Table of Contents
- Why the 2026 priorities matter
- Investment advisers: the SEC still cares deeply about fiduciary duty
- Investment companies: mutual funds and ETFs stay on the radar
- Broker-dealers: capital, trading, retail sales practices, and disclosures
- Cybersecurity, operational resiliency, and data protection are now table stakes
- AI and emerging financial technology: no more “trust us, it’s smart” compliance
- Other market participants should not feel left out
- What changed from 2025 to 2026?
- How firms should prepare now
- Practical experiences from the compliance trenches
- Conclusion
The SEC’s 2026 Examination Priorities are not exactly beach reading, unless your ideal vacation includes a highlighter, a compliance manual, and a suspicious amount of coffee. But for investment advisers, broker-dealers, funds, and other market participants, this annual roadmap matters a lot. It signals where exam staff are likely to spend their time, what kinds of questions firms should expect, and where sloppy controls can turn into very expensive headaches.
The big picture for 2026 is clear: the SEC is still focused on investor protection, but the way it talks about risk feels a bit sharper and more practical. The familiar themes remain in place: fiduciary duty, disclosure quality, conflicts of interest, retail investor protection, and strong compliance programs. At the same time, the 2026 priorities give more texture to technology risk, operational resiliency, AI governance, and the way firms manage increasingly complex products. In other words, the SEC still cares about the basics, but the basics now come with algorithms, third-party vendors, ransomware, extended-hours trading, and products that can make even seasoned compliance officers sigh dramatically into their spreadsheets.
This article breaks down what the 2026 examination agenda really means, what changed from the prior year, and how firms can prepare without turning their compliance departments into permanent triage centers.
Why the 2026 priorities matter
The SEC’s Division of Examinations publishes these priorities to show registrants and investors which risks, practices, products, and services appear most likely to draw scrutiny. The report is not exhaustive, and it does not mean every exam will look the same. But it does offer a very useful clue: if a topic made the list, firms should assume it may come up in document requests, interviews, testing, or follow-up questions.
For firms, that means the priorities are less like a crystal ball and more like a weather alert. You do not know exactly where the storm will hit, but you do know it is smart to check the roof, test the backup generator, and stop pretending the leak will fix itself.
Investment advisers: the SEC still cares deeply about fiduciary duty
Investment advisers remain front and center in the 2026 priorities, especially where retail investors are involved. The SEC continues to emphasize the adviser’s duty of care and duty of loyalty, which means exam staff will be looking closely at whether recommendations, disclosures, and practices line up with what fiduciary duty actually requires in real life, not just in theory or in marketing copy polished to a showroom shine.
What the SEC appears most interested in
First, advisers should expect continued scrutiny of conflicts of interest and whether those conflicts influence supposedly impartial advice. The SEC is also focused on how advisers evaluate the total package behind an investment recommendation. Cost, liquidity, volatility, risks, possible benefits, time horizon, special features, and the cost of getting out all matter. Best execution remains very much alive as a priority, too, which means firms need to show not only that they have policies, but that those policies actually drive decisions.
Second, the 2026 priorities pay special attention to certain investment products and recommendations. The SEC points to alternative investments such as private credit and private funds with long lock-up periods, complex products such as option-based ETFs and ETF wrappers on less liquid strategies, and products with higher costs such as rich commissions or unusually high expenses. Translation: if a product is hard to understand, hard to value, hard to exit, or expensive to own, the SEC would like a word.
Third, the Division is signaling a strong interest in how advisers serve older investors and people saving for retirement. That focus is paired with scrutiny of advisers working across multiple client types and structures, especially advisers to private funds that also manage separately managed accounts or newly registered funds. The SEC is clearly sensitive to allocation favoritism, side letter issues, fee disclosures, liquidity management, and whether advisers are stepping into unfamiliar asset classes or structures without enough regulatory muscle memory.
Compliance programs are not background scenery
The 2026 priorities also reinforce that an adviser’s compliance program must be more than a decorative binder. The SEC is interested in whether policies and procedures are actually implemented and enforced, whether annual reviews are meaningful, and whether core areas such as marketing, valuation, trading, portfolio management, filings, disclosures, and custody are addressed in a way that matches the firm’s real operations.
