On September 30, 2025, the Office of the Chief Counsel of the Securities and ExchangeCommission’s (SEC) Division of Investment Management (the Division) issued a no-actionresponse (the No-Action Letter) stating that it would not recommend enforcement againstregistered investment advisers (RIAs) or certain regulated funds (i.e., registered investmentcompanies and business development companies) for maintaining crypto assets and related cashand cash equivalents with certain state-chartered financial institutions (state trust companies) solong as particular conditions are met.[1] In doing so, the No-Action Letter permits regulated fundsand RIAs to treat state trust companies as “banks” for purposes of the custody requirements ofthe Investment Company Act of 1940, as amended (the 1940 Act), the Investment Advisers Act of1940, as amended (the Advisers Act) and the rules thereunder.CUSTODY REQUIREMENTS UNDER THE 1940 ACT AND ADVISERS ACTThe custody requirements established by the 1940 Act and Advisers Act are designed to preventthe theft, loss, and misappropriation of investor assets. Sections 17(f) and 26(a) of the 1940 Actrequire registered funds to place and maintain securities and similar investments with certainqualified custodians. Similarly, RIAs that have custody of their clients’ funds and securities mustmaintain such items with a “qualified custodian” pursuant to Rule 206(4)-2 of the Advisers Act.Qualified custodians include entities that meet the definition of “bank” under §2(a)(5) of the 1940Act or §202(a)(2) of the Advisers Act.Typically, national and state-chartered banks qualify as a custodian for registered funds and RIAsby meeting the definition of a bank under the 1940 Act and the Advisers Act. State trustcompanies, however, are legal entities organized under state law that are: (i) supervised andexamined by a state authority having supervision over banks and (ii) permitted to exercisefiduciary powers under applicable state law.[2] For a state trust company to meet the definition of”bank” under the 1940 Act and Advisers Act, it must also satisfy the requirement that “asubstantial portion of the business of which consists of receiving deposits or exercising fiduciarypowers similar to those permitted to national banks under the authority of the Comptroller of theCurrency.” The interpretation of this portion of the definition was the subject of the No-ActionLetter.STATE TRUST COMPANIES AS “BANKS”The No-Action Letter permits regulated funds and RIAs to maintain crypto assets (and cashand/or cash equivalents reasonably necessary to effect transactions in crypto assets) with statetrust companies, if the following conditions are met:1. Authorization and Policies: The RIA and/or regulated fund must verify that the statetrust company is authorized by the relevant State Banking Authority to provide custodytroutman.com 4services for crypto assets and has policies to safeguard these assets, focusing on privatekey management and cybersecurity.2. Financial and Control Reports: The RIA and/or regulated fund must review the statetrust company’s latest audited financial statements and internal control reports to ensurecontrols are effective and meet custodial service objectives.3. Custodial Services Agreement: A written agreement must be in place, ensuring that thestate trust company cannot lend or pledge the crypto assets without prior consent andthat these assets are segregated from the company’s own assets.4. Risk Disclosure: The RIA and/or regulated fund must disclose any material risk of usingstate trust companies as custodians to their clients or board members.5. Best Interest Determination: The RIA and/or regulated fund must determine that usingthe state trust company’s custody services is in the best interest of their clients orshareholders, as applicable.In an atypical response to staff no-action letters, two SEC commissioners commented on theissuance of the No Action Letter — one voicing support, and one expressing a more cautionaryview.[3]CONCLUSIONThe Division’s No-Action Letter marks the latest development in the regulatory landscape forcrypto asset custody, allowing crypto assets to be placed and maintained at state trustcompanies, potentially broadening the universe of eligible providers for custody services.Maintaining crypto assets requires a complex web of technology and operational systems toprotect digital assets from misappropriation, making it particularly challenging for compliance. Asthe RIA and fund industries navigate these complexities, participants remain hopeful that the SECwill provide further guidance on crypto asset custody issues, as evidenced by recent commentletters to the SEC’s Crypto Task Force.[4] Stay up to date with the latest on crypto assetregulatory and market developments by subscribing to our Financial Services Blog,our Consumer Financial Services Law Monitor, and to our podcast, The Crypto Exchange, viaApple Podcasts, Google Play, Stitcher, or your preferred platform.