Author: Osvaldo Berrios
19 February 2026
Each year, U.S. financial regulators provide insight into where they believe the greatest risks to investors and markets reside. These publications are not merely informational - they shape examination activity, enforcement posture, and how firms across the financial ecosystem allocate resources, design controls, and assess risk.
For the calendar year 2026, the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) have released detailed guidance outlining their regulatory focus areas. The Commodity Futures Trading Commission (CFTC), while not publishing an annual examination priorities document, continues to operate under a multi-year strategic framework that influences its supervisory and enforcement agenda.
When viewed collectively, these signals point to a regulatory environment that is not seeking to radically reinvent oversight, but rather to ensure that existing expectations are being executed effectively. Investor protection, operational resilience, governance over technology, and demonstrable compliance effectiveness are no longer emerging concepts; they are baseline expectations.
The SEC’s Division of Examinations publishes its annual priorities to highlight areas it believes pose the greatest risk to investors and market integrity. The 2026 priorities reflect continuity and refinement rather than dramatic change, reinforcing that many core regulatory concerns remain unresolved or unevenly addressed across the industry.
The SEC emphasizes that its priorities are risk-based and not exhaustive, meaning firms should not treat the document as a checklist. Instead, it should serve as a lens through which firms assess their own activities, products, and operational vulnerabilities.
The SEC’s priorities apply broadly to:
Investment advisers
Investment companies
Broker-dealers
Clearing agencies
Self-regulatory organizations
Fiduciary responsibility continues to sit at the center of the SEC’s oversight of investment advisers. In 2026, examiners will focus on whether advisers are acting in clients’ best interests not just on paper, but in practice.
Key review areas include:
Identification and mitigation of conflicts of interest
Clarity and completeness of disclosures
Fee arrangements and expense allocations
Alignment of recommendations with client objectives
Effectiveness of compliance programs
Why this matters for firms: The SEC’s sustained attention to fiduciary duty reflects a belief that many investor harms stem from subtle conflicts and incentive structures rather than overt misconduct. As advisory models evolve and product offerings become more complex, the regulator expects firms to reassess whether legacy disclosures and controls remain fit for purpose. The emphasis on compliance program effectiveness also signals that regulators are looking beyond documentation to actual outcomes.

Retail investor participation continues to expand, driven by digital platforms, ease of access, and growing interest in markets. Against this backdrop, the SEC remains focused on broker-dealer conduct and compliance with Regulation Best Interest (Reg BI).
Key areas of focus include:
Recommendation processes and supporting documentation
Disclosure of fees, risks, and compensation
Supervisory systems governing sales practices
Financial responsibility and capital compliance
Why this matters for firms: Several years after Reg BI’s implementation, the SEC continues to assess how effectively firms have embedded its principles into daily operations. Firms that treat Reg BI as a disclosure obligation rather than a behavioral standard remain vulnerable. This focus underscores the regulator’s broader concern that retail investors often place significant trust in recommendations, making transparency and supervision essential to fair outcomes.
Operational resilience has emerged as a defining regulatory theme, and the SEC’s 2026 priorities reinforce its importance. Cyber incidents, system outages, and third-party failures can all cause investor harm, even when no misconduct is present.
Examiners will evaluate:
Cybersecurity governance and risk assessments
Incident response and escalation protocols
Protection of customer data under Regulation S-P
Business continuity and disaster recovery planning
Oversight of vendors and outsourced service providers
Why this matters for firms: The SEC increasingly views operational resilience as a core component of investor protection. Firms are expected to anticipate disruptions, respond effectively when incidents occur, and recover in a manner that minimizes harm to clients.
Technology failures are no longer viewed as isolated IT issues; they are treated as enterprise-level risk management concerns.
While the 2026 priorities do not identify crypto or digital assets as standalone categories, the SEC continues to assess risks associated with emerging financial technologies within existing regulatory frameworks.
Focus areas include:
Automation and algorithmic processes
System integrity and reliability
Data quality and governance
Compliance with market infrastructure requirements
Why this matters for firms: Rather than regulating technologies themselves, the SEC’s approach centers on outcomes. Firms adopting new tools must demonstrate that innovation does not compromise transparency, fairness, or market stability.

