
Targeted exams along with sweeps, a crackdown on retail investor fraud and new rules on cryptocurrencies will top regulators' 2026 to-do lists, according to compliance professionals and industry attorneys.
Advisors can expect targeted exams on both Reg S-P, the Securities and Exchange Commission's privacy rule, and their use of artificial intelligence, says Amy Lynch, president and founder of FrontLine Compliance.
Overall, advisors can expect shorter SEC exam cycles "with more risk-focused document requests based upon previous findings at firms," Lynch told me in an email. "Trading firms will have to prove best execution for trades during full-scope exams."
The SEC's 2026 focus has shifted "to one of conducting more routine exams with shorter exam periods and risk-focused reviews to narrow the scope and look for 'low-hanging fruit' to include in deficiency letters or even better, from the SEC’s perspective, enforcement actions," Lynch said in an alert.
The SEC Division of Examinations is already conducting sweep exams of large firms on Reg S-P compliance, Lynch noted in the alert. Targeted exam letters went out to several large firms the week of Dec. 3 "to see if firms had changed policies or processes to meet the new requirements. Expect the same treatment for smaller advisers after June 3, 2026."
New data privacy requirements under Reg S-P require advisors and broker-dealers to adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information, including procedures for providing timely notification to individuals affected by an incident involving sensitive customer information.
The new Reg S-P requirements took effect Dec. 3 for advisors with $1.5 billion or more in AUM. Smaller advisors have until June 3, 2026, to comply.
Also, "expect to see sweep exams of firms that would most likely be early adopters of AI, such as retail robo-advisers and algorithmic trading hedge funds," Lynch said.
Targeted exams "always lead to enforcement so we could see Reg S-P or AI related enforcement cases," Lynch said. "It used to be the SEC would wait at least 2 years before going after firms with enforcement on new rules, but the marketing rule showed a change in approach by the SEC. They will use the targeted exams to find egregious activity."
Also, "enforcement will be mostly focused on fraud activity. Cases are now more likely to be adjudicated in the courts, so enforcement needs to go after slam-dunk type issues," Lynch said.
Marketing Rule Warning
On Dec. 17, the SEC issued a new risk alert describing how advisors' use of testimonials, endorsements and third-party ratings is still not in compliance with the Marketing Rule. The rule is among the SEC's top exam priorities for 2026.
The alert points to observations examiners have made.
"Apparently there is a sizeable number of advisers that did not understand they had entered into arrangements with third parties to make statements that would meet the Marketing Rule’s definition of 'endorsement' — and presumably did not structure the arrangements accordingly," Matthew Shepard, director at ACA Group, said in an email.
"It is not clear if this was because they did not understand the definition, its applicability to the arrangement in question, or what the third party was actually doing for them. However, the applicability of the Marketing Rule to third-party marketers is not obvious or intuitive, and ACA has seen the industry experience difficulties in this regard."
The risk alert "does not expressly address the compensated endorsements of third-party marketers, and we are still lacking important guidance in this area," Shepard added.
FINRA Forward, AML
Valerie Mirko, leader of Armstrong Teasdale’s Securities Regulation and Litigation practice area, said she expects both the SEC and the Financial Industry Regulatory Authority "to focus on retail investor harm" in 2026, which will also "impact how both regulators approach examinations."
As to rulemaking, Mirko notes that digital assets and crypto will be first on the SEC's agenda in 2026, while FINRA will push ahead with FINRA Forward, the broker-dealer regulator's effort, launched in late April, to modernize its rulebook. FINRA said earlier this year it was opening its rulebook as part of its three-pronged FINRA Forward initiative.
With its Regulatory Oversight report released on Dec. 9, FINRA is "leaning into" FINRA Forward to "enhance support for member firm compliance programs," Mirko said.
Similar to the SEC’s exam priorities, the Regulatory Oversight report "focuses on fraud and bad actors," Mirko pointed out. "Specifically, the tone has shifted from solely firms’ compliance programs to more one of a tone where FINRA and industry have common enemies and need to be protecting retail investors from fraud and bad actors, ensuring that recommendations are suitable and that firms are continuously monitoring the effectiveness of their supervision programs.
"Also notably, FINRA highlights the importance of close coordination between cybersecurity and AML programs to combat sophisticated, fraudulent schemes," Mirko pointed out. This focus aligns with the SEC's recent announcement that "AML due diligence and reporting obligations apply to omnibus relationships with foreign financial institutions."
The AML section of the FINRA report "has greater granularity in the past, indicating FINRA’s current focus on compliance in this area," Mirko added.
The Treasury Department's Financial Crimes Enforcement Network, or FinCEN, postponed the effective date for its anti-money laundering rule for investment advisors to Jan. 1, 2028.
"But the new Customer Identification Protection rule is still sitting on the SEC’s regulatory agenda as a proposed rule," Lynch pointed out. "This indicates that there will most likely be movement on the AML rule to include revisions. Expect another AML sweep if the SEC believes it needs more data to finalize the rule."
Generative AI, meanwhile, "is the sole new dedicated topic for 2026" in FINRA's Regulatory Oversight report.
FINRA "discusses the emerging trends of GenAI in terms of risks, use cases and the importance of controls," Mirko said. "I am not surprised that FINRA notes that firms need to develop a supervisory process before developing and implementing AI into their business and operations, as that is what we have been counseling."
Further, "an additional FINRA report takeaway is that a supervisory process needs alongside it appropriate governance controls that will help monitor and manage the unique risks associated with this technology," Mirko added.