What Ongoing Obligations Do RIAs Have in 2026?
By Stan Vick

In 2026, RIAs face a more operational version of compliance. This shift is driven by current regulatory updates and enforcement.

Cybersecurity rules now require written incident-response programs and client notice within 30 days after certain data breaches. AI claims are also under scrutiny after the SEC charged two investment advisers in 2024 for false or misleading AI statements, resulting in $400,000 in combined penalties.

Compliance Programs Under SEC Rule 206(4)-7

SEC Rule 206(4)-7 requires registered advisers to maintain written compliance policies. The rule also requires an annual review and a designated chief compliance officer.

A practical compliance program should connect policies with daily evidence. If a policy describes supervision or approval, the firm should be able to show where that review happened and who completed it.

Form ADV Updates for RIAs

Form ADV remains an active obligation after registration. Advisers generally file an annual updating amendment within 90 days after fiscal year end. They also amend it sooner when required information changes.

For RIAs, Form ADV should match the firm’s client agreements and brochure language. Fee descriptions, conflicts and custody disclosures should remain consistent across public filings and internal records.

Books and Records Under SEC Rule 204-2

SEC Rule 204-2 requires advisers to maintain books and records tied to the advisory business. These records include client agreements, trade activity and written communications. They also support marketing materials and performance claims.

The operational point is evidence. During an SEC exam or client dispute, the firm needs records that show what was disclosed and what was approved.

Custody and Client Asset Controls

Custody remains an area that RIAs should review regularly. It can arise through fee deduction, related-party access, or authority over client assets. When custody exists, the rule may require a qualified custodian and independent verification.

This is especially important for firms serving trusts, private funds, or complex households. These relationships can create asset-control questions even when the firm does not physically hold client funds.

Regulation S-P Cybersecurity Requirements

The 2024 amendments to Regulation S-P apply to RIAs and other covered firms. The rule requires written incident-response programs and client notice within 30 days after certain breaches involving customer information. Larger entities have 18 months to comply, while smaller entities have two years.

For RIAs, this makes cybersecurity part of compliance infrastructure. Vendor review, access controls, and breach-response procedures should be documented before an incident occurs.

Overlooked Risks and Fiduciary Duty

One of the latest trends requiring more attention from RIAs is securities class action recovery. It is becoming more relevant to RIA fiduciary oversight for a practical reason: eligible settlement proceeds can represent recoverable client value.

Legal history already points in this direction. There have been cases where missed claims led to problems and allegations framed as fiduciary-duty issues.

As regulation becomes tighter, more attention is moving toward areas that were historically overlooked. Given the size of the settlement market, including $8B available in 2025, this issue is becoming more urgent.

In the past, securities class action recovery required manual matching between settlements and client holdings. That made the process easier to justify as operationally difficult. With the development of platforms such as 11th.com, which can automate the workflow, that argument becomes harder to maintain.

What RIAs Should Do in 2026

RIAs should review whether written policies match real workflows. Form ADV, custody analysis, and marketing claims should align with the systems the firm uses every day.

Cybersecurity requires the same discipline. Firms should know their breach process and client notice timeline before an incident occurs.

RIAs should also monitor areas that were previously overlooked. As the market and technology develop, regulation is likely to move faster, and firms will need clearer processes for emerging operational risks.

FAQ:

What are the main ongoing obligations for SEC-registered investment advisers?

RIAs must maintain compliance policies, update Form ADV, keep records, review custody, protect client data, and document supervision.

How often should RIAs update Form ADV?

RIAs generally file an annual update within 90 days after fiscal year end.

What does SEC Rule 206(4)-7 require?

It requires written compliance policies, an annual review, and a designated chief compliance officer.

What should RIAs know about custody?

RIAs should check whether fee deduction, related-party access, or asset authority creates custody obligations.

How does securities class action recovery relate to fiduciary duty?

Eligible settlement proceeds can represent client value. RIAs should have a process to monitor claims and document recovery efforts.