[1] Simpson Thacher & Bartlett LLP, SEC No-Action Letter, Sept. 30, 2025, available here.[2] Id.[3] Commissioner Hester M. Pierce, Statement on “Out of the Gray Zone: Statement on TheDivision of Investment Management’s No-Action Letter Relating to the Custody of CryptoAssets with State Trust Companies” U.S. Sec. & Exch. Comm’n (Sept. 30, 2025)available here; Commissioner Caroline A. Crenshaw, Statement on “Poking Holes: Statementin Response to No-Action Relief for State Trust Companies Acting as Crypto Asset Custodians”U.S. Sec. & Exch. Comm’n (Sept. 30, 2025) available here.[4] For example, see the SEC comment letter submitted by National Society of ComplianceProfessionals on September 8, 2025, which underscores the need for additional guidance oncrypto asset custody, available here.troutman.com 5SEC Division of ExaminationsAnnounces 2026 Priorities11.17.25On November 17, 2025, the Securities and Exchange Commission’s (SEC) Division ofExaminations announced its fiscal year (FY) 2026 examination priorities.[1] The most significantchanges to the division’s priorities from FY 2025 include:* A focus on compliance with the soon-to-be-effective 2024 Regulation S-P amendments;* A focus on compliance with the newly implemented Regulation S-ID;* A change in the priorities of review for broker-dealer trading-related practices;* Commencement of registered security-based swap execution facilities reviews;* A new focus on AI-based cybersecurity risks when evaluating internal cybersecurity policies;and* The elimination of cryptocurrency regulation as an independent division area of focus for FY2026.1. Investment AdvisersAdherence to Fiduciary Standards of Conduct: The division continues to focus on advisers’exercise of their duties of care and loyalty and has identified the following exam areas for reviewof advice and disclosure consistent with such duties:(i) Advisers’ financial conflicts of interest;(ii) Factors considered in providing investment advice to clients including costs, objectives,features, liquidity, risks, volatility, performance across conditions, time horizon, and exit costs;(iii) Best execution;(iv) Higher-risk products (such as alternative investments (e.g., private credit, locked-up privatefunds), complex or option-based/leveraged exchange-traded funds (ETF), and ETF wrappers onless-liquid strategies); and(v) Higher-cost products.Examinations will evaluate whether recommendations match product disclosures and clients’objectives and risk profiles, with a new emphasis on separately managed accounts or newlyregistered funds (including allocation favoritism and interfund transfers).Effectiveness of Advisors’ Compliance Programs: The division will continue to assess theeffectiveness of advisers’ compliance programs, focusing on:* Conflicts that arise from account and product compensation structures;troutman.com 6* Advisers’ practices or products — for example, activist engagements (timely, accurate filingssuch as Schedules 13D/13G, Form 13F, Forms 3-5, and Form N-PX); and* Compliance when business models change or firms begin advising new asset types, clients, orservices.2. Investment CompaniesFor registered investment companies (RICs), including mutual funds and ETFs, examinations willcontinue to touch on disclosures, filings, governance practices, and compliance programs.Particular focus will be paid to:(a) Fund fees and expenses, together with any associated waivers and reimbursements; and(b) Portfolio management practices and disclosures, for consistency with statements aboutinvestment strategies or approaches and for consistency with amended Rule 35d-1 (the NamesRule).Never-before-examined RICs, especially those recently registered, will be prioritized forexamination.The division has also updated its specific areas to assess developments, including:(c) RICs that participate in mergers or similar transactions, including any associated operationaland compliance challenges;(d) Certain RICs that use complex strategies and/or have significant holdings of less liquid orilliquid investments (e.g., closed-end funds and interval funds), including any associated issuesregarding valuation and conflicts of interest; and(e) RICs with novel strategies or investments.3. Broker-Dealers(a) Broker-Dealer Trading-Related Practices.Updated areas of review for broker-dealer equity and fixed income trading practices will includepractices associated with extended hours trading, municipal securities, priority of orders, andmark-up disclosures. The division has noted that reviews will focus on:(i) Best execution;(ii) The pricing and valuation of illiquid instruments such as variable rate demand obligations,other municipal securities, and non-traded REITS; and(iii) Disclosures regarding order routing and order execution information, including as required byRule 605 under Regulation NMS.