Every year the SEC publishes its enforcement results and every year most RIAs skim the headline numbers and move on. This year that’s a mistake.
The FY2025 report, released April 7, 2026, isn’t just a scorecard. It’s a policy statement. The current Commission used it to formally repudiate how its predecessor operated, redefine what enforcement effectiveness means, and signal exactly where it intends to focus next. For RIAs, three things in that signal deserve more attention than they’re getting.
The Shift That Actually Matters
The Commission filed 456 enforcement actions in FY2025, down significantly from prior years, and was explicit about why. The prior Commission, in its view, prioritized volume over substance: running up case counts with off-channel communications violations, novel legal theories, and crypto registration actions that produced large penalty numbers but no direct investor protection. The current Commission called that out by name and walked away from it.
What replaces it is a fraud-first framework. Offering frauds, market manipulation, insider trading, disclosure violations, breaches of fiduciary duty. Cases that require two or more years to develop and bring, which means the pipeline being built right now reflects decisions the Division made in 2024 and 2025.
For RIAs, the instinct is to read “fewer cases, less aggressive enforcement” as relief. That reading is wrong. What actually changed is the target. The prior Commission went after process failures, record-keeping, registration, definitional compliance. This one is going after conduct failures, fraud, undisclosed conflicts, broken fiduciary obligations. The firms that were most exposed under the old regime had sloppy documentation. The firms most exposed under the new one have something more serious: advice that isn’t actually in the client’s interest, and disclosures that obscure rather than illuminate it.
That’s a harder problem to fix than updating a record-keeping policy.
The Fiduciary Signal Is Specific
Two cases in the FY2025 results should sit uncomfortably with any RIA CCO who reads them carefully.
The first is Vanguard. The SEC charged Vanguard Advisers for failing to adequately disclose conflicts of interest when recommending clients enroll in a fee-based advisory service. The allegation wasn’t fraud in the traditional sense, no fabricated returns, no misappropriated funds. It was a failure to clearly tell clients that the firm had a financial incentive in the recommendation it was making. A conflict existed, the disclosure was inadequate, and that was enough.
The second is Cutter Financial Group. Jeffrey Cutter and his firm were found liable after trial for recommending insurance products that paid substantial upfront commissions without adequately disclosing the financial incentive to sell them. Same structure: the recommendation was real, the product existed, but the conflict behind the recommendation wasn’t clearly surfaced to clients.
Neither case required the SEC to prove that clients were defrauded in the dramatic sense. It required proof that conflicts weren’t disclosed with the specificity the fiduciary standard demands.
This is where the enforcement shift lands most directly on RIA compliance programs. Under a fraud-first framework, the Commission isn’t looking for missing attestations or off-channel text messages. It’s looking at whether the advice clients received was genuinely in their interest, and whether any financial incentive that could have influenced that advice was clearly disclosed. Those are questions that live in Form ADV Part 2, in fee disclosures, in the way compensation arrangements are described, or not described, to clients.
An RIA whose disclosures were built to satisfy the prior regime’s documentation focus may have disclosure language that’s technically present but not substantively adequate. The difference between “we disclosed it” and “we disclosed it in a way that a client could actually understand and act on” is exactly where these cases turned.
The Individual Accountability Number Is Not a Footnote
Buried in the supporting detail of the FY2025 report is a number that deserves more prominence: approximately two-thirds of standalone actions filed during the year involved charges against one or more individuals, a 27 percent year-over-year increase. Under Acting Chairman Uyeda and Chairman Atkins specifically, nearly nine out of every ten standalone actions included individual charges.
The Commission was explicit about the rationale. Holding individuals accountable creates specific and general deterrence in ways that firm-level penalties don’t. A fine paid by the firm doesn’t follow the CCO to their next job. A bar order does.
For RIAs, this changes the personal calculus for compliance decision-making in a specific way. Under the prior regime, the dominant enforcement risk was institutional, the firm gets fined, the firm updates its policies, the firm moves on. Under the current one, the person who made the call, signed off on the disclosure, or failed to flag the conflict is the one the Division is most interested in.
That shift doesn’t mean every compliance failure becomes personal liability. But it does mean that the CCO who treats compliance as a documentation exercise, rather than as a substantive evaluation of whether the firm’s practices actually serve clients, is carrying more personal risk than they were two years ago. The standard being applied in enforcement is closer to “did you do the right thing” than “did you file the right form.”
What This Means for the Compliance Program in Front of You
The practical read-through from FY2025 isn’t complicated, but it requires some honest self-assessment.
On fiduciary disclosures: when did you last read your Form ADV Part 2 as a client would, rather than as a compliance checklist item? The Vanguard and Cutter cases weren’t brought because disclosures were absent. They were brought because disclosures were inadequate, present in form, insufficient in substance. If your conflict disclosures describe the existence of compensation arrangements without giving clients enough context to understand their significance, that’s the gap the current Commission is looking for.
On the fraud-first priority: the cases the Division is building right now, the ones that will appear in the FY2026 and FY2027 results, started as investigations in 2024 and 2025. The shift away from record-keeping enforcement doesn’t mean record-keeping stopped mattering. It means the Commission’s patience for process failures is lower, not higher: they’re not going to bring a case because your attestations were late, but if a substantive problem surfaces during an exam, inadequate documentation makes the underlying conduct look worse, not better.
On individual accountability: the question worth sitting with is whether the compliance decisions being made at your firm, the close calls on disclosure language, the judgment calls on what constitutes a material conflict, are being made and documented in a way that reflects genuine analysis, not just a box checked. The difference matters if those decisions are ever reviewed.
None of this requires a compliance program overhaul. It requires a different quality of attention to the things that were already supposed to be getting attention: fiduciary obligations, conflict disclosures, and the substantive alignment between the advice clients receive and the interests of the people giving it.
The Underlying Message
The Commission’s FY2025 report is, at its core, a statement about what the SEC thinks good compliance looks like. Not comprehensive documentation of every process. Not aggressive pursuit of technical violations. Genuine protection of investors from the people who are supposed to be acting in their interest.
That’s a higher bar in some ways and a narrower one in others. Firms that have been running compliance programs built primarily around documentation and record-keeping need to ask whether the substance underneath the documentation is actually there. Firms that have been treating disclosure as a formatting exercise need to ask whether their clients could read those disclosures and actually understand what they’re being told.
The SEC isn’t coming for the firms with perfect attestation logs and one ambiguous sentence in their ADV. But it is coming — more personally and more deliberately than before — for the ones where the advice and the disclosure don’t hold up to scrutiny.
Smartria’s policy management and marketing review tools are built around documentation that holds up, not just present on the page, but timestamped, version-controlled, and tied to the decision that generated it. If the FY2025 results prompt a review of where your disclosures and conflict documentation currently stand, book the demo
