SEC releases fiscal year 2025 examination priorities

Emerging risk areas (such as AI), plus cybersecurity, crypto and AML in focus as we dig deep into the Examination Priorities document.

Information security and operational resiliency, emerging financial technologies, crypto assets, identity theft procedures and controls, and customer data safeguards have been flagged as focal areas for the next year by the SEC Examinations Division.

The Division has just released its Fiscal Year 2025 Examination Priorities document which, as ever, offers a roadmap to registered firms about the division’s priorities for examinations and outreach so firms can assess their preparedness accordingly.

Let’s dig in further.

Improving compliance programs

At the outset, the SEC says its emphasis on the effectiveness of compliance programs will continue through 2025 with its targeted outreach efforts, including its 12th Annual Compliance Outreach Program National Seminar for Investment Adviser and Investment Company Senior Officers scheduled for November.

And the Exam Division said it plans to conduct targeted outreach on the implementation of requirements in the SEC’s updates to Regulation S-P, the rule requiring written policies and procedures that address the administrative, technical, and physical safeguards needed for the protection of customer records and information.

The Division says it will tailor its review of investment adviser compliance programs to their business model, so if clients invest in illiquid or hard-to-value assets (like commercial real estate), the review will prioritize valuation issues. Similarly, if advisers integrate artificial intelligence (AI) into advisory operations – from portfolio management and trading to marketing – the team will likely look in depth at the policies and procedures around its use and at disclosures to investors related to its use.

Since advisers to private funds remain a sizable portion of the SEC-registered investment adviser population, the SEC said it would continue to focus on them, looking in particular at how the adviser is reacting to market volatility, interest rate fluctuations, and significant withdrawals. Besides having adequate policies and procedures, the SEC will be looking at the disclosure of conflicts of interest, controls and risk reviews, especially of investments held by multiple funds or involving affiliated service providers.

Broker-dealers

The Division says it will continue to review broker-dealers for compliance with Regulation Best Interest (Reg BI) in terms of recommendations and disclosures made to customers, processes for reviewing alternative products, and the consideration made of an investor’s investment profile.

Higher risk products that are recommended will be prioritized for review, as will any recommendations made using automated tools or other digital engagement processes.

The Division is focused on registrants’ use of certain services, such as automated investment tools, AI, and trading algorithms, and the risks associated with emerging technologies and alternative data sources.

The broker-dealer’s supervision of its sales practices at branch office locations may be reviewed as well.

Also, last February, the SEC adopted rule amendments to shorten the standard settlement cycle for most broker-dealer transactions from two business days after the trade date (T+2) to one business day after the trade date (T+1), with the compliance date kicking in this May. In its 2025 examinations, the agency will review firms to ensure their written agreements and procedures are in line with the amendments, as well as their recordkeeping processes.

Security-Based Swap Execution Facilities (SBSEFs)

Last November, the SEC adopted new Regulation SE under the Exchange Act, which implements a set of rules and forms for the registration and regulation of SBSEFs. The adoption of Regulation SE eliminated the prior temporary registration exemptions for SBSEFs as of August 12, 2024, at which time SBSEFs needed to apply for registration with the agency.

Accordingly, the Division may begin conducting examinations of registered SBSEFs in late fiscal year 2025.

Cybersecurity

The Division said it will continue to review registrant practices to prevent interruptions to mission critical services and to protect investor information, records, and assets. Operational disruption risks remain elevated due to the proliferation of cybersecurity attacks, firms’ dispersed operations, weather-related events, and geopolitical concerns.

As part of its examinations in this area, the Division will examine registrants’ procedures and practices to assess whether they are reasonably managing information security and operational risks.

This review will specifically pay attention to compliance with:

  • Reg S-ID: Identification and detection to prevent and protect against identity theft during customer account takeovers and fraudulent transfers.
  • Training: The firm’s training on identity theft prevention should include a thorough review of internal policies and procedures that are reasonably designed to protect customer records and information.
  • Technology risks: The firm is addressing operational – including technology-based – risks such that operational failures are assessed as to how they would affect a firm’s ability to safeguard customer records and information.
  • PII and Reg S-P: Firms’ practices to prevent account intrusions and safeguard customer records and information, including personally identifiable information (PII), especially as it pertains to firms with multiple branch offices.
  • Incident response: In preparation for the compliance date of the new amendments to Regulation S-P, the Division will review firms for their progress in preparing to establish incident response programs reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.
  • Reg SCI: Regulation Systems Compliance and Integrity (Reg SCI) applies to entities that play a significant role in the US securities markets and whose disruptions could strongly affect investors and the market as a whole. These include self-regulatory agencies such as FINRA, stock and options exchanges, and alternative trading systems. SCI entities must ensure that their systems’ capacity, integrity, resiliency, availability, and security are adequate to maintain their operational capability and promote the maintenance of fair and orderly markets, and that they maintain suitable incident planning, business continuity planning, and testing practices.

Emerging financial technologies

The Exams Division remains focused on registrants’ use of certain services, such as automated investment tools, AI, and trading algorithms or platforms, and the risks associated with the use of emerging technologies and alternative sources of data. As such, it plans to examine firms that employ certain digital engagement practices, such as digital investment advisory services, recommendations, and related tools and methods.

Firms must meet their suspicious activity filing obligations and oversee financial intermediaries – showcasing ongoing monitoring over people, transactions and indicia of market manipulation, such as money laundering and terrorist financing schemes.

Critical questions the SEC has are whether representations are fair and accurate; whether controls are in place that are consistent with what is disclosed to investors; whether algorithms produce advice or recommendations consistent with investors’ investment profiles or stated strategies; and whether controls are in place to confirm that advice or recommendations resulting from digital engagement practices are consistent with obligations to investors, including older investors.

Specific to AI tools, the SEC said it will review representations regarding a firm’s AI capabilities or AI use for accuracy and assess whether firms have implemented adequate processes for monitoring and/or supervising their use of AI, including for tasks related to fraud prevention and detection, back-office operations, anti-money laundering (AML), and trading functions, as applicable.

Reviews will also consider firms’ integration of regulatory technology to automate internal processes and optimize efficiencies, and review how registrants protect against loss or misuse of client records and information that may occur from the use of third-party AI models and tools.

Crypto assets

The Division continues to observe investments involving crypto assets and will continue to monitor and conduct examinations of registrants offering crypto asset-related services, focusing on the offer, sale, recommendation, advice, trading, and other activities involving crypto assets that are offered and sold as securities or related products, such as spot bitcoin or ether exchange-traded products.

The examinations will review whether the registrants: (1) meet and follow their respective standards of conduct when recommending or advising customers and clients regarding crypto assets with a focus on retail investors (including older investors) and investments involving retirement assets; and (2) routinely review, update, and enhance their compliance practices, including crypto asset wallet reviews, custody practices, BSA compliance reviews, and valuation procedures.

AML

Under the BSA, broker-dealers and certain registered investment companies must create AML programs that are tailored to their particular risks, implementing policies, procedures, and internal controls that are designed to achieve compliance with the BSA, plus independent testing; and customer due diligence that includes identifying and verifying the identity of customers (customer identification, including identifying beneficial owners) and conducting ongoing monitoring to identify and report suspicious transactions.

These firms must meet their suspicious activity filing obligations and oversee financial intermediaries – each of these obligations with an eye toward showcasing the firm’s ongoing monitoring over people, transactions, and any indicia of market manipulation, such as money laundering, terrorist financing, or Ponzi schemes.