^{Legal Alerts | January 20, 2026 12:00 am} Fourth Quarter 2025 Asset Management Regulatory Update

Table of Contents

• 2026 SEC Examination Priorities
• FINRA Fines Firm $10 Million for Gifts and Entertainment Violations
• SEC Fines Dually Registered Firm $325,000 for Cybersecurity and Identity Theft Program Failures
• SEC Charges Six Advisers for Form ADV Filing Issues
• RIA Pays $150,000 to Settle Enforcement Action for Ongoing Compliance Failures
• SEC Delegates Authority to the Director of the Division od Investment Management in Connection With Confidential Information Requests

2026 SEC EXAMINATION PRIORITIES

On November 17, 2025, the Securities and Exchange Commission’s (“SEC” or the “Commission”) Division of Examinations (“EXAMS” or the “Division”) published its examination priorities for 2026. Although this discussion will focus on the relevant risks related to registered investment companies (“RICs”) and investment advisers (“IA”), the Commission included areas of focus for broker-dealers (“BD”), self-regulatory organizations, and other market participants.[1] 

Investment Advisers

Fiduciary Duty Standards: The SEC will continue to focus on the duties of care and loyalty. As part of this, EXAMS will review investment advice and disclosures relating to:

• the impact of advisers’ financial conflicts of interest;
• advisers’ consideration of cost, investment product’s or strategy’s investment objectives, characteristics, liquidity, risks and potential benefits, volatility, likely performance, time horizon, and cost to exit; and
• advisers seeking best execution with the goal of maximizing value.

EXAMS will focus on alternative investments (e.g., private credit), complex investments (e.g., leveraged or inverse exchange traded funds (“ETFs”)), products with a higher cost associated with investing, and whether investment recommendations are consistent with product disclosures and the clients’ investment objectives, risk tolerance, and background.

As part of this process, the Division will pay particular attention to any recommendations made to older investors or products with increased volatility, private fund advisers who also advise separately managed accounts (“SMA”), newly registered funds advisers, newly launched private fund advisers, and advisers who are new to the private fund space. Lastly, EXAMS will focus on types of advisers and advisory services or business practices that may create additional risks and potential or actual conflicts of interest (e.g., dually registered BD/IAs).

Adviser Compliance Programs: Examinations will include analyzing the advisers’ annual reviews of the effectiveness of their compliance policies and procedures. This will include adherence to fiduciary principles, effectiveness of addressing conflicts of interest, and whether these elements address compliance with the Investment Advisers Act of 1940 (the “Advisers Act”). Areas of focus may include:

• the implementation and enforcement of policies and procedures;
• whether disclosures address fee-related conflicts, including conflicts that arise from account and product compensation structures; and
• advisers who engage with activist activities.

Never Examined and Recently Registered Advisers: Consistent with prior years, EXAMs will prioritize examinations of these advisers.

Investment Companies

RIC exams will generally include their compliance programs, disclosures, filings (e.g., summary prospectus) and governance practices. RIC operations of particular focus include fund fees and expenses (and any associated waivers and reimbursements), and portfolio management practices and disclosures, for consistency with statements about investment strategies or approaches, with fund filings and marketing materials, and if and after the compliance date has gone into effect, the amended rule on Investment Company Names (“Fund Names Rule”)[2].

EXAMS will also continue to monitor:

• RICs that participate in mergers or similar transactions, including any associated operational and compliance challenges;
• certain RICs that use complex strategies and/or have significant holdings of less liquid or illiquid investments (e.g., closed end funds), including any associated issues regarding valuation and conflicts of interest; and
• RICs with novel strategies or investments, including funds with leverage vulnerabilities.

Additional Areas of Focus for All Market Participants

Cybersecurity: Cybersecurity will continue to be a focus during the examination process to prevent any interruption to mission-critical services and investor information. As part of the Division’s review, an emphasis will be placed on registrants’ practices and procedures to assess whether they are reasonably managing information security and operational risks, governance practices, data loss prevention, access controls, account management, incident response, and training adaptations in the wake of the proliferation of artificial intelligence (“AI”).

