SEC Exams in 2025: A practical playbook for private fund advisers

SEC exams are likely to stay just as rigorous, if not become even more detail-oriented.

A new administration in Washington has sparked some speculation that the SEC might ease up on private fund advisers. But don’t count on a softer regulatory touch any time soon. While headline-grabbing enforcement actions may become less frequent – whether due to different priorities or a more restrained approach – private equity and hedge fund managers should still expect intense scrutiny.

10 takeaways for success

Examiners are digging deeper, looking not just for policies and procedures on paper but for evidence that they are implemented effectively in practice.

1. Exam focus areas haven’t changed

Despite leadership turnover, the SEC’s 2025 Examination Priorities remain heavily focused on private fund advisers. Hot spots include:

  • disclosure of conflicts of interest;
  • fee and expense calculations and allocations;
  • compliance with new rules and amendments.

Expect examiners to take a close look at how fees are calculated and disclosed, how expenses are handled, and how valuations affect fee structures. They’ll also scrutinize any relationships with affiliates and third parties, especially where financial conflicts might exist.

Takeaway: Past exam results are no guarantee of future ones. The regulatory bar keeps moving, so refresh your disclosures frequently and make sure they are accurate, detailed, and aligned with current SEC expectations. Know your fund’s Limited Partnership Agreement (LPA) inside and out, particularly around fees, expenses, valuations, and related-party dealings. If your operations or disclosures don’t match the LPA, you are setting yourself up for trouble.

2. Custody: Still a danger zone

Custody issues remain one of the most misunderstood and risky areas for private fund advisers. Many mistakenly believe that custody only applies when they directly hold client assets. In fact, custody can be triggered in far more subtle ways.

If you manage private funds, liquidation vehicles, employee co-investment programs, or simply have authority over disbursements from a client account, you may already have custody obligations. This includes having control over bank or brokerage accounts used for capital calls or distributions.

The SEC continues to aggressively pursue custody violations, especially when firms fail to:

  • conduct annual financial audits of private funds;
  • arrange for surprise exams (where the audited-financials exception is not relied on);
  • deliver audited financials to investors on time (120 days for private funds; 180 days for fund-of-funds).

Example: An adviser managing an employee co-investment vehicle assumed custody rules didn’t apply because there were no management fees. However, the adviser controlled the bank account. During an exam, the SEC found a failure to secure annual audits or timely distribute financial statements, resulting in a deficiency letter, expensive remediation, and investor notification.

Takeaway: Analyze all fund structures and account controls carefully. Document your conclusions if you believe custody doesn’t apply – but when in doubt, it’s safer to engage an auditor and distribute audited financials.

3. Your testing program must work – not just exist

Simply having compliance policies is no longer enough. SEC staff are laser-focused on whether your systems are actually functioning as designed – and whether your testing validates that.

They expect:

  • frequent, tailored testing;
  • simulated real-world failure scenarios;
  • stress-testing automated systems;
  • evidence that testing evolves with changing risks.

Example: A firm paid $15m after it was discovered that its wire transfer surveillance system had never been properly vetted. A design flaw went unnoticed for years, allowing suspicious transactions to slip through undetected.

Takeaway: “No issues” doesn’t always mean “no problems.” Make sure your testing isn’t just routine box-checking:

  • run live scenarios;
  • spot-check automated results;
  • regularly recalibrate your systems;
  • keep thorough testing records.

Testing must be active, ongoing, and risk-driven – or the SEC will consider it ineffective.

4. If you think you’re exempt, prove it

Examiners increasingly cite firms not for violating rules, but for failing to document why certain rules don’t apply to them.

Example: Regulation S-ID (Identity Theft Red Flags Rule): Many advisers assume this rule doesn’t apply because they don’t have “covered accounts.” But the SEC expects every adviser to formally assess and document that conclusion.

Example: A private fund adviser with an investor portal failed to assess whether the portal’s features triggered covered-account obligations. Although the firm believed the rule didn’t apply, the SEC cited it for not conducting and documenting a formal analysis.

Takeaway: Establish a repeatable process:

  • annually assess exposure to Regulation S-ID (and similar rules);
  • document your analysis and conclusions;
  • if covered, implement a formal identity theft prevention program.

Even a “no” needs to be supported by clear, current documentation.

5. Vendor oversight is no longer optional

Vendor management is now a standing item on examiners’ lists – especially vendors touching sensitive data or core business functions.

