SEC exams because they suggest weaknesses in the reporting process.
Inadequate Review Documentation
Collecting employee trading reports is only one part of the process. Regulators also expect firms to demonstrate that the reports were reviewed.
In some cases, firms maintain the reports but lack evidence showing when the review occurred or who performed it. Without documentation, it can be difficult to demonstrate that the supervisory review actually took place.
Examiners often focus on whether the firm can show a consistent review process for access-person trading activity.
CCO Self-Review Problems
The chief compliance officer is often classified as an access person, which creates a practical challenge. If the same person responsible for oversight is also subject to reporting requirements, the firm must address how their reports are reviewed.
Some firms overlook this issue and allow the CCO to review their own trading disclosures. During an exam, regulators may question whether the review process provides appropriate independence.
Many firms address this by assigning review responsibility to another senior employee, legal counsel, or an external compliance provider.
Weak Controls Around Private Investments
Private placements and limited offerings require pre-approval under the Code of Ethics rule. In practice, these approvals are sometimes handled informally or recorded inconsistently.
SEC examinations sometimes identify cases where employees participated in private investments without documented approval. In other situations, firms approved the investment but failed to maintain records explaining the decision.
Because private investments can present conflicts with advisory activities, regulators often review these approvals closely during exams.
Access Person Compliance Checklist for RIAs
Many RIAs review their access person program periodically to confirm that reporting, supervision, and recordkeeping procedures are working as expected. A structured checklist can help compliance teams identify gaps before they appear during an SEC examination.
Below is a practical framework often used when evaluating access person oversight within an RIA compliance program:
Classification Review: Confirm that all employees who can access client trading information or investment recommendations are correctly classified as access persons. This review typically looks at job responsibilities, system access, and changes in employee roles.
Report inventory Check: Verify that each access person has submitted the required disclosures. This includes initial holdings reports, annual holdings updates, and quarterly transaction reports or brokerage statements.
Review Documentation Test: Confirm that the access person reports were actually reviewed by compliance or supervisory staff. Documentation should show when the review occurred and who performed it.
Pre-clearance Sampling: Review a sample of transactions requiring pre-approval, such as private placements or limited offerings. The goal is to confirm that approvals were requested in advance and properly documented.
Record Retention Audit: Check that key compliance records are maintained and accessible. This usually includes access person lists, trading reports, Code of Ethics acknowledgments, and documentation of policy violations.
—
The access person framework plays an important role in monitoring employee trading and managing conflicts within an RIA. Rule 204A-1 requires firms to collect specific disclosures, review trading activity, and maintain records that demonstrate oversight.
While the regulatory requirements are well defined, the operational side often creates challenges. Firms must track multiple reporting deadlines, review trading activity against client transactions, and maintain documentation that regulators can evaluate during an examination.
For many RIAs, the goal is to build a process that allows access-person reporting, review, and recordkeeping to function consistently as the firm grows.
Ready to Get Started?
Schedule a demo today and find out how Regly can help your business.