Intro (00:00):
This is Advisor Intelligence, the podcast for investment advisors and financial institutions. In each episode, attorneys from your investment management and securities team break down compliance, regulation, and risk into practical insights that help you stay exam ready and ahead of what’s next. This podcast is brought to you by Stark & Stark.
Jeffrey Lang, Esq. (00:28):
Welcome to another episode of Advisor Intelligence. My name is Jeffrey Lang and I’m joined today by …
Stephen Galletto, Esq. (00:35):
Stephen Galletto.
Mittal Patel, Esq. (00:36):
Mittal Patel.
Jeffrey Lang, Esq. (00:37):
And today we are going to talk about exam priorities. Every year, the SEC comes out with its exam priorities, which is the SEC’s way of letting us know those particular items that they intend to focus on during their examination process. I think it’s important to emphasize that this is not an all-inclusive list and they can focus on different things in different exams, and other important items or other important topics may come about during the year and also become exam priorities. So we’ve seen that happen as well. But what we’re going to talk about today are the exam priorities that we’ve seen set forth for 2026.
Stephen Galletto, Esq. (01:22):
Mittal, what have you seen as an exam priority?
Mittal Patel, Esq. (01:25):
So one of the things that I saw that was different from 2025 to 2026 was the implementation of an incident response program. Under Regulation S-P, all investment advisors are going to have to implement an incident response program. Investment advisors with over 1.5 billion in assets under management will have to implement this plan by December 3rd of 2025, and all other investment advisors will have to implement the program by June 3rd of 2026. This incident response plan is basically supposed to outline how the firm will identify any cybersecurity incidents, what steps they will take in the case that there’s a cybersecurity incident, and how they will resolve the issue.
Stephen Galletto, Esq. (02:09):
Mittal, what do you think the major difference is between a cybersecurity policy and an incident response plan? I think from my perspective, I see an incident response plan being a written path for an actual breach, where a cybersecurity policy does what it can to mitigate the potential for there being a breach, but also does have some response plan or policy embedded within it. What do you see the primary difference being?
Mittal Patel, Esq. (02:39):
I agree with you on the differences that you just outlined. The cybersecurity policy, I also feel like outlines the firm’s cybersecurity protocols that it has in place, and it’s not just tailored to identifying any risks that the firm will have. And the cybersecurity policy should also incorporate any of the platforms that the firm is using.
Jeffrey Lang, Esq. (03:00):
Right. Right. So I guess a couple of things that stand out in terms of Regulation S-P and the changes are, one, that this will be a focus this year, whereas in previous years, it may not have been as much of a spotlight, but given the changes in the Reg S-P rules and also some of the developments, I think folks will focus on it. I’d add one more thing to that whole discussion. The SEC will also emphasize that firms have and implement and execute on a Reg S-ID program. So this is sort of-
Stephen Galletto, Esq. (03:41):
Yeah. Can I just go back before we go to that next issue?
Jeffrey Lang, Esq. (03:44):
Sure.
Stephen Galletto, Esq. (03:44):
What I want to say in response, so with the cybersecurity policy and the incident response plan effectively being two different pieces, and Jeff, to your point, this being a focus of the SEC investigations or exams going forward, in those exams, they’re always asking, “Have you suffered some sort of breach, cybersecurity breach? How did you handle it? How do you approach it?”
Stephen Galletto, Esq. (04:10):
As I alluded to in prior podcasts, the SEC likes to make examples of larger firms. Larger firms, 1.5 billion or greater in assets under management, needed to comply with this rule by December 3rd. If you have a cybersecurity breach after December 3rd in 2025, you’re over 1.5 billion and you don’t have an incident response policy prepared, it’s going to be another thing the SEC is going to hammer you with, right? So this is, again, just racking and stacking issues during an examination. How did you respond? Well, you didn’t respond in a consistent manner. You didn’t follow a plan that you were supposed to have under Reg S-P, and here we are with losses that could have been mitigated, risks that could have been mitigated, and clients that are harmed as a result.
Mittal Patel, Esq. (05:00):
I wouldn’t be surprised if the SEC asks registrants who haven’t implemented an incident response plan yet, because they’re not required to, what steps they’re taking to implement this plan.
Jeffrey Lang, Esq. (05:11):
Right. That’s truly so. Yeah. I’ve been in some audit situations where folks who weren’t as familiar with the rules said, “Well, I don’t have an incident response plan per se, but I have a business continuity plan.” Is that the same thing? No.
