SEC / FINRA Readiness Assessment
Select your entity type and profile to generate a tailored compliance scorecard.
📅 Key Regulatory Deadlines
| Requirement | Deadline |
|---|---|
| Reg S-P Amended Rule — Incident Response Program required | Effective Now (Nov 2024) |
| Reg S-P — 30-day customer notification after breach detection | Within 30 Days |
| Form ADV annual update (advisers) | Within 90 Days of Fiscal Year End |
| Form CRS delivery to retail customers | At or Before First Recommendation |
| SAR filing (AML — broker-dealers) | Within 30 Days of Detection |
| Form 8-K cybersecurity incident disclosure (public companies) | Within 4 Business Days |
| Annual AML compliance program review (broker-dealers) | Annually |
⚠ SEC / FINRA Penalty Exposure
| Violation Category | Maximum Penalty | Notes |
|---|---|---|
| Tier I Civil Penalty (standard) | $10,781 per violation | 2024 CPI-adjusted amount; applies to general rule violations |
| Tier II Civil Penalty (fraud/recklessness) | $107,813 per violation | Fraud, deceit, manipulation, or deliberate/reckless disregard |
| Tier III Civil Penalty (substantial harm) | $215,626 per violation | Violations resulting in substantial losses or significant risk to others |
| FINRA Fines | Up to $500,000+ | Vary by rule; egregious violations can exceed $1M+ |
| Industry Bar / Suspension | Non-monetary | Significant sanction; can be permanent bar from industry |
| Disgorgement + Pre-Judgment Interest | All ill-gotten gains | SEC may seek full disgorgement; no cap; Supreme Court confirmed in Liu v. SEC |
| Criminal Referral (willful violations) | Up to 20 years imprisonment | DOJ referral for willful violations of securities laws; concurrent civil sanctions |
Penalty amounts reflect 2024 CPI adjustments per 17 C.F.R. Part 201. Each day of a continuing violation may be treated as a separate violation.
SEC / FINRA Compliance — Frequently Asked Questions
The SEC has jurisdiction over broker-dealers, investment advisers, public companies, investment companies (mutual funds, ETFs), and transfer agents. FINRA is a self-regulatory organization (SRO) authorized by Congress that oversees broker-dealers specifically — all broker-dealers doing business with the public must be FINRA members. Investment advisers with over $110M in AUM register with the SEC; those below that threshold generally register with their home state (with some exceptions). FinTech and digital asset platforms may be subject to SEC oversight depending on their activities, particularly if they offer or facilitate the trading of securities. The SEC has taken an expansive view of what constitutes a security in recent enforcement actions against crypto platforms.
The SEC's amended Regulation S-P (effective November 2024) significantly expanded cybersecurity obligations for broker-dealers and investment advisers. Key requirements include: (1) Incident Response Program — written policies and procedures for detecting, responding to, and recovering from unauthorized access to customer information; (2) 30-Day Customer Notification — affected individuals must be notified within 30 days of detecting a breach involving their "covered data"; (3) Service Provider Oversight — firms must oversee vendors and service providers that have access to customer information; (4) Annual Review — the incident response program must be reviewed and updated at least annually. Covered data includes social security numbers, account numbers, and other sensitive personally identifiable information (PII). The amendments greatly expanded the original 2000 Regulation S-P, which focused primarily on privacy notices.
Regulation Best Interest (Reg BI), which became effective June 30, 2020, requires broker-dealers to act in the best interest of retail customers when making recommendations of securities transactions or investment strategies. It has four component obligations: (1) Disclosure Obligation — disclose material facts about the recommendation and any conflicts of interest; (2) Care Obligation — exercise reasonable diligence, care, and skill when making recommendations; (3) Conflict of Interest Obligation — establish written policies to identify, disclose, and mitigate conflicts, including eliminating incentives that create conflicts; (4) Compliance Obligation — establish written policies reasonably designed to achieve compliance with the entire Reg BI. Broker-dealers and investment advisers must also deliver Form CRS (Customer/Client Relationship Summary) to retail investors before or at the time of the first recommendation or service provision.
Form ADV is the SEC's registration and disclosure form for investment advisers. Part 1 contains structured information about the adviser's business, ownership, clients, employees, business practices, affiliations, and any disciplinary events — filed electronically via IARD and publicly available on the SEC's Investment Adviser Public Disclosure (IAPD) website. Part 2A (the "brochure") must be written in plain English and describe the adviser's services, fees, investment strategies, risks, disciplinary information, conflicts of interest, and other material information. Part 2B (the "brochure supplement") discloses information about individual supervised persons who provide advisory services. Advisers must deliver Part 2A to prospective clients before or at the time of entering into an advisory contract. Annual updates to Form ADV must be filed within 90 days of the adviser's fiscal year end. Prompt amendments are required when information becomes materially inaccurate.
SEC civil monetary penalties are adjusted annually for inflation under the Federal Civil Penalties Inflation Adjustment Act. For 2024: Tier I (standard violations) — up to $10,781 per violation; Tier II (fraud, deceit, manipulation, or deliberate/reckless disregard of regulations) — up to $107,813 per violation; Tier III (violations causing substantial losses or significant risk to others) — up to $215,626 per violation. Each day of a continuing violation may be treated as a separate violation, meaning penalties can compound rapidly. FINRA fines vary by rule but can reach $500,000 or more per violation; egregious cases have resulted in fines exceeding $1 million. Additional sanctions include disgorgement of all ill-gotten gains plus pre-judgment interest (confirmed by the Supreme Court in Liu v. SEC), industry bars or suspensions, and criminal referrals to the Department of Justice for willful violations (up to 20 years imprisonment under 15 U.S.C. § 78ff).