On October 21, the Securities and Exchange Commission's (SEC) Division of Examinations (Division) published its examination priorities for its fiscal year 2025 (Oct. 1, 2024–Sept. 30, 2025). First published in 2013, the SEC's annual examination priorities inform industry participants about key areas on which the Division intends to focus its efforts — areas the Division believes present the highest risks to investors and the markets. Taking the time to analyze the Division's priorities is a valuable tool for the industry and investors.
According to the Division, this fiscal year's examinations will prioritize perennial and emerging risk areas, such as fiduciary duties, standards of conduct, cybersecurity, and artificial intelligence (AI). Furthermore, the Division will examine for compliance related to the use of emerging technologies and will test the soundness of controls intended to protect investor information, records, and assets.
In this advisory, Katten will first look at the risk areas identified by the Division, highlighting the updates as these areas reflect examination trends and key themes that industry participants need to be aware of. Next, we will summarize the Division's priorities based on registrant type, as these priorities are likely already familiar to industry participants.
The Division's Risk Areas Impacting Various Market Participants have undergone several key changes from last year's examination priorities document. The Information Security and Operational Resiliency risk area has been divided into three subparts – Cybersecurity, Regulation S-ID and Regulation S-P, and Shortening of the Settlement Cycle. Cybersecurity retains similar provisions regarding protecting investor information and managing operational risks. The Regulation S-ID and Regulation S-P subpart is a new addition detailing how the Division will evaluate a firm's policies and procedures to prevent identity theft and intrusions of customer accounts and safeguard customer records and information. Also new is the Shortening of the Settlement Cycle subpart, which builds upon last year's revisions to Rule 15c6-1 under the Securities Exchange Act of 1934, as amended (Exchange Act), shortening the standard settlement cycle from T+2 (two business days after trade date) to T+1. This subpart also highlights that the Division will evaluate advisers' compliance with amended books and records requirements under Rule 15c6-2 of the Exchange Act.
Split from Crypto Assets into its own standalone section, Emerging Financial Technology has been expanded to cover digital engagement practices, such as digital investment advisory services, recommendations and related tools and methods. This risk area also includes new parameters for assessing a firm's emerging technologies, focusing on fair representations of the technology, consistent operations and controls in place accompanied by disclosures to investors, advice or recommendations that are produced by algorithms aligning with an investor's profile or strategy, and controls to validate that the advice or recommendations resulting from digital engagement practices satisfy regulatory obligations to investors.
The Crypto Assets risk area remains materially similar to last year's version. Notably, the Division added the phrase "that are offered and sold as securities" to the statement that describes what the Division will examine regarding registrants who offer crypto asset-related services.
The Regulation Systems Compliance and Integrity section has been extended to include incident response plans, in particular the policies and procedures regarding the decision to disconnect or reconnect from another registrant or third party that is experiencing a cyber event.
Lastly, the final risk area, Anti-Money Laundering, remains nearly identical to last year's version.
The Division's priorities reflect a continued focus on many of last year's priorities. The 2025 examination priorities continue to focus substantially on historical areas of importance, as the examination program continues to pursue registrants' traditional obligations to investors and markets.
Risk Areas Impacting Various Market Participants
The Division identified several risk areas that impact various market participants. These risk areas are summarized below:
- Information Security and Operational Resiliency – Cybersecurity. The Division will review registrant practices to prevent interruptions to mission-critical services and to protect investor information, records, and assets.1 The Division will focus on firms' policies and procedures, governance practices, data loss prevention, access controls, account management, and responses to cyber-related incidents, including those related to ransomware attacks. The Division will continue to consider cybersecurity risks and resiliency goals associated with third-party products, sub-contractors, services, and any information technology (IT) resources used by the business without the IT department's approval, knowledge or oversight, or non-supported infrastructure. In the Division's budget request for 23 additional positions to focus on critical priorities, the Division claimed that these additional resources will strengthen its ability to address critical and evolving risks such as those associated with the resiliency of critical market infrastructure, cyber and information security, and crypto assets and emerging technologies.2 Additionally, the Division of Enforcement will focus on cybersecurity, as one of its six priorities for Fiscal Year 2025 is to address risks posed by cyber-related misconduct and related failures regarding technological controls.3
- Information Security and Operational Resiliency – Regulation S-ID and Regulation S-P. The Division will focus on firms' policies and procedures related to safeguarding customer records and information, internal controls, oversight of third-party vendors, and governance practices. The Division will evaluate how firms identify and detect issues to protect against identity theft, safeguard personally identifiable information, and train staff on their theft prevention program. As the compliance date of the SEC's amendments to Regulation S-P approaches, the Division will engage with firms during examinations about their progress in preparing to establish incident response programs reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.
