The Securities and Exchange Commission’s fiscal year 2026 examination priorities offer financial firms something regulators do not always provide in abundance: a reasonably clear map of where the flashlights are likely to point. The map is not a guarantee, an exemption list, or a magical shield against difficult questions. It is, however, a practical guide to the risks that the SEC’s Division of Examinations believes deserve heightened attention.
For investment advisers, investment companies, broker-dealers, transfer agents, clearing agencies, funding portals, and other market participants, the central message is straightforward. Examiners want to see fiduciary obligations translated into real decisions, compliance policies translated into daily behavior, and new technology governed with something more substantial than enthusiasm and a glossy slide deck.
The 2026 agenda combines familiar priorities (conflicts of interest, investor protection, custody, cybersecurity, fees, sales practices, and compliance program effectiveness) with growing scrutiny of artificial intelligence, operational resilience, privacy safeguards, complex products, private credit, and third-party technology providers. In other words, the basics still matter, but the basics now have algorithms, cloud vendors, and several additional passwords.
What the SEC’s 2026 Examination Priorities Mean
The Division of Examinations released its fiscal 2026 priorities in November 2025 for the federal fiscal year ending September 30, 2026. The Division examines SEC-registered investment advisers, investment companies, broker-dealers, clearing agencies, self-regulatory organizations, and other regulated entities.
The published priorities are not an exhaustive examination checklist. A firm may be reviewed for issues that do not appear prominently in the annual document. Examiners select and scope reviews using additional risk factors, including a registrant’s history, business model, products, client population, disciplinary information, operational changes, tips, complaints, and previous examination findings.
That distinction matters. A firm should not look at an omitted subject and conclude, “Excellent, nobody will ask about that.” Compliance is not a game of regulatory hide-and-seek, and the examiner usually knows where the curtains are.
The Big Picture: Fundamentals With More Digital Wiring
The SEC’s 2026 examination priorities can be organized around several broad themes:
- Investment advisers must demonstrate adherence to their duties of care and loyalty.
- Broker-dealers must support recommendations with a defensible Regulation Best Interest process.
- Funds must align their names, disclosures, portfolio practices, fees, and marketing claims.
- Complex, illiquid, leveraged, alternative, and expensive products require stronger analysis and supervision.
- Cybersecurity, privacy, operational resilience, and vendor oversight remain major examination concerns.
- Artificial intelligence must be inventoried, supervised, tested, accurately described, and used consistently with regulatory obligations.
- Policies must operate in practice rather than simply occupying an attractive binder.
The priorities therefore represent less of a dramatic regulatory reinvention and more of an effectiveness test. The SEC is asking whether firms can prove that their controls work under real conditions, including market volatility, cyber incidents, employee turnover, acquisitions, product expansion, and technology failures.
Investment Advisers: Fiduciary Duty Remains the Main Event
Advice Must Reflect the Client’s Best Interest
Investment adviser examinations will continue to focus on the fiduciary duties of care and loyalty, especially where retail investors are involved. Examiners may review whether an adviser considered the cost, objectives, liquidity, risks, potential benefits, volatility, expected behavior under different market conditions, investment horizon, and exit costs of a recommended strategy or product.
The inquiry is broader than whether an investment was technically permissible. An examiner may ask why a particular product was selected, what alternatives were considered, how the adviser evaluated conflicts, and whether the recommendation remained appropriate as the client’s circumstances changed.
Extra attention may be directed toward alternative investments, private credit, private funds with extended lockups, option-based exchange-traded funds, leveraged or inverse ETFs, strategies involving illiquid assets, and products with higher commissions or expenses than comparable alternatives.
Older Investors and Retirement Savers Receive Special Attention
The SEC has highlighted recommendations made to older investors and people saving for retirement. These investors may be particularly vulnerable to liquidity restrictions, complex return formulas, market volatility, high fees, and products that are difficult to exit.
Firms should be prepared to show how representatives evaluated income needs, time horizon, tax status, risk tolerance, emergency liquidity, concentration, and the investor’s ability to understand and withstand losses. A client signature is useful evidence, but it does not convert a weak recommendation into a strong one.
Conflicts Must Be Managed, Not Merely Mentioned
Examiners may scrutinize revenue sharing, compensation arrangements, account selection, product incentives, affiliated providers, allocation practices, markups, fee structures, and other economic benefits that could influence advice.
