SEC Compliance in 2026: A Working Guide for Advisory Firms
by Jump
For advisory firms in 2026, the federal securities laws haven't moved. What's moved is where the Division of Examinations has said it will look. The priorities document published November 17, 2025, gives advisers a clear preview of the questions examiners will lead with this year, and for firms that registered with the SEC three or four years ago and haven't yet been examined, that preview is the closest thing available to a study guide.
The gap between a firm that experiences compliance as a source of friction and one that experiences it as steady-state usually comes down to whether documentation is produced with client work or reconstructed after it. Firms that have built the record into the workflow show up to an exam with their work already in order. Firms that haven't spend six weeks rebuilding it.
This article covers what SEC compliance requires of an advisory firm right now. It walks through who the rules apply to, the four Advisers Act rules that structure an RIA's day-to-day obligations, how fiduciary duty actually shows up in examinations, where deficiencies most often come from, what the 2026 examination priorities signal about the year ahead, what a program looks like when it holds up under scrutiny, and what happens when it doesn't. The goal is orientation, not a reading of the statute.
What is SEC compliance?
SEC compliance is the ongoing obligation for firms and individuals operating in the U.S. securities industry to follow the rules set and enforced by the Securities and Exchange Commission under the federal securities laws, principally the Securities Act of 1933, the Securities Exchange Act of 1934, and the Investment Advisers Act of 1940. For advisory firms, it means operating within the Advisers Act and the rules promulgated under it, which govern fiduciary conduct, books and records, marketing, custody, and the firm's written compliance program.
In practice, compliance isn't a status a firm achieves and holds. It's a continuous activity, tested at the firm level through the annual review required by Rule 206(4)-7 and at the regulator level through periodic examinations by the SEC's Division of Examinations. A firm is "in compliance" on the days it can demonstrate, with contemporaneous evidence, that its written policies match how it actually operates and that those policies are being followed.
This year's examination priorities, published November 17, 2025, point to three areas: fiduciary conduct under scrutiny, a compliance program that can actually be tested under Rule 206(4)-7, and a newer frontier covering electronic communications, Regulation S-P, and AI oversight. What follows is a working guide to all three, written for the principal, CCO, or operations lead who already knows what Form ADV is and doesn't need the 1929 origin story.
Who has to comply with the SEC
SEC compliance obligations fall on roughly five categories of market participants: public companies, broker-dealers, investment advisers, investment companies such as mutual funds and ETFs, and issuers raising capital through registered or exempt offerings. Each category carries its own regulatory regime, but the through-line is the same. Any entity whose activity touches U.S. securities markets operates inside the Commission's jurisdiction.
For advisory firms specifically, the line that matters is the one between SEC registration and state registration. Firms generally register with the SEC once they cross $100 million in regulatory assets under management. Below that threshold, they register with their state securities regulator, and in some cases with multiple states if they have clients across jurisdictions. Being SEC-registered doesn't make a firm more legitimate than a state-registered one. It's a jurisdictional line, not a quality line, and firms routinely move between the two as they grow or contract.
Dual-registered firms carry both SEC and FINRA obligations, which means parallel examination cycles, parallel rulebooks, and parallel supervisory requirements. The Advisers Act governs the advisory side; FINRA rules govern the brokerage side. The two overlap in practice, particularly around communications and conduct, but they are administered separately.
The daily reality of compliance for an RIA is governed by a relatively small number of rules that generate a large amount of work. That's where the next section picks up.
The four rules that structure an RIA's compliance program
The structural scaffolding of any RIA compliance program rests on four rules from the Investment Advisers Act, plus Regulation S-P for safeguarding client information. Almost every obligation an adviser encounters in daily practice traces back to one of these five sources.
Rule 204-2 (Books and Records)
Rule 204-2 sets the recordkeeping baseline. Client agreements, trade records, communications, advertisements, performance calculations, and documentation of investment decisions must be retained for at least five years from the end of the fiscal year in which they were created, with the first two years kept somewhere immediately accessible. The rule is technology-neutral, which matters more than it used to. Most deficiencies here aren't about missing records. They're about firms that can't produce them quickly during an exam, or that discover mid-exam that a category of communications was never captured in the first place.
Rule 206(4)-7 (Compliance Program)
Rule 206(4)-7 requires every SEC-registered adviser to adopt written policies and procedures reasonably designed to prevent violations of the Act, to designate a Chief Compliance Officer with authority to administer them, and to review them annually. The annual review is meant to be substantive. A review that concludes everything is working as intended, year after year, is often flagged by examiners as evidence the review isn't actually testing anything.