(b) Retail Sales Practice.The division will continue to review retail sales practices for compliance with Regulation BestInterest. Examinations are expected to concentrate on complex or tax-advantaged products likevariable and registered index-linked annuities; ETFs investing in illiquid assets; municipaltroutman.com 7securities; private placements; structured products; alternative investments; and other productswith complex fees or return calculations, exotic benchmarks, illiquidity, or rapid retail growth.4. Additional Risk Areas(a) Information Security and Operational Resiliency.The division will review registrants’ practices to prevent disruptions to mission-critical servicesand protect investor data. The division will also evaluate training and controls for emergingthreats tied to artificial intelligence (AI) and polymorphic malware, how firms use threatintelligence, and overall operational resiliency.(b) Regulation S-ID and Regulation S-P.The Division plans to assess compliance with Regulations S-ID and S-P. For Regulation S-ID,exams will review firms’ written Identity Theft Prevention Programs to ensure they detect, prevent,and mitigate identity theft in covered accounts — particularly red flag detection during accounttakeovers and fraudulent transfers — and include staff training. In advance of the Regulation S-Pamendment compliance dates, the division will engage firms on incident response programreadiness; after the applicable compliance dates, it will examine whether firms have implementedpolicies and procedures with administrative, technical, and physical safeguards to protectcustomer information.(c) Crypto Assets.Notably, the division has not renewed its commitment to observing the proliferation ofinvestments involving crypto assets and reviewing the offer, sale, recommendation, advice,trading, and other activities involving cryptocurrencies for FY 2026.5. Other Market Participants(a) Clearing Agencies.New focus areas across for clearing agency registrants include recovery and wind-down,collateral management, operations, and inter-clearing agency arrangements.(b) Municipal Advisors.The division will continue examining municipal advisors’ fiduciary duty, MSRB Rule G-42compliance, and completion of required SEC filings and obligations (qualification, registration,recordkeeping, supervision).(c) Transfer Agents.The division will continue examining transfer agents’ processing of items and transfers,recordkeeping and retention, safeguarding of funds and securities, and SEC filings, focusing onthose using emerging technologies. Following the compliance date, it will also assess adherenceto the 2024 Regulation S-P amendments, including the safeguards rule, disposal rule, andrequirements to establish incident response programs.(d) Funding Portals.The division will examine funding portals’ arrangements with qualified third parties for maintainingand transmitting investor funds, ensuring required records are made and preserved, andtroutman.com 8reviewing written policies and procedures for reasonable design and compliance with applicablesecurities laws. After the compliance date, it may also assess compliance with the 2024Regulation S-P amendments.(e) Security-Based Swap Execution Facilities (SBSEFs).The division will begin examining registered SBSEFs, focusing on their rules and internal policiesand procedures for trade monitoring, trade processing, and participant oversight. It will alsoassess how SBSEFs establish risk analysis and oversight programs designed to identify andminimize operational risk.As we have in the past, we will continue to monitor these issues and will provide future clientupdates. This alert is not intended to be used as a substitute for legal advice and should beutilized for guidance only.[1] U.S. Sec. & Exch. Comm’n, SEC Division of Examinations Announces 2026 Priorities, PressRelease No. 2025-132 (Nov. 17, 2025) https://www.sec.gov/newsroom/press-releases/2025-132-sec-division-examinations-announces-2026-priorities.troutman.com 9Key Takeaways From FINRA’s 2026Annual Regulatory Oversight Report12.9.25The Financial Industry Regulatory Authority’s (FINRA) 2026 Annual Regulatory OversightReport is the most current and comprehensive statement of FINRA’s priorities and expectationsfor member firms. It does not create new legal obligations, but it is clearly designed as an examand enforcement roadmap. The 2026 Report weaves together FINRA’s FINRA Forwardmodernization program, new and evolving risks (especially cyber-enabled fraud and generative AI(GenAI)), and detailed observations on firms’ supervisory, operational, and financial controls.Firms should use it as a structured checklist for 2026 risk assessments, revisions to writtensupervisory procedures (WSPs), and enhancements to testing, surveillance, and training.FINRA FORWARD AND THE ROLE OF THE REPORTFINRA Forward, launched in 2025, underpins much of this year’s Report. It has three pillars:modernizing