A June 2026 SEC risk alert reinforced this concern by discussing examination observations involving economic conflicts of interest. Among other matters, the alert addressed advisers’ written policies, fee and expense disclosures, recommendation incentives, and the accuracy of advisory fee calculations.
Clear disclosure remains essential, but disclosure alone may not be enough. Firms should first determine whether a conflict can be eliminated or reduced. Any remaining material conflict should be described specifically enough for a client to understand how it could affect the adviser’s conduct. A fog bank of legal vocabulary is not the same thing as informed consent.
Compliance Programs Must Match the Actual Business
The SEC will examine the effectiveness of adviser compliance programs in areas such as marketing, valuation, trading, portfolio management, regulatory filings, custody, and disclosures. Annual compliance reviews should address the firm’s current risks rather than repeat last year’s document with a new date and heroic confidence.
Examiners may compare written policies with emails, committee minutes, billing records, trading data, advertising approvals, client files, and employee behavior. They may also test whether identified problems were escalated, corrected, and monitored for recurrence.
Never-examined and recently registered advisers remain priorities. Firms that have entered new businesses, launched private funds, acquired another practice, merged systems, or started advising unfamiliar client or asset categories may also attract attention because growth can create new conflicts and operational gaps.
Investment Companies: Fees, Names, Liquidity, and Governance
Registered investment companies, including mutual funds and ETFs, remain central to the SEC’s investor-protection mission because of their importance to retirement and retail portfolios. Examinations may cover fund compliance programs, board oversight, disclosures, filings, fees, expense waivers, reimbursements, and portfolio management practices.
Examiners may compare a fund’s portfolio with its prospectus, shareholder reports, website, marketing materials, and stated investment strategy. Funds subject to the amended Investment Company Names Rule must also ensure that their names, investment policies, definitions, records, and disclosures satisfy applicable requirements.
Larger fund groups reached the principal amended Names Rule compliance date in June 2026, while smaller fund groups generally have a December 2026 date. Firms should distinguish those substantive requirements from certain Names Rule-related Form N-PORT reporting provisions, whose compliance dates were separately extended in 2026.
Additional areas of interest include fund mergers, complex or novel strategies, leverage vulnerabilities, closed-end funds with significant illiquid holdings, valuation controls, and conflicts arising during business combinations or portfolio transitions.
Broker-Dealers: Regulation Best Interest Under the Microscope
Broker-dealer examinations will continue to cover financial responsibility requirements, including net capital, customer protection, financial reporting, liquidity controls, and the reliability of records produced by outside vendors.
Retail sales practices remain especially important. Examiners may evaluate whether a broker-dealer’s recommendations comply with Regulation Best Interest, whether Form CRS is accurate, and whether conflicts are properly identified, disclosed, mitigated, or eliminated.
Complex and Tax-Advantaged Products Require Better Documentation
Products likely to receive attention include variable annuities, registered index-linked annuities, municipal securities, 529 college savings plans, private placements, structured products, alternative investments, ETFs holding illiquid assets, and products with complicated fees, unusual benchmarks, or difficult return calculations.
Examiners may ask whether representatives considered reasonably available alternatives and whether supervisors evaluated the customer’s age, financial situation, tax status, liquidity needs, objectives, experience, and risk tolerance. Recommendations involving retirement rollovers, brokerage-to-advisory conversions, margin accounts, options accounts, and self-directed IRAs may also be reviewed.
Dual registrants face an additional challenge because the same professional may operate under different standards, compensation systems, and account types. Firms need a clear process for determining why brokerage or advisory treatment is appropriate and how financial incentives were controlled.
Cybersecurity and Operational Resilience Remain Perennial Priorities
The SEC continues to regard cybersecurity as a recurring examination priority. Examiners may assess governance, access controls, account management, data-loss prevention, ransomware readiness, incident response, backup procedures, recovery capabilities, employee training, and protection of customer records and assets.
Operational resilience extends beyond preventing a breach. A firm must also consider how it would continue critical services during a cloud outage, weather emergency, vendor failure, telecommunications disruption, geopolitical event, or ransomware incident. A business continuity plan that assumes electricity, internet access, personnel, and every major vendor will remain available is less a plan and more a wish.
Vendor Oversight Is Now Part of the Firm’s Own Risk Story
Financial firms increasingly depend on portfolio systems, custodial integrations, cloud platforms, communications tools, data providers, cybersecurity vendors, and outsourced operational services. Examiners may review vendor due diligence, contract provisions, access permissions, incident-notification terms, ongoing monitoring, data disposal, and contingency arrangements.