Regulation S-ID and Regulation S-P: EXAMS will be assessing compliance with Regulation S-ID with a focus on firms’ development and implementation of a written Identity Theft Prevention Program as well as the reasonableness of their policies in procedures included therein. As it pertains to Regulation S-P, the Division will be inquiring with firms about their progress in firms’ development and implementation of a written Identity Theft Prevention Program. After the compliance date has passed, this will shift to ensuring that firms have developed, implemented, and maintained policies and procedures in accordance with the rule’s provisions.

Emerging Financial Technology: The Division intends to focus on firms that engage in the use of certain emerging financial technology products and services, such as automated investment advisory services, recommendations, and related tools and methods. During these reviews, EXAMS will be assessing the following: (1) representations are fair and accurate; (2) operations and controls in place are consistent with disclosures made to investors; (3) algorithms lead to advice or recommendations consistent with investors’ investment profiles or stated strategies; and (4) controls to confirm that advice or recommendations resulting from automated tools are consistent with regulatory obligations to investors, including retail and older investors. With respect to AI, the Division will review the accuracy of firms’ AI representations and capabilities, whether adequate policies and procedures have been instituted, and the integration of regulatory technology to automate internal processes.

Regulation Systems Compliance and Integrity: Reviews of systems compliance and integrity (“SCI”) will focus on incident response policies and procedures and their effectiveness as well as SCI entities’ management of third-party vendor risk and identification of SCI vendor systems.

Anti-Money Laundering: Lastly, for RICs that are required to establish anti-money laundering (“AML”) programs under the Bank Secrecy Act, the Division will be assessing whether their AML program is: (1) appropriately tailored and updated, including accounting for risks associated with omnibus accounts maintained for foreign financial institutions; (2) adequately conducting independent testing; (3) establishing an adequate customer identification program, including for beneficial owners of legal entity customers; (4) meeting their Suspicious Activity Report (“SAR”) filing obligations; and (5) monitoring the Department of Treasury’s Office of Foreign Assets Control (“OFAC”) sanctions and ensuring compliance with such sanctions.

FINRA FINES FIRM $10 MILLION FOR GIFTS AND ENTERTAINMENT VIOLATIONS

On November 3, 2025, the Financial Industry Regulatory Authority (“FINRA”) announced that it had fined a wholesale distributor of securities (the “Firm”) $10 million and censured the Firm for: (i) providing excessive non-cash compensation to representatives of broker-dealer clients in connection with the distribution of the Firm’s investment company securities; (ii) falsifying expense records, (iii) misleading reporting to client firms, and (iv)  supervisory failures that occurred from at least 2018 through February 2024 (the “Relevant Period”). Without admitting or denying fault, the Firm consented to FINRA’s findings, agreed that within 12 months a senior member who is a registered principal of the Firm will certify that it has implemented a supervisory system, and to provide annual compliance certifications for three years regarding its controls over non-cash compensation and related recordkeeping.

The Letter of Acceptance detailed FINRA’s findings, including findings that the Firm’s wholesalers provided gifts and entertainment that exceeded FINRA’s non-cash compensation limit under Rule 2341, as well as instances where wholesalers offered entertainment, gifts, or payments of educational event expenses that were preconditioned on client firm representatives achieving sales targets with respect to their customers’ purchase of the Firm’s products. For example, the Letter of Acceptance noted instances where courtside seats to professional basketball games were provided to client firm representatives. Because members of the Firm did not also attend the events, FINRA determined that the tickets were gifts instead of business entertainment, making them subject to the limits set forth in Rule 2341 (described below).

As further detailed in the Letter of Acceptance, FINRA also found that Firm wholesalers created and submitted false expense reports related to more than $650,000 worth of non-cash compensation provided to client firm representatives.

FINRA noted that certain client firms placed limits on the amount of non-cash compensation that their representatives could receive from wholesaling firms, and had requested that the Firm submit quarterly reports detailing non-cash compensation the Firm provided to the client firm’s representatives. The Letter of Acceptance stated that throughout the Relevant Period, the Firm had submitted quarterly non-cash compensation reports to client firms, in which gifts and entertainment had been underreported.

Finally, the Letter of Acceptance included that the Firm failed to reasonably supervise its provision and reporting of non-cash compensation. FINRA Rule 3110(a) requires member firms to establish and maintain system to supervise the activities of each associated person that is reasonably designed to comply with applicable securities laws and regulations and FINRA rules. FINRA found that during the Relevant Period, the Firm had policies and procedures in place governing cash and non-cash compensation, but that the Firm’s policies and procedures did not provide guidance as to how to evaluate whether non-cash compensation was too frequent or excessive. FINRA also found that the Firm did not have a reasonable system for supervising the accuracy of expense reports and did not have reasonable controls in place to ensure that modifications to expense reports were appropriate

FINRA Rule 2341(l) sets forth requirements regarding a firm’s payment of cash and noncash compensation in connection with the sale and distribution of investment company securities. Specifically, FINRA Rule 2341(l)(5) prohibits firms from “accept[ing] or mak[ing] payments or offers of payments of any non-cash compensation,” in excess of $100 per person and that are “not preconditioned on achievement of a sales target”, subject to some de minimis exceptions for occasional events and situations. FINRA’s position is that “a member must accompany or participate in an event for it to be business entertainment.”

SEC FINES DUALLY REGISTERED FIRM $325,000 FOR CYBERSECURITY AND IDENTITY THEFT PROGRAM FAILURES

On November 25, 2025, the SEC announced that an Oregon based broker-dealer and investment adviser (the “Adviser”) agreed to settle charges alleged by the SEC that the Adviser failed to maintain reasonably designed policies and procedures concerning cybersecurity, the protection of customer information, and identity theft protection, resulting in a $325,000 civil penalty and censure (the “Order”).

According to the SEC, from 2019 to 2024, 13 branch offices (“member firms”) of the Adviser experienced breaches to their email accounts, exposing client records and personally identifiable information (“PII”). These breaches occurred in large part at member firms that in the SEC’s view lacked core controls required by the Information Security Policy released by the Adviser in 2020 (the “2020 Policy”)—such as multi-factor authentication, annual security awareness training, and written incident response policies. The Commission further asserted that prior to the release of the 2020 Policy, neither the Adviser nor its member firms had any written policies or procedures governing information security across its distributed branch network.

Under Rule 30(a) of Regulation S-P^[3], every registered broker-dealer and investment adviser must adopt written policies and procedures that are “reasonably designed to (i) ensure the security and confidentiality of customer information; (ii) protect against any anticipated threats or hazards to the security or integrity of customer information; and (iii) protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.”

The Commission asserted that the Adviser violated Rule 30(a) for failure to adopt written policies and procedures reasonably designed to protect customer records and information. Additionally, the SEC findings stated that the Adviser violated Rule 201 of Regulation S-ID^[4]—the Identity Theft Red Flags Rule—because the Adviser failed to update its Identity Theft Protection Program on a routine basis despite multiple incidents affecting customers, failed to incorporate relevant cyber-related red flags, failed to establish appropriate responses once red flags were detected, and failed to determine whether it offered or maintained covered accounts.

Without admitting or denying the Commission’s findings, the Adviser agreed to a cease-and-desist order, censure, and $325,000 civil penalty.

SEC CHARGES SIX ADVISERS FOR FORM ADV FILING ISSUES

On November 17, 2025, the SEC announced changes against six investment advisory entities alleging material misrepresentations and unsubstantiated statements in Form ADV filings made with the SEC regarding their organizations, office locations, assets under management, and clients.

Form ADV is the primary disclosure document used by investment advisers, and it requires advisers to report information about their business, ownership, and other information.

The SEC’s complaint alleged, among other allegations, the following:

• Certain advisers claimed to manage specifically named private funds, however, the SEC was unable to substantiate these claims.
• Certain advisers listed office addresses, however, there was no record of the advisers ever operating out of those locations.
• Certain advisers claimed to be public companies, however, the SEC’s records contain no evidence (filings or registrations) to confirm these claims.

The six advisers were asked to provide records validating the information provided on Form ADV, and none of the advisers provided sufficient documentation to substantiate the disclosures.

The SEC alleged violations of (i) Section 204(a) of the Advisers Act for failure to maintain accurate records and (ii) Section 207 of the Advisers Act for making false and misleading statements in SEC filings. The complaints seek both injunctive relief and civil penalties, and the SEC’s investigation is ongoing. 

