When Your Compliance Bill Doubles but Your Value Doesn’t
- Corrie Scoby
- Oct 27
- 8 min read
By Corrie Scoby • Chief Consultant & Owner, Three Lumos Consulting, LLC

Ever opened an invoice from your compliance consultant and thought, “Wait—what exactly am I paying for?” The shock of seeing costs climb while you feel no added value is all too familiar. It’s not just the line item on the invoice; the real cost includes the hours you spend away from clients and the risk of missteps in an increasingly complex regulatory landscape.
The Real Cost of Compliance
For many small RIA owners, compliance is more than a line item; it can consume nearly half the principal's time. Some estimates show that solo RIAs spend up to 40% of their working hours on compliance-related activities. Even if you reduce that to 20 hours per month, the cost of compliance for an independent firm may exceed what you'd spend by joining a larger platform. When an SEC exam arrives, the direct financial impact is staggering: participating in an exam can cost around $70,000, and the median fine for enforcement actions is $550,000[1].
The risk is growing: in 2024 the SEC ordered financial companies to pay $8.2 billion in fines and penalties, a 67% increase from the previous year[2]. Many of these fines result from inadequate compliance programs. The SEC's 2025 examination priorities add new layers of complexity. EXAMS announced that it will focus on the use of artificial intelligence, digital engagement practices, complex products, cybersecurity, outsourcing, private fund advisers and compliance with new and amended rules, such as the recent amendments to Regulation S‑P and the T+1 settlement cycle[3]. RIAs that do not devote more time and resources to these priorities risk costly penalties.
On June 12, 2025, the SEC withdrew 14 rule proposals from 2022 and 2023 covering AI, cybersecurity, custody, ESG disclosures and outsourcing[4]. Even with those withdrawals, examiners will still scrutinize advisers' use of AI and digital tools, test cybersecurity programs and vendor risk controls, and check compliance with the T+1 settlement cycle and the amended Regulation S‑P incident‑response requirements[3].
Shifting Regulatory Landscape
Regulatory changes aren’t just accelerating; they’re taking unexpected turns. In June 2025, the SEC withdrew 14 rule proposals that had been published in 2022 and 2023[4]. The withdrawn proposals covered hot‑button issues such as conflicts of interest related to predictive data analytics, safeguarding advisory client assets, cybersecurity risk management for advisers and investment companies, enhanced ESG disclosures and outsourcing requirements[4]. The Commission signaled that it does not intend to issue final rules on those proposals and that any future regulatory actions would start with new proposals[4]. This deregulatory step removes some of the immediate burdens that firms had been preparing for; however, it also creates uncertainty about how and when these issues might resurface.
Even with the withdrawals, the SEC continues to enforce existing rules aggressively. The marketing rule remains a prime example: since its adoption, the SEC has conducted sweep examinations and charged over 20 firms for misrepresentations, resulting in hundreds of thousands of dollars in fines. Recordkeeping violations and off‑channel communications fines have reached multi‑million‑dollar levels. Changes like the T+1 settlement cycle and new Regulation S‑P requirements for incident response programs are also moving forward[3]. Firms must keep pace with these updates even as other proposals are withdrawn.
Recent Enforcement Actions (Summer–Fall 2025)
- Miscalculated fees & conflicts (Aug 15, 2025): In the Matter of TZP Management Associates, LLC, the SEC alleged that an RIA miscalculated management fees and failed to disclose conflicts of interest. The firm agreed to pay more than $683,877 in disgorgement and civil penalties. This case marked the eighth enforcement action against an RIA since January 2025, signaling that the new administration continues to pursue fee‑ and conflict‑related cases[5].
- Custody & trading rules (early Aug 2025): The SEC settled charges with two advisers for failing to comply with the Custody Rule and for violating Rule 105 of Regulation M, resulting in penalties of $50,000 and $250,000.
- Compensation‑driven conflicts (Aug 29, 2025): Two separate actions against a registered investment adviser and an affiliated broker‑dealer resulted in combined monetary relief exceeding $25 million after the firms failed to disclose incentives that encouraged employees to enroll clients in fee‑based advisory programs[6].