Rule 206(4)-1 (Marketing Rule)
Rule 206(4)-1, overhauled in 2020 and in full effect since November 2022, governs how advisers advertise. It permits client testimonials and third-party endorsements with specific disclosures, prohibits misleading performance claims and cherry-picked results, and imposes detailed requirements for hypothetical and predecessor performance. The SEC has repeatedly identified Marketing Rule compliance as one of the most common deficiency areas in recent exam cycles, which tells you where examiners tend to look first.
Rule 204A-1 (Code of Ethics)
Rule 204A-1 requires every adviser to adopt a code of ethics establishing standards of conduct, addressing personal trading by access persons, and requiring periodic reporting of securities holdings and transactions. The rule is where conflicts around employee trading live. A firm's code of ethics reads differently from its other policies because it's binding on individuals, not just on the entity.
Regulation S-P
Regulation S-P covers the safeguarding of client information. The 2024 amendments added incident response program requirements and customer notification obligations, with compliance dates phased in at December 3, 2025 for larger advisers and June 3, 2026 for smaller ones. For most firms, the practical implication is that a written information security policy is no longer enough. The firm also needs a documented incident response plan it can actually execute.
What "best interest" means when the SEC is looking
An investment adviser's fiduciary duty under the Advisers Act has two components, a duty of care and a duty of loyalty, and the SEC evaluates both through the lens of conflicts of interest: whether they exist, whether they're disclosed in language a client can actually understand, and whether the client's interest is being served in practice.
Duty of care means a reasonable basis for recommendations, ongoing monitoring of the advice given, and best execution when trades are placed. In an exam, duty of care shows up as questions about how the firm arrived at a particular allocation, why a specific share class was selected, and how the adviser documented the suitability of a recommendation at the time it was made. Hindsight is not the standard. The standard is whether the recommendation was reasonable given what the adviser knew and what the client's circumstances required.
Duty of loyalty is the harder one in practice. It requires eliminating conflicts of interest or, where that isn't possible, disclosing them with enough specificity that a client can give informed consent. Revenue-sharing arrangements, wrap fee program selections, proprietary product recommendations, and 12b-1 fee conflicts all fall here. The SEC has made clear through enforcement that generic disclosure buried in a Form ADV Part 2 won't satisfy the duty. A conflict has to be described plainly enough that a reasonable client understands what it is and why it matters.
Breaching fiduciary duty is not a technical violation. It's the central failure an adviser can commit, and it's the charge the SEC reaches for when the facts support it. The 2026 examination priorities continue to emphasize fiduciary conduct for retail-facing advisers, with specific attention to how conflicts are identified and how disclosures are written.
For dual-registered firms, the distinction between Regulation Best Interest on the brokerage side and the fiduciary standard on the advisory side matters. Reg BI applies to recommendations made in a broker-dealer capacity; the Advisers Act fiduciary standard applies to ongoing advisory relationships. Examiners pay attention to whether firms are drawing the line consistently and whether clients understand which standard applies to which part of the relationship.
SEC recordkeeping rules for electronic and off-channel communications
The single most common source of SEC deficiencies, and the area where enforcement penalties have climbed highest in the last three years, is recordkeeping failures around electronic and off-channel communications.
Rule 204-2 is technology-neutral. If an email, text message, WhatsApp thread, iMessage, Signal chat, or LinkedIn DM relates to the firm's advisory business, it's a business record. It has to be captured, retained for five years, and producible during an exam. The channel doesn't matter. The device doesn't matter. Whether the employee used a personal phone doesn't matter. If the content is about the advisory business, the obligation attaches.
The SEC made this position unambiguous starting in 2022 with a wave of enforcement actions against broker-dealers, resulting in more than $2 billion in combined penalties across the major firms. In April 2024, the Commission brought its first stand-alone action against a registered investment adviser for off-channel communications failures, signaling that the same standard applies to the adviser side of the industry. Firms that assumed the enforcement wave was a broker-dealer problem have been revising that assumption ever since.
What this shifts operationally is the relationship between compliance and the channels where work actually happens. Compliance can no longer sit downstream of client communication, reviewing what was captured after the fact. It has to be built into the channels themselves, with firm-issued messaging tools, mobile device policies, archiving across every approved channel, and training that gives advisors a clear answer to the question of where they can and can't have a client conversation.
Meeting notes sit in the same category. A call with a client about retirement income, a Zoom review of a financial plan, an in-person meeting about an inheritance—all of it produces content that's within the scope of Rule 204-2 once it's written down. Firms that rely on advisors to draft notes from memory hours or days later end up with records that are inconsistent, incomplete, and difficult to defend during a branch audit or an SEC exam. Compliance for financial advisors increasingly hinges on whether the record of a client conversation exists as a byproduct of the conversation, or whether someone has to reconstruct it afterward.