FINRA’s Annual Regulatory Oversight Report is designed to help member firms understand regulatory risk by summarizing examination findings, observed deficiencies, and effective practices. The 2026 report reflects both long-standing concerns and rapidly evolving risk areas.
For the first time, FINRA’s report includes a dedicated discussion of Generative Artificial Intelligence (GenAI). This inclusion reflects the rapid adoption of AI tools across communications, research, surveillance, and operational functions.
FINRA highlights risks related to:
Accuracy and bias in AI outputs
Oversight of automated decision-making
Recordkeeping for AI-generated content
Reliance on third-party vendors
Why this matters for firms: FINRA’s message is not that AI should be avoided, but that it must be governed. Firms are expected to understand how AI tools operate, how outputs are reviewed, and how accountability is maintained. Delegating tasks to AI does not delegate regulatory responsibility.
Cyber-enabled fraud remains one of FINRA’s most persistent concerns. The 2026 report highlights the increasing sophistication of attacks, particularly those involving social engineering.
Key risks include:
Account takeovers
Phishing and impersonation schemes
Ransomware incidents
Vendor and supply-chain vulnerabilities
Why this matters for firms: FINRA expects firms to move beyond reactive controls. Effective cybersecurity programs should integrate prevention, detection, response, and recovery, supported by training and governance. Firms that cannot demonstrate active cyber risk management may face scrutiny even absent a major incident.

FINRA frames AML, fraud, and sanctions compliance as part of a broader ‘financial crimes prevention’ posture and notes the continued evolution of external fraud threats targeting investors and firms. It also reiterates that FINRA Rule 3310 requires a written AML program - approved in writing by senior management - reasonably designed to achieve and monitor compliance with the Bank Secrecy Act.
FINRA continues to identify weaknesses in AML programs, particularly in:
Suspicious activity monitoring and reporting
Beneficial ownership identification
Sanctions screening and escalation
Why this matters for firms: As financial crime techniques evolve, static AML programs become increasingly ineffective. FINRA expects monitoring systems, escalation processes, and training to adapt to emerging risks. FINRA’s effective-practices examples emphasize continuously reviewing regulatory alerts and advisories and clearly delegating AML responsibilities across teams that detect fraud, identity theft, and suspicious transmittals. Practically, firms should be prepared to show evidence - not just policies - of timely identity/beneficial owner verification, red-flag investigation, and SAR decisioning aligned to their risk assessments.
Protecting senior and vulnerable investors remains a consistent FINRA priority. The 2026 report again highlights the ‘trusted contact’ and temporary-hold toolkit, and its findings underscore that firms must operationalize these tools through documented training, internal review, and recordkeeping.
The report emphasizes:
Trusted contact information
Transaction holds where exploitation is suspected
Escalation and documentation procedures
Why this matters for firms: Demographic trends suggest this risk will only grow. FINRA’s focus reflects both investor protection concerns and the reputational risk to firms that fail to act proactively. FINRA explicitly notes that its examination and enforcement programs cover a broad range of senior-investor topics and that it has brought disciplinary actions where firms mistreat seniors. Expect 2026 reviews to look for case-level evidence (e.g., reasonable efforts to obtain trusted contact information and the documentation supporting temporary holds), not only high-level procedures.
FINRA is treating market integrity as a data-and-controls discipline as much as a trading discipline, with dedicated coverage of the Consolidated Audit Trail (CAT) and customer order handling (best execution and order routing disclosures). These topics signal that 2026 examinations will emphasize accuracy, timeliness, and supervision (including vendor-supported reporting) as core indicators of control quality.
FINRA also reinforces expectations around foundational compliance areas:
Best execution
Order routing transparency
Market manipulation surveillance
Books and records
Supervision and outsourcing
Why this matters for firms: Weaknesses in these areas often signal broader governance and control issues. FINRA’s own findings examples show exam teams validating control effectiveness through the underlying data and review workpapers - for example, best-execution reviews that fail to compare execution quality across competing venues, or CAT controls that produce incomplete submissions and untimely error remediation. And as order-routing transparency expectations mature, firms should assume that disclosures and routing analytics will be benchmarked against actual routing behavior.

