In our recent webinar, 2026 FINRA & SEC Exam Priorities: Where Compliance Should Focus, industry experts Lori Weston, Head of Compliance at Compliance Advisor, a Division of STP Investment Services, and Stephen Murphy, CFA, Managing Director at Integrated Compliance Consulting, unpacked what regulators are signaling for the year ahead—and how firms should interpret those signals.
While the headlines may shift from year to year, one thing remains consistent: regulators expect firms to translate stated priorities into real-world supervisory and compliance practices. Here’s a recap of the key themes discussed, along with additional focus areas firms should not overlook heading into 2026.
Reading Between the Lines of the Priority Letters
A change in SEC administration does not mean a wholesale reset of regulatory expectations. As discussed during the webinar, many themes carry over year after year—including conflicts of interest, best execution, Reg BI, net capital, and cybersecurity.
What stood out this year?
- Continued scrutiny of dual registrations and fiduciary disclosures
- Ongoing focus on conflicts and best execution
- Increased attention around AI and M&A activity among RIAs
- Recurring themes like cybersecurity and data protection
Reviewing priority letters year over year can also help firms identify themes that may no longer be highlighted. Changes in emphasis—or the absence of previously recurring topics—can provide insight into how regulatory focus is shifting.
On the FINRA side, formatting changes, highlighted bullet points, and clearer rule cross-references make it easier to identify applicable risks. One pattern worth paying attention to: when a topic appears on FINRA’s priority list for three consecutive years, it often signals sustained regulatory concern and potential exam scrutiny. Right now, that pattern applies to generative AI, CAT, and cybersecurity, three areas firms should treat as active exam risk, not background noise.
What Regulators Are Actually Testing
One of the most practical parts of the discussion centered on what examiners are actually asking for.
Firm size matters in some areas, but business model often matters more. For example:
- Custody practices
- Billing procedures
- AI governance and oversight
- Conflicts tied to non-advisory services (insurance, tax, etc.)
A recurring theme was documentation. Regulators think in terms of process and minutiae. If something isn’t documented, it may not receive credit during an exam.
As Stephen put it, exam problems tend to follow a 99/1 rule — 99% of your exam issues often come from just 1% of your business activities. A mismatch between written supervisory procedures (WSPs) and actual firm practices continues to be a major exam vulnerability. The question regulators are really asking is: does what you do match what your WSPs say you do?
Capital Formation and Growth Scrutiny
Both FINRA and the SEC appear focused on facilitating capital formation, including potential modernization of certain rule frameworks. However, this does not signal relaxed enforcement.
Exams may be triggered by events such as:
- M&A activity
- Rapid headcount growth
- New products
- New affiliations or custodians
Regulators are not penalizing growth itself—but they will examine whether supervision and compliance evolve alongside business changes. The standard of “reasonably designed” supervision remains central, particularly under FINRA Rule 3110.
Investor Protection Remains Front & Center
Investor protection continues to anchor both FINRA and SEC priorities in 2026. As firms expand access to private placements, alternative investments, and self-directed platforms, regulators are paying close attention to how retail investors are being served.
Expanding Product Access = Expanding Scrutiny
Increased access to complex products has created more exposure. Regulators are watching how firms:
- Disclose risks tied to private placements and alternatives
- Supervise communications around complex products
- Address suitability and Reg BI obligations
- Handle conflicts of interest in dual-registered environments
What makes this area especially important is not just product complexity — it’s investor accessibility. The easier access becomes, the more regulators expect firms to clearly document how risks are communicated and mitigated.
Senior & Vulnerable Investor Focus
FINRA’s continued emphasis on senior and vulnerable investors remains strong, and the SEC continues to echo those themes through fiduciary duty reviews and Reg BI exams.
Key areas of regulatory attention include:
- Trusted contact procedures
- Escalation protocols for suspected exploitation
- Supervision of financial professionals interacting with seniors
- Complaint patterns involving alternative or high-risk products
With an aging investor population, this focus is unlikely to soften.
With continued regulatory focus on investor protection, firms should reinforce training around Reg BI, conflicts of interest, and senior investor safeguards. For additional guidance, learn more about our course Prioritizing Clients: Best Practices in Conflict Management, designed for Firm Element programs.