- Marketing & books and records (Sept 4, 2025): Meridian Financial, LLC agreed to a $75,000 penalty for violations of the marketing rule, books and records rule and compliance rule after claiming it "refused all conflicts of interest" while failing to substantiate those claims and maintain accurate advertising records[7].
Compliance takeaway: Although several proposed rules were withdrawn in mid‑2025, the rules still in force are not optional. The enforcement actions above illustrate that the SEC continues to pursue advisers who miscalculate fees, obscure conflicts or neglect custodial and record‑keeping obligations[5][6][7]. The perceived “chaos” of shifting proposals does not excuse non‑compliance. Failure to adhere to existing rules invites fines, disgorgement and reputational damage.
Common Compliance Pitfalls
Many firms underestimate the operational discipline needed to stay compliant. Nearly 43% of small RIAs lack a formal compliance calendar[8], leaving them vulnerable to missed deadlines and late filings. State regulators report that registration lapses account for 23% of compliance issues, incomplete books and records for 17%, and inadequate supervision for 16%[2].
Cybersecurity has become a central focus. EXAMS will review registrants' policies and procedures, governance practices, data loss prevention, access controls and responses to cyber incidents, and will assess how firms manage third‑party vendor risk and protect customer information. The amended Regulation S‑P requires firms to establish an incident‑response program to detect, respond to and recover from unauthorized access to customer information[3]; the amendments also require notifying affected individuals no later than 30 days after the firm becomes aware of such an incident and overseeing service providers that handle customer information, with compliance dates of December 3, 2025 for larger entities and June 3, 2026 for smaller ones. In practice, an adviser should be able to show an examiner who has access to client data, how an intrusion would be detected, and who is responsible for notification. Meanwhile, the Division's focus on AI and digital‑engagement practices means advisers using automated tools must have adequate policies and controls to prevent "AI washing" and to ensure recommendations align with investors' profiles[3]. These evolving expectations add complexity, but ignoring them invites enforcement actions and reputational damage.
Although some proposed rules were withdrawn, the SEC's enforcement posture remains active, and three recent matters show where it is pointed.
In July 2025, SolarWinds reached a preliminary settlement with the SEC in a first‑of‑its‑kind case alleging the company misrepresented its cybersecurity practices; the suit also marked the first time the Commission named a chief information security officer as an individual defendant. Most of the SEC's claims were dismissed in July 2024; what survived was the allegation that the company's public security statement overstated its access‑control and password practices. The lesson for any firm is that what you publicly say about your controls must match what you actually do, and that misstatements about cybersecurity controls can result in personal liability[9]. A mid‑year update from Gibson Dunn reports that no new cyber‑breach disclosure cases were filed in the first half of 2025, but notes that the SolarWinds settlement may signal a return to evaluating good‑faith disclosure judgments rather than second‑guessing them[10].
Regulators have also begun targeting so‑called "AI‑washing." In April 2025 the SEC and DOJ filed parallel actions against the founder of e‑commerce startup Nate Inc. for allegedly misleading investors about the company's AI capabilities; this followed a January 2025 settlement involving similar misrepresentations by Presto Automation[11]. While no additional AI‑washing cases have been announced, authorities warn they will pursue misrepresentations about emerging technologies[11].
Finally, September 2025 brought an enforcement action against Meridian Financial for marketing‑rule and record‑keeping violations: the adviser relied on a third‑party website vendor to maintain its advertisements yet failed to retain copies or obtain contractual assurances from the vendor, resulting in a $75,000 penalty[12]. Outsourcing a function does not outsource the recordkeeping obligation. These cases illustrate that even amid regulatory change, ignoring existing rules and controls invites enforcement and reputational harm.

