Preparing for an SEC Exam and 2026 Exam Priorities
Guest Expert: Michelle Atlas-Quinn, J.D., AdvisorLaw


Discussions & Comments

missy@financialexpertsnetwork.com, Fri, 06/26/2026 - 13:57
A few comments from listeners when they were asked what they learned from the webinar:

So many!!! Compliance is key and no joke when it comes to the SEC! Thank you for such a thorough webinar.
- Judy C.

Some really good insight to AUM fees, client agreements and client communications. Michelle is always great and makes the topics interesting.
- Jonathan L.

I need to step up my compliance game. I got a nice list to focus on.
- Mark W.

Avoid any activity that is not essential, if it requires compliance work. Keep things as lean, simple as possible.
Document everything, or weekly/daily note all activities.
Hire Michelle.
Ensure archives are including texts.
Check on AI notetakers and all 3rd party applications with PII to ensure data security.
- David T.

Preparing for an SEC Exam and 2026 Examination Priorities

Presented by Michelle Atlas Quinn, Esq.


1. Fact-Checked Executive Summary / Overview

For many registered investment advisers (RIAs), few regulatory events generate more anxiety than an SEC examination. Yet, as securities attorney Michelle Atlas Quinn explained throughout this session, firms that understand the SEC's examination process, maintain strong compliance cultures, and proactively address potential weaknesses often experience significantly smoother examinations.

Rather than viewing examinations as punitive events, advisors should recognize that the SEC's Office of Compliance Inspections and Examinations (now the Division of Examinations) is primarily responsible for assessing whether firms are meeting their fiduciary obligations, safeguarding client assets, maintaining accurate disclosures, and operating effective compliance programs. While enforcement actions may arise from serious deficiencies, most examinations are designed to identify risks, encourage corrective action, and improve investor protection.

The session provided advisors with a practical roadmap for understanding how examinations are initiated, what examiners commonly review, and why documentation frequently matters as much as the underlying compliance activity itself. Michelle Atlas Quinn also reviewed the SEC's emerging examination priorities for 2026, highlighting cybersecurity, Regulation S-P, artificial intelligence, anti-money laundering requirements, fee transparency, marketing practices, custody issues, and fiduciary oversight.

One recurring theme throughout the webinar was that regulators generally expect firms to demonstrate—not simply claim—that compliance policies are operating effectively. Written policies alone are insufficient. Firms should be able to produce evidence of testing, ongoing monitoring, employee training, supervisory reviews, vendor oversight, and corrective actions.

Another key takeaway was the importance of maintaining a principles-based approach to compliance. Because many provisions of the Investment Advisers Act rely upon fiduciary principles rather than detailed prescriptive rules, advisors must continually evaluate whether their practices remain aligned with their fiduciary duty of care and loyalty rather than simply asking whether a specific action is technically permissible.

Ultimately, Michelle emphasized that firms with organized records, clear disclosures, thoughtful documentation, and an active compliance culture generally place themselves in the strongest position during SEC examinations.


2. Understanding the SEC Examination Process

One of the webinar's foundational topics involved helping advisors better understand what an SEC examination actually is—and what it is not.

Many advisors understandably associate the SEC with enforcement actions and penalties. Michelle clarified that the SEC's Division of Examinations serves a different role. Its primary objective is to evaluate whether registered investment advisers are operating in compliance with federal securities laws and fulfilling their fiduciary obligations to clients.

Why the SEC Conducts Examinations

The SEC conducts examinations to:

  • Protect investors.
  • Promote market integrity.
  • Identify emerging industry risks.
  • Evaluate firm compliance programs.
  • Assess whether disclosures accurately reflect actual business practices.
  • Identify trends that may warrant future rulemaking or enforcement initiatives.

The SEC also uses examination findings to improve regulatory guidance across the advisory industry.

Examination Selection

Michelle explained that firms may be selected for examination for numerous reasons, including:

  • Routine examination cycles.
  • Newly registered adviser examinations.
  • Risk-based examinations.
  • Thematic examinations focused on specific regulatory initiatives.
  • Customer complaints.
  • Referrals from other regulators.
  • Significant growth in assets under management.
  • Marketing activity or unusual business models.