Management should know which vendors store sensitive information, which services are mission-critical, who can access client accounts, and how the firm would operate if a provider became unavailable. “The vendor handles that” is not a complete control description.
Regulation S-ID and Regulation S-P
Identity-theft controls under Regulation S-ID remain relevant, particularly for detecting account takeovers, fraudulent transfers, unusual credential changes, and other red flags. Firms should maintain an appropriately designed written identity-theft prevention program and train employees to recognize suspicious activity.
The amended Regulation S-P requirements also receive substantial attention. Covered institutions must maintain safeguards and incident-response procedures addressing unauthorized access to or use of customer information, including notification processes where required. Larger entities generally reached their compliance date in December 2025, and smaller entities reached theirs in June 2026. By this point, examiners can reasonably expect implementation rather than a calendar reminder and a hopeful expression.
Artificial Intelligence: Innovation Does Not Cancel Supervision
The 2026 priorities expand the SEC’s focus on automated investment tools, trading algorithms, artificial intelligence, alternative data, fraud detection systems, back-office automation, anti-money-laundering technology, and other emerging financial technologies.
Examiners may ask whether public statements about AI capabilities are fair and accurate. A firm describing a service as “AI-powered,” “predictive,” or “intelligent” should be able to explain what the technology actually does. Marketing language should not outrun the product by three city blocks.
Firms may also need to demonstrate that:
- AI systems and automated tools have been inventoried.
- Responsible owners and approval processes have been assigned.
- Input data is appropriate, secure, and sufficiently reliable.
- Outputs are tested and subject to meaningful human supervision.
- Recommendations remain consistent with investor profiles and stated strategies.
- Model changes, errors, overrides, and exceptions are documented.
- AI-generated communications pass applicable advertising, recordkeeping, privacy, and supervisory controls.
- Cybersecurity training addresses AI-enabled phishing, impersonation, and polymorphic malware.
The practical lesson is that AI is neither forbidden nor magical compliance fairy dust. It is another business tool, and the firm remains responsible for what the tool produces, how it is described, and how it affects investors.
Other Market Participants Are Also in Scope
The 2026 priorities extend well beyond advisers and broker-dealers. Clearing agencies may be examined for financial resources, default management, credit risk, operational controls, margin practices, settlement risk, and remediation of previous findings.
Municipal advisers may face reviews of fiduciary obligations, conflicts, documentation, professional qualifications, supervision, recordkeeping, and compliance with applicable Municipal Securities Rulemaking Board standards.
Transfer agents may be examined for safeguarding assets, processing transfers, record retention, regulatory filings, emerging technology, and Regulation S-P compliance. Funding portals may face questions about investor funds, third-party arrangements, required records, privacy safeguards, and the design of their compliance procedures.
Security-based swap dealers and execution facilities remain subject to scrutiny involving transaction reporting, capital, margin, segregation, risk management, trading surveillance, operational risk, and correction of previously identified deficiencies. The SEC will also continue oversight of FINRA, securities exchanges, Regulation SCI entities, and applicable anti-money-laundering programs.
What the 2026 Priorities Do Not Emphasize
Unlike some previous examination agendas, the fiscal 2026 document does not include a separate section devoted to crypto assets. It also does not present private fund advisers as a stand-alone category.
Those omissions should be interpreted carefully. Crypto-related activity may still be examined through custody, disclosure, fiduciary duty, valuation, advertising, cybersecurity, recordkeeping, or other applicable requirements. Private fund issues appear throughout the priorities, particularly in discussions of private credit, extended lockups, valuation, allocations, side-by-side management, new fund launches, fees, liquidity, and differential treatment of investors.
A topic can leave the headline without leaving the examination room.
A Practical SEC Examination Readiness Plan
- Map the priorities to the business. Identify which products, client groups, technologies, vendors, compensation systems, and operational changes create the firm’s greatest exposure.
- Test evidence instead of admiring policies. Sample client files, recommendations, fees, advertisements, access logs, vendor reviews, trade allocations, incident records, and employee communications.
- Review conflicts product by product. Document compensation, revenue sharing, affiliated relationships, fee differences, allocation incentives, rollover benefits, and reasonably available alternatives.
- Inventory AI and automated tools. Include official systems, vendor features, pilot projects, employee-created tools, and generative AI used for client or marketing content.