The enforcement pattern is clear enough that no firm registered with the SEC in 2026 can plausibly claim it didn't know where the scrutiny was landing.
What the SEC's 2026 examination priorities signal
On November 17, 2025, the SEC's Division of Examinations published its 2026 priorities, and for advisory firms the document functions less as a list than as a preview of the questions examiners will lead with in the coming year. Read as a compliance officer rather than as a lawyer, five areas stand out.
Fiduciary duty for retail-facing advisers
The fiduciary issues discussed earlier remain at the center of the Division's 2026 focus, with particular attention to share class selection, wrap fee programs, and recommendations involving complex or illiquid products. What's new in this year's priorities is the emphasis on documentation. Examiners will be asking not only whether a recommendation was suitable, but whether the file shows the adviser's reasoning at the time it was made. The recommendation itself isn't enough. The record behind it has to hold up.
Compliance program effectiveness under Rule 206(4)-7
The 2026 priorities enumerate five specific sub-areas within 206(4)-7 examinations: marketing, valuation, portfolio management, disclosure, and custody. This is more specific than prior years. A firm preparing for an exam should assume that each of these five will be tested, with examiners looking for written policies tailored to the firm's actual business, evidence of forensic testing during the year, and an annual review that reads like it found something.
Regulation S-P and incident response
The incident response program requirements added in the 2024 amendments are phased in at December 3, 2025 for larger advisers and June 3, 2026 for smaller ones. By the time most firms are examined in 2026, the compliance date will have passed. Examiners will be asking whether a written incident response plan exists, whether it has been tested, and whether the firm can demonstrate the customer notification protocol would execute in a breach scenario.
Emerging technology and AI governance
The Division has flagged artificial intelligence, trading algorithms, and automated tools for heightened scrutiny, particularly where they're used in investment recommendations, marketing materials, or client interactions. The question isn't whether a firm uses AI. It's whether the firm can describe what AI it uses, what supervisory controls sit around it, and how clients have been informed where informed consent matters. Firms that adopted AI tools without updating their compliance policies to match are the ones most exposed here.
Never-before-examined and recently registered advisers
The Division continues to prioritize firms that registered recently and haven't yet been examined. A firm that crossed the $100 million threshold in 2022 or 2023 and hasn't received a fieldwork notice should plan for one, and should assume the examiner's preparation will include a close read of the firm's Form ADV against what it's doing in practice.
One absence is worth noting. Crypto assets were not listed as a stand-alone priority for the first time since 2018. Under Chair Paul Atkins, the Division's posture toward digital asset innovation appears to have softened, though firms with crypto exposure should not read the omission as a free pass. Custody, valuation, and disclosure obligations still apply.
The priorities document is most useful read as a gap analysis prompt. If a firm's written policies don't address each of the areas above with specificity, the work to close that gap should start before the fieldwork notice arrives.
What an exam-ready RIA compliance program looks like
A compliance program that holds up under SEC examination is not a binder of policies. It's the documented, tested, and evidenced practice that shows the firm is doing what its policies say. Examiners are trained to look for the gap between the two, and the gap is almost always where deficiencies are written.
Four components separate the programs that survive an exam cleanly from the ones that don't.
A CCO with real authority and real time
The 2026 priorities continue to scrutinize whether the Chief Compliance Officer has the seniority, access to leadership, and bandwidth to actually run the program. Outsourced and part-time CCO arrangements are permitted, but they're examined more closely, particularly where the CCO also serves as CEO or CFO. A CCO who can't name the firm's top three compliance risks from memory, or who hasn't personally reviewed the last marketing campaign, is a red flag regardless of title.
Written policies that reflect the firm as it operates
The most frequently cited weakness in compliance manuals is not that they're missing something. It's that they describe a firm that doesn't exist. A manual that references custody procedures when the firm has no custody, or that omits the messaging platforms employees actually use, tells an examiner the document isn't being used. Policies that match the business, in the specific words the business uses, read differently in an exam.
An annual review that tests
Rule 206(4)-7 requires an annual review of the adequacy of policies and the effectiveness of their implementation. The operative word is effectiveness. A review that concludes everything is working, year after year, is often flagged because it suggests the review isn't finding anything, which in turn suggests it isn't looking. Strong annual reviews identify gaps, document them, and track the remediation into the following year. They read like work product, not like a certification.
