Howdy, March is a good month to check the fences.
With regulatory expectations continuing to evolve—especially around cybersecurity, documentation, and oversight—now is the time to make sure your compliance program reflects how your firm actually operates day to day.
Recent regulatory guidance and exam trends suggest a consistent theme: regulators are paying close attention to whether firms’ policies, controls, and real-world practices are aligned and well documented.
For advisers, that means tightening procedures now—before exam season comes riding through.
One of the most common issues observed in exams is a disconnect between a firm’s written compliance manual and its actual practices.
Policies and procedures are expected to reflect how the firm truly operates, not just a template created years ago.
Areas that often draw scrutiny include:
Examiners are looking for more than documentation—they want to see evidence that compliance controls are actively operating.
This month is a good opportunity to review your policies and confirm they match the way your firm conducts business today.
Cybersecurity and client data protection remain front-and-center for regulators.
With the amended Regulation S-P requirements taking effect in June 2026, firms should begin preparing now to ensure their privacy safeguards and incident response processes meet the new standards.
Key preparation steps include:
Update Policies & Procedures: Compliance manuals should clearly outline privacy protections, breach response procedures, and data-handling protocols.
Train Your Team: Employees and advisers should understand how to protect non-public client information and how to escalate potential cybersecurity incidents.
Strengthen Vendor Oversight: Third-party service providers will also be expected to comply with heightened standards, including new 72-hour breach notification expectations.
Cybersecurity policies aren’t just an IT issue—they’re increasingly part of the SEC’s broader compliance review.
Delegating portfolio management doesn’t delegate fiduciary responsibility.
When RIAs work with third-party managers or sub-advisers, regulators expect firms to maintain meaningful oversight of those relationships.
Effective due diligence should include:
Initial due diligence is important—but ongoing monitoring and annual review are just as critical.
Firms should maintain documentation demonstrating that oversight is active and continuous.
The SEC continues to emphasize the importance of maintaining complete records of client communications.
Using personal email, text messaging, or unapproved platforms for business conversations can quickly create compliance gaps.
Best practices include:
Maintaining proper records is a key component of the Books and Records Rule, and examiners are paying close attention.
As we head into the spring compliance cycle, consider reviewing the following items:
Staying organized now can prevent unnecessary scrambling later.
Throughout 2026, True West will continue sharing regulatory insights, practical compliance guidance, and tools designed to help RIAs stay prepared and exam-ready.
From regulatory updates to operational best practices, our goal is simple: help firms maintain clean documentation, strong controls, and confidence heading into any exam.
Here’s to keeping the program tight, the records clean, and the trail ahead clear.