Translating SEC Exam Priorities into Action:

How Compliance Leaders Will Refocus Their Programs in 2026

Author:

Victoria Olson DeLucia, CRCP®
Director of Institutional Engagement at Confluence

Going forward into 2026, the compliance landscape will be shaped less by brand-new rules and more by heightened expectations around program effectiveness, governance, and execution. The SEC’s 2026 Examination Priorities reinforce a familiar message: core obligations haven’t changed, but scrutiny has intensified. Fiduciary duty, disclosures, cybersecurity, and operational resilience remain front and center, with regulators increasingly focused on how well compliance programs scale with business complexity and risk.

Confluence’s recent webinar, Prioritizing the Priorities: Strategic Compliance Planning for 2026, addressed the key themes of the Exam Priorities, especially those pertaining to investment advisers, and offered practical insights for aligning resources with the regulator’s core focus areas.

The SEC’s priorities: A forward-looking roadmap

The SEC’s annual Examination Priorities provide transparency into the business activities the regulator believes present the greatest risks to investors and the markets. They serve as a practical guide for firms to anticipate exam focus areas, assess the effectiveness of their compliance programs, and allocate resources where scrutiny is most likely. Priorities evolve every year, but are grounded in recurring examination findings as well as emerging risk trends. For advisers, the opportunity lies in using them strategically: aligning compliance resources with the firm’s business model, growth strategies, and client risk profiles.

Fiduciary duty and disclosure still anchor exams

At the core of the SEC’s 2026 Examination Priorities is a renewed emphasis on fiduciary duty and the quality of disclosures that support it. Examiners continue to view fiduciary duty as an active, ongoing obligation—one that requires advisers to place client interests first, not just in theory, but in day-to-day decision-making. As discussed during the webinar, it’s not enough to simply identify and disclose conflicts of interest—firms must assess whether those conflicts can be eliminated or mitigated before turning to disclosure.

The SEC is less interested in the volume of disclosure and more focused on whether firms can demonstrate thoughtful conflict management, clear communication, and decision-making that is demonstrably grounded in the client’s best interest. The SEC will evaluate whether disclosures are full, fair, and accurate, and whether they clearly explain how the firm actually operates. This includes scrutiny of fee arrangements, compensation structures, product selection, allocation practices, and the use of affiliated service providers. Boilerplate language or overly technical descriptions that obscure material facts are increasingly viewed as inconsistent with fiduciary expectations.

As firms expand into private funds, alternatives, and more complex or illiquid strategies, the disclosure burden intensifies. Examiners are paying close attention to whether disclosures meaningfully align with client objectives, sophistication, and risk tolerance—particularly for retail or vulnerable clients. The same applies during periods of heightened market volatility, emphasizing that investment risks, liquidity constraints, and valuation practices must be clearly communicated and consistently applied.

Complex products demand stronger guardrails

Private funds, private credit, and other complex or illiquid strategies continue to draw regulatory attention, especially when retail or less sophisticated investors are involved. Valuation practices, fee transparency, conflicts of interest, and suitability analysis are critical control points.

Compliance programs must evolve alongside product complexity. Firms offering or expanding into complex strategies are expected to demonstrate robust oversight, independent testing, and clear documentation that supports decision-making across the product lifecycle—from onboarding and disclosures to ongoing monitoring and allocation practices. The SEC’s message is that complex products demand stronger guardrails, and firms that cannot clearly articulate how their controls scale with complexity may endure prolonged, painful examinations.

Governance and program maturity are under the microscope

The SEC’s 2026 Examination Priorities place a strong emphasis on governance and the overall maturity of compliance programs, including a substantive evaluation of how programs operate in practice. Examiners are focused on whether firms have appropriately resourced compliance functions, clear lines of responsibility, and meaningful senior management oversight. Annual reviews, risk assessments, and testing are expected to be tailored to the firm’s actual business, reflecting growth, product complexity, and evolving risk rather than relying on static or generic frameworks.

Compliance programs must be living, integrated systems rather than static policy binders on a shelf. Program maturity is demonstrated through execution—how effectively policies are embedded into day-to-day operations, how issues are escalated and resolved, and how governance structures support a culture of accountability and continuous improvement.