Selection for examination should not automatically be interpreted as evidence that regulators suspect wrongdoing.

Examination Timeline

The webinar noted that SEC examinations vary considerably in length.

Examples discussed included:

  • Approximately three-month examinations.
  • Five-month examinations.
  • Examinations lasting more than one year for larger or more complex firms.

The duration frequently depends upon:

  • Firm size.
  • Business complexity.
  • Number of deficiencies identified.
  • Responsiveness to document requests.
  • Complexity of investment products.
  • Multi-office operations.

Michelle shared examples of firms that completed examinations with no deficiencies, while others required lengthy follow-up reviews despite ultimately avoiding enforcement actions.

Practical Advisor Takeaway

Firms should view examinations as an ongoing process rather than a single event.

Preparing for an SEC examination begins long before an examination notice arrives.


3. Fiduciary Duty: The Foundation of SEC Oversight

Throughout the presentation, Michelle repeatedly returned to one overarching principle:

Every SEC examination ultimately centers on fiduciary duty.

Although examinations evaluate numerous technical compliance areas, nearly every issue relates back to whether the adviser acted in the client's best interest.

Duty of Care

The fiduciary duty of care requires advisers to:

  • Provide advice based on a reasonable understanding of the client's circumstances.
  • Conduct appropriate due diligence.
  • Monitor investments when ongoing monitoring has been promised.
  • Seek best execution.
  • Recommend suitable strategies based upon the client's objectives.

Advisor Implications

The SEC expects advisers to understand:

  • Client financial circumstances.
  • Investment objectives.
  • Risk tolerance.
  • Liquidity needs.
  • Tax considerations.
  • Time horizon.

Recommendations should reflect individualized analysis rather than standardized solutions.

Duty of Loyalty

The fiduciary duty of loyalty requires advisers to:

  • Place client interests ahead of their own.
  • Avoid or mitigate conflicts whenever possible.
  • Fully disclose material conflicts.
  • Obtain informed client consent where appropriate.

Michelle emphasized that disclosure alone does not automatically cure every conflict.

Rather, firms should first determine whether conflicts can be eliminated before relying solely upon disclosure.

Fiduciary Duty Is Ongoing

Unlike many transactional regulations, fiduciary duty is continuous.

Advisors should regularly evaluate whether:

  • Fee structures remain appropriate.
  • Investment recommendations remain suitable.
  • Disclosures remain accurate.
  • Client circumstances have changed.
  • Conflicts have evolved over time.

4. 2026 SEC Examination Priorities

Michelle reviewed numerous areas expected to receive heightened regulatory attention during 2026 examinations.

Although examination priorities evolve annually, several recurring themes continue to dominate SEC oversight.


Cybersecurity

Cybersecurity remains one of the SEC's highest priorities.

Polling conducted during the webinar showed that nearly half of attendees identified cybersecurity as their greatest compliance concern.

Michelle emphasized that cybersecurity extends far beyond firewalls and antivirus software.

Examiners increasingly review:

  • Written cybersecurity policies.
  • Employee training.
  • Incident response procedures.
  • Vendor due diligence.
  • Multi-factor authentication.
  • Password management.
  • Data encryption.
  • Business continuity planning.

Practical Considerations

Firms should periodically test:

  • Backup systems.
  • Disaster recovery plans.
  • Vendor security controls.
  • Remote access procedures.

Cybersecurity should be viewed as an ongoing governance issue rather than an annual checklist exercise.


Regulation S-P

Michelle discussed the SEC's continued focus on Regulation S-P, particularly in light of recent amendments designed to strengthen customer information protections.

Areas likely to receive examination attention include:

  • Customer privacy notices.
  • Information safeguarding procedures.
  • Incident response planning.
  • Vendor oversight.
  • Data breach response.
  • Consumer notification procedures.

The expectation is that firms maintain written procedures reasonably designed to protect client information throughout its lifecycle.


Artificial Intelligence

The SEC continues increasing its focus on artificial intelligence.