- Run incident and outage exercises. Test cyber response, customer notification, vendor escalation, backup access, communications, and recovery of mission-critical services.
- Update the annual compliance review. Connect testing results to actual changes in the business, assign responsible owners, set deadlines, and verify remediation.
- Conduct a mock examination. Practice producing documents promptly, answering questions accurately, tracking requests, escalating concerns, and explaining the rationale behind key decisions.
Experience-Based Lessons From SEC Examination Preparation
The following composite examples reflect recurring lessons seen in examination-readiness projects. They do not describe any single firm, but they illustrate how an apparently respectable compliance program can develop uncomfortable squeaks when someone begins opening the doors.
Consider a mid-sized investment adviser that has recently acquired two smaller practices. Its policy manual is polished, its chief compliance officer is experienced, and its annual review says the right things. During a mock examination, however, the team discovers that the acquired offices use different fee schedules, different client-risk questionnaires, and different methods for documenting rollover recommendations. One office also continues to use an old marketing presentation containing performance figures that the central compliance department has never approved.
The problem is not that the firm lacks policies. The problem is that operational integration has not caught up with corporate integration. A useful response would include centralized billing tests, revised supervisory procedures, consistent client documentation, updated advertising controls, employee retraining, and a written remediation record. Examiners generally find a documented problem with credible corrective action more reassuring than a firm that insists everything is perfect while the spreadsheets quietly disagree.
In another common scenario, a broker-dealer has strong written Regulation Best Interest procedures but weak evidence of how representatives considered alternatives. Files contain product brochures, customer signatures, and generic statements that a recommendation was “suitable and in the client’s best interest.” What they do not contain is an explanation of why a high-cost or illiquid product was preferable to simpler alternatives for a retiree who may need access to cash.
The practical fix is not to create a 47-page form that employees will complete by copying yesterday’s answer. Better documentation asks targeted questions about cost, liquidity, surrender restrictions, tax consequences, risk, time horizon, alternatives, and compensation. Supervisors should challenge inconsistent answers and record the basis for approval.
Technology reviews frequently produce a different surprise: the compliance department knows about the firm’s official AI platform, but not about the browser-based generative AI tools employees use to summarize research, draft client emails, or prepare marketing content. That creates possible confidentiality, accuracy, supervision, advertising, and recordkeeping problems. An effective AI inventory therefore begins with actual employee behavior rather than the software listed in the technology budget.
Cybersecurity exercises offer another valuable lesson. A firm may have an incident-response plan that assigns every important decision to a chief information officer who happens to be unavailable during the simulation. The backup contact cannot access the vendor list, legal counsel is unsure when customer notification analysis begins, and the communications team drafts a statement before anyone has confirmed what data was affected. A tabletop exercise exposes those gaps cheaply. A real breach exposes them loudly.
Finally, examination readiness is partly an organizational skill. Successful teams establish one intake channel for document requests, preserve original files, maintain a response log, assign knowledgeable reviewers, and answer only after confirming the facts. They avoid guessing, volunteering contradictory explanations, or sending an enormous data dump without context. Promptness matters, but accuracy matters more.
A practical 90-day readiness effort might begin with a risk assessment and document inventory, move into testing of fees, recommendations, advertising, cybersecurity, privacy, AI, and vendors, and conclude with remediation and a mock request process. The objective is not to manufacture a perfect record. It is to demonstrate a thoughtful program that identifies weaknesses, fixes them, and protects investors while the business continues to operate.
Conclusion
The Securities and Exchange Commission’s 2026 examination priorities reward firms that can connect obligations, controls, evidence, and investor outcomes. Fiduciary duty, Regulation Best Interest, fees, conflicts, privacy, cybersecurity, operational resilience, complex products, and AI are not isolated compliance islands. They intersect whenever a firm recommends a product, adopts a technology, hires a vendor, acquires a business, or communicates with a client.
The strongest preparation strategy is therefore not a frantic policy rewrite after an examination letter arrives. It is a continuous process of identifying risk, testing controls, correcting deficiencies, documenting decisions, and making sure the firm’s public story matches its operational reality. Examiners may bring the questions, but a well-run firm should already know most of the answers.
Note: This article provides general educational information and does not constitute legal, regulatory, investment, or compliance advice. Firms should evaluate their obligations with qualified counsel and compliance professionals based on their specific activities.