That matters especially for advisers that have changed business models, merged, expanded into new services, or started advising new types of assets. Growth may be exciting, but from the SEC’s perspective, growth without upgraded controls is basically an engraved invitation to an awkward exam.
And yes, never-examined and recently registered advisers remain a priority. If your firm is new, assume the SEC may stop by to say hello. Not a warm hug hello. More of a “please upload these 47 documents by Friday” hello.
Investment companies: mutual funds and ETFs stay on the radar
The SEC continues to prioritize registered investment companies, including mutual funds and ETFs, largely because they matter so much to ordinary investors, especially retirement savers. That means the agency is still looking carefully at compliance programs, governance practices, disclosures, filings, and how fund operations work in practice.
Fees and expenses remain a classic focus area, including waivers and reimbursements. Portfolio management practices and related disclosures are also key, particularly where a fund’s actual strategy or holdings may drift away from the story told in filings, marketing materials, or its name. The amended fund “Names Rule” adds another layer here: if a fund name implies a specific investment focus, the SEC expects the strategy, holdings, and disclosures to support that implication.
The 2026 priorities also call out several developing areas of interest. Funds involved in mergers or similar transactions may draw attention because operational integrations tend to create the kind of compliance messes that begin with optimism and end with remediation memos. Funds using complex strategies or holding significant less liquid or illiquid investments are also likely to be examined closely, as are funds with novel strategies or leverage vulnerabilities. Newly registered and never-before-examined registered investment companies are also likely to receive extra attention.
Broker-dealers: capital, trading, retail sales practices, and disclosures
For broker-dealers, the 2026 priorities keep one foot in classic financial responsibility and the other in modern market structure and retail conduct. That combination is important because it shows the SEC is not treating this as an either-or exercise. A firm can have a flashy digital front end and still get examined on net capital, customer protection, liquidity, order routing, and plain old supervisory controls.
Financial responsibility and trading-related reviews
The SEC says it will continue focusing on compliance with the net capital rule, the customer protection rule, related controls, and timely financial notifications and filings. It also highlights operational resiliency, vendor oversight, change management, and stress-event liquidity planning. Cash sweep programs and prime brokerage activities are named specifically, with a focus on concentration, liquidity, and counterparty credit risk.
Trading-related practices are also a clear focus for 2026. The SEC points to equity and fixed income trading, extended-hours trading, municipal securities, variable rate demand obligations, priority of orders, mark-ups disclosure, best execution, pricing and valuation of illiquid instruments, and disclosures relating to order routing and execution. Alternative trading systems are still in the mix, especially confidentiality safeguards, disclosure alignment, and risk controls.
Retail sales practices and Regulation Best Interest
Where the 2026 priorities become especially practical is retail sales practice. The SEC continues to focus on Regulation Best Interest and wants to see how broker-dealers handle recommendations involving products, strategies, accounts, and rollovers. Examiners are likely to review conflict identification and mitigation, processes for considering reasonably available alternatives, and how firms satisfy the Care Obligation based on a customer’s profile and the characteristics of the product or account.
The list of products that may draw extra scrutiny is telling. It includes variable and registered index-linked annuities, ETFs with less liquid underlying assets, municipal securities such as 529 plans, private placements, structured products, alternative investments, and other offerings with complicated fee structures, exotic benchmarks, or limited liquidity. Recommendations to older investors, retirement savers, and college savers are likely to be examined with extra care.
Form CRS remains part of the picture as well. The SEC plans to look at how broker-dealers describe services, fees, conflicts, and disciplinary history in relationship summaries. In short, plain-English disclosure still has to be plain, English, and true. All three parts matter.
Cybersecurity, operational resiliency, and data protection are now table stakes
If there is one area where the 2026 priorities sound especially urgent, it is information security and operational resiliency. Cybersecurity remains a perennial SEC priority, but this year’s language makes clear that the agency is paying attention not only to breach prevention but also to governance, resilience, and recovery.