Michelle emphasized that advisers may certainly use AI tools.

However, firms remain responsible for:

  • Supervising AI-generated work.
  • Protecting confidential information.
  • Avoiding misleading marketing.
  • Maintaining required books and records.
  • Ensuring human oversight.

AI should enhance—not replace—professional judgment.


Anti-Money Laundering

Although AML requirements for advisers continue evolving, Michelle encouraged firms to prepare for expanded expectations regarding:

  • Customer due diligence.
  • Suspicious activity identification.
  • Beneficial ownership.
  • Internal controls.
  • Employee training.
  • Record retention.

Even where formal AML rules are still developing, strong internal procedures demonstrate proactive risk management.


Emerging Technologies

Beyond AI, examiners increasingly evaluate firms' use of:

  • Cloud providers.
  • Third-party software.
  • Digital communication platforms.
  • Client portals.
  • Electronic signatures.
  • Technology vendors.

Vendor due diligence has become an important component of modern compliance programs.


5. Marketing Rule, Form ADV, Form CRS, and Disclosure Best Practices

Michelle devoted considerable attention to disclosure obligations because inaccurate or incomplete disclosures remain among the most common examination findings.

Marketing Rule Compliance

The SEC's Marketing Rule continues receiving significant examination attention.

Advisors should carefully review:

  • Website content.
  • Social media.
  • Podcasts.
  • Educational presentations.
  • Testimonials.
  • Endorsements.
  • Performance advertising.
  • Third-party rankings.

Marketing materials should be reviewed regularly to ensure continued compliance.

Website Reviews

Michelle specifically encouraged firms to review their websites periodically.

Common issues include:

  • Outdated biographies.
  • Incorrect disclosures.
  • Inaccurate fee descriptions.
  • Missing disclosures.
  • Performance claims lacking required context.

Marketing materials should accurately reflect current business practices.


Form ADV

Form ADV remains one of the SEC's primary examination documents.

Michelle reminded attendees that regulators frequently compare:

  • ADV disclosures.
  • Compliance manuals.
  • Client agreements.
  • Website language.
  • Actual business practices.

Inconsistencies between these documents often generate additional examination questions.

Best Practices

Review Form ADV regularly for:

  • Fee schedules.
  • Services offered.
  • Disciplinary disclosures.
  • Conflicts of interest.
  • Outside business activities.
  • Custody disclosures.

Updates should occur promptly whenever material changes arise.


Form CRS

Michelle emphasized that Form CRS should be:

  • Accurate.
  • Complete.
  • Written in plain English.
  • Consistent with other disclosures.

The SEC continues placing significant emphasis on investor-friendly communication.

Technical accuracy alone is insufficient if average retail investors cannot reasonably understand the document.


Fee Disclosure

Fee transparency remains one of the SEC's most common examination topics.

Michelle discussed examples involving:

  • Advisory fees.
  • Planning fees.
  • Wrap fees.
  • Third-party manager fees.
  • Performance-based fees.
  • Family discounts.

The SEC generally expects:

  • Clear explanations.
  • Consistent billing practices.
  • Appropriate documentation.
  • Reasonable fee structures.

When clients pay different fees for similar services, firms should maintain documentation explaining the rationale.


Best Execution

The duty of best execution extends beyond simply selecting the lowest commission.

Advisers should periodically evaluate:

  • Execution quality.
  • Custodian services.
  • Trading practices.
  • Overall value provided.

Best execution reviews should be documented rather than assumed.


Documentation Is Critical

Perhaps the most consistent advice throughout the first half of the webinar was simple:

If it isn't documented, regulators may assume it didn't happen.

Documentation should support:

  • Compliance reviews.
  • Annual testing.
  • Employee training.
  • Vendor oversight.
  • Best execution reviews.
  • Cybersecurity testing.
  • Disclosure reviews.
  • Marketing approvals.
  • Fee analyses.

Strong documentation frequently becomes one of the firm's best defenses during examinations.

6. Custody Rules, Standing Letters of Authorization (SLOAs), and Conflicts of Interest

Among the most technically challenging areas discussed during the webinar was the SEC Custody Rule. Michelle Atlas Quinn noted that custody remains one of the most misunderstood—and frequently examined—areas of investment adviser regulation because firms may inadvertently trigger custody without realizing it.

Understanding Custody Under the Advisers Act

Under Rule 206(4)-2 of the Investment Advisers Act of 1940, an adviser is generally considered to have custody if it holds, directly or indirectly, client funds or securities, or has any authority to obtain possession of those assets.

While many advisors assume custody applies only when they physically hold client funds, the rule is much broader.

Examples of situations that may create custody include:

  • Serving as trustee for a client's trust.
  • Acting as executor of a client's estate.
  • Holding client passwords or login credentials.
  • Having authority to withdraw advisory fees without appropriate safeguards.
  • Certain standing transfer instructions.
  • Having authority over client bank accounts beyond authorized advisory activities.

Michelle emphasized that many custody deficiencies arise unintentionally rather than through misconduct.

Advisor Takeaways

  • Review every role advisors serve for clients, including fiduciary appointments.
  • Understand whether outside business activities could create custody.
  • Review custody implications whenever firm services expand.

Standing Letters of Authorization (SLOAs)

Standing Letters of Authorization received considerable attention during both the presentation and Q&A.

Many clients appreciate the convenience of recurring transfers to outside accounts, but these arrangements must satisfy specific regulatory safeguards.

Michelle explained that firms should verify that:

  • Transfer instructions are properly documented.
  • Clients provide written authorization.
  • Destination accounts are appropriately identified.
  • Changes to instructions require client approval.
  • Custodians maintain appropriate verification procedures.

Common Mistakes

Examples discussed included:

  • Third-party transfers without proper authorization.
  • Outdated transfer instructions.
  • Missing documentation.
  • Failure to monitor standing instructions.

These seemingly administrative issues often become examination findings because they directly affect the safeguarding of client assets.


Safeguarding Client Assets

Michelle repeatedly reminded advisors that safeguarding client assets extends beyond compliance with the technical custody rule.

The SEC increasingly evaluates whether firms maintain appropriate operational controls designed to reduce fraud, theft, or unauthorized transactions.

Examples include:

  • Separation of duties.
  • Secure authorization procedures.
  • Verification of wire requests.
  • Internal approval processes.
  • Independent reconciliation procedures.

Strong operational controls demonstrate an effective compliance culture.


Conflicts of Interest

Another major examination priority involves identifying, managing, and disclosing conflicts of interest.

Michelle emphasized that conflicts exist in virtually every advisory practice. The objective is not necessarily to eliminate every conflict but to identify them, evaluate them, disclose material conflicts appropriately, and mitigate them whenever possible.

Examples discussed included:

  • Compensation arrangements.
  • Revenue sharing.
  • Outside business activities.
  • Proprietary products.
  • Referrals.
  • Family relationships.
  • Personal trading.
  • Gifts and entertainment.

Gifts

During the Q&A, Michelle addressed questions regarding gifts from clients and family friends.

Her guidance emphasized:

  • Follow firm policies.
  • Document approvals.
  • Obtain supervisory review when required.
  • Maintain consistency.

Even well-intentioned gifts can create regulatory concerns if documentation is inadequate.


Third-Party Managers

Many advisory firms utilize third-party money managers.

Michelle emphasized that delegating portfolio management does not eliminate the adviser's fiduciary responsibilities.

Advisors should continue to perform:

  • Initial due diligence.
  • Ongoing monitoring.
  • Performance reviews.
  • Risk evaluations.
  • Periodic reassessment.

If circumstances change materially, advisers should evaluate whether continued use remains appropriate.

Documentation of monitoring activities is essential.


7. Cybersecurity, Regulation S-P, Regulation S-ID, Artificial Intelligence, and Compliance Technology

Technology-related risks continue expanding rapidly, and Michelle noted that cybersecurity remains one of the SEC's most significant examination priorities.

Polling conducted during the webinar showed cybersecurity ranked among attendees' top compliance concerns.