Stephen Galletto, Esq. (05:28):
As in it’s a plan written on paper?
Jeffrey Lang, Esq. (05:31):
Yeah.
Stephen Galletto, Esq. (05:31):
Maybe.
Jeffrey Lang, Esq. (05:31):
Yeah.
Stephen Galletto, Esq. (05:32):
Entirely different from this space, entirely different in this space.
Jeffrey Lang, Esq. (05:35):
Right. Right. So again, just to emphasize, there is also going to be an emphasis on Reg S-ID, which is basically having a, this is, I’d say, the first cousin to the cybersecurity or the Reg S-P program, which is really geared towards protection around identity theft. So what I run into a lot of the time is that firms will have, practically speaking, such things as multifactor authentication or verbal verification processes with clients, where they say, “Gee, I do have stuff that I do, and I take special care if we do have a breach of some kind to make sure that we’ve addressed whatever the problem was.” But on top of all that, you will be expected to, or are expected to, have a Reg S-ID program as well and look at that annually and make sure that it continues to be in good order. So I bring this up because a lot of times my clients will have a good Reg S-P program, but they haven’t yet addressed the Reg S-ID requirements in writing.
(06:46):
Steve or Mittal, you want to comment on what you’ve seen?
Stephen Galletto, Esq. (06:48):
Honestly, I haven’t seen a specific focus on Reg S-ID yet. I think this is developing. I think it’s a matter of time before the SEC figures out what their narrative’s going to be, what they’re reviewing and identifying. Much like when the SEC started doing the cybersecurity exams, those sweep exams, they took a very fine-tooth-comb approach upfront, and now they’re using more of an expansive understanding. Are there proper protocols in place? Are there proper considerations in place? Is the advisor even aware of this requirement in the first place? That’s a baseline for a lot of this stuff.
Jeffrey Lang, Esq. (07:28):
Right.
Stephen Galletto, Esq. (07:30):
So I think it’s something that you need to make sure … Mittal, where would you put the Reg S-ID policy for most firms? Would you put that in the policies and procedures? Would you embed that in a cybersecurity policy? What would your preference be?
Mittal Patel, Esq. (07:46):
I usually recommend that it be embedded in the compliance manual because it is a pretty robust policy. So I usually recommend combining Reg S-ID and Regulation S-P in one section titled the Privacy Section.
Stephen Galletto, Esq. (07:59):
Right. And a lot of firms, most firms that I’m working with currently, are using a tech stack where multifactor authentication, certain protocols, are just redundant. Custodians require certain things in order for the transfer of assets and money out of client accounts. So I would say the main hallmarks of what you would expect to see within a Reg S-ID program are sort of embedded within the workspace already, but it’s a matter of making sure you have something appropriate written and you understand the requirement.
Jeffrey Lang, Esq. (08:30):
Yeah. Another emphasis that they mentioned in the priorities is, and this kind of hearkens back to our previous podcast on the basic blocking and tackling, making sure that we do an annual review and risk assessment, as we call it here at Stark & Stark. Steve, do you want to talk about how we go about that?
Stephen Galletto, Esq. (08:52):
Sure. So our annual review and risk assessment process usually takes the form of an interview with a client, understanding where the client’s coming from, asking what’s changed within the firm, within the business, whether they’re considering new or potentially higher-risk compliance-type activities. Are they going to assume custody? Are they going to assume check-writing authority? Are they going to accept third-party standing letters of authorization? What do you have in place as far as background checks for your employees? What are you considering as far as branch office securities and reviews? What are you doing with best execution? All of the basic nuts and bolts of a compliance program we review, and we determine whether or not the firm is adhering to those standards or is blind in certain spots. We write up more or less a risk review of the firm. Our annual review of the policies and procedures takes a different approach, whereas we look at the policies and procedures they currently have in place, and then we compare that or overlay that with the risks that we’ve identified after reviewing and auditing the firm.
(10:14):
Making sure the policies and procedures are in line with that risk assessment that we’ve prepared. I have not seen a single SEC examination, whether it’s remote or in person, whether it’s limited scope or not, that did not include a request for a risk assessment and an annual review.
Jeffrey Lang, Esq. (10:31):
Yeah, totally agree. Coupled with requests to see any internal testing or reviews that were undertaken by the firm during the exam period that sort of lead up to, or are the internal workings towards conducting that review. Right. So the expectation is, hey, not only have we done some kind of annual review, but we’re doing a lot of interim reviews and testing to make sure we have, as the buzzword goes, effectively implemented our policies and procedures.
