Alert
December 2, 2025

SEC Sheds Light on 2026 Priorities: Risk Areas and Key Insights for Broker-Dealers

On November 17, 2025, the U.S. Securities and Exchange Commission (SEC) Division of Examinations (the Division) released its examination priorities for fiscal year 2026. These are the first priorities released under the new SEC chair, Paul Atkins, and the industry has been keen for additional insight into the areas on which the SEC will focus its efforts under its new leadership. Developed in coordination with other SEC divisions and offices, the priorities take into account growing trends and market events and highlight areas that the Division identifies as having heightened risk to investors and capital markets. These priorities will be the Division’s 2026 areas of focus, though the Division will continue to review all areas under its mandate for compliance.

For broker-dealers specifically, the Division identifies three key priorities: financial responsibility, trading practices, and sales practices such as Regulation Best Interest (BI). These priorities are evergreen for broker-dealers, and they largely mirror the SEC’s 2025 examination priorities.

  • Financial Responsibility Rules: The Division will continue to review broker-dealers’ compliance with the financial responsibility rules (i.e., the net capital and customer protection rules), including the timeliness of required filings and management of operational resiliency programs. The SEC will assess “credit, market, and liquidity risk management controls” to ensure firms maintain sufficient liquidity during stress events, and it will assess firms’ supervision of third-party vendors and change management processes. The Division’s reviews will also focus on “cash sweep programs and prime brokerage activities,” particularly regarding “concentration, liquidity, and counterparty” risks.
  • Trading-Related Practices and Services: As markets continue to move in the direction of extended hours and 24/5 trading (long available for equities and now being offered for certain index options), the Division will review firms’ extended hours trading practices. Registrants can expect the SEC to focus on best execution, pricing and valuation of illiquid instruments, and disclosures related to order routing and execution under Regulation National Market System. The Division will also scrutinize alternative trading systems for compliance with confidentiality safeguards and alignment with their stated operations.
  • Retail Sales Practices and Regulation BI: The SEC will continue to prioritize broker-dealer sales practices, emphasizing compliance with Regulation BI. The Division will assess recommendations for products and strategies, such as account and rollover recommendations; practices for conflict identification and mitigation; and “processes for reviewing reasonably available alternatives.” As is typical in this review area, the SEC will give particular attention to recommendations involving older investors, limited product menus, and account types such as options, margins, and self-directed individual retirement accounts. The SEC will also pay close attention to dual registrants’ processes for identifying, mitigating, and eliminating conflicts of interest in relation to receipt of compensation, account allocation (e.g., when investors have more than one type of account), and account selection (e.g., brokerage versus advisory and wrap fee accounts).

The Division also identifies a handful of risk areas that impact market participants broadly: information security and operational resiliency (including cybersecurity, compliance with Regulation S-ID: Identity Theft Red Flags and Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information); emerging financial technology; Regulation Systems Compliance and Integrity (SCI); and anti-money laundering.

  • Cybersecurity: The Division’s focus on operational resiliency will continue to identify firm practices to “prevent interruptions to mission-critical services and to protect investor information, records, and assets,” with operational disruption risks remaining “elevated due to the proliferation of cybersecurity attacks, firms’ dispersed operations, weather-related events, and geopolitical concerns.” The Division’s focus on cybersecurity practices will give particular attention to “firms’ policies and procedures pertaining to governance practices, data loss prevention, access controls, account management, and responses and recovery to cyber-related incidents, including those related to ransomware attacks.” Firms should employ training and security controls to “identify and mitigate new risks associated with artificial intelligence (AI) and polymorphic malware attacks, including how they are operationalizing information from threat intelligence sources.” As most firms rely on third-party vendors to assist with cybersecurity, firms should prioritize robust vendor diligence and periodic reviews of third-party service providers in these areas. In connection with cybersecurity, the Division will review for compliance with Regulation SCI including a focus on “policies and procedures related to incident response and how SCI entities review the effectiveness of these policies and procedures” as well as “SCI entities’ management of third-party vendor risk and properly identifying vendor systems that qualify as SCI systems or indirect SCI systems.”
  • Regulations S-ID and S-P: The Division will also assess compliance with Regulations S-ID and S-P, focusing on “firms’ policies and procedures, internal controls, oversight of third-party vendors, and governance practices.” As a reminder, the SEC adopted amendments to Regulation S-P in 2024 with a phased implementation schedule. Larger entities (i.e., those with $1.5 billion or more in assets) must comply with the amendments by December 3, 2025. Smaller entities (i.e., those with less than $1.5 billion in assets under management) have a later deadline of June 3, 2026. SEC staff will monitor entities for implementation compliance, and firms should ensure that written policies are updated to address the new requirements by each firm’s applicable implementation deadline. Specifically, the Division will engage firms regarding “their progress in preparing incident response programs reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information,” and it “will examine whether firms have developed, implemented, and maintained policies and procedures in accordance with the rule’s new provisions that address administrative, technical, and physical safeguards for the protection of customer information.” Regarding Regulation S-ID, “the Division will focus on firms’ development and implementation of a written Identity Theft Prevention Program […] designed to detect, prevent, and mitigate identity theft in connection with covered accounts,” specifically assessing whether policies and procedures “are reasonably designed to identify and detect red flags, particularly during customer account takeovers and fraudulent transfers” and whether they “include firm training on identity theft prevention.”
  • Emerging Financial Technology: The SEC will remain “focused on registrants’ use of certain products and services, such as automated investment tools, AI technologies, and trading algorithms or platforms, and the risks associated with the use of emerging technologies and alternative sources of data,” with particular examination of “firms that engage in activities such as automated investment advisory services, recommendations, and related tools and methods.” Firms should ensure that (1) representations regarding these types of products and services “are fair and accurate; (2) operations and controls in place are consistent with disclosures made to investors; (3) algorithms lead to advice or recommendations consistent with investors’ investment profiles or stated strategies; and (4) controls to confirm that advice or recommendations resulting from automated tools are consistent with regulatory obligations to investors, including retail and older investors.”

    Firms should review their representations regarding AI capabilities to ensure such representations are accurate with respect to the capabilities provided. Firms should also assess the adequacy of their policies and procedures to monitor and supervise “their use of AI technologies, including for tasks related to fraud prevention and detection, back-office operations, anti-money laundering […], and trading functions, [if] applicable.” The SEC will also focus on firms’ “integration of regulatory technology to automate internal processes and optimize efficiencies.”
  • Regulation SCI: As part of the Division’s examination of SCI entities, reviews will continue to focus on policies and procedures related to properly identifying vendor systems that qualify as SCI systems, whether directly or indirectly, performing vendor diligence, managing vendor risk, and responding to SCI events (e.g., disruptions, compliance issues, or intrusions with SCI systems).
  • Anti-Money Laundering (AML): The Division will continue to focus on AML programs and review whether broker-dealers are “(1) appropriately tailoring and updating their AML program to their business model and associated AML risks, including accounting for risks associated with omnibus accounts maintained for foreign financial institutions; (2) adequately conducting independent testing; (3) establishing an adequate customer identification program, including for beneficial owners of legal entity customers; and (4) meeting their Suspicious Activity Report filing obligations” as well as monitoring the Office of Foreign Assets Control’s sanctions lists and ensuring compliance with such sanctions.

The industry has been paying close attention to clues to where and how the current SEC will focus its efforts. The 2026 examination priorities indicate that, for broker-dealers at least, perhaps not much is changing. Areas like cybersecurity, Regulation BI, trading and sales practices, and AML have been — and will remain — the basic blocking and tackling of broker-dealer compliance.

This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.