Cybersecurity Is an Enterprise Risk

Michelle stressed that cybersecurity should not be viewed solely as an IT issue.

Instead, it affects:

  • Client confidentiality.
  • Fiduciary duty.
  • Business continuity.
  • Vendor management.
  • Regulatory compliance.
  • Reputation.

Examiners increasingly expect firms to demonstrate active governance over cybersecurity programs.


Cybersecurity Best Practices

Examples discussed included:

  • Multi-factor authentication.
  • Strong password management.
  • Vendor due diligence.
  • Employee phishing training.
  • Secure remote access.
  • Encryption.
  • Incident response plans.
  • Business continuity testing.

Regular testing is often as important as written policies.


Regulation S-P

Michelle discussed the SEC's expanded expectations surrounding Regulation S-P.

Firms should ensure they maintain procedures designed to:

  • Protect client information.
  • Respond to security incidents.
  • Oversee vendors.
  • Notify affected parties when appropriate.
  • Limit unauthorized disclosures.

Policies should reflect actual business practices and evolving cybersecurity threats.


Regulation S-ID (Identity Theft Red Flags)

Regulation S-ID requires many firms to maintain identity theft prevention programs.

Michelle highlighted the importance of:

  • Monitoring suspicious account activity.
  • Verifying identity.
  • Responding appropriately to red flags.
  • Training employees.
  • Updating programs periodically.

Identity theft prevention should become part of ongoing compliance reviews rather than a standalone annual exercise.


Artificial Intelligence

Artificial intelligence generated significant discussion.

Michelle acknowledged that AI tools may improve efficiency but cautioned advisers against assuming technology eliminates professional responsibility.

Advisors remain responsible for:

  • Accuracy.
  • Confidentiality.
  • Supervisory review.
  • Record retention.
  • Marketing compliance.
  • Client communications.

AI-generated content should always receive human review before being provided to clients.


Vendor Due Diligence

The SEC increasingly evaluates third-party vendor oversight.

Examples include:

  • CRM providers.
  • Cloud storage companies.
  • Financial planning software.
  • AI vendors.
  • Portfolio management platforms.
  • Email providers.

Advisors should understand:

  • Security controls.
  • Contract provisions.
  • Data storage practices.
  • Incident response capabilities.

Vendor oversight should be documented.


8. Anti-Money Laundering, Best Execution, Advisory Fees, Books and Records, and Preparing for an SEC Exam


Anti-Money Laundering

Michelle encouraged firms to prepare for expanding AML expectations.

Although advisers have historically operated under different AML requirements than broker-dealers, regulatory developments continue moving toward enhanced AML oversight.

Recommended procedures include:

  • Customer identification.
  • Beneficial ownership review.
  • Suspicious activity escalation.
  • Internal reporting procedures.
  • Employee education.
  • Ongoing monitoring.

Best Execution

Best execution extends well beyond commission costs.

Michelle encouraged advisers to periodically evaluate:

  • Execution quality.
  • Custodian services.
  • Research capabilities.
  • Trading efficiency.
  • Overall client value.

Best execution reviews should occur regularly and be documented.


Advisory Fee Reviews

Fee reviews generated numerous audience questions.

Michelle explained that regulators generally focus on whether fees are:

  • Fully disclosed.
  • Reasonable.
  • Consistently applied.
  • Appropriate for services provided.

She discussed examples involving:

  • Ultra-high-net-worth clients.
  • Different fee schedules.
  • Planning plus AUM fees.
  • Third-party manager arrangements.

Where different clients receive different pricing, firms should document the business rationale.


Excessive Fees

Michelle cautioned that regulators evaluate fees within the context of fiduciary duty.

Rather than relying upon a specific numerical threshold, firms should consider:

  • Services provided.
  • Client complexity.
  • Ongoing monitoring.
  • Planning work.
  • Client expectations.

Documentation supporting fee structures becomes increasingly important.


Books and Records

Books and records requirements surfaced repeatedly throughout the webinar.

Michelle advised firms to maintain organized documentation for:

  • Client communications.
  • Trading records.
  • Compliance testing.
  • Policies.
  • Marketing approvals.
  • Cybersecurity reviews.
  • Vendor due diligence.
  • Annual reviews.