This enforcement action reinforces the SEC’s commitment to transparency and accuracy in Form ADV filings made by investment advisers.

RIA PAYS $150,000 TO SETTLE ENFORCEMENT ACTION FOR ONGOING COMPLIANCE FAILURES

On November 24, 2025, pursuant to an Order Instituting Administrative Cease-and-Desist Proceedings (the “Order”), a Registered Investment Adviser and its principal (collectively, the “RIA”) agreed to pay civil penalties in the amount of $150,000 to settle the SEC’s enforcement action against the RIA for longstanding compliance failures.

The Order came after the RIA continued to be noncompliant even following prior SEC enforcement actions in 2004 and SEC deficiency findings in 2005, 2020, and 2021.

The Order alleged, among other allegations, the following violations:

• From 2013 through 2020, the RIA failed to perform the required annual review of its compliance policies and procedures to confirm adequacy and effectiveness of implementation.
• From at least 2013 through February 2025, the RIA claimed (through public filings) to have a tiered fee schedule. However, the RIA actually charged negotiated fees (based on percentage of assets under management) that were often higher than the fees disclosed to clients.
• The RIA’s compliance policy required that client contracts be maintained for purposes of recordkeeping, however, the RIA failed to maintain executed advisory agreements from a large number of its clients.
• The RIA did not maintain adequate records of brochure deliveries.

Based on the above allegations, the SEC found willful violations of Section 206(4) of the Advisers Act and Section 204 of the Advisers Act. As part of the Order, the RIA is required to obtain an independent consultant to, among other things, conduct compliance reviews and make recommendations surrounding the RIA’s areas of noncompliance.

This enforcement action reinforces the principle that compliance requires ongoing oversight and implementation, rather than a one-time exercise of meeting compliance requirements.

SEC DELEGATES AUTHORITY TO THE DIRECTOR OF THE DIVISION OF INVESTMENT MANAGEMENT IN CONNECTION WITH CONFIDENTIAL INFORMATION REQUESTS

On December 29, 2025, the SEC amended Rule 30-5 to delegate authority to the Director of the Division of Investment Management (the “IM Director”) to issue orders granting, denying, or revoking requests for confidential treatment of information in Form ADV and other filings under Section 210(a) of the Advisers Act.

By way of brief background, Section 210(a) of the Advisers Act generally requires that information contained in registration applications, reports, or amendments filed pursuant to the Advisers Act be made publicly available, unless the SEC determines that public disclosure is neither necessary nor appropriate in the public interest or for the protection of investors. Thus, prior to the amendment, only the SEC could grant, deny, or revoke confidential treatment requests.

As amended, Rule 30-5(g)(8) grants the IM Director delegated authority to issue orders granting or denying confidential treatment applications under Section 210(a), and to revoke previously issued orders. The SEC retains the right to review any action taken by the IM Director under rule 30-5(g)(8), either on its own initiative or upon petition by a party or intervenor, including applicants for confidential treatment under Section 210(a) of the Advisers Act.

As noted in the adopting release, the SEC acknowledged it has not historically acted on applications for confidential treatment. With this new delegation to the IM Director, the SEC appears to be establishing a formal process for advisers seeking confidential treatment.

UPCOMING CONFERENCES

*Host Organization Key: Mutual Fund Directors Forum (“MFDF”), Independent Directors Council (“IDC”), and Investment Company Institute (“ICI”)

© 2026, Davis Graham & Stubbs LLP. All rights reserved. This newsletter does not constitute legal advice. The views expressed in this newsletter are the views of the authors and not necessarily the views of the firm. Please consult with your legal counsel for specific advice and/or information.

[2] Sec. and Exch. Comm’n, Final Rule: Investment Company Names, Release No. IC-35000 (Sept. 20, 2023).

[3] 17 C.F.R. § 248.30(a).

[1] The SEC’s 2026 examination priorities can be found at https://www.sec.gov/files/2026-exam-priorities.pdf.

[4] 17 C.F.R. § 248.201.

CONTACT US
Peter H. Schwartz
Alena Prokop
Stephanie Danner
Martine Ventello
Mackenzie Coupens
Robert Hill