The SEC says it will examine practices designed to prevent interruptions to mission-critical services and protect investor information, records, and assets. It specifically mentions governance practices, data loss prevention, access controls, account management, and responses to cyber incidents, including ransomware. It also points to operational disruption risks arising from cyberattacks, dispersed operations, weather events, and geopolitical concerns.
That is already a serious list, and then 2026 adds another wrinkle: artificial intelligence and polymorphic malware. Yes, even the malware is now trying to be innovative. The SEC wants to know whether firms are training staff and deploying security controls to identify and mitigate emerging AI-related cyber risks, and whether they are operationalizing information from threat intelligence sources in a meaningful way.
Regulation S-ID and Regulation S-P
The SEC’s focus on Regulations S-ID and S-P is also significant. On the S-ID side, examiners will look for written identity theft prevention programs that are designed to detect, prevent, and mitigate identity theft involving covered accounts, including risks tied to account takeovers and fraudulent transfers. Employee training is part of that review.
On the S-P side, the agency is looking at incident response readiness, vendor oversight, governance, internal controls, and whether firms have implemented the administrative, technical, and physical safeguards required under the updated rule. This means firms should be prepared to show not only that they have a plan, but that they know who owns it, how it works, and what happens on a bad day when the bad day is no longer hypothetical.
AI and emerging financial technology: no more “trust us, it’s smart” compliance
The 2026 priorities make it clear that the SEC is not allergic to innovation, but it does expect firms to govern it properly. The Division remains focused on automated investment tools, AI technologies, trading algorithms or platforms, and alternative data. In reviews, exam staff will assess whether representations are fair and accurate, whether operational controls match disclosures, whether algorithmic outputs align with investor profiles or stated strategies, and whether automated recommendations comply with regulatory obligations.
This is a meaningful signal for firms that like to describe tools as AI-powered, machine-learning-enhanced, next-generation, or whatever phrase made the marketing team clap. The SEC appears less interested in the buzzwords than in whether the tool works as described, whether the controls are real, whether human supervision exists, and whether investors are getting advice that actually fits their needs.
That scrutiny extends beyond front-office tools. The priorities also point to AI and automation used in fraud detection, back-office operations, AML, and trading. So a firm cannot hide weak governance by saying the sensitive AI system lives in operations instead of client-facing functions. The SEC is reading the whole map.
Other market participants should not feel left out
The 2026 priorities also cover self-regulatory organizations, clearing agencies, municipal advisors, transfer agents, funding portals, security-based swap dealers, and security-based swap execution facilities. For these groups, the SEC highlights risk management, operational controls, recordkeeping, supervisory requirements, conflict disclosures, vendor oversight, and remediation of prior findings.
Two details stand out. First, municipal advisors remain subject to fiduciary-duty review and MSRB Rule G-42 scrutiny. Second, the SEC expects to begin conducting examinations of registered security-based swap execution facilities, signaling that newer market structures are moving from setup mode into exam mode. That is always an important regulatory milestone.
AML remains on the list as well. The SEC says it will review whether applicable firms tailor AML programs to business-specific risks, conduct independent testing, maintain adequate customer identification procedures, meet suspicious activity reporting obligations, and monitor OFAC sanctions compliance. If a firm’s AML program still reads like it was written for a different business in a different decade, 2026 may be a rough year.
What changed from 2025 to 2026?
The most talked-about shift is what is not in the 2026 report as standalone sections. Unlike 2025, the 2026 priorities do not include separate headline sections devoted specifically to private fund advisers or crypto-assets. That does not mean those issues have vanished. Private fund-related risks still show up in adviser-focused priorities, and technology-driven risks remain present through the sections on emerging financial technology, cybersecurity, conflicts, disclosure accuracy, and complex products.
Still, the change matters. It suggests the SEC’s 2026 examination agenda is framed less around splashy labels and more around durable regulatory themes: fiduciary duty, retail investor protection, disclosure accuracy, operational resilience, governance, and whether firms can support their claims with controls and records. In some ways, that makes the agenda more practical and possibly more dangerous for firms that were preparing for the wrong version of the test.
How firms should prepare now
Smart preparation for a 2026 SEC exam is not about producing prettier policies. It is about matching reality to documentation. Firms should start by identifying their highest-risk products, client segments, business changes, and technology uses. After that, they should review whether their disclosures match operations, whether annual compliance reviews are substantive, whether conflict mitigation actually works, and whether supervisory evidence exists.