- Information Security and Operational Resiliency – Shortening of the Settlement Cycle. For broker-dealers, the Division will evaluate their compliance with Rule 15c6-1 under the Exchange Act, which reduced the standard settlement cycle for most securities to the day after trade date (T+1), and with Rule 15c6-2 under the Exchange Act, which requires broker-dealers engaging in the allocation, confirmation, or affirmation process to have written agreements or written procedures reasonably designed to ensure completion of the process as soon as practicable and no later than the end of day on trade date (T). For advisers, the Division will evaluate their compliance with amended books and records requirements associated with T+1 settlement and operational changes or impacts related to adviser facilitation of institutional transactions that are involved in the allocation, confirmation, or affirmation processes subject to Rule 15c6-2(a).
- Emerging Financial Technologies. As this risk area was expanded to include AI this year, the Division reiterated that it remains focused on registrants' use of certain services, such as automated investment tools, AI, and trading algorithms or platforms, and the risks associated with the use of emerging technologies and alternative sources of data. Moreover, in the SEC's Fiscal Year 2025 Congressional Budget Justification, the SEC identified three strategic goals, one of which seeks to "develop and implement a robust regulatory framework that keeps pace with evolving markets, business models, and technologies."4 The Division will examine registrants that employ certain digital engagement practices, such as digital investment advisory services, recommendations, and related tools and methods. Through these examinations, the Division will assess if the representations are fair and accurate, if operations and controls in place are consistent with disclosures made to investors, if algorithms that produce advice or recommendations are consistent with investors' investment profiles or stated strategies, and if there are controls to confirm that advice or recommendations resulting from digital engagement practices are consistent with regulatory obligations to investors. Regarding AI, the Division will review for accuracy registrant representations regarding their AI capabilities or AI use, assess if firms have implemented adequate policies and procedures to supervise their use of AI, and examine how registrants protect against loss or misuse of client records and information that may occur from the use of third-party AI models and tools. In one of SEC Chair Gary Gensler's "Office Hours" video segments on AI, he emphasized that the investor protection requirement mandates that firms that deploy AI models put in place the appropriate guardrails.5
- Crypto Assets. Presented as a standalone risk area this year, crypto assets will remain a focus as the Division continues to monitor and conduct examinations of registrants offering related services. These examinations will focus on the offer, sale, recommendation, advice, trading, and other activities involving crypto assets that are offered and sold as securities or related products (e.g., spot bitcoin or ether exchange-traded products). Moreover, the Division will assess whether registrants meet and follow their respective standards of conduct when recommending or advising customers and clients regarding crypto assets, and routinely review, update, and enhance their compliance practices (including crypto asset wallet reviews, custody practices, Bank Secrecy Act compliance reviews, and valuation procedures), risk disclosures, and operational resiliency practices.
- Regulation Systems Compliance and Integrity (SCI). The Division's examination of SCI entities will cover the policies and procedures regarding the operational, business continuity planning and testing practices, the effectiveness of incident response plans to cyber events, and policies and procedures pertaining to the security operations management tools.
- Anti-Money Laundering (AML). In a risk area largely identical to last year's version, the Division will continue to focus on AML programs and will review whether broker-dealers and certain registered investment companies are appropriately tailoring their AML programs to their business models and associated AML risks, conducting independent testing of AML programs, establishing adequate customer identification programs, and meeting Suspicious Activity Report (SAR) filing obligations.
The Division's priorities are divided into seven categories, the first six for each type of registrant (Investment Advisers, Investment Companies, Broker-Dealers, Self-Regulatory Organizations, Clearing Agencies, and Other Market Participants), with a seventh overarching category for Risk Areas Impacting Various Market Participants.
Fiscal Year 2025 Examination Priorities
The Division outlined specific priorities based upon registrant type, which we have summarized below:
I. Investment Advisers
Ensuring that advisers comply with their duty of care and duty of loyalty obligations continues to be a key priority for the Division. The Division will continue to focus on:
- Investment advice provided to clients regarding products, investment strategies and account types, specifically, high-cost products, unconventional instruments, illiquid and difficult-to-value assets, and assets sensitive to higher interest rates or changing market conditions.
- Impact of advisers' financial conflicts of interest on providing impartial advice and best execution, especially with non-standard fee arrangements.
- Core areas of advisers' compliance programs, including marketing, valuation, trading, portfolio management, disclosure and filings, and custody, as well as advisers' annual reviews of the effectiveness of their compliance programs.
- Advisers' compliance programs help advisers avoid placing their interests ahead of their clients' interests. These programs address issues such as advisers' fiduciary obligations when outsourcing investment selection and management, alternative sources of revenue or benefits advisers receive, and the appropriateness and accuracy of fee calculations and the disclosure of fee-related conflicts.
- AI integrated into the advisory operations, evaluating disclosures related to AI. Regarding AI disclosures, in one of his Office Hours videos, Chair Gensler directed advisers to not mislead the public through "AI washing," which entails an adviser stating it is using AI when it is not, or when the adviser states it is using AI in a particular way and does not do so.6
II. Investment Advisers to Private Funds
The Division will continue to focus on advisers to private funds and prioritize specific topics, such as reviewing:
- Consistency of adviser disclosures with actual practice and reviewing strategies that are exposed to market volatility and interest rate fluctuations.