Cybersecurity, vendor oversight, and operational resilience

Information security and operational resilience featured prominently in the SEC’s priority list, particularly in light of recent updates to Regulation S-P (Privacy of Consumer Financial Information) and growing reliance on third-party vendors. Prominent areas of regulatory focus are incident response planning, access controls, and vendor oversight—including the ability to demonstrate reasonable efforts to protect client data and respond quickly to breaches. These requirements reinforce the need for strong cross-functional coordination between compliance, operations, IT, and vendor management teams.

Emergent technology and AI governance

The use of emergent technologies, including AI-driven tools, is now firmly within the SEC’s examination scope. Regulators are taking a closer look at how these technologies are governed, supervised, and integrated into investment decision-making, portfolio management, and marketing. Firms are expected to document how these technologies are used, how outputs are reviewed, and how risks such as bias, model drift, and data quality issues are identified and controlled.

The SEC makes it clear that fiduciary duty does not diminish in automated environments. Effective AI governance is imperative, requiring robust policies, testing, escalation protocols, human oversight, and, of course, disclosure.

Identity theft protection and AML as foundational controls

While certain anti-money laundering (AML) rulemaking for advisers has been rescinded, core financial crime controls remain foundational. Examiners continue to expect firms to maintain effective programs around customer identification, sanctions screening, and ongoing customer due diligence.

Regulation S-ID remains a key area of attention, with examiners assessing how firms identify, prevent, and respond to identity theft risks. This includes oversight of account opening and maintenance, authentication controls, red flag identification, and coordination with third-party service providers. Identity theft protection programs must be actively maintained, tested, and aligned with the firm’s client base and operational realities.

Turning priorities into strategy

One of the most important takeaways from our webinar is also the simplest: 2026 is about execution, not just awareness. Regulators are looking for thoughtful oversight, proactive risk management, and transparency at every level. Firms that align compliance with business strategy, document their policies and controls, and demonstrate accountability will not only be exam-ready—they’ll be building long-term resilience. Your focus now is to translate these priorities into action, embed them in your culture, and continuously refine your program to meet the evolving expectations of both clients and regulators.

Watch the Replay

For practical guidance on navigating the SEC’s 2026 examination priorities and strengthening exam readiness, watch our recent webinar, Prioritizing the Priorities: Strategic Compliance Planning for 2026, on demand.

Is your compliance team swimming upstream? Confluence® Technologies can help.

At Confluence, we understand that compliance isn’t just about checking boxes—it’s about building resilient, scalable programs that adapt to regulatory uncertainty. To learn more about Confluence Compliance Services – and to “make our experts your experts” – contact us.

Disclaimer

The content provided by Confluence® Technologies, Inc. is for general informational purposes only and does not constitute legal, regulatory, financial, investment, or other professional advice. It should not be relied upon as a substitute for specific advice tailored to particular circumstances. Recipients should seek guidance from appropriately qualified professionals before making any decisions based on this content.

Unless otherwise stated, Confluence Technologies, Inc. (or the relevant group entity) owns the copyright and all related intellectual property rights in this material, including but not limited to database rights, trademarks, registered trademarks, service marks, and logos.

No part of this content may be adapted, modified, reproduced, republished, uploaded, posted, broadcast, or transmitted to third parties for commercial purposes without prior written consent.

About Confluence® Technologies

Confluence is a global leader in enterprise data and software solutions for regulatory, analytics, and investor communications. Our best-of-breed solutions make it easy and fast to create, share, and operationalize mission-critical reporting and actionable insights essential to the investment management industry. Trusted for over 30 years by the largest asset service providers, asset managers, asset owners, and investment consultants worldwide, our global team of regulatory and analytics experts delivers forward-looking innovations and market-leading solutions, adding efficiency, speed, and accuracy to everything we do. Headquartered in Pittsburgh, PA, with 700+ employees across North America, the United Kingdom, Europe, South Africa, and Australia, Confluence services over 1,000 clients in more than 40 countries.

For more information, visit confluence.com