Cyber and vendor governance should get immediate attention. So should AI inventories, algorithm oversight, and the controls around automated recommendations or operational tools. Advisers should revisit high-cost and complex products, allocation practices, side letters, valuation controls, and best execution. Broker-dealers should pressure-test Reg BI workflows, rollover documentation, alternative analysis, Form CRS content, and extended-hours or complex product supervision.
The simplest rule is this: if the SEC can ask, “Show me how this works,” your firm should be able to answer with more than a meeting invite and a confident shrug.
Practical experiences from the compliance trenches
In real-world exam preparation, the biggest surprises usually are not exotic. They are ordinary processes that looked fine from a distance but fell apart the moment someone asked for proof. A firm says it reviews conflicts annually, but the supporting memo is generic and three business models out of date. A broker-dealer says it evaluates reasonably available alternatives, but the file shows little more than a box checked by habit. An adviser says an AI-assisted tool is “supervised,” yet no one can clearly explain who validated the output, how exceptions are escalated, or when the model was last tested. These are the kinds of gaps that feel small until an examiner starts connecting them to investor impact.
Another common experience is the painful discovery that growth outran governance. A firm acquires another business, launches a new strategy, expands into private credit, adds more retirement accounts, or introduces a new digital workflow. Everyone is busy. Revenue looks good. The website gets updated. Then compliance tries to map the new reality and finds three different account opening paths, four versions of one disclosure, two overlapping vendor contracts, and a supervisory chain that exists mostly in folklore. The SEC’s 2026 priorities read like a warning against exactly that kind of drift.
Cyber readiness also tends to reveal whether a firm is disciplined or merely hopeful. Plenty of firms have incident response plans. Fewer have decision trees that match their actual systems, third-party relationships, and escalation practices. Fewer still have clear evidence of tabletop exercises, training completion, access reviews, or data-loss controls that work the way the written policy says they work. In exams, operational resiliency is rarely judged by the elegance of the PDF. It is judged by whether people know what to do at 2:17 a.m. when a vendor outage or suspicious transfer request lands at exactly the wrong time.
Retail recommendations create another recurring pattern. Firms often believe their process is solid because advisers or representatives are experienced and well-intentioned. But examiners are not testing good intentions. They are testing whether the file shows a product match, whether alternatives were considered, whether costs were weighed, whether conflicts were mitigated, and whether the recommendation made sense for that customer at that moment. A recommendation can sound reasonable in a meeting and still look flimsy in a record set.
One of the most useful lessons from recent exam cycles is that firms do better when compliance is embedded early instead of invited late. When product, operations, legal, technology, and compliance talk before launch, the documentation tends to match reality. Disclosures are tighter. Controls are easier to explain. Testing is less chaotic. Vendor oversight is more than ceremonial. By contrast, when compliance enters the story after the business decision is final, the result is usually patchwork. Patchwork may pass a style review. It does not always survive an SEC exam.
So the practical experience takeaway for 2026 is simple: firms should prepare like examiners will compare promises to practice line by line. Because that is exactly what happens. And when the records are current, the owners are clear, the controls are tested, and the disclosures match the business, an exam becomes far more manageable. Not fun, exactly. But manageable, which in compliance is sometimes the closest thing to luxury.
Conclusion
The SEC’s 2026 Examination Priorities do not reinvent the exam program, but they do sharpen it. The familiar pillars are still there: fiduciary duty, investor protection, disclosure accuracy, and strong compliance programs. What makes 2026 feel different is the way those pillars now connect more explicitly to operational resiliency, AI governance, vendor oversight, complex product risk, and practical implementation. Firms that treat the priorities as a checklist will probably miss the point. Firms that treat them as a test of whether their real-world operations match their stated obligations will be much better positioned.
The headline for 2026 is not “the SEC likes new themes.” It is “the SEC still cares about old obligations, and now it expects firms to manage them in a more complex market.” That is a tougher challenge, but it is also a clearer one. And clarity, unlike surprise deficiency letters, is always welcome.