A Better Way: Support, Structure & Service
At Three Lumos Consulting, we believe compliance shouldn’t feel like a black hole. It should be a strategic advantage[13]. That’s why we built our approach around three guiding lights:
Support
You deserve a consistent point of contact who knows your business and responds promptly. True partnership means having a responsive ally who participates in your leadership meetings, provides clear guidance when issues arise and checks in proactively rather than reacting after something goes wrong.
Structure
Without structure, even the best tools fail. An effective program uses templates, dashboards and centralized systems to track reviews, filings and documentation deadlines. Compliance should be proactive, not a scramble before exams. Proper structure prevents registration lapses and recordkeeping gaps and keeps your team exam‑ready[2].
Service
The right engagement model fits your firm’s size, complexity and goals. Whether you need targeted mock audits, ongoing oversight or a hybrid “shadow CCO” arrangement, your service should deliver clear deliverables and scope. It should consider your business model, clients and cybersecurity practices, eliminating surprise add‑ons and long response times. Fit‑for‑purpose service provides a roadmap for growth.
Evaluating Your Partner
How do you know if your compliance partner actually supports your growth? Our Three Lights checklist asks targeted questions across support, structure and service to help you evaluate whether your current approach is adding value. If you can’t confidently answer “yes” to most of these questions—such as whether you have a dedicated point of contact, a proactive communication schedule, a structured calendar and technology tools and a clear engagement model tailored to your firm—it may be time to explore a better partnership. The checklist isn’t just about ticking boxes; it’s about revealing whether your consultant is truly helping you stay ahead of regulatory changes and run your firm efficiently. Download the free checklist to see how your current partner measures up.
Evaluate your current consultant by downloading our Three Lights checklist. If you answer “no” to more than one or two questions, it’s time to explore a compliance partner who can turn compliance from a cost center into a competitive advantage.
Lighting the Way Forward
Increasing compliance costs and heightened regulatory scrutiny can make you feel powerless. But with the right guidance, you can turn compliance into a competitive advantage. By investing in support, structure and service, you protect your firm and reclaim your time.
At Three Lumos Consulting, we’re here to help you navigate this landscape. Our tailored approach helps small RIAs stay compliant without sacrificing growth. Download our free checklist and see how your current compliance partner measures up.
When your bill doubles but your value doesn’t, it’s time to bring light back to compliance.
About the Author
Corrie Scoby
Chief Consultant & Owner, Three Lumos Consulting, LLC
We guide RIAs with clarity, integrity, and partnership—so you can spend less time on compliance and more time serving clients.
Note: This article provides general information and does not constitute advice. Consult your compliance team for guidance specific to your firm.
Sources
[1] Calculating the Cost of Compliance for Starting an RIA
[2] Complete Guide to Conducting Your 2025 Annual RIA Compliance Review Under SEC Rule 206(4)-7
[3] SEC Division of Examinations Announces 2025 Exam Priorities | Insights | Mayer Brown
[4] Investment-Management---July-2025.pdf
[5] Recent SEC Enforcement Actions Highlight Enforcement Risks for Investment Advisers
[6] SEC Enforcement Actions Target Inadequate Disclosures on Conflicts of Interest by Advisory Firms and Broker-Dealers
[7] Investment Management & Funds Regulatory Update - September 2025 | Davis Polk
[8] 7 Costly Compliance Gaps DIY Teams Miss—and How an Always-On Fractional CCO Saves 62% in Remediation Fees (2025 Data)
[9] Important Development in Landmark Cybersecurity Case as SEC and SolarWinds Reach Preliminary Settlement
[10] Securities Enforcement 2025 Mid-Year Update
[11] Evolution of AI Washing Enforcement: DOJ Enters the Picture https://corpgov.law.harvard.edu/2025/05/22/evolution-of-ai-washing-enforcement-doj-enters-the-picture
[12] When Marketing Meets Compliance: Lessons from the SEC’s First Marketing Rule Case https://sec3compliance.com/when-marketing-meets-compliance-lessons-from-the-secs-first-marketing-rule-case/
[13] How RIAs Can Find the Right Compliance Consultant: Support, Structure & Service
© Three Lumos Consulting, LLC. All rights reserved.