FINRA’s rules to better reflect current markets, “empowering member firmcompliance” with more tools and feedback, and intensifying focus on cybersecurity and fraud.Organizationally, FINRA has unified Member Supervision, Market Oversight, and Enforcementinto a single Regulatory Operations function, which means firms should expect more integrated,cross-silo supervision and enforcement.The Report is explicitly positioned as an evolving reference library. It updates prior topics, addsnew ones (notably a dedicated GenAI section), and highlights “effective practices” and resources.Firms are encouraged to read it selectively, focusing on areas relevant to their business lines andrisk profile, but examiners will reasonably expect that the Report has informed the firm’scompliance planning.CYBERSECURITY AND CYBER-ENABLED FRAUDCyber remains at the top of FINRA’s agenda. The Report ties cyber risk directly to Regulation S-P(privacy and safeguarding), Regulation S-ID (identity theft red flags), FINRA Rule 3110(supervision), Rule 4370 (BCP), and Exchange Act books-and-records rules. It emphasizes the2024 amendments to Regulation S-P, which require a written program to detect, respond to, andrecover from unauthorized access to “sensitive customer information,” including customernotification. Larger firms were to have complied by December 3, 2025, while smaller firms haveuntil June 3, 2026.Substantively, FINRA continues to see ransomware and extortion events, data breaches,phishing/smishing/quishing, new account fraud, account takeovers, account impersonation, andimposter sites. Relationship investment scams, often initiated via text or social media, are aparticular concern. The Report also flags GenAI-enabled threats such as deepfake audio/videoand AI-generated documents/polymorphic malware, as well as “cybercrime-as-a-service” toolsthat allow less technical actors to launch sophisticated attacks.troutman.com 10FINRA’s “effective practices” now look more like baseline expectations: multifactor authenticationfor staff and customers; monitoring for unusual logins and payment requests; domain and socialmedia impersonation surveillance; outbound data-loss controls; network segmentation; BYODgovernance; routine training; cross-team coordination between cyber and anti-money laundering(AML); and structured vendor risk management. The practical question is no longer whetherthese controls exist but whether they are formally documented, consistently implemented anddemonstrably tested.AML, EXTERNAL FRAUD, AND IDENTITY-BASED THREATSThe Report devotes extensive attention to AML (FINRA Rule 3310) and “external fraud” threats.FINRA continues to find AML programs that are not properly tailored to firms’ businesses, thatunder-resource monitoring and investigations (especially after business growth), and that fail toescalate red flags from outside the AML function (e.g., cyber alerts, clearing firm inquiries).FINRA highlights evolving fraud patterns: disaster-related donation scams; social media”investment clubs” used to drive pump-and-dump activity; gold bar courier scams in whichcustomers are convinced to liquidate portfolios and hand physical metals to “couriers” cryptoconfidence schemes relying on phony apps; and mail-theft-related check fraud. In parallel, FINRAsees persistent new account fraud and account takeovers, increasingly enabled by GenAIthrough highly targeted phishing, voice clones used in call-center interactions, AI-generatedidentity documents, and deepfake “selfies” that defeat automated KYC.The Report expects firms to incorporate these typologies into their risk-based AML and fraudprograms, CIP/CDD controls, independent testing, and training. It emphasizes the importance ofrobust identity verification at onboarding and during investigations, careful scrutiny of omnibusaccounts and small-cap offerings, clear escalation paths for suspicious activity, and use ofavailable tools such as FINRA Rule 2165 (temporary holds) and trusted contact information whenexploitation is suspected.GENAI: GOVERNANCE, RISK, AND AI AGENTSFor the first time, FINRA devotes a standalone section to GenAI. The central message is thatFINRA’s rules are technology-neutral, meaning using GenAI does not change a firm’s obligationsunder supervision, communications, recordkeeping, outsourcing, or fair-dealing standards.However, GenAI amplifies many existing risks and introduces new governance challenges.FINRA notes that most current use cases are internal and efficiency-oriented such assummarization and information extraction, conversational assistants, coding support, syntheticdata generation, and workflow automation. But even internal deployments can impact supervisorysystems and decision-making. The Report warns about “hallucinations” (confident but incorrectoutputs) and bias (skewed outputs due to limited or outdated training data) and expects firms totest for and manage these risks, especially where