Compliance Risk Concepts

What Makes a Great Compliance Testing Program

CRC
December 23, 2025

Foundations, Regulatory Expectations, and 2026 Focus Areas for RIAs and Broker-Dealers

Compliance testing is often framed as a backward-looking obligation, an annual requirement under Rule 206(4)-7 and FINRA Rule 3120, or an examiner-driven exercise. In reality, a well-designed testing program is one of the most forward-looking and strategically valuable components of a firm’s compliance infrastructure. It is where policies are operationalized, risks are validated, and supervisory systems are stress-tested under real conditions.

As SEC and FINRA examinations continue to evolve, the distinction between a check-the-box testing program and a credible one has become increasingly pronounced. Regulators are no longer focused solely on whether testing exists, but on whether it is risk-aligned, evidence-based, repeatable, and capable of driving meaningful remediation.

At CRC, we believe an effective compliance testing program (for both RIAs and broker-dealers) shares a set of core attributes. This piece outlines those attributes and spotlights both the evergreen supervisory challenges and the emerging regulatory pressure points heading into the coming year.

I. The Core Purpose of Compliance Testing

At its foundation, a compliance testing program serves three essential functions:

  • Risk Validation – confirming that the firm’s risk assessment accurately reflects its business, products, and operational realities
  • Control Effectiveness – evaluating whether policies, procedures, and supervisory controls operate as designed
  • Regulatory Defensibility – producing documentation that demonstrates reasonable supervision and good-faith compliance efforts

Programs most vulnerable to regulatory criticism often share common weaknesses: testing that only mirrors policy language rather than workflows, static annual testing that does not evolve with the business, overreliance on employee attestations, or findings that are identified but not remediated or retested. Regulators increasingly view these shortcomings as indicators of weak compliance culture rather than isolated technical failures.

II. What Actually Makes a Testing Program Great

1. Risk-Based, Not Uniform

Effective testing programs are anchored in the firm’s risk assessment, not a generic testing checklist. Higher-risk activities are tested more frequently, more deeply, and with greater skepticism than lower-risk functions.

For RIAs, this often includes portfolio management, trading practices, fee billing, marketing, and custody-related activities. For broker-dealers, focus areas commonly include communications supervision, sales practices (including Reg BI), books and records accuracy, and financial responsibility controls.

A hallmark of a mature program is the ability to clearly articulate why certain areas receive heightened testing.

2. Workflow-Aligned, Not Policy-Driven

Regulators increasingly expect testing to follow actual business processes from start to finish. Testing that simply confirms the existence of policies is no longer sufficient.

Strong programs examine how decisions are made, where approvals occur, how exceptions are handled, and whether escalation mechanisms function in practice. This approach routinely surfaces risks that policy-based testing fails to detect.

3. Evidence-Focused and Reproducible

Testing conclusions must be supported by contemporaneous, reviewable evidence, such as data extracts, reports, reconciliations, screenshots, and annotated samples. Narrative summaries alone are insufficient.

Equally important, testing must be repeatable. Another reviewer (internal or external) should be able to understand the methodology, reproduce the test steps, and reach similar conclusions. Regulators increasingly scrutinize the process behind testing, not just the outcomes.

4. Integrated with Remediation and Retesting

Testing without remediation has little regulatory value. Effective programs include clear ownership of findings, defined remediation timelines, escalation protocols, and retesting to confirm corrective actions. Examiners routinely ask not only what issues were identified, but what changed as a result.

III. Evergreen Testing Challenges That Continue to Matter

Despite evolving regulatory priorities, several testing issues remain perennial sources of regulatory concern:

  • Overreliance on Attestations – Certifications are useful but cannot replace independent, evidence-based testing.
  • Over-Standardization – Uniform testing across disparate business lines undermines risk-based supervision.
  • Lack of Independence – Testing performed exclusively by those responsible for the activity raises objectivity concerns, even at smaller firms.

These themes frequently appear in deficiency letters and enforcement actions across both RIAs and broker-dealers.

IV. 2026 Regulatory Focus Areas Impacting Testing Programs

Looking ahead, SEC and FINRA commentary, risk alerts, and enforcement trends suggest heightened scrutiny in several areas that will require more sophisticated testing approaches:

Communications and Off-Channel Activity
Testing expectations now extend beyond written prohibitions to evidence of monitoring, surveillance, and enforcement, particularly in BYOD and electronic messaging environments.

Marketing, AI, and Technology Governance
As firms deploy AI-enabled tools, regulators are focused on oversight of automated outputs, accuracy of disclosures, and governance around model use and limitations. Testing programs must evolve accordingly.

Books, Records, and Filing Accuracy
FINRA continues to emphasize that inaccurate books and records directly lead to inaccurate regulatory filings. Testing increasingly targets reconciliation processes and data integrity controls.

Vendor Oversight
Firms are expected to test not only internal controls, but also oversight of third-party service providers, particularly where critical functions or sensitive data are involved.

V. Testing as a Management Tool

The most effective firms treat compliance testing as a management tool rather than simply a regulatory obligation. Testing results inform staffing decisions, technology investments, training priorities, and strategic growth. Findings are reported to senior leadership, integrated into risk assessments, and used to shape annual compliance planning.

This approach aligns closely with regulator expectations and materially improves examination outcomes.

How Compliance Risk Concepts (CRC) Can Assist

CRC supports RIAs, broker-dealers, and dual registrants in building and executing compliance testing programs that are defensible, scalable, and aligned with regulatory expectations.

Our services include:

  • Risk-based testing program design tailored to firm size and business model
  • Independent Rule 206(4)-7 and FINRA Rule 3120 testing with examiner-ready documentation
  • Targeted gap analyses focused on high-risk areas such as marketing, communications, custody, Reg BI, and vendor oversight
  • Remediation planning and retesting support
  • Ongoing testing frameworks that evolve with regulatory change and business growth

By serving as an independent testing partner or augmenting internal compliance resources, CRC helps firms move beyond check-the-box reviews toward testing programs that strengthen supervision, support governance, and withstand regulatory scrutiny.
