The Compliance Platform Imperative: Why Investment Managers Can’t Afford to Wing It

Janice Kioko - Managing Director US

The regulatory environment facing US investment managers in 2026 is not simpler than it was five years ago. It is not friendlier. It is, if anything, more technically demanding, once again underlining the value of a dynamic and integrated system of compliance. Firms that prioritize compliance controls as an operational capability can gain an important strategic asset, while those that do not are running a genuine business risk.

A More Targeted Regulator Is Still a Vigilant One

The arrival of Chair Paul Atkins at the SEC has prompted some in the industry to exhale. That framing deserves scrutiny. Under the new leadership, examination and enforcement resources are being redirected toward fraud and concrete investor harm, though practitioners are wise to note that smaller average fines do not signal a lighter touch across the board. Under Chair Atkins, the SEC’s Division of Examinations continues to prioritize retail investor protection, RIAs’ fiduciary obligations, and the effectiveness of RIAs’ compliance programs.[1] The instrument of scrutiny may be sharper and more focused — but it has not been put away.

What Examiners Are Actually Looking For

The SEC’s Division of Examinations released its fiscal year 2026 priorities in November 2025, identifying areas it believes present heightened compliance and investor protection risks. The priorities apply to investment advisers, investment companies, broker-dealers, and other registrants.

The list is not abstract. The 2026 priorities highlight the core elements of RIA compliance programs, including Marketing, Valuation, Trading, Portfolio Management, Disclosure and Filings, and Custody.[2] Addressing conflicts of interest and documenting strong standards of conduct are crucial,[3] as are emerging risks like cybersecurity, due diligence, and compliance with the amended Regulation S-P. We can expect regulators to demand demonstrable proof that firms are keeping adequate records, doing compliance testing, and verifying the effectiveness of controls in all these areas.

On the technology front, examiners are looking closely at AI governance. The Division will evaluate whether firms’ actual AI usage matches their representations to clients and regulators.[4] Firms claiming to use AI for portfolio management must demonstrate that AI tools genuinely influence investment decisions rather than serve merely as supplemental research. This is a meaningful standard — and one that is difficult to satisfy without documented processes, audit trails, and a compliance platform capable of capturing them.

The Data Security Deadline Is Now

If any single regulatory development illustrates the case for a robust compliance platform, it is the amended Regulation S-P. The amendments update the privacy and data security rules originally adopted under the Gramm-Leach-Bliley Act[5] to require incident response planning and data breach notification for a range of financial firms, with large firms (over $1.5B AUM) required to comply from December 3, 2025, and smaller firms by June 3, 2026.[6]

The operational request is significant. Required documentation includes the firm’s incident-response program and any updates, risk assessments and evaluations of data security controls, incident logs detailing detected breaches, and vendor-oversight records. These records must be available on short notice for SEC examinations to evidence actual compliance;[7] having a policy is not enough. Policies stored in a shared drive and vendor contracts buried in email threads will not pass muster.

The CFTC Dimension

For managers with any exposure to commodity interests, the CFTC adds another layer. Entities relying on certain CPO exemptions or exclusions under CFTC Rule 4.13, and CTA exemptions under CFTC Rule 4.14, must complete an annual affirmation through the NFA’s Exemptions Filing System. Failure to affirm results in an automatic withdrawal of the exemption.[8] If a manager inadvertently misses the deadline, they can find themselves suddenly subject to full Part 4 requirements — an outcome that no technology system can retroactively cure, but that a well-managed compliance calendar absolutely prevents.

On a more constructive note, in December 2025 the CFTC issued a no-action letter permitting many private fund managers registered with the SEC to opt out of registering with the CFTC as commodity pool operators and commodity trading advisors, responding to longstanding goals to harmonize securities and commodities regulation and concerns about duplicative registration for managers offering pools exclusively to sophisticated investors.[9] Eligible firms should assess whether to rely on this relief — a determination that itself requires careful compliance analysis and diligent maintenance of the documentation that supports reliance on the no-action letter.

The Broader Regulatory Signal

Across the SEC, FINRA, and CFTC, several themes align: in 2026, firms will be expected to ensure that their compliance programs are demonstrably effective, not merely documented in policy.[10] Fragmented compliance approaches will increasingly be viewed as a source of risk rather than flexibility.

That sentence should be printed and placed above the desk of every CCO and their senior-level executives. “Demonstrably effective” is a platform problem as much as a people problem. Regulators are now examining whether systems exist to monitor, detect, escalate, and document, not merely whether policies have been written.

The Bottom Line

Investment managers who rely mainly on spreadsheets, digital or even manual checklists, and institutional memory to run their compliance function are not just inefficient — they are exposed. The regulatory environment of 2026 demands documented processes, real-time monitoring, audit-ready recordkeeping, and the ability to demonstrate that your actual practices match your stated policies. That is not a function of good intentions. It is a function of good infrastructure and better tools. Great regulatory technology is well adapted to those needs, including at Leo RegTech.

Leo is an end-to-end regulatory platform built specifically for financial services firms. It cleanly memorializes all stages of a firm’s compliance program and consolidates policies, procedures, monitoring, training, and governance into a single configurable platform, replacing fragmented tools and creating the kind of structured, audit-ready compliance environment that the US regulators are explicitly looking for. Please click https://leo.tech/us/ to get started with up-to-date controls, AI monitoring, due diligence, regulatory filings calendar, employee training, and more.

