Utah RIA Compliance Framework

1 Executive Summary

Utah’s RIA compliance regime directly incorporates SEC standards through Rule R164-5-1, making federal compliance best practices mandatory for state-registered advisers. This framework optimizes ECIC’s compliance approach while preparing for growth and SEC transition.

Key Finding: Utah Rule R164-5-1 states that advisers “shall make, maintain and preserve books and records in compliance with SEC Rule 204-2” - making our current SEC-based framework appropriate, not over-compliance.

2 Utah Regulatory Framework

2.1 Governing Authorities

  • Primary Regulator: Utah Division of Securities (Department of Commerce)
  • Legal Foundation: Utah Uniform Securities Act (Title 61, Chapter 1)
  • Administrative Rules: Utah Code R164 (Securities)
  • Federal Integration: Direct adoption of SEC rules by reference

2.2 Fiduciary Duty Standard

Utah maintains the overarching fiduciary duty requiring advisers to:

  • Act in clients’ best interests
  • Maintain duty of care and loyalty
  • Justify all actions as consistent with fiduciary obligations

Recent Example: August 2025 - Division removed hourly fee caps but increased scrutiny of “reasonable” fees during examinations.

3 Core Compliance Obligations

3.1 1. Registration & Disclosure (Form ADV)

Utah Requirement: Filed via IARD system with federal standards

| Component | Utah Requirement | Action Required |
|---|---|---|
| Form ADV Part 1 | Annual amendment within 90 days of fiscal year-end | Automated reminder system |
| Form ADV Part 2A | Material changes filed “promptly” | Change detection process |
| Form ADV Part 2B | Individual adviser supplements | Current for all IARs |
| Client Contracts | Written contracts required by Utah Uniform Securities Act | Template alignment verification |

Critical Issue: A mismatch between Form ADV fee schedules and client contracts is the most common examination deficiency.

3.2 2. Custody Requirements (Rule R164-2-2)

Custody Triggers:

  • Direct holding of client funds/securities
  • Authority to obtain possession
  • Hidden trigger: Possessing client login credentials = custody

If ECIC Has Custody:

  - [ ] Qualified custodian maintenance
  - [ ] Quarterly client statements (direct from custodian)
  - [ ] Annual surprise examination by independent CPA
  - [ ] Audited balance sheet filed within 90 days of fiscal year-end

3.3 3. Cybersecurity Requirements

Utah Standard: Written cybersecurity policy required

Best Practice Standard: SEC Regulation S-P model (recommended by Division)

Required Components:

  - [ ] Written Incident Response Program
  - [ ] Client notification within 30 days of breach determination
  - [ ] Vendor due diligence and monitoring
  - [ ] Regular testing and CCO oversight

3.4 4. Annual Requirements

  • License Renewal: Payment due mid-December ($40 RIA + $30 per IAR)
  • IAR Continuing Education: 12 hours annually (6 products/practices + 6 ethics)
  • Form ADV Annual Amendment: Within 90 days of fiscal year-end

4 Record-Keeping Compliance Matrix

4.1 Utah Rule R164-5-1 = SEC Rule 204-2

Direct adoption means federal standards are Utah requirements.

| Record Category | SEC Requirement | Retention Period | ECIC Status | Action Required |
|---|---|---|---|---|
| Financial Records | Journals, ledgers, bank statements | 5 years (2 on-site) | Compliant | Monthly reconciliation |
| Trade Records | Order memoranda, execution details | 5 years (2 on-site) | Automated | Verify trade blotter archive |
| Client Communications | All written communications | 5 years (2 on-site) | Automated | Email archival system active |
| Advertising | All marketing to 2+ persons | 5 years from last use | Compliant | Central advertising file |
| Disclosure Documents | Form ADV, contracts, delivery dates | 5 years from last use | 🔍 Audit needed | CRM delivery tracking |
| Code of Ethics | Code + violations + acknowledgements | 5 years from last effective | 🔍 Audit needed | Annual attestations |
| Personal Trading | Access person transactions/holdings | 5 years from report | 🔍 Audit needed | Quarterly review system |

4.2 Off-Channel Communications Risk

High Priority: SEC enforcement actions for unapproved messaging platforms

Required Controls:

  - [ ] Written policy prohibiting personal messaging for business
  - [ ] Annual training and attestations
  - [ ] Periodic surveillance of approved channels
  - [ ] Documented disciplinary procedures

5 Examination Readiness Framework

5.1 Utah Division Examination Process

  1. Pre-Exam: Document request list (often advance notice)
  2. On-Site: CCO interview, premises tour, document review
  3. Post-Exam: Additional requests continue for weeks
  4. Resolution: No action letter or deficiency letter with required response

5.2 Primary Examination Focus Areas

| Area | Common Deficiencies | ECIC Preparedness |
|---|---|---|
| Policies & Procedures | Generic manual not tailored to business | Customized manual |
| Form ADV Accuracy | Discrepancies between ADV and actual practices | 🔍 Verification needed |
| Client Files | Missing contracts, suitability docs, delivery records | 🔍 File audit required |
| Billing Practices | Fee calculation errors, unreasonable fees | 🔍 Sample verification needed |
| Record Keeping | Inadequate client suitability documentation | Hooks system compliant |

5.3 Exam-Ready Best Practices

6 Scaling Strategy & AUM Thresholds

6.1 State to Federal Registration Transition

| AUM Level | Registration Status | Required Action | ECIC Strategy |
|---|---|---|---|
| Under $90M | Utah mandatory | Maintain state compliance | Perfect Utah framework |
| $90M - $100M | Utah mandatory | Prepare for SEC transition | Draft SEC-level policies |
| $100M - $110M | Eligible for SEC | Optimal transition window | Proactive SEC registration |
| Over $110M | SEC mandatory | Must register within 90 days | Mandatory compliance |

6.2 Multi-State Expansion Framework

De Minimis Rule: Up to 5 clients per state without registration (no in-state office)

ECIC Multi-State Strategy:

  1. Client Tracking: CRM system tracks all client state residency
  2. Internal Trigger: Begin registration process with 4th client in new state
  3. Proactive Registration: Complete before 5th client triggers requirement
  4. Most Restrictive Standard: Adopt highest compliance standard across all states

7 Immediate Implementation Priorities

7.1 High Priority (Next 30 Days)

7.2 Medium Priority (60-90 Days)

7.3 Ongoing Monitoring

8 Integration with Existing Systems

8.1 Hooks Data Catalog Compliance

  • Electronic Records: DuckDB system meets SEC Rule 204-2(g) requirements
  • Communication Archival: Gmail metadata capture (180 days rolling)
  • Audit Trail: Complete execution tracking for compliance verification
  • 🔍 Missing: Personal trading pre-clearance and reporting system

8.2 LACRM CRM Integration

  • Client Contracts: Storage and version control
  • Disclosure Delivery: Date tracking capability
  • 🔍 Enhancement Needed: Suitability information documentation
  • 🔍 Enhancement Needed: Billing calculation verification

This framework positions ECIC for sustainable growth while maintaining Utah compliance excellence and preparing for federal registration transition.