From Forecast to Reality: Practical Interpretation of the SEC’s 2026 Exam Priorities for RIAs and Broker-Dealers
The SEC's 2026 Exam Priorities confirm a shift that Compliance Risk Concepts (CRC) anticipated in our earlier analysis [KW1] of what 2026 would bring: after several years of rapid rulemaking and high-profile enforcement, the Division of Examinations is re-centering its program around foundational regulatory risks, and applying them through a modern lens shaped by evolving technology and product complexity.
Fiduciary conduct, Reg BI, trading practices, valuation, cybersecurity, operational resiliency, and AML form the spine of the 2026 agenda. What is relatively novel is the expectation that firms demonstrate credible governance, conflict management, and operational discipline in these areas, supported by documentation, testing, and cultural accountability.
The SEC’s Priorities reflect a continuation, and intensification, of the Commission’s risk-based regulatory philosophy. This year’s priorities reveal how the SEC intends to weave technology governance, cybersecurity, AML/CFT expectations, conflict-of-interest oversight, and retail-investor protections into the heart of every exam module. For registered investment advisers and broker-dealers, this integrated lens signals a year in which operational transparency, data stewardship, and the real-world effectiveness of compliance programs will matter more than ever.
The SEC frames exams in 2026 around the interconnectedness of modern financial infrastructures. Cybersecurity impacts vendor oversight; vendor oversight impacts safeguarding and Reg S-P; safeguarding affects marketing, trading, advisory recommendations, and client communications. The Commission is no longer treating risk domains as isolated silos. Instead, the Division of Examinations is applying a holistic approach in which technology, operations, conflicts, and investor protection inform the overall exam approach. This shift has direct implications for RIAs and BDs navigating complex products, digital systems, multi-vendor environments, and a rapidly expanding landscape of regulatory expectations.
For investment advisers, fiduciary duty remains a foundational focus. Examiners will scrutinize how advisers evaluate product costs and characteristics, especially when complex, illiquid, or alternative products are deployed in retail or retirement accounts. The SEC will expect advisers to demonstrate that they have assessed liquidity, volatility, redemption limitations, embedded leverage, and exit costs, and that these considerations are clearly documented. Conflicts of interest remain a core theme, whether tied to compensation structures, revenue-sharing, affiliated custodians or broker-dealers, soft-dollar arrangements, or the use of third-party service providers who may touch client data or influence product availability.
Advisers that have merged with or acquired other advisory firms also appear prominently in the priorities for 2026. The SEC acknowledges that RIA consolidation can create operational strain, integration risk, inconsistent policies, and new conflicts. These conditions tend to expose weaknesses in compliance programs, making these firms likely exam targets. Likewise, dual registrants and firms relying on third-party access to client accounts will be asked to demonstrate clear supervisory structures, conflict mitigation, and documentation supporting the separation (or integration) of advisory and brokerage services.
The SEC devotes significant attention to the effectiveness of adviser compliance programs. Examiners will evaluate whether written policies reflect the firm’s actual business model rather than generic templates or outdated frameworks. Marketing practices remain under scrutiny, including the use of hypothetical performance, testimonials and endorsements, third-party ratings, and digital advertising. Trading, valuation, custody, disclosures, and the accuracy of Form ADV are all part of the SEC’s continuing effort to ensure that advisers not only maintain policies but operationalize them.
Firms newly registered or never examined will receive heightened exam coverage. The SEC’s risk calculus continues to prioritize registrants experiencing rapid growth, launching new business lines, adopting digital engagement tools, or implementing automated investment processes. These firms often lack mature compliance infrastructures and benefit most from targeted gap analyses and mock exams before the SEC arrives.
Broker-dealers will also face intensified scrutiny across familiar areas: financial responsibility rules, customer protection, net capital, prime brokerage relationships, sweep-account practices, liquidity management, and vendor oversight. The Division will explore the operational controls underpinning these requirements, paying particular attention to firms relying heavily on external service providers.