The CFTC does not publish an annual priorities document. Instead, its actions are guided by its Strategic Plan covering 2022 through 2026, budget priorities, and leadership direction.
The CFTC is emphasizing its mission to promote the integrity, resilience, and vibrancy of U.S. derivatives markets through sound regulation and oversight of core market utilities and intermediaries. The plan explicitly describes CFTC supervision across DCOs, DCMs, SEFs, SDRs, swap dealers, and futures commission merchants - setting expectations for continued attention to foundational market structure and risk management.
The CFTC's primary responsibility remains oversight of:
Futures, options, and swaps markets
Futures commission merchants
Clearinghouses and exchanges
Why this matters for firms: Derivatives markets play a critical role in price discovery and risk transfer. The CFTC’s continued focus on these markets reflects concerns about systemic risk and market stability. That systemic-risk lens is visible in the CFTC’s supervisory stress test of derivatives clearing organizations (DCOs), which evaluated DCO resilience under extreme market shocks and multiple clearing member defaults. For firms connected to cleared derivatives, this translates into sustained scrutiny of clearing member risk management and the operational readiness of cleared derivatives infrastructure during high-volatility events.
Recent CFTC policy statements suggest 2026 will continue to prioritize ‘back-to-basics’ enforcement centered on fraud and manipulation, coupled with efforts to deploy enforcement resources more efficiently.
The CFTC continues to emphasize:
Fraud and market manipulation enforcement
Compliance with existing rules
Coordination with other regulators
Why this matters for firms: This approach signals a preference for targeted enforcement grounded in statutory authority rather than expansive new rulemaking. At the same time, the Division of Enforcement’s 2025 advisory introduced a formal framework - including a mitigation-credit matrix and a safe harbor for promptly correcting inaccuracies - to evaluate self-reporting, cooperation, and remediation when recommending penalties. For compliance leaders, that means internal detection, escalation, and remediation mechanics can materially influence enforcement outcomes and timelines, not just the underlying violation.
Data modernization is positioned as an enabler of oversight and enforcement in the strategic plan, which describes enhancing tools and analytical capabilities to support market surveillance and identify trading events that warrant further inquiry.
The CFTC's strategic plan highlights:
Data modernization initiatives
Enhanced analytics
Oversight of technology used in derivatives markets
Why this matters for firms: As markets become increasingly data-driven, regulators expect improved data quality and reporting from market participants. The CFTC’s staff advisory on AI underscores the same principle: deploying AI (directly or via third parties) does not change a firm’s obligations under the Commodity Exchange Act and CFTC regulations, and firms are expected to assess AI risks and update policies, procedures, controls, and systems accordingly.
Where Regulatory Priorities Converge

A clear 2026 throughline is that ‘core compliance’ and ‘technology risk’ are converging: the SEC’s FY 2026 examination priorities treat cybersecurity/operational resiliency and emerging financial technology (including AI) as cross-cutting risk areas and explicitly connect them to AML and OFAC sanctions compliance. FINRA and the CFTC echo this approach by embedding AI- and fraud-driven risks into financial-crimes frameworks and by emphasizing that accountability for regulatory obligations remains with the firm regardless of automation or vendor use.
Across the SEC, FINRA, and CFTC, several themes clearly align:
Operational resilience is now a core expectation
Governance over innovation is essential
Investor and market protection remains the unifying mission
In 2026, firms will be expected to ensure that their compliance programs are demonstrably effective, not merely documented in policy. Technology risk must be managed at the enterprise level, reflecting its broad impact across the organization. Additionally, as AI adoption accelerates, firms will need to implement strong governance frameworks, maintain clear oversight, and keep thorough documentation to satisfy regulatory scrutiny. Fragmented compliance approaches will increasingly be viewed as a source of risk rather than flexibility. Overall, firms operating across markets should expect growing alignment in regulatory expectations, raising the bar for consistency and coordination in compliance efforts.
Conclusion: Execution, Accountability, and Trust
The regulatory priorities for 2026 reflect a more mature oversight environment. Rather than introducing sweeping new frameworks, regulators are reinforcing expectations around execution, accountability, and resilience. The central question regulators are asking is no longer whether firms have policies in place, but whether those policies function effectively under real-world conditions.
This approach acknowledges the complexity of modern financial markets. As technology accelerates change and operational dependencies deepen, trust becomes the defining currency of the financial system. Regulators are emphasizing that trust is built through consistency, transparency, and preparedness - not through reactive compliance after issues arise.
For firms, this moment offers opportunity as much as obligation. Organizations that invest in strong governance, clear accountability, and resilient operations can move beyond compliance as a defensive exercise and use it as a foundation for sustainable growth. Those firms will be better positioned to engage regulators constructively, serve clients responsibly, and adapt to ongoing change.
Ultimately, the 2026 priorities send a clear message: regulatory success is no longer about meeting minimum standards - it is about demonstrating maturity. Firms that embrace that mindset will not only meet regulatory expectations but help shape a more stable, trustworthy financial system for the years ahead.