Artificial Intelligence Policy in RIA Compliance


Per the SEC’s 2026 examination priorities, regulators are placing a greater focus on registered investment advisers’ (“RIA”) compliance policies and procedures, making it essential for RIAs to maintain clear, well-documented and consistently followed practices. RIAs should ensure their compliance manuals are up to date with current practices, address emerging risks, and provide clear guidance for employees. This includes adopting policies where appropriate, or required, such as an artificial intelligence policy or incident response plan.

Artificial Intelligence Policy

RIAs that incorporate artificial intelligence (“AI”) tools into their day-to-day operations should adopt a formal AI policy that clearly outlines appropriate use of AI tools.

AI tools are being adopted rapidly across the investment advisory industry. From productivity and search platforms like Claude, Gemini, and ChatGPT to meeting transcription tools such as Zocks, Jump, and Copilot, these technologies are transforming the way work is performed.

While AI can enhance efficiency by supporting tasks like online research, meeting summaries, and routine workflow automation, its use also increases the importance of complying with applicable regulatory requirements. Firms must ensure the protection of client data, uphold privacy and confidentiality standards, maintain accurate books and records, and conduct proper vendor due diligence.

Absent a formal AI policy, RIAs risk implementing AI tools without sufficient oversight or evaluation, which may result in errors, data breaches, or regulatory noncompliance.

Incident Response Plan

By June 3, 2026, all SEC-registered RIAs are required to implement an incident response plan under Regulation S-P. Each RIA’s incident response plan is required to include written procedures to:

  1. Assess the nature and scope of an incident: RIAs must evaluate the nature and scope of any incident, identify impacted systems and data, and determine which clients were affected.
  2. Contain and control the incident: RIAs should create procedures to limit and remediate incidents, such as isolating compromised systems, addressing vulnerabilities, and preventing further unauthorized access.
  3. Notify the affected individuals: RIAs are required to notify individuals whose sensitive information was, or is reasonably likely to have been, accessed or misused, unless an investigation determines there is no risk of harm.

Further, RIAs should ensure service providers take appropriate measures to: (1) protect against unauthorized access to or use of customer information, and (2) provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider.