Strong recordkeeping significantly improves examination readiness.


Preparing for an SEC Examination

Michelle offered several practical recommendations.

Before the Examination

  • Review compliance manuals.
  • Confirm policies reflect actual practices.
  • Conduct annual compliance testing.
  • Update disclosures.
  • Review marketing materials.
  • Verify cybersecurity procedures.
  • Confirm books and records.

During the Examination

  • Respond promptly.
  • Answer questions directly.
  • Ask for clarification when necessary.
  • Avoid speculation.
  • Maintain organized document production logs.
  • Keep copies of everything provided.

Michelle emphasized that being cooperative does not mean volunteering unnecessary information.

Rather, advisers should provide complete, accurate, and responsive answers.


9. Practical Advisor Takeaways

Michelle concluded the session with numerous practical observations that can help firms strengthen compliance long before receiving an SEC examination notice.

Immediate Action Items

  • Review your compliance manual annually.
  • Confirm employees understand compliance procedures.
  • Update Form ADV promptly after material changes.
  • Review Form CRS for plain-English accuracy.
  • Conduct periodic website reviews.
  • Evaluate cybersecurity controls.
  • Review vendor due diligence documentation.
  • Test business continuity plans.
  • Review custody implications for every advisory service.
  • Evaluate standing letters of authorization.
  • Document best execution reviews.
  • Monitor advisory fees for consistency and reasonableness.
  • Archive text messages and electronic communications.
  • Review books and records procedures.
  • Conduct annual compliance testing and document findings.
  • Treat documentation as a continual process rather than an annual project.

Perhaps Michelle's most important advice was that firms should strive to build compliance into daily operations rather than preparing only when an examination is announced.

A well-designed compliance program should become part of the firm's culture.


10. External Reference Sources

Primary Regulatory Sources

U.S. Securities and Exchange Commission – Division of Examinations
https://www.sec.gov/exams

U.S. Securities and Exchange Commission – Investment Advisers Act of 1940
https://www.sec.gov/about/laws/iaa40.pdf

SEC Investment Adviser Marketing Rule (Rule 206(4)-1)
https://www.sec.gov/rules/final/2020/ia-5653.pdf

SEC Custody Rule (Rule 206(4)-2)
https://www.ecfr.gov/current/title-17/chapter-II/part-275

SEC Form ADV Instructions
https://www.sec.gov/about/forms/formadv-instructions.pdf

SEC Form CRS Information
https://www.sec.gov/investment/form-crs-relationship-summary

SEC Regulation S-P
https://www.sec.gov/rules/final/2000/34-42974.htm

SEC Regulation S-ID (Identity Theft Red Flags Rule)
https://www.ecfr.gov/current/title-17/part-248

SEC Cybersecurity Risk Alerts
https://www.sec.gov/exams

SEC Safeguarding Client Assets Proposal
https://www.sec.gov/rules/proposed/2023/ia-6240.pdf

Investment Adviser Fiduciary Duty Interpretation
https://www.sec.gov/rules/interp/2019/ia-5248.pdf

FINRA Cybersecurity Resources
https://www.finra.org/rules-guidance/key-topics/cybersecurity

National Institute of Standards and Technology (NIST) Cybersecurity Framework
https://www.nist.gov/cyberframework

Financial Crimes Enforcement Network (FinCEN)
https://www.fincen.gov

CFP Board Code of Ethics and Standards of Conduct
https://www.cfp.net/ethics/code-of-ethics-and-standards-of-conduct


Overall Advisor Takeaway

The strongest firms are not necessarily those with the longest compliance manuals—they are the firms that can demonstrate thoughtful implementation, ongoing monitoring, clear documentation, and a culture of fiduciary responsibility.

Michelle Atlas Quinn's central message was consistent throughout the presentation:

Compliance is not a one-time project or a document on a shelf. It is an ongoing process of protecting clients, documenting decisions, improving procedures, and continuously demonstrating that the firm's practices align with its fiduciary obligations.