In October, our team attended the National Society of Compliance Professionals (NSCP) conference. This year’s agenda reflected what compliance teams are dealing with in real time: AI tools rolling out faster than policies can keep up, marketing rules that still trip up firms, and regulators working to clarify crypto oversight. Between booth conversations and packed sessions, we gathered insights that compliance teams can apply to their firms right now. Below are the standout insights our team brought home.
1) Artificial Intelligence: How Firms and Regulators Are Responding
AI was one of the most talked-about topics at NSCP, with many speakers noting that firms are adopting new tools faster than their compliance programs can adapt. Several panelists compared today’s AI environment to the early stages of the pandemic, when collaboration platforms were rolled out quickly and formal oversight came later.
Before exploring specific use cases, regulators emphasized several baseline expectations that firms should already be building into their programs:
- Firms need to understand and be able to explain how an AI tool reaches its conclusions
- Risk controls must apply to vendor-provided AI tools, not just those developed internally
- AI-generated content is subject to existing supervision and recordkeeping rules, including the SEC’s Books and Records requirements
Rapid Adoption, Limited Controls
Many firms are actively experimenting with AI tools like ChatGPT, Copilot, and Claude, though approaches vary widely. Some paused usage entirely until they could complete internal testing, while others moved ahead with broader pilots. Once testing was complete, firms were able to roll out policies and training quickly. A key theme across those trainings was simple but critical: do not input PII or sensitive client information into public-facing AI tools.
Managing Third-Party and Meeting Risks
AI notetakers are increasingly present in meetings, but their presence is not always welcome. Several compliance officers shared that they speak more cautiously when an automated notetaker is in the room, largely because they do not know how that vendor stores, uses, or analyzes captured data. These concerns have prompted many firms to revisit their technology policies and consider enterprise or private AI deployments hosted on platforms like Azure or AWS.
Recordkeeping Responsibilities
As collaboration and AI tools generate new forms of communication, firms continue to grapple with what constitutes a record. If a conversation creates recordable information, regulators stressed that the SEC may request it, regardless of the format or tool used. Encryption remains important, especially when discussions involve account details or other sensitive information.
To stay ahead of artificial intelligence, check out our newest course, “Artificial Intelligence Oversight for Supervisors”
2) The Marketing Rule: Clarifications, Challenges, and Hot Spots for Exams
Sessions on the SEC Marketing Rule generated heavy attendance, with many firms still working to interpret expectations and avoid common pitfalls.
Understanding the Rule’s Scope
Social media remains a gray area: whether a post is considered advertising depends on whether it promotes the firm, offers services, or becomes entangled with firm messaging. Regardless of channel, the anti-fraud standard always applies.
Where Firms Are Struggling
Presenters highlighted several recurring issues:
- Websites remain one of the most scrutinized areas for enforcement
- Hypothetical performance cannot be used if actual performance exists but has not been calculated
- Every claim or performance statement must be backed by clear documentation
Patterns Seen in Exams
Misleading marketing remains one of the most common triggers for exams. Off-channel communications and insider trading concerns also appeared frequently, often identified through evolving data analytics tools used by regulators.
To stay ahead of the Marketing Rule, check out our newest course, “Practical Insights into the SEC Marketing Rule”
3) Crypto: More Education, More Questions, and a Shifting Regulatory Landscape
Crypto was another high-interest topic this year, reflecting continued uncertainty and regulatory movement.
Regulatory Landscape in Flux
A new crypto oversight framework has passed the House and is currently under Senate review. If adopted, it could allow broker-dealers to sell digital commodities under stricter disclosure, segregation, and conflict management standards. Several states are pushing for additional enforcement mechanisms before full approval.
Jurisdictional Complexity
Oversight still varies significantly across financial sectors, which leaves many firms navigating uneven expectations. For example, broker-dealers remain subject to full books and records requirements, while investment advisers are not held to the same standard. Adding to the uncertainty, speakers noted that an unusually high number of crypto-related cases were dismissed this year, signaling that the regulatory landscape is still finding its footing.
Education Efforts Accelerate
FINRA is developing a three-level crypto education program for staff. The program is designed to broaden industry knowledge, support compliance efforts, and help combat crypto-related fraud, not to introduce new regulatory rules.
- Level one covers Bitcoin fundamentals and terminology
- Levels two and three will build on that foundation through in-person applied learning courses developed in collaboration with Georgetown University
Speakers encouraged firms to engage early with regulators and ensure that staff understand the basics of blockchain, custody, and digital asset mechanics.
Communications Still Matter
Even if a firm does not offer crypto products, any educational or marketing content must comply with FINRA Rule 2210. Several firms were cited for implying crypto availability that did not actually exist. As one speaker summarized, FINRA remains a “taker, not a maker” of crypto rules, enforcing conduct standards rather than setting new ones.
To stay ahead of rising crypto regulations, check out our newest course, “Advanced Cryptocurrency: The Race to Regulate”
4) Regulation S-P: New Requirements and Implementation Challenges
Regulation S-P updates were another focal point, especially as firms begin preparing for new timelines and obligations.
Bipartisan Support and Forward Momentum
Amendments to Regulation S-P received unanimous 5-0 support and appear likely to move forward unless slowed by a government shutdown.
Unrealistic Vendor Timelines
A significant concern centered on the new 72-hour incident notification requirement. Many vendors are simply not equipped to meet that timeline, with 30-day notifications still common across the industry. As a result, firms will need to revisit their vendor contracts and escalation procedures well before the rule takes effect.
Cybersecurity Realities
Recent high-profile cyber incidents in the financial and alternative investment space have made firms more cautious about sharing PII with third-party platforms. At the same time, a growing shortage of cybersecurity professionals means many firms are under real pressure to meet the enhanced expectations under Regulation S-P.
To stay ahead of Regulation S-P, check out our newest course, “Reg S-P Amendments: Ethics and Privacy”
What This Means for Compliance Teams
This year’s NSCP conference made one thing clear: regulators and firms alike are preparing for a year defined by technology adoption, data protection, and heightened expectations for governance. While the specifics differ across AI, marketing, crypto, and S-P, the common thread is the need for stronger oversight and clearer internal frameworks.
To stay ahead, firms should prioritize a few core actions:
- Strengthen AI governance by defining approved tools, restricting data use, and training staff
- Refresh marketing oversight processes, especially around websites, performance data, and social media
- Prepare for S-P’s 72-hour notification expectations by reviewing vendor contracts and response plans
- Ensure crypto communications remain accurate and balanced, even if the firm does not offer crypto products
By taking these steps now, firms can position themselves for a smoother exam cycle and reduce operational risk heading into 2026.