Examiners want to see documented:

  • pre-onboarding diligence;
  • security and risk assessments;
  • signed contracts with appropriate safeguards;
  • ongoing performance reviews and monitoring;
  • follow-up when issues arise.

Example: An adviser had a policy requiring quarterly vendor reviews – but couldn’t produce documentation during an exam. The result? A deficiency letter and remediation.

Takeaway: Classify vendors based on risk:

  • critical vendors (for example, cloud storage, fund administrators) need robust onboarding, close monitoring, and detailed contracts;
  • non-critical vendors still need basic diligence, but oversight can be scaled appropriately.

6. MNPI Controls: Private fund managers under the microscope

Handling material non-public information (MNPI) is a growing risk area – especially for private fund managers who operate in both public and private markets.

The SEC expects:

  • strong policies around identifying, handling, and escalating MNPI risks;
  • restricted lists, watch lists, and trade pre-clearance;
  • diligence on expert networks and interactions with public company insiders;
  • ongoing employee training on MNPI risks;
  • testing and documenting enforcement of MNPI policies.

Takeaway: It’s not just about whether your fund trades on MNPI – it’s about whether you have visible, enforceable guardrails to prevent misuse. Regulators are penalizing firms not just for insider trading, but for weak or inconsistent MNPI compliance programs.

7. The Marketing Rule: Substantiation is everything

The SEC’s Marketing Rule (Advisers Act Rule 206(4)-1, in force since November 2022) is being heavily enforced, and there is no tolerance for unsupported claims, no matter how harmless they may seem.

Examiners expect:

  • substantiated performance data;
  • transparent assumptions for hypothetical returns;
  • clear disclosures around testimonials and endorsements;
  • full oversight of all advertising channels—including websites, social media, and third-party platforms.

Takeaway: Marketing practices need to be bulletproof. Make sure your marketing team:

  • reviews every piece of promotional material before release;
  • documents the basis for every factual claim;
  • understands what now qualifies as an “advertisement”.

Sloppy or casual language – even on social media – can land you in hot water.

8. Off-channel messaging: Fix it before they find it

The SEC continues to hammer firms for failing to monitor text messages, WhatsApp, Signal, and other personal communication channels.

Firms must:

  • ban business communications over unapproved apps;
  • provide compliant alternatives that allow automatic archiving;
  • monitor compliance and conduct random checks;
  • train employees regularly—and document it all.

Proactive remediation efforts – like rolling out compliant messaging platforms – can significantly reduce penalties if violations are found.

Takeaway: Having a policy isn’t enough. Enforcement actions show the SEC expects real implementation and enforcement when it comes to off-channel messaging.

9. The new AML Rule is coming fast

Starting January 1, 2026, under FinCEN’s final rule, SEC-registered investment advisers and exempt reporting advisers (with limited exceptions) will be subject to Bank Secrecy Act (BSA) requirements, including:

  • written AML compliance programs;
  • investor due diligence;
  • filing Suspicious Activity Reports (SARs);
  • appointment of a designated AML compliance officer.

Takeaway: Don’t wait until the deadline. Start building your AML framework now:

  • identify risks;
  • train staff;
  • review service provider contracts;
  • test your processes.

AML compliance will become a major exam focus as soon as the rule is in force.

10. New data protection rules: Breach response just got serious

Under the 2024 amendments to Regulation S-P, firms will have to:

  • adopt a written incident response program covering detection, containment, and recovery from unauthorized access to customer information;
  • notify affected individuals as soon as practicable, and no later than 30 days after becoming aware that their sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization;
  • oversee service providers that receive customer information, including requiring them to notify the firm no later than 72 hours after becoming aware of a breach.

Compliance dates:

  • larger entities (registered advisers with ≥ $1.5B AUM): December 3, 2025;
  • smaller entities (< $1.5B AUM): June 3, 2026.

Takeaway: Review your data security policies now. Tighten vendor oversight. Update contracts. Make sure your incident response plans are more than window dressing.

Final word

A new administration may mean fewer headlines, but SEC exams are not getting easier. Examiners remain aggressive, and the expectations around documentation, implementation, and testing are only getting higher.

Firms that invest now in strengthening their compliance infrastructure – and that treat exams seriously, not reactively – will be better positioned to weather whatever comes their way. 

Janaya Moscony, President, SEC3. As a former SEC regulator, Janaya has significant experience in the examination, implementation and enforcement of securities regulations. Contact: janaya@sec3compliance.com