Reg BI Audit-Readiness Scorecard
An SEC examiner walking a Reg BI exam asks the same kinds of questions across the four obligations: did the firm have the data, did the firm use it, and is the audit trail of the recommendation process structurally documented? This scorecard reads the firm's posture on each obligation, surfaces the weakest, and links every gap to the dataset or checklist that closes it.
What you walk away with
~10 min · 4 categories · 17 items
- A defensibility index across all four Reg BI obligations.
- A radar chart showing where evidence is thinnest (Disclosure vs. Care vs. Conflict vs. Compliance).
- A ranked remediation list — every gap maps to a Wealth Data Set or the Reg BI Audit Data Checklist field that closes it.
- Calibration anchored against published SEC Reg BI sweep findings (2021-2024).
Answer all 17 items to lock in a banded score and unlock the remediation roadmap. Live category scores update as you go.
Disclosure Obligation
Whether the firm makes full and fair disclosure of all material facts relating to the scope and terms of the relationship and conflicts of interest, before or at the time of recommendation.
- Form CRS is current and the firm can prove delivery
Form CRS is filed and current. Delivery is logged per relationship with timestamp. Re-delivery on material change is logged.
- Fee and cost disclosures are captured per recommendation
For each recommendation event, the disclosed fee structure (advisory, transactional, embedded) is captured and reconcilable to the eventual transaction.
- Account-type and service-scope disclosures are documented
Brokerage vs. advisory boundary is disclosed at relationship inception and at any in-flight recommendation that crosses the line.
- IPO / restricted-product disclosures are linked to suitability fields
When the firm offers IPO allocations or restricted products, the disclosure event is captured and reconciled against the client's documented sophistication and risk profile.
Care Obligation
Whether the firm exercises reasonable diligence, care, and skill — investigates the client, evaluates the recommendation, and the result fits the client's profile.
- KYC profile is structurally complete per FINRA Rule 2090
Every relationship has a current risk-tolerance score, time horizon, liquidity needs, investment objectives, experience, and tax status. For senior clients (65+), cognitive flags and a trusted contact person are recorded per FINRA Rule 4512.
- Each recommendation links to the suitability evidence used
Every recommendation event captures the structured rationale: which suitability fields were considered, what the alternative was, and why the recommended path won.
- Rollover recommendations capture the comparative analysis
Every rollover recommendation captures the comparison between the existing plan and the rollover destination — fees, services, investment options — with sources cited.
- Concentration limits are evaluated and logged
Pre-recommendation, the system evaluates single-position concentration, sector concentration, and account-level liquidity exposure. Both the check and its result are logged.
- Senior-client recommendations get heightened supervision
Recommendations to clients age 65+ trigger a supervisory review event with timestamp, reviewer identity, and outcome.
Conflict of Interest Obligation
Whether the firm establishes, maintains, and enforces written policies and procedures reasonably designed to identify, disclose or eliminate, and mitigate conflicts of interest.
- A written conflict inventory exists and is reviewed annually
The firm has a current, written inventory of all material conflicts (proprietary products, revenue sharing, third-party payments, employee compensation structures). It's reviewed annually and on material change.
- RR / IAR compensation conflicts are captured at recommendation time
The recommending representative's compensation structure is disclosed when material to the recommendation. The disclosure event is logged.
- Sales contests and quotas are structurally prohibited or mitigated
The firm either prohibits product-specific sales contests or has documented mitigation (cap on incentive-driven recommendations, supervisory review, post-hoc audit).
- Proprietary-product recommendations are flagged
When a recommendation is for a proprietary or revenue-sharing product, the event is structurally flagged and additional supervisory review fires.
Compliance Obligation
Whether the firm maintains written policies and procedures, surveillance, training, and supervisory controls that operationalize Reg BI day-to-day.
- Written supervisory procedures are current and Reg BI-specific
WSPs name Reg BI explicitly, tie each obligation to a control, and were updated within the last 12 months.
- Surveillance covers the full recommendation universe
Automated surveillance reviews recommendations across all channels (advisor, digital, hybrid). Coverage gaps are documented and remediated.
- Reg BI training is documented and on cadence
Every covered employee has documented Reg BI training within the last 12 months. New-hire onboarding includes Reg BI.
- Reg BI exceptions are logged, reviewed, and remediated
When the firm makes a recommendation that's an exception to standard policy, the exception is logged, reviewed by a supervisor, and either remediated or documented as approved.
Banded score reference
Findings Likely
0–35%: Multiple Reg BI obligations have structural gaps. An SEC examination would surface findings the firm cannot defend from the data alone.
Next step: Stand up the Reg BI audit-data schema; bundle with the Reg BI Suitability Audit Pack.
Findings Possible
35–60%: Core obligations are covered but evidence is uneven. An exam would likely produce findings on at least one obligation.
Next step: Close the lowest-scoring obligation first; the remediation list ranks them.
Defensible
60–85%: All four obligations have structured evidence. Most exam questions can be answered from the recommendation event log alone.
Next step: Rehearse the auditor walkthrough; tighten exception-handling and senior-supervision.
Audit-Ready
85–100%: Reg BI is operationalized end-to-end. Surveillance, training, evidence packaging, and exception handling are all version-pinned and reviewable.
Next step: Operate the steady-state. Re-run the scorecard semi-annually to detect drift.
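As an added example (not code from the scorecard or its vendor), the scoring logic described above, written in Python. It assumes equal item weights, a category score equal to the share of items evidenced, the index as the unweighted mean of the four categories, and lower-inclusive band edges; item labels are shortened from the scorecard.

```python
from typing import Dict, List, Tuple

# Items per obligation, shortened from the scorecard (17 in total).
OBLIGATIONS: Dict[str, List[str]] = {
    "Disclosure": ["Form CRS delivery provable", "Fee/cost disclosures per recommendation",
                   "Account-type/service-scope disclosures", "IPO/restricted-product disclosures"],
    "Care": ["KYC profile complete (FINRA 2090)", "Recommendation links to suitability evidence",
             "Rollover comparative analysis", "Concentration limits logged",
             "Senior-client heightened supervision"],
    "Conflict": ["Written conflict inventory", "Rep compensation conflicts captured",
                 "Sales contests prohibited/mitigated", "Proprietary-product flag"],
    "Compliance": ["WSPs Reg BI-specific", "Surveillance covers all channels",
                   "Training on cadence", "Exceptions logged and reviewed"],
}

# Band floors from the banded score reference, highest first (lower-inclusive, assumed).
BANDS: List[Tuple[int, str]] = [(85, "Audit-Ready"), (60, "Defensible"),
                                (35, "Findings Possible"), (0, "Findings Likely")]


def category_scores(answers: Dict[str, bool]) -> Dict[str, float]:
    """Percent of items evidenced per obligation. Refuses to score until every
    item is answered, mirroring the page: the band only locks in at 17 of 17."""
    scores: Dict[str, float] = {}
    for obligation, items in OBLIGATIONS.items():
        missing = [i for i in items if i not in answers]
        if missing:
            raise ValueError(f"unanswered items in {obligation}: {missing}")
        scores[obligation] = 100.0 * sum(answers[i] for i in items) / len(items)
    return scores


def defensibility_index(scores: Dict[str, float]) -> float:
    """Unweighted mean of the four obligation scores (assumed weighting)."""
    return sum(scores.values()) / len(scores)


def band(index: float) -> str:
    """Map an index (0-100) to its band label."""
    return next(label for floor, label in BANDS if index >= floor)


def remediation_list(answers: Dict[str, bool],
                     scores: Dict[str, float]) -> List[Tuple[str, str]]:
    """Unevidenced items, ranked so the weakest obligation comes first (ties keep
    scorecard order), which is how the page says the roadmap orders gaps."""
    weakest_first = sorted(OBLIGATIONS, key=lambda o: scores[o])
    return [(o, i) for o in weakest_first for i in OBLIGATIONS[o] if not answers[i]]
```

Each remediation entry is the obligation and the item to close; the page maps each item to a Wealth Data Set or Reg BI Audit Data Checklist field, which a caller would attach here.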
Key takeaways
- Care Obligation is where most firms fail — not because they lack KYC data, but because the recommendation event log doesn't link suitability fields to the recommendation outcome.
- Disclosure findings are usually about delivery proof, not the disclosure itself. If the firm can't prove the client received Form CRS, the firm has a finding.
- Conflict findings are increasingly about mitigation evidence — a written policy is necessary but not sufficient.
- Compliance findings concentrate on surveillance gaps. If a recommendation channel exists outside surveillance, examiners will find it.
FAQ
Is this scoped to broker-dealers only?
Reg BI applies to broker-dealers and their associated persons, but dual-registrants and hybrid firms increasingly use Reg BI patterns for the brokerage side of their business. RIAs operating under the fiduciary standard can use the scorecard structurally — the obligations map cleanly to the IA fiduciary framework.
What if the firm uses a third-party recommendation engine?
The firm is responsible regardless of the source. Score the obligations as if the engine is part of your evidence. If the engine vendor can't produce the recommendation rationale per event, that's a Care Obligation gap — and a vendor-management gap.
How often should we re-run this?
Quarterly while gaps exist; semi-annually once Audit-Ready. Always re-run after a major SEC enforcement action in the firm's product line — sweep findings shift the bar.