Trading practices and market conduct remain a major focus for broker-dealer examinations, particularly in the context of fixed income and municipal securities trading, best execution, order routing, ATS operations, and the offering of complex or illiquid products. The SEC continues to highlight the importance of accurate and transparent disclosures regarding trading practices and routing arrangements.
Regulation Best Interest is again a centerpiece of the broker-dealer exam program for 2026. The Commission will review rollover recommendations, alternative-investment sales practices, structured products, and other illiquid or high-risk instruments. Dual registrants, remote supervisory structures, and revenue-sharing arrangements will receive elevated scrutiny. Examiners will expect broker-dealers to maintain thorough documentation of investor profiling, alternatives considered, comparative analysis, and the rationale supporting recommendations, particularly for retirement accounts or vulnerable investor populations.
Across both RIAs and BDs, the SEC has firmly embedded cybersecurity, technology governance, and data-protection expectations into mainstream exam practice. Regulation S-P, now strengthened by the amended Safeguards and Disposal rules, as well as Regulation S-ID, are central components of the 2026 priorities. The SEC will examine whether firms have conducted data mapping, implemented classification frameworks for sensitive and nonpublic client information, conducted vendor risk assessments, maintained adequate incident-response plans, and documented their operational implementation. Evidence of monitoring, logging, access controls, encryption, MFA, identity-verification procedures, and incident-response testing will be standard exam artifacts.
Firms leveraging emerging technologies (automated investment engines, predictive analytics, alternative data, algorithmic trading tools, or AI-assisted platforms) should expect examiners to evaluate the accuracy of any statements made about technology, the controls applied to these systems, and the conflicts that may arise from their use. These reviews will also consider the risks that automation may pose for seniors, vulnerable clients, or investors with limited financial sophistication.
The SEC’s 2026 AML/CFT priorities largely reaffirm the key elements emphasized in 2025, particularly for broker-dealers. Examiners will focus on whether AML programs are adequately tailored to firms’ specific risk profiles, moving beyond templates and generic checklists to demonstrate effective risk-based implementation. Reviews will assess the sufficiency of AML risk assessments, the quality and rigor of independent testing, and the effectiveness of Customer Identification Program. The SEC also highlighted a continued focus on the accuracy, timeliness, and completeness of required filing, including SARs, as well as the operation of OFAC controls and transaction-monitoring systems.
Although advisers have traditionally had more limited AML obligations, and FinCEN’s RIA AML Rule has been deferred until 2028, the Commission’s sustained emphasis on financial-crime prevention and beneficial-ownership transparency indicates that firms should revisit internal policies, onboarding processes, and cross-functional risk-management practices.
In this environment, firms preparing for 2026 examinations should begin with a refresh of their compliance risk assessment to account for private fund exposure, alternative and complex products, business growth through mergers and acquisitions, technology dependencies, data flows, and digital engagement tools. A targeted, priority-aligned gap analysis is often the most efficient next step, enabling firms to map their operations to the SEC’s risk framework. Documentation will be essential, ranging from alternatives comparisons and rollover rationales to vendor reviews, cyber-testing evidence, and marketing-material approvals. Firms should also confirm that compliance programs reflect real practice rather than aspirational descriptions.
Technology governance deserves particular attention. Firms should revisit vendor due-diligence processes, incident-response frameworks, Reg S-P Safeguards readiness, and data-mapping inventories. Policies should be clear, accurate, and implementable: firms must be able to demonstrate how each policy is executed through controls, workflows, and monitoring.
Mock examinations remain one of the most effective tools to prepare for the Division’s 2026 approach, particularly for newly registered advisers, hybrid firms, those involved in M&A, and broker-dealers offering alternative investments or operating in remote supervisory environments.
As always, CRC is well-positioned to help firms navigate the SEC’s expectations, whether through gap analyses, mock exams, Reg S-P and cybersecurity implementation support, marketing and Reg BI testing, AML program development, vendor-oversight playbooks, RIA M&A integration support, or broader compliance-program modernization efforts.
