What RIAs Need to Know About the SEC’s 2026 Examination Priorities

  • Corrie Scoby
  • 3 days ago
  • 4 min read

Practical Guidance for Small Advisory Firms Navigating the Year Ahead


Every fall, the SEC’s Division of Examinations releases its priorities for the coming fiscal year — and every year, RIAs ask the same question:


“What does this actually mean for my firm?”


The 2026 Examination Priorities document isn’t meant to scare advisers. In fact, the leadership team makes it clear that its goal is to promote compliance, prevent fraud, inform policy, and monitor risk — and that examiners see compliance professionals as “partners” in protecting investors.

Still, the message is unmistakable: expect deeper reviews of your compliance program, cybersecurity readiness, conflicts management, and the quality of your disclosures.


Below is a breakdown of what matters most for small, independent RIAs — and where your firm should focus now.


The SEC is doubling down on your fiduciary obligations

Focus Area: Duty of Care & Duty of Loyalty

The SEC will continue scrutinizing whether advisers act in the best interest of clients and whether your disclosures match your actual practices. Examiners will look closely at:

  • How you consider costs, liquidity, volatility, and risks when making recommendations.

  • Whether complex or higher-cost products are being recommended appropriately.

  • Whether advice aligns with each client’s objectives and risk tolerance — with extra scrutiny on older investors and those saving for retirement.

What RIAs should do

  • Revisit your client recommendation rationale templates. Are they detailed enough?

  • Confirm that all financial conflicts of interest are clearly disclosed — especially revenue-sharing, rollover recommendations, or product-specific incentives.

  • Validate your best execution policies and documentation.


Expect closer evaluation of your compliance program — not just your manual

Focus Area: Program Effectiveness

The SEC will review whether your compliance program is actually working, including:

  • Annual reviews

  • Marketing practices

  • Valuation

  • Trading

  • Portfolio management

  • Custody

  • Accuracy of disclosures and SEC filings

The SEC specifically calls out advisers whose business models have changed — for example, launching a private fund, adding new asset classes, or expanding services.

What RIAs should do

  • Make sure your annual review is substantive, not a summary.

  • Test whether your policies are implemented and enforced, not just written.

  • Review your marketing files, including third-party tools and performance reporting.


Never-examined and newly registered advisers will continue to be prioritized


Focus Area: Examination Selection

If you’ve never been examined — or were recently registered — expect your number to come up.

What RIAs should do

  • Conduct a mock exam to identify gaps before the SEC does.

  • Ensure your Form ADV is current, consistent, and free of legacy disclosures.

Never-examined and newly registered advisers remain at the top of the SEC’s examination queue

Cybersecurity and operational resilience remain top-tier risks

Focus Area: Information Security & Cyber Practices

This is one of the largest sections of the priorities document — and it shows.

The SEC will examine whether your firm:

  • Can prevent and recover from cybersecurity incidents

  • Maintains access controls and data loss prevention tools

  • Trains employees on cybersecurity risks

  • Manages vendor risk appropriately

  • Addresses AI-related cyber threats, including polymorphic malware

  • Maintains operational resilience during disruptions

What RIAs should do

  • Confirm that your incident response plan is updated and tested.

  • Strengthen vendor oversight with consistent due-diligence reviews.

  • Address insider threats and account takeover risks.

  • Document cybersecurity training — frequency and content.



Regulation S-P and S-ID compliance will be tested more rigorously

Focus Area: Privacy, Identity Theft & Data Protection

Expect examiners to ask about:

  • Identity Theft Prevention Programs (Red Flags Rule)

  • Administrative, technical, and physical safeguards for customer information

  • Incident response procedures (especially with 2024 amendments coming into effect)

What RIAs should do

  • Confirm your Red Flags Program is active, not dormant.

  • Update your Reg S-P policies to address:

    • Sensitive data categories

    • Breach notifications

    • Vendor access

    • Physical security

  • Ensure your staff can articulate the firm’s data protection protocols.


Emerging technology — especially AI — is squarely on the SEC’s radar

Focus Area: Automated Tools, AI, and Algorithmic Recommendations

Examiners want to know whether:

  • You use AI tools responsibly

  • Your disclosures about AI are fair and accurate

  • Automated advice aligns with client investment profiles

  • Supervisory controls can detect errors, drift, or unintended outcomes

What RIAs should do

  • Inventory all AI or automated tools, including vendor platforms.

  • Review disclosures to avoid “AI washing.”

  • Strengthen oversight of AI-driven insights or recommendations.


AML expectations remain unchanged — but the bar is higher

Focus Area: AML Programs

Broker-dealers and certain types of RICs must maintain AML programs, but advisers who rely on custodians still have risk-based responsibilities — especially around suspicious activity monitoring and sanctions compliance.



What RIAs should do

  • Confirm your OFAC monitoring processes are documented and tested.

  • Revisit AML controls if your model has international clients or complex entities.

The Bottom Line for RIAs

The SEC’s 2026 priorities reinforce a familiar truth: Good compliance is operational, not theoretical.

For small RIAs, the firms most likely to struggle are those relying on outdated manuals, inconsistent procedures, or infrequent testing. The SEC is looking closely at how firms implement compliance — not just how they write about it.

If your firm needs help preparing for these priorities, Three Lumos Consulting can assist with:

  • Mock examinations

  • Annual reviews

  • Cybersecurity and vendor-risk enhancements

  • Disclosure cleanup

  • Compliance program modernization

  • Policy and procedure refreshes

Corrie Scoby

Chief Consultant & Owner, Three Lumos Consulting, LLC

We guide RIAs with clarity, integrity, and partnership—so you can spend less time on compliance and more time serving clients.


Note: This article provides general information and does not constitute advice. Consult your compliance team for guidance specific to your firm.