SEC Focus: Regulation S-P & Data Protection
Regulation S-P is clearly one of the most important SEC priorities heading into 2026. Recent data incidents and increasing cybersecurity expectations have elevated scrutiny around how firms safeguard client information.
Beyond the Written Policy
Regulators are looking beyond whether a policy exists and focusing on whether data protection controls are integrated into daily operations.
Areas of heightened attention include:
- Incident response planning and testing
- Vendor data access controls
- Client notification processes
- Disposal and retention procedures
- Ongoing monitoring of cybersecurity risks
Smaller firms should take note: the deadline for full Regulation S-P compliance is June 3, 2026. Larger advisers (those with $1.5 billion or more in AUM) have already passed their December 3, 2025, deadline, and smaller firms would be wise to learn from their experience. Documentation and preparedness are critical regardless of firm size.
Data protection and client privacy remain critical regulatory priorities. To help financial professionals understand their responsibilities under Regulation S-P and related cybersecurity expectations, explore our course Regulation S-P Essentials: Protecting Customer Information, available for Firm Element training.
Vendor Overlap
Regulation S-P scrutiny also intersects directly with vendor due diligence. If a third-party provider experiences a data incident, regulators will evaluate how the firm assessed and monitored that risk.
Data protection is no longer siloed within IT; it is firmly within the compliance function’s oversight.
Vendor Due Diligence and Third-Party Risk
Vendor oversight has moved higher on the regulatory priority list—particularly for vendors handling sensitive data or supporting mission-critical functions.
Firms should:
- Conduct due diligence prior to engagement
- Maintain standardized vendor review checklists
- Reassess vendors annually
The emergence of generative AI tools within vendor platforms adds an additional layer of risk consideration. While technology can streamline diligence efforts, firms should not blindly rely on AI outputs without independent evaluation.
Annual vendor reviews can also serve as a strategic opportunity to renegotiate contracts, consolidate services, or identify operational improvements.
Marketing Rule: Ongoing Guidance and Exam Findings
Despite being several years into implementation, the SEC Marketing Rule continues to generate guidance and exam findings.
Areas of continued attention include:
- Testimonials and endorsements
- Required disclosures
- Performance advertising
- Referral arrangements and indirect compensation
Because the rule combines elements of the former Advertising and Solicitors Rules, some firms are still adjusting to the defined steps required to permissibly use testimonials and endorsements.
The SEC Marketing Rule continues to generate exam findings. To help teams understand advertising requirements and expectations, Quest CE has released its newest SEC Marketing Rule course, Practical Insights into the SEC Marketing Rule, available to add to your Firm Element program.
Books and Records
Books and records obligations remain on regulators’ radar, and the focus has expanded beyond off-channel communications. Increasingly, regulators want to see not just what decision was made, but why. Documenting the rationale behind compliance and supervisory decisions is becoming a meaningful part of what examiners look for during reviews. If your records only capture the outcome, they may not tell the full story regulators are looking for. This is especially relevant when it comes to suitability determinations, due diligence decisions, and escalation actions.
Anti-Money Laundering
AML remains a longstanding focus area, yet regulators continue to cite recurring deficiencies. While many broker-dealers do not handle cash directly, AML obligations extend beyond traditional money laundering to encompass suspicious activity monitoring more broadly under BSA requirements. A practical starting point for firms is the required independent AML review. Addressing findings promptly and proactively can significantly reduce exam exposure.
AML and senior investor protection remain long-standing exam priorities. Quest CE provides AML training and senior investor protection courses to help firms reinforce monitoring and escalation procedures. Explore our full AML catalog here.
Final Takeaway: Align Practice with Procedure
If there was one unifying message from the webinar, it was this: Read your WSPs, and ensure what you do matches what they say.
Regulators expect programs to be reasonably designed, tailored to the firm’s risks, and supported by documentation. Growth, innovation, and evolving business models are not inherently problematic, but compliance and supervision must evolve alongside them.
If you missed the live session, you can view the recording here. To learn more about how these regulatory themes may impact your firm, contact Quest CE to discuss compliance training, supervisory solutions, and ongoing regulatory support.
For questions regarding this or other Firm Element courses, please contact us here. To view Quest CE’s Firm Element course catalog, click here.

