I run compliance for a $3.4B AUM registered investment adviser registered with both the SEC and FINRA. Our team is eight people. We monitor roughly 340 regulatory publications per month. Do the math. That is not a staffing problem you solve by hiring faster.
Here's the thing most firm leadership doesn't fully grasp: regulatory publication volume is not proportional to firm size. A $2B AUM RIA and a $20B AUM RIA receive essentially the same flood of SEC releases, FINRA notices, and state bulletins. The regulatory universe does not care how large your book is. You are registered with the same bodies. You are subject to the same rulebook. You get the same firehose.
We tracked this directly. Over a six-month period, we catalogued every regulatory publication potentially relevant to our registrations. The count was 287 items across SEC, FINRA, and two state regulators. Of those, roughly 19% required some action on our part, 31% needed to be monitored for further development, and the rest were informational or clearly out of scope. The problem is that the 50% you can safely ignore looks identical to the 50% you cannot, until you read it.
That is the compliance bandwidth trap. Every item looks like it might matter until you determine that it doesn't. And you can only determine that by reading it.
When we calculated honest analyst hours, we found that monitoring each regulatory body we track costs between 8 and 12 analyst hours per week. Not per month. Per week. That includes retrieving publications, logging them, doing initial triage, forwarding relevant items to the right business lines, and documenting the decision trail.
Across four major regulatory bodies, that is roughly 40 hours per week minimum. One full-time position, doing nothing but watching for new rules. In practice, that work is distributed across the team in fragments, which is worse. Fragmented attention is how things get missed.
I have seen triage failure happen in a very specific pattern. An analyst picks up a batch of 30 publications. She starts reading sequentially. By item 15, she is behind on three other open items and slightly fatigued. Items 16 through 22 are routine. Item 23 is the FINRA Notice that actually requires a response within 60 days. She logs it correctly, but the urgency doesn't register because it arrived embedded in a wall of non-urgent material. The deadline surfaces three weeks later during a calendar review. That's not incompetence. That is what volume does to human attention.
The framework we use sorts every incoming publication into one of three buckets before any substantive analysis happens. Not after. The categories are:
Tier 1 — Directly applicable. Final rules, effective date notices, examination priorities, risk alerts that name our registration type or business lines explicitly. These get same-day logging, a responsible analyst assigned within 24 hours, and a response timeline entered into our compliance calendar immediately.
Tier 2 — Monitor. Proposed rules in comment period, concept releases, guidance that may affect our activities depending on how a final rule lands. These go into a watch folder with a 90-day review trigger. We don't act, but we don't ignore them either.
Tier 3 — Informational. Publications that relate to registration types, product structures, or business lines we don't have. Industry context, educational bulletins, guidance addressed to broker-dealers when we are advisory-only. We log these and move on. Minimal time.
The discipline is in the triage, not the analysis. A correct Tier 3 classification saves two hours of analyst time. An incorrect one creates the deadline problem above.
The fastest way to train your team on triage is to anchor the criteria to your specific registrations and business lines. Abstractions don't help. Checklists do.
For an SEC-registered investment adviser, the fast screen is: Does this publication come from the Division of Investment Management or the Office of Compliance Inspections and Examinations? Does it reference the Investment Advisers Act of 1940? Does it mention separately managed accounts, model portfolios, or wrap fee programs if those are your structures? If yes to any, Tier 1 or Tier 2. Otherwise, default to Tier 3 pending a fast read of the subject line and opening paragraph.
For FINRA, similar logic applies. Notices addressed to member firms in your category, regulatory notices with a comment or response deadline, examination findings that name practices you have in place. These are automatic Tier 1. Investor education bulletins, guidance for firms with product lines you don't carry, retrospective enforcement summaries, these are usually Tier 3.
Build the criteria list once, review it annually, and train every new analyst to it before they touch a publication queue. This is not glamorous work. It is the thing that keeps the team from drowning.
Our rhythm is fixed. Every Monday morning, two analysts run the weekly regulatory digest. Fixed time. Fixed format. Two hours maximum. The output is a one-page summary: items received, tier assignments, action items with owners and deadlines, monitor items with next review dates. That document goes to me and the CCO before noon.
The fixed format is non-negotiable. In our experience, open-ended review sessions are where scope creep and rabbit holes live. When every analyst knows the session ends in two hours and the deliverable is a one-pager, the triage instinct sharpens. They are not writing an analysis. They are making sorting decisions.
Escalation works through the same document. If an analyst is unsure about a tier assignment, they flag it. It lands on my desk flagged. I make the call. This prevents the instinct to over-classify to Tier 1 out of anxiety, which would defeat the whole framework.
Honestly, the ritual matters as much as the format. Compliance work that happens ad-hoc, as publications arrive, produces inconsistent outcomes. The weekly anchor creates a predictable cadence that the whole team can orient around.
The question we use internally: Is this a question about what the rule means, or is this a question about what we should do about it?
Interpretation questions, particularly around new final rules with ambiguous application scope, novel guidance on areas where we have limited precedent, or any situation where our practice is potentially inconsistent with a recent examination finding, those go to outside counsel. That is their function.
Implementation questions, workflow adjustments, policy updates, documentation changes, training rollouts, those stay in-house. We are fully capable of executing once we understand the requirement. Paying outside counsel to run implementation is where compliance costs spiral unnecessarily at mid-size firms.
The test takes about 30 seconds and saves thousands of dollars per year. Real talk: most compliance teams at our size use outside counsel too broadly in the early stages and then cut them too aggressively after budget reviews. Neither extreme is right. Narrow scope, specific questions, clear deliverables. That is the right model.
I don't expect our team to double in the next two years. The regulatory volume will not decrease. What we can control is the operating model: disciplined triage, fixed routines, clear escalation paths, and honest decisions about when external expertise earns its cost.
A team of eight managing 340 publications per month is not an anomaly at mid-size financial firms. It is close to the norm. The difference between teams that stay on top of it and teams that don't is almost never headcount. It is whether they have built a system or are just reading everything and hoping nothing slips through.
Hope is not a compliance strategy.
Ruleward monitors regulatory publications across SEC, FINRA, and state regulators and automatically surfaces Tier 1 items by your firm's registration profile. Request a demo to see how it applies to your compliance setup.