Contemporaneous evidence of testing
The difference between a program that looks good on paper and one that holds up in the field is documentation created at the time the work was done. Forensic email sampling, trade reviews, marketing material approvals, code of ethics personal trading reports, branch reviews, and CCO memoranda should exist as dated artifacts, not reconstructed narratives. When an examiner asks what the firm did in Q2 to test the Marketing Rule, the answer should be a file, not a description.
Where compliance meets the client workflow
Consider the math. An advisor managing 150 households has, conservatively, three to four substantive client conversations per household per year, plus ad hoc calls, emails, and reviews. That's more than 500 client interactions annually, each of which may produce content that falls within Rule 204-2, each of which may trigger Marketing Rule implications if a testimonial or performance reference comes up, and each of which will be relevant when the annual compliance review pulls a sample for forensic testing.
When the record of those conversations is drafted from memory hours later, or pieced together from partial notes at quarter-end, two things happen. The record is incomplete, and the advisor has spent ten or twenty hours a month doing administrative reconstruction that didn't need to exist. The firms that consistently show up on industry lists of the best financial advisors tend to run their practices the other way. The notes exist before the meeting ends. The required disclosures are captured when they're given. The client's stated objectives, risk tolerance, and any language that matters for suitability are in the record in the client's own words, with a timestamp. A branch review or an SEC exam pulling a sample from that record is reviewing work that was already in order.
This is the operational pattern tools like Jump are built around. Jump's AI note-taker sits in the client meeting, captures the conversation to the firm's note structure, flags required disclosures and notable client statements as they occur, and pushes a compliance-ready record into the CRM within minutes of the meeting ending. The documentation is produced as a consequence of the meeting rather than as a task that follows it, which is the difference between a firm that spends the week before an exam rebuilding records and one that hands them over as they already exist.
What happens when a firm falls out of compliance
SEC enforcement outcomes sit at the sharp end of financial advisor regulations. They range from deficiency letters and required remediation at the low end to civil penalties, disgorgement, suspensions, and registration revocation at the high end. The financial consequences are real, but for a firm whose business is built on client trust, the reputational consequences usually outweigh them.
Most exams conclude with a deficiency letter. The Division of Examinations identifies findings, the firm responds in writing with a remediation plan, and the matter closes administratively. A first-time finding that the firm addresses promptly is generally not a career event for a CCO or a reputational event for the firm.
Material findings, or patterns of repeat deficiencies, can be referred to the Division of Enforcement. From there, the Commission can bring an administrative proceeding or file a civil action in federal court. Remedies include cease-and-desist orders, civil monetary penalties, disgorgement of ill-gotten gains, industry bars for individuals, and in severe cases registration revocation. The SEC publishes enforcement actions. For a firm whose prospects, referral partners, and existing clients can search the public record, the press release is often the more lasting cost.
The pattern in recent years is worth noticing. Off-channel communications cases have produced the largest penalties in dollar terms, Marketing Rule cases have produced the highest volume of actions, and custody, valuation, and conflicts disclosure cases have produced the most individual charges against CCOs and senior personnel. A firm that reads the enforcement docket for its own practice area gets a clear picture of which risks are currently being priced most aggressively.
One of the more practical tips for financial advisors running their own firms is that the cost of preventing a deficiency is almost always lower than the cost of remediating one, and the cost of remediating a deficiency is almost always lower than the cost of defending an enforcement action. That math tends to push serious firms toward building compliance into the workflow rather than treating it as an annual cleanup.
Compliance as an operating posture
The firms that experience SEC compliance as a source of friction are usually the ones running it as a separate, after-the-fact workstream. The firms that experience it as steady-state are the ones that have built it into how the work happens. Documentation produced with the conversation. Policies that match the actual firm. Annual reviews that test rather than certify. When the 2026 exam arrives, the difference between those two postures is the difference between reconstructing six months of records and handing them over.
What that looks like from the client's side is a quieter thing, and a more durable one. Advisors who aren't distracted by the paperwork they owe. Follow-through that happens when it was promised. A firm that can answer a hard question without pausing to go check whether the answer was written down somewhere.
Jump is the AI note taker for financial advisors that closes the gap between the conversation and the record. It sits in every client meeting, captures the exchange in the firm's voice and note structure, flags required disclosures and notable client statements as they happen, and pushes a compliance-ready record into the CRM within minutes of the meeting ending. Firms using Jump report saving five to ten hours per advisor per week on meeting administration, with branch reviews and annual compliance reviews pulling from records that are already consistent, already timestamped, and already in order. See how it fits into your practice by booking a demo.