Stephen Galletto, Esq. (11:08):
Right. That gets back to the nuts and bolts stuff. That is the best execution review. That is the fee testing. That is the email review, documenting all these things, making sure that we have records that reflect that we did look at the quarterly transaction reviews in the first quarter, second quarter, third, and fourth quarter of 2025. We have that documentation in the file and we can point back to it. Same thing with the email reviews, mutual fund share class reviews, all that stuff. We need to make sure we have the documentation to show that we’re doing that.
Jeffrey Lang, Esq. (11:37):
Totally. And so we want to make sure we have the annual review and risk assessment on file for each year. And then I think another focus that was mentioned in the priorities list is just our general filings. So we’re talking about the various types of filings that can exist. There’s going to be 13F filings, 13H filings. We’ll talk about these more in a second. There is the new form NPX filing that is related to the 13F filing for proxy voting situations or not. Steve, do you want to talk about what you do? I know you handle a lot of those for our staff.
Stephen Galletto, Esq. (12:16):
EDGAR is a wasteland of an upload system, and it only gets more complex. There’s lots of code that is old code. If anyone is an EDGAR filer, you understand you’ll run into errors that don’t make any sense. You will understand the level of frustration you have and the fact that you probably destroyed five or six keyboards over the course of the past six or seven years just by making sure all of the codes … Yeah. Anyway, so a little anger and aggression there, but 13F takes all of the individual securities, ETFs, CUSIP numbers for those respective securities, value that you currently hold, number of shares that you currently hold, whether you have proxy voting responsibilities, whether you share proxy voting responsibilities, and that all gets transmitted into the EDGAR system. You have an individual CIK code, which identifies your firm as the proper filer for those 13F reports.
(13:22):
And these are all public, right? The information and the data that you’re putting into these filings, you could request confidential treatment, but there’s no guarantee that you’re going to …
Jeffrey Lang, Esq. (13:31):
Get it.
Stephen Galletto, Esq. (13:32):
But these are public. And what I’ve seen over the past 10 years or so is that the SEC is not reaching out to you when there’s an error. It’s the data scrapers out there that are reviewing all this public information, trying to figure out what advisors are doing, what third-party managers are doing, and what large outfits are doing. Identifying that someone added an extra zero to a holding, got the CUSIP number wrong for a specific security. And they’re reaching out to the advisor saying, “Hey, what you filed is not accurate.” So what does that tell me? It tells me that the SEC is leaving it up to the marketplace to kind of govern whether or not the filing’s correct. But also important to reference: for many, many, many years, I had not seen the SEC raise an eye or even consider a 13F filing super important in the regulatory space.
(14:24):
In 2024, there were quite a number of SEC orders that were executed against investment advisory firms that had failed to file the 13F for a number of years. And we’re talking about substantial fines and penalties. We’re not talking 5,000 bucks, a slap on the wrist, get your filing up to date. We’re talking about 360,000. We’re talking about 580,000. We’re talking 65,000. We’re talking substantial monetary penalties for late filings. So it’s important to understand, one, are you a 13F filer and you don’t know it? If that’s the case, call me. If you are a 13F filer, did you file on time? It’s important to make sure you stay current with that. Also, if you’re a 13F filer, are you filing a Form N-PX? Doesn’t matter whether you vote proxies or not. By the end of August, every calendar year, you should be filing a Form N-PX reflecting how you voted proxies when it comes to say-on-pay.
(15:28):
All right. Mittal, anything you want to add on any of that?
Mittal Patel, Esq. (15:32):
I’ve seen, to reiterate what Steve was saying, I’ve definitely seen the SEC in exam deficiency letters indicate that filings were not filed properly, and we definitely want to make sure that some forms need to be filed at the end of every quarter or after we hit a certain threshold. So we definitely want to make sure that we are monitoring the calendar and also the thresholds to make sure that they are filed properly.
Stephen Galletto, Esq. (15:55):
Also, because these are public filings and because the SEC can take a look at these anytime they want, they can identify firms based upon assets under management reported on your Form ADV, and now it’s broken out in Item 5 of the ADV Part 1 as to whether or not they think that you’re going to be a 13F filer or not. And if you’re not filing a Form 13F, and they think you should be, they can certainly throw you a letter saying, “Why aren’t you filing a 13F? Prove to me what your holdings are.” Kind of testing the concept before they go further to say that you failed to file.
Mittal Patel, Esq. (16:27):
Absolutely.
