Investment Adviser | Risk Management Updates (RMU)

2025 Year-End Compliance Considerations

October 20, 2025 by

As 2025 draws to a close, compliance teams have a valuable opportunity to pause, reflect, and confirm the overall health of their programs. Year-end is not just about closing out outstanding tasks — it’s about validating that the firm’s compliance framework remains effective, risk-aligned, and ready to meet 2026 expectations.

This checklist is designed to help compliance officers take a clear “temperature check” of their program, identify any remaining gaps, and prepare for the year ahead. Throughout the guide, you’ll find practical reminders and areas to double-check before year-end to ensure the firm’s compliance program is complete, documented, and exam-ready.

Please note this checklist is not all-inclusive; additional steps may be required depending on the firm’s business practices.

 

Compliance Themes

Before diving into the checklist, keep these themes in mind:

  • Tailor Policies and Procedures. Policies should be customized to the firm’s size, complexity, and risk profile — regulators expect more than “off-the-shelf” language.
  • Evaluate Resourcing. Year-end is the ideal time to assess whether staffing, technology, and vendor support are adequate for the firm’s current and upcoming obligations.
  • Foster a Culture of Compliance. Senior leadership should set the tone, reinforce accountability, and ensure compliance priorities remain visible as 2026 planning begins.

The following checklist puts these principles into action, providing a practical way to confirm that core compliance responsibilities have been addressed as the year concludes.

 

1. Governance Policies & Risk Framework
  • Update the firm’s risk assessment and conflicts inventory to capture 2025 developments, including amended Reg S-P requirements, cybersecurity risks, and any new products or strategies.
  • Complete the annual compliance review under Rule 206(4)-7, addressed findings, and documented remediation steps.
  • Verify that policies and procedures accurately reflect business practices, regulatory guidance, and lessons learned throughout 2025.
  • Confirm that governance oversight roles and escalation processes are clearly defined heading into 2026.

 

2. Disclosures, Registrations, & Filings
  • Review and update Form ADV, Form CRS, and other disclosures to ensure accuracy and consistency with current marketing and business practices.
  • Verify that Form U-4/U-5 updates and employee certifications of disciplinary disclosures are complete and filed.
  • Reconcile other regulatory filings, including Form PF, Form D, Form 13F, Schedule 13G/D, Form N-PX, and state notice filings, to confirm all 2025 submissions were made.
  • Capture 2026 filing deadlines on the compliance calendar to ensure timely renewals and reporting.

 

3. Books, Records, & Communication Controls
  • Verify that required records (trading, client agreements, financials, marketing, etc.) are retained, indexed, and retrievable in compliance with Rule 204-2 of the Investment Advisers Act of 1940 (the “Advisers Act”). As noted in the 2025 exam priorities[1], during exams the SEC continues to evaluate compliance with amended books and records requirements, including those associated with T+1 settlement cycle change.
  • Review off-channel communication policies and controls to confirm approved business platforms are documented, archived, and functioning properly.
  • Confirm that data and record retention and disposal protocols align with the firm’s policies and procedures for cybersecurity and privacy, and are in line with amended Reg. S-P.
  • Test to determine that all required backup documentation for data and/or performance in the firm’s marketing and advertising materials is being maintained.

 

4. Custody, Internal Audits, & Financial Controls
  • Analyze reasons for custody and confirmed compliance with all requirements under Rule 206(4)-2 of the Advisers Act.
  • Complete any required surprise custody examination and ensure Form ADV-E was filed on time.
  • Review fee-calculation and billing processes, test a sample of accounts, correct discrepancies, and document findings.
  • Verify that account reconciliations and cash-movement controls are up to date and effective.

 

5. Vendor & Outsourcing Oversight
  • Perform annual vendor due-diligence reviews, ensuring documentation such as SOC reports, cybersecurity certifications, and BCP test results are on file.
  • Review vendor contracts to confirm confidentiality, breach-notification, and data-protection clauses meet requirements, including amended Reg S-P standards. Communicate expectations to applicable vendors if warranted.
  • Evaluate vendor financial stability and performance throughout the year and document follow-up actions.
  • Identify any vendors or technology updates that require 2026 budget allocations for improved compliance or cybersecurity protections.

 

6. Cybersecurity, Privacy, & Regulation S-P Compliance
  • Adopt or update policies and procedures reflecting amended Reg S-P[2] requirements, including incident-response and notification protocols.
  • Conduct vulnerability assessments and penetration tests and document remediation.
  • Review the firm’s Privacy Notice and delivery processes for accuracy and compliance with federal and state requirements.
  • Perform a tabletop or functional incident-response exercise to validate escalation and communication workflows.
  • Meet with IT and key vendors to discuss 2025 incidents, review cybersecurity controls, and plan system enhancements or upgrades needed for 2026.

 

7. Training, Awareness, & Culture
  • Complete annual compliance training, including training on high-risk areas such as cybersecurity, custody, Reg S-P, privacy, and conflicts of interest.
  • Verify that IAR continuing-education requirements were met and documented.
  • Provided additional or department-specific training where emerging risks warrant deeper coverage.
  • Reinforce tone-from-the-top messaging through year-end communications or meetings with staff.

 

8. Examination Preparation & Regulatory Trends
  • Review 2025 SEC exam priorities and risk alerts and confirm how the firm’s program addresses each applicable area and has appropriate controls in place.
  • Update/create the firm’s “Day 1 Deck”[3] to reflect current business practices, operations, and compliance structure.
  • Confirm that compliance files and testing evidence are centralized and organized for quick production.
  • Conduct internal or third-party mock audits to identify and remediate potential deficiencies before year-end.
  • Perform mock interviews or briefings with key personnel to strengthen exam preparedness.

 

9. Strategic Planning & Looking Ahead
  • Monitor proposed regulations and determine which may require 2026 implementation (e.g., Reg S-P, cybