Regulatory Round-Up March 2026

Mar 09 2026

March Focus: Compliance Alignment, Cyber Readiness & Third-Party Oversight

Howdy, March is a good month to check the fences.

With regulatory expectations continuing to evolve—especially around cybersecurity, documentation, and oversight—now is the time to make sure your compliance program reflects how your firm actually operates day to day.

Recent regulatory guidance and exam trends suggest a consistent theme: regulators are paying close attention to whether firms’ policies, controls, and real-world practices are aligned and well documented.

For advisers, that means tightening procedures now—before exam season comes riding through.

Compliance Programs: Make Sure the Manual Matches the Trail

One of the most common issues observed in exams is a disconnect between a firm’s written compliance manual and its actual practices.

Policies and procedures are expected to reflect how the firm truly operates, not just a template created years ago.

Areas that often draw scrutiny include:

  • Compliance manuals that haven’t been updated after operational changes
  • Generic policies that don’t reflect the firm’s business model
  • Marketing review procedures that aren’t consistently documented
  • Billing processes that lack verification controls
  • Supervisory procedures that exist on paper but aren’t consistently followed

Examiners are looking for more than documentation—they want to see evidence that compliance controls are actively operating.

This month is a good opportunity to review your policies and confirm they match the way your firm conducts business today.

Regulation S-P: Preparing for the 2026 Amendments

Cybersecurity and client data protection remain front-and-center for regulators.

With the amended Regulation S-P requirements taking effect in June 2026, firms should begin preparing now to ensure their privacy safeguards and incident response processes meet the new standards.

Key preparation steps include:

  • Update Policies & Procedures: Compliance manuals should clearly outline privacy protections, breach response procedures, and data-handling protocols.

  • Train Your Team: Employees and advisers should understand how to protect non-public client information and how to escalate potential cybersecurity incidents.

  • Strengthen Vendor Oversight: Third-party service providers will also be expected to comply with heightened standards, including new 72-hour breach notification expectations.

Cybersecurity policies aren’t just an IT issue—they’re increasingly part of the SEC’s broader compliance review.

Oversight of Third-Party Managers

Delegating portfolio management doesn’t delegate fiduciary responsibility.

When RIAs work with third-party managers or sub-advisers, regulators expect firms to maintain meaningful oversight of those relationships.

Effective due diligence should include:

  • Reviewing registration status and regulatory history
  • Evaluating investment strategy and performance consistency
  • Assessing operational and cybersecurity capabilities
  • Identifying potential conflicts of interest
  • Reviewing fee arrangements and disclosures

Initial due diligence is important—but ongoing monitoring and annual review are just as critical.

Firms should maintain documentation demonstrating that oversight is active and continuous.

Off-Channel Communications: Still a Hot Topic

The SEC continues to emphasize the importance of maintaining complete records of client communications.

Using personal email, text messaging, or unapproved platforms for business conversations can quickly create compliance gaps.

Best practices include:

  • Requiring client communications through approved firm systems
  • Archiving communications across email and messaging platforms
  • Implementing clear reporting procedures for accidental off-channel communications
  • Training employees on communication policies

Maintaining proper records is a key component of the Books and Records Rule, and examiners are paying close attention.

March Compliance Checklist

As we head into the spring compliance cycle, consider reviewing the following items:

  1. Confirm ADV Annual Amendment progress ahead of the March 31 deadline
  2. Review marketing materials and ensure they are properly archived
  3. Conduct a cybersecurity check to confirm no data breaches occurred
  4. Review third-party manager due diligence documentation
  5. Confirm policies and procedures accurately reflect firm operations
  6. Distribute and review the updated Compliance Manual with staff

Staying organized now can prevent unnecessary scrambling later.

Looking Ahead

Throughout 2026, True West will continue sharing regulatory insights, practical compliance guidance, and tools designed to help RIAs stay prepared and exam-ready.

From regulatory updates to operational best practices, our goal is simple: help firms maintain clean documentation, strong controls, and confidence heading into any exam.

Here’s to keeping the program tight, the records clean, and the trail ahead clear.