Some Regulatory Priorities & How Leo Addresses Them

| Regulatory Priority | Leo Solutions |
| --- | --- |
| SEC Examination Priorities — RIA Compliance Programs | Centralized compliance program infrastructure covering marketing, valuation, trading, and portfolio management; configurable monitoring workflows with full audit trail for SEC examination readiness. |
| Fiduciary Standards & Conflicts of Interest | Governance workflows with embedded conflicts tracking, conduct oversight, and documented standards of conduct — providing demonstrable evidence of fiduciary compliance. Compliance training documented. Resolution of conflicts and exceptions is also documented. |
| AI Governance & Technology Oversight | Documented AI usage policies, process capture, and audit trails that evidence whether AI tools genuinely influence firm decisions — satisfying the SEC’s “actual use” standard. |
| Regulation S-P — Data Security & Incident Response | Centralized incident response documentation, risk assessment records, vendor oversight logs, and breach incident tracking — all audit-ready for SEC examination on short notice. |
| CFTC / NFA — CPO & CTA Exemption Maintenance | Regulatory filings calendar with deadline alerts for NFA annual affirmations; documentation management to support ongoing reliance on CFTC no-action relief and Rule 4.13 / 4.14 exemptions. |
| Cybersecurity, Due Diligence & Vendor Oversight | Structured due diligence workflows, vendor contract and oversight records, and risk assessment tools consolidated in a single searchable platform — replacing fragmented email and shared drive approaches. |


References

[1] SEC Division of Examinations, “2026 Examination Priorities” (Nov. 17, 2025), https://www.sec.gov/about/reports-publications/2026-examination-priorities; full report: https://www.sec.gov/files/2026-exam-priorities.pdf

[2] SEC Division of Examinations, 2026 Examination Priorities, Section I.A (“Adherence to Fiduciary Standards of Conduct”) and Section I.B (“Effectiveness of Advisers’ Compliance Programs”), pp. 5-7.

[3] Investment Advisers Act of 1940, Rule 206(4)-7, 17 C.F.R. § 275.206(4)-7 (requiring registered investment advisers to adopt written policies and procedures reasonably designed to prevent violations of the Advisers Act, conduct annual reviews of compliance program adequacy and effectiveness, and designate a Chief Compliance Officer). See https://www.law.cornell.edu/cfr/text/17/275.206(4)-7

[4] SEC Division of Examinations, 2026 Examination Priorities, Section VII.B (“Emerging Financial Technology”), pp. 12-13. The Division will evaluate whether firms’ representations about AI use are consistent with their actual practices.

[5] SEC Press Release, “SEC Adopts Rule Amendments to Regulation S-P to Enhance Protection of Customer Information” (May 16, 2024), https://www.sec.gov/newsroom/press-releases/2024-58; Final Rule: Exchange Act Release No. 34-100155 (May 16, 2024), published in the Federal Register at 89 Fed. Reg. 47688 (June 3, 2024), https://www.federalregister.gov/documents/2024/06/03/2024-11116/regulation-s-p-privacy-of-consumer-financial-information-and-safeguarding-customer-information

[6] SEC, Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, Exchange Act Release No. 34-100155 (May 16, 2024), amending 17 C.F.R. §§ 248.1-248.100. The amendments update Regulation S-P, which was originally adopted in 2000 pursuant to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq. Compliance dates: 18 months (December 3, 2025) for larger entities (RIAs with $1.5B+ AUM); 24 months (June 3, 2026) for smaller entities. See SEC Small Entity Compliance Guide: https://www.sec.gov/files/rules/final/2024/regulation-s-p-small-entity-compliance-guide.pdf

[7] SEC Division of Examinations, 2026 Examination Priorities, Section VII.A.2 (“Regulation S-ID and Regulation S-P”), p. 12 (the Division will focus on firms’ policies and procedures, internal controls, oversight of third-party vendors, and governance with respect to the Reg S-P amendments).

[8] CFTC regulations require annual affirmation of CPO exemptions under 17 C.F.R. §§ 4.13(a)(1), (a)(2), (a)(3), and (a)(5), and CTA exemptions under 17 C.F.R. § 4.14(a)(8), within 60 days of calendar year-end through the NFA Exemptions Filing System. Failure to affirm results in automatic withdrawal. See NFA, Exemptions Filing System: https://www.nfa.futures.org/electronic-filing-systems/exemptions.html

[9] CFTC Market Participants Division, No-Action Letter No. 25-50 (Dec. 19, 2025) (providing interim no-action relief from CPO and CTA registration for SEC-registered investment advisers operating commodity pools offered solely to qualified eligible persons (QEPs), pending formal rulemaking to reinstate former CFTC Regulation 4.13(a)(4)). CFTC Press Release No. 9160-25: https://www.cftc.gov/PressRoom/PressReleases/9160-25; letter: https://www.cftc.gov/csl/25-50/download

[10] SEC Division of Examinations, 2026 Examination Priorities, Section VII.A.1 (“Cybersecurity”) and Section VII.B (“Emerging Financial Technology”), pp. 11-13; see also SEC, Cybersecurity: https://www.sec.gov/featured-topics/cybersecurity