GenAI touches regulatory analysis,surveillance, customer communications, or product design.Firms are urged to implement enterprise-level GenAI oversight, with formal review and approvalprocesses for new use cases; model risk management adapted to GenAI; testing for accuracy,reliability, privacy, and bias; logging of prompts and outputs; and appropriate human-in-the-looptroutman.com 11review. FINRA also flags AI “agents,” autonomous systems that plan and execute tasks, as anemerging concern.THIRD-PARTY AND TECHNOLOGY RISKThe Report also reinforces FINRA’s longstanding view that outsourcing does not outsourceresponsibility. Firms must maintain a supervisory system reasonably designed to overseeactivities performed by vendors, including technology, AML monitoring, cybersecurity, and keyback-office functions. FINRA notes more frequent cyber incidents and outages at vendors andstresses the importance of understanding concentrations of systemic risk where many firms relyon the same providers.In 2025, FINRA enhanced its own capabilities by launching Cyber & Operational REsilience(CORE), which collects and shares cyber and technology risk intelligence with potentially affectedfirms. The Report encourages firms to keep FINRA apprised of changes in critical vendors and tointegrate vendor-related scenarios into incident response planning and testing.Effective practices include maintaining detailed vendor inventories; structured initial and ongoingdue diligence that covers security, resilience and any use of GenAI; contractual limits on howvendor tools may consume and use firm and customer data; continuous monitoring forvulnerabilities and breaches; coordinated incident response with vendors; and disciplinedoff-boarding to ensure data is returned or destroyed and access is revoked.CRYPTO ASSETSThe Report reiterates that FINRA’s focus is on member firms’ crypto activities, especially wherecrypto assets are securities or are offered and sold as investment contracts. FINRA highlightsenforcement issues around communications (Rule 2210) that misstate or omit risks, overstateprotections (e.g., SIPC coverage), or make unsound comparisons to traditional investments,including content disseminated through influencers.FINRA also continues to see deficiencies in firms’ due diligence on crypto-related privateplacements and products, AML programs that do not adequately address crypto-related risks,and operational issues such as improper ACATS rejections when customers maintain associatedcrypto accounts with affiliates. The Report expects firms to understand the legal basis forunregistered offerings, the mechanics and risk profile of crypto securities, and to use on-chainanalytics where appropriate in AML and fraud monitoring.RETAIL COMMUNICATIONS, SOCIAL MEDIA, AND AI-GENERATED CONTENTFINRA’s communications findings have a strong digital flavor. Many firms lack robust supervisionand recordkeeping around social media influencers acting on the firm’s behalf, including failure topre-approve static content, supervise interactive content, or archive posts as required. Mobile appinterfaces and push notifications are another area of concern, particularly where they do notadequately explain products (options, margin, complex or crypto-linked strategies), understaterisk, or use gamified “nudges” that are promissory or misleading. When GenAI is used to draft ordeliver communications, FINRA expects full compliance with existing standards: communicationsmust be fair and balanced, consistent with products actually offered, and properly supervised andretained. Chatbots interacting with customers are treated as firm communications and must betroutman.com 12supervised and archived accordingly. References to AI-enabled products or services mustaccurately reflect how AI is used and balance potential benefits with clear discussion of risks.REGULATION BEST INTEREST AND COMPLEX PRODUCTSRegulation Best Interest (Reg BI) continues to be a central focus. The Report details failuresunder the Care Obligation (inadequate product due diligence, recommendations inconsistent withcustomer profiles, insufficient consideration of costs and reasonably available alternatives, weakdocumentation of account-type and rollover recommendations), as well as under the Conflict ofInterest, Disclosure, and Compliance Obligations. Many of these issues are most acute aroundcomplex or higher-risk products, including variable annuities, RILAs, options, and certain privateplacements.In private placements, FINRA emphasizes that firms must conduct reasonable investigations ofissuers, offerings and management; respond to red flags; maintain evidence of due diligence; andcomply with private placement filing requirements. FINRA notes continuing concerns with pre-IPOfund offerings, including misstatements about holdings and access to pre-IPO shares.In the annuities space, FINRA highlights problematic exchange patterns, including