The 2026 exam cycle makes one point exceptionally clear: the SEC expects firms to demonstrate operational resilience, clear conflict management, high-quality data and technology governance, and a compliance program that meaningfully reflects how the business actually functions. Firms that proactively align their internal frameworks with these expectations will not only withstand regulatory scrutiny, but strengthen their governance, investor protections, and long-term operational stability.
The SEC’s 2026 Examination Priorities reflect a regulatory environment that is changing quickly beneath the surface, even as the exam program appears to return to fundamentals. What stands out is how closely these priorities align with the trends CRC has been tracking across enforcement actions, risk alerts, rulemakings, and market behavior over the past year.
Our early observations around the durability of the core risk areas are reflected throughout the SEC’s 2026 priorities, which continue to anchor examinations in these foundational themes, despite broader political and regulatory shifts. The Commission’s heightened attention to private funds, alternative products, and complex ETFs also tracks with the trends that we have seen across clients navigating product complexity, market pressures, and conflict oversight. Similarly, the SEC’s emphasis on cyber governance, vendor oversight, and the amended Reg S-P rule aligns with developments we have been monitoring closely, including the expectation that incident response planning and identity theft programs become elemental within the exam framework. The integration of technology and AI across suitability, AML, trading, fraud, and marketing risks further reflects a broader reality; these tools now influence governance across the entire compliance lifecycle.
This alignment is less about prediction and more about perspective: our work sits at the intersection of regulatory evolution, operational realities, and emerging risk. That vantage point consistently allows us to see where the regulatory focus is heading before the priorities are formally published, and to prepare our clients accordingly.
For our clients, the alignment between CRC’s early analysis and the SEC’s finalized priorities translates directly into a service advantage. Our strength is not prediction for prediction’s sake; it is the ability to recognize emerging regulatory patterns early, interpret how they will be enforced, and operationalize that insight for clients, even before it becomes an exam expectation.
CRC’s value lies in our ability to operate at the point where regulation, risk, and real-world operations intersect. Because we follow regulatory priorities as they take shape through rule proposals, enforcement trends, exam sweeps, public remarks, and global standard-setting, our guidance positions clients for the environment the SEC will examine next, not the one it examined last year. This approach strengthens governance, escalation discipline, documentation, and firmwide accountability long before an exam notice arrives, allowing clients to enter examinations with mature, explainable frameworks that exam teams recognize as credible. It also builds resiliency in areas where most firms remain exposed (cyber oversight, technology governance, private-fund operations, valuation, vendor management, and sanctions compliance) reducing the last-minute scramble that many are now facing as these expectations become not only baseline exam criteria, but client expectation. Most importantly, it helps clients see how these obligations intersect: cyber shaping custody, AI influencing supervision, vendor oversight driving financial-responsibility outcomes, and private-fund practices informing conflicts and valuation. The result is an integrated, durable compliance program designed to withstand the increasing complexity of the regulatory landscape.
The SEC’s 2026 Exam Priorities reflect a return to the fundamentals of fiduciary duty, financial responsibility, and market integrity, combined with a forward-looking focus on technology, operational resiliency, and governance.
For compliance leaders, 2026 is not simply a year of check-the-box preparedness; it is a year to demonstrate that the firm’s culture, governance, and controls meaningfully support client protection, operational integrity, and regulatory obligations in a cohesive, integrated manner.
Compliance Risk Concepts (CRC) stands ready to help firms translate these priorities into a coherent, exam-ready compliance strategy grounded in real-world operations, defensible governance, and practical implementation.
Artificial intelligence has entered the compliance landscape with unusual speed. AI-driven tools now appear across […]
Cybersecurity is often framed as a technological challenge. In practice, for investment advisers, broker-dealers, and […]
Strengthening Compliance Through Independent, Risk-Based Testing Regulatory expectations for investment advisers and broker-dealers continue to […]
Artificial intelligence has entered the compliance landscape with unusual speed. AI-driven tools now appear across […]
Cybersecurity is often framed as a technological challenge. In practice, for investment advisers, broker-dealers, and […]
Strengthening Compliance Through Independent, Risk-Based Testing Regulatory expectations for investment advisers and broker-dealers continue to […]