- Accuracy of calculations and allocations of fees and expenses, specifically with the valuation of illiquid assets, calculation of post-commitment period management fees, offsetting of such fees and expenses, and the adequacy of disclosures.
- Products and practices, including the use of debt, fund-level lines of credit, investment allocations, adviser-led secondary transactions, transactions between fund(s) and/or others, investments held by multiple funds, and use of affiliated service providers.
- Compliance with recently adopted SEC rules, namely the amendments to Form PF and the updated rules that govern investment adviser marketing.
III. Investment Advisers that are Dual Registrants
For dual registrants, the Division will focus on the suitability of investment advice and product recommendations for clients' advisory accounts, disclosures regarding how recommendations are made, practices to determine account selection and conflicts of interest mitigation and disclosure.
IV. Investment Companies
Generally, the Division will examine compliance programs, disclosures and governance practices for registered investment companies. The Division will prioritize several topics or characteristics involving fund fees and expenses, oversight of service providers, portfolio management practices and disclosures, and issues related to market volatility.
V. Broker-Dealers
The Division also identified several priorities for examinations of SEC registered broker-dealers. Those areas include the following:
- Regulation Best Interest. Examinations will continue to cover recommendations regarding products, investment strategies, and account types, including if the broker has a reasonable basis to believe the recommendation is in the best interest of the customer and does not place the broker's interests ahead of the customer's interests; disclosures related to conflicts of interest and identification, mitigation, and elimination of conflicts; processes for reviewing reasonably available alternatives; and factors considered based on the investor's investment profile, such as investment goals and account characteristics. The Division emphasized that recommended products that are complex, illiquid, or that present a higher risk to investors (e.g., crypto assets and alternative investments), will receive additional attention. Additionally, examinations may focus on recommendations using automated tools or other digital engagement practices, related to opening different account types, such as option, margin, and self-directed IRA accounts, and made to certain types of investors.
- Form CRS. The Division will review the content of Form CRS, such as how the broker-dealer describes the relationships and services that it offers to retail customers, its fees and costs, its conflicts of interest, and if the broker-dealer discloses any disciplinary history. Examinations will also evaluate whether obligations have been met to file the Form CRS with the SEC and deliver the Form CRS to retail customers as required.
- Broker-Dealer Financial Responsibility Rules. The Division will examine for compliance with the Net Capital Rule and Customer Protection Rule and related internal processes, procedures and controls. Other areas of review include accounting practices impacted by recent regulatory changes, the timeliness of financial notifications and other required filings made by the broker-dealer, operational resiliency programs, and supervision of third-party or vendor-provided services that contribute to the records firms used to prepare their financial reporting information. Lastly, the Division will assess broker-dealer credit, market and liquidity risk management controls.
- Broker-Dealer Trading-Related Practices and Services. The Division will review several areas, including the structure, marketing, fees and potential conflicts associated with offerings by broker-dealers to retail customers, including bank sweep programs, fully paid lending programs, and mobile apps/online trading platforms. In addition, examinations will cover trading practices associated with trading in pre-IPO companies, the sale of private company shares in secondary markets, execution of retail orders, order marking, and the pricing and valuation of illiquid or retail-focused instruments. Regarding Regulation SHO, the Division will specifically examine if broker-dealers are appropriately relying on the bona fide market-making exception, including whether quoting activity is away from the inside bid/offer.
Conclusion
Katten's above description of the 2025 Priorities Report is not exhaustive. It is recommended that regulated entities carefully review the report as it gives important insight into the likely focus of future examinations.
The Fiscal Year 2025 Examination Priorities are available here.
Footnotes
1. For more information on this risk area, see Katten's post, SEC's 2025 Exam Priorities Include Cybersecurity and AI, at https://quickreads.ext.katten.com/post/102jmeu/secs-2025-exam-priorities-include-cybersecurity-and-ai.
2. Fiscal Year 2025 Congressional Budget Justification, US Securities and Exchange Commission (Mar. 11, 2024) https://www.sec.gov/files/fy-2025-congressional-budget-justification.pdf.
3. Fiscal Year 2025 Congressional Budget Justification, US Securities and Exchange Commission (Mar. 11, 2024) https://www.sec.gov/files/fy-2025-congressional-budget-justification.pdf.
4. Fiscal Year 2025 Congressional Budget Justification, US Securities and Exchange Commission (Mar. 11, 2024) https://www.sec.gov/files/fy-2025-congressional-budget-justification.pdf.
5. Fraud and Deception in Artificial Intelligence, Office Hours with Gary Gensler (Oct. 11, 2024) https://www.youtube.com/watch?v=Tym3pO261Gc&list=PLrB8PjaXSV6vWl2NrPjghfvCehCrT7Kjo&index=1.
6. AI Washing, Office Hours with Gary Gensler (Sept. 4, 2024) https://www.youtube.com/watch?v=NzKEQfG5OZk&list=PLrB8PjaXSV6vWl2NrPjghfvCehCrT7Kjo&index=2.