transactionsthat increase fees, restart surrender periods or forfeit valuable riders without sufficient benefit,and notes that many firms lack robust WSPs, data and surveillance for RILA recommendations.As an effective practice, FINRA suggests applying Rule 2330-style heightened controls to RILAs,with documented rationales, principal review, and exchange trend monitoring.MARKET INTEGRITY: CAT, BEST EXECUTION, MANIPULATION, MARKETACCESS, AND EXTENDED HOURSThe market integrity section touches several pillars. For the Consolidated Audit Trail (CAT),FINRA continues to find incomplete, inaccurate and untimely reporting, weak error correction andinsufficient oversight of third-party reporting agents. Firms should be able to map internal recordsto CAT fields, systematically review CAT feedback, and sample reported data against tradeblotters.Best execution under FINRA Rule 5310 remains a core obligation. FINRA expects “regular andrigorous” reviews of execution quality that genuinely compare venues and order types, considerthe impact of payment for order flow and venue incentives, and result in modifications ordocumented justifications where appropriate. The Report also highlights continuing inaccuraciesand omissions in Rule 606 order routing disclosures and expects firms to have WSPs that ensureaccuracy, completeness, and timely publication.Manipulative trading, particularly in small-cap exchange-listed issuers, remains a high-prioritysurveillance area. FINRA describes evolving pump-and-dump schemes that exploit nomineeaccounts, foreign omnibus accounts, undisclosed secondary offerings and, increasingly, accounttakeover-driven purchases. Firms are expected to tailor surveillance to their business andcustomer base and to integrate these patterns into AML and market abuse monitoring.Under the Market Access Rule (SEA Rule 15c3-5), FINRA expects pre-trade financial andregulatory risk controls that are calibrated to firms’ business models and demonstrablyreasonable, with clear documentation and controls over intra-day adjustments. Overreliance ontroutman.com 13venue-provided controls, without firm-level oversight, is viewed as inadequate. Firms are alsoexpected to conduct holistic post-trade reviews for manipulative activity and document annualeffectiveness reviews.Extended-hours trading triggers familiar obligations: clear and prominent risk disclosures underRule 2265, incorporation of extended-hours orders into best execution, CAT and TRF reporting,and supervisory processes that address lower liquidity, wider spreads and venue-specific pricebands overnight. FINRA also expects firms to think about operational readiness and customersupport during overnight trading sessions.FINANCIAL RESPONSIBILITY, LIQUIDITY, AND CUSTOMER PROTECTIONThe Report underscores ongoing issues and new requirements under the net capital rule,customer protection rule, and liquidity management expectations. FINRA continues to identifyimproper revenue and expense recognition, misclassified assets and liabilities, and incorrecthaircuts or OCC charges, particularly in underwriting arrangements. It points to recent SECactions requiring EDGAR submission of annual reports, forthcoming XBRL tagging requirementsfor FOCUS reports, and amendments to customer and PAB reserve computations. Most notably,the requirement for certain firms to move to daily reserve computations by June 30, 2026, withcorresponding funding and liquidity implications.FINRA’s Supplemental Liquidity Schedule (SLS) has become an important supervisory tool, andthe Report notes recurring SLS errors, such as misidentified counterparties, incomplete reportingof securities borrowing and lending, and inaccurate collateral data. Firms are expected tomaintain liquidity governance frameworks, run stress tests that reflect both firm-specific andmarket-wide shocks, and maintain contingency funding plans that realistically account forcontractual covenants and the potential unavailability of certain funding sources under stress.Under the Customer Protection Rule (Rule 15c3-3), FINRA continues to observe weaknesses inreserve formula computations, customer vs. noncustomer classifications, management ofsuspense items, possession or control of customer securities, and reconciliations with externalcustodians. FINRA stresses the importance of experienced FINOPs with appropriate access tobooks and records and of ongoing variance analyses and control testing.SENIOR INVESTORS AND TRUSTED CONTACTSThe Report reaffirms FINRA’s focus on senior and vulnerable investors. It notes that many firmsstill fail to make reasonable efforts to obtain trusted contact information (Rule 4512), do notprovide customers with clear disclosures about how trusted contacts may be used, and rely onRule 2165 (temporary holds) without documented training or internal review procedures. FINRAencourages firms to integrate senior investor protection into their broader fraud and