Stephen Galletto, Esq. (16:28):
Right. Other filings like the 13H, that’s the large trader. I know we already touched on the Form N-PX. I think that’s kind of covered as well.
Jeffrey Lang, Esq. (16:39):
One topic that is not specifically enumerated in the priorities, however, I have seen to be a substantial focus in a number of exams recently, so I feel like it’d be prudent to bring it up, is folks using automated tools, or tools that allow them to access third-party retirement plans or held-away assets, to better manage those assets. Certainly, a lot of folks have adopted the use of these technologies and find them very useful to facilitate the management of held-away assets, particularly in retirement plans. There has been a focus on all things compliance relative to those relationships. How were they set up? Does the firm itself have permissioning from the clients to access accounts using? There have been issues raised relative to what access points, what username and password are being used to access these accounts, and whether or not there are any privacy concerns raised depending on how these accounts are accessed.
(17:55):
So I would say it’s sort of the anatomy of the relationship using this technology that is looked at end to end by the examiners.
Stephen Galletto, Esq. (18:05):
If you’re accepting your client’s user ID and password, and you’re saving that, storing that, and using that in order to rebalance someone’s 401k, your client could very well be violating the terms of use for using that 401k platform. You also are in a situation where the SEC could deem you to have custody as a result of that ability to log in and access. Does that user ID and password, if you accept that from the client, give you the ability to transfer money from the client’s 401k account to an outside third-party account? If so, you have custody. Proving that you don’t is sometimes very difficult. All that being said, not only has the SEC taken issue with this, various states have also taken issue with this concept. It’s important that people contemplating or using this service currently understand that it does kind of put you in the crosshairs a little bit, and you are going to have to be able to speak intelligently about these services, why you think they’re appropriate, why you think the protocols and procedures in place to protect client information are sufficient in order for you to continue to use these services.
Jeffrey Lang, Esq. (19:17):
Right. How you’ve disclosed and how you’ve obtained permission from the client through some form of addendum or something like that to be able to have your own access.
Stephen Galletto, Esq. (19:29):
Right.
Stephen Galletto, Esq. (19:30):
You can’t just sign an agreement and just open the floodgates and pay zero attention to the potential liabilities, how the system works. There’s a due diligence requirement for every third party. Every third party you’re engaging to help you facilitate your services. If you can’t explain this on a fairly layperson’s basis, the SEC is not going to like your use of this type of service.
Mittal Patel, Esq. (19:56):
Absolutely. One priority that I would like to bring attention to is the use of emerging technologies, particularly AI. The SEC, based on my experience, has not really issued specific guidance on the use of AI tools, but it seems like the SEC wants to make sure that our advisors are not falling into the trap of AI washing, and they want to make sure that advisors are adhering to their fiduciary duties.
Jeffrey Lang, Esq. (20:23):
Including record keeping.
Mittal Patel, Esq. (20:25):
Including record keeping and making sure that all AI outputs are reviewed by them, and they are not simply just grabbing and going, is how I describe it.
Jeffrey Lang, Esq. (20:34):
And retaining various raw data, if you will, transcripts, things like that. So if we’re editing something, we want to make sure that we’re retaining any raw video, original video, or any original transcript, because they’re very interested in seeing what might have been edited or that type of thing. So very important to pay attention to both the usage and the record keeping. Our form of AI policy is very clear in making sure it describes what’s in scope and what’s out of scope, because you don’t want to create a situation where you just say to the folks at your firm, “Okay, we’re approved for AI now.” Now, you want to make sure that it’s approved for particular services and particular tools, so that everyone understands the width and breadth of what they can do with the approved AI tools and capabilities.
Stephen Galletto, Esq. (21:28):
Right. There’s a very big difference between a closed-end product and an open-end product. An open-end product is going to take the information that you put into it and it’s going to learn from that.
Mittal Patel, Esq. (21:38):
It’s training the engine.
Stephen Galletto, Esq. (21:39):
Of course. Of course, right? Do not put a client account number or a social security number into an open-end AI system or tool. We want to make sure that we limit what we’re using and how we’re using it. There’s an approval process for everything.
Jeffrey Lang, Esq. (21:54):
Thank you for attending our podcast today, and thank you to all who are listening to the podcast. We really appreciate your tuning in and more podcasts to come.
Stephen Galletto, Esq. (22:05):
Thanks everyone.
Intro (22:07):
The Advisor Intelligence Podcast provides general information and commentary only. The content is not legal advice, nor does it create an attorney-client relationship. For more information about Stark & Stark services, please visit our website at stark-stark.com.