AMLframeworks, including escalation protocols that involve trusted contacts, Adult Protective Servicesand law enforcement where appropriate, and to provide staff with practical “playbooks” andtraining on recognizing exploitation and diminished capacity.PRACTICAL IMPLICATIONSIn practice, the Report functions as a detailed “to-do list” for 2026. Firms should map its topics totheir own business activities, update risk assessments, and then prioritize enhancements totroutman.com 14WSPs, surveillance, testing, and training. This is particularly important in the areas of cyber andfraud (including GenAI-enabled threats), GenAI governance, Reg BI and complex products,digital communications, market integrity controls, liquidity management, and senior investorprotection. While the Report does not introduce new binding rules, it sets out the standardsagainst which FINRA will evaluate whether a firm’s compliance program is reasonable, risk-basedand responsive to today’s investor and market risks.troutman.com 15The Division of ExaminationsPublishes a Risk Alert to PromoteCompliance with the Marketing Rule12.16.25The Securities and Exchange Commission’s (the SEC) Division of Examinations (the Division)issued a Risk Alert on December 16, 2025 to promote investment advisers’ compliance withamended Rule 206(4)-1 (the Marketing Rule or the Rule)1 under the Investment Advisers Act of1940 (the Advisers Act). The Risk Alert addresses observations regarding advisers’ satisfaction ofdisclosure requirements and oversight and compliance practices under the Testimonials andEndorsements Provisions, as well as advisers’ due diligence and disclosure requirements underthe Third-Party Ratings Provisions.BACKGROUND ON THE MARKETING RULEApplicable to investment advisers subject to Section 203 of the Advisers Act, the Marketing Ruleis the SEC’s comprehensive framework governing how such advisers may market their servicesand investment strategies. Amended by the SEC in 2020, the most recent changes becameeffective November 2022.Designed “to prevent fraudulent, deceptive, or manipulative acts, practices, or courses ofbusiness,” the Marketing Rule’s framework includes requirements and guidance relating totestimonials, endorsements, and third-party ratings.2TESTIMONIALS AND ENDORSEMENTS3Clear and ProminentThe Marketing Rule permits advisers to use testimonials and endorsements in advertisements,but only if they meet specific disclosure, oversight, and eligibility conditions. At the time theadvertisement is disseminated, the adviser must ensure there are clear and prominentdisclosures stating:1 SEC, Final Rule: Investment Adviser Marketing, Advisers Act Rel. No. 5653 (Dec. 22, 2020)(Marketing Rule Adopting Release) (adopting amendments under the Advisers Act to updatethe rules that govern adviser marketing). The Marketing Rule applies to investment advisersregistered or required to be registered with the SEC under Section 203 of the Advisers Act.2 Advisers Act 206(4)-1.3 Advisers Act 206(4)-1(b).troutman.com 16* Whether the person giving the testimonial4 or endorsement5is a current client or investor;* Whether the person is being compensated (directly or indirectly);* The material terms of that compensation; and* Any material conflicts of interest arising from the relationship or compensation arrangement.The SEC staff has observed widespread noncompliance with the Marketing Rule’s testimonialand endorsement requirements, particularly with respect to disclosures. Testimonials andendorsements on adviser websites, d/b/a sites, social media, and referral or review platformsoften lacked clear and prominent disclosures about whether the promoter is a client, whether thepromoter is compensated and on what terms, and any related conflicts of interest. Even wheredisclosures existed, they were frequently ineffective — buried in small print, placed away from thetestimonial, or accessible only via hyperlinks. The staff also noted that some advisers failed torecognize that lead generators, influencers, referral networks, and incentivized client reviews areendorsements subject to the Rule.OVERSIGHTAdvisers also must oversee promoters and, in most cases, enter into written agreements withthem. The adviser must have a reasonable basis for believing that the testimonial orendorsement, including the required disclosures, complies with the Marketing Rule. Writtenagreements with compensated promoters generally must describe the scope of the promotionalactivities and the terms of compensation. While there is a limited de minimis exception (for totalcompensation of $1,000 or less over the preceding 12 months) and a partial exemption for certainaffiliated personnel, advisers are prohibited from compensating “ineligible persons” — i.e., thosesubject to specified disqualifying events — where the adviser knows or should know of thedisqualification.The SEC identified weaknesses in oversight, documentation, and use of exemptions. Someadvisers lacked written agreements with compensated promoters or used agreements that did notadequately describe the scope of promotional activities or compensation terms. Othersmisapplied the de minimis exception by evaluating each payment separately rather than totalcompensation over a 12‑month period. Examinations also found instances where advisers4 Advisers Act 206(4)-1(e)(17). (“Testimonial means any statement by a current client or investorin a private fund advised by the investment adviser: (i) About the client or investor’s experiencewith the investment adviser or its supervised persons; (ii) That directly or indirectly solicits anycurrent or prospective client or investor to be a client of, or an investor in a private fund advisedby, the investment adviser; or (iii) That refers any current or prospective client or investor to bea client of, or an investor in a private fund advised by, the investment adviser.”).5 Advisers Act 206(4)-1(e)(5) (“Endorsement means any statement by a person other than acurrent client or investor in a private fund advised by the investment adviser that: (i) Indicatesapproval, support, or recommendation of the investment adviser or its supervised persons ordescribes that person’s experience with the investment adviser or its supervised persons; (ii)Directly or indirectly solicits any current or prospective client or investor to be a client of, or aninvestor in a private fund advised by, the investment adviser; or (iii) Refers any current orprospective client or investor to be a client of, or an investor in a private fund advised by, theinvestment adviser.”).troutman.com 17compensated ineligible persons despite disqualifying disciplinary histories, and many advisershad not adequately updated or implemented their compliance policies and procedures to addressthe use of testimonials and endorsements under the Marketing Rule.THIRD-PARTY RATINGS6The Marketing Rule permits advisers to use third-party ratings in advertisements, but only if theysatisfy specific due diligence and disclosure requirements. An adviser must have a reasonablebasis for believing that any questionnaire or survey used to prepare the rating makes it at least aseasy to provide unfavorable as favorable responses and is not designed or structured to producea predetermined result.In addition, the adviser must provide, or have a reasonable basis to believe the rating includes,clear and prominent disclosures of key information, including:* The date of the rating;* The period on which the rating is based;* The identity of the third party that created and tabulated the rating; and* Whether the adviser directly or indirectly compensated the third party in connection withobtaining or using the rating.Any such compensation — including fees for consideration, logo use, reprints, or enhancedvisibility — must be clearly described so that investors can evaluate potential conflicts of interest.The staff observed that many advisers are out of compliance with the Rule when using third-partyratings in advertisements. Advisers frequently relied on ratings in websites, social media,pitchbooks, brochures, press releases, blogs, newsletters, and similar materials withoutadequately assessing the underlying questionnaires or surveys, and often lacked a reasonablebasis to believe the rating process was neutral and not designed to produce predetermined,favorable results. In many cases, firms had no documented process or supporting recordsdemonstrating this required due diligence.The staff also identified recurring disclosure deficiencies. Advertisements often omitted clear andprominent disclosures of the rating date, the period covered, or the identity of the third-partyrating provider, and a logo alone was sometimes used in place of a meaningful identification.Some advisers listed multiyear award ranges that included years in which they did not actuallyreceive the rating. In addition, advisers frequently failed to clearly and prominently disclose thatthey compensated the rating provider — such as by paying for consideration, logo use, reprints,enhanced exposure, or referral‑related benefits — or buried these disclosures in footnotes, smallprint, or hyperlinks.6 Advisers Act 206(4)-1(c).troutman.com 18CONCLUSIONThe Division’s published observations make clear that it is paying attention to advisers’compliance with the Marketing Rule, particularly around testimonials, endorsements, andthird-party ratings. This Risk Alert signals that advisers should expect continued exam focus onclear and prominent disclosures, oversight of promoters, and documented due diligence onthird-party ratings. In response, advisers and their legal counsel should review their marketingpractices, agreements, and policies and procedures with the expectation that these areas willremain an enforcement and examination focus.For a copy of the Division of Examination’s Risk Alert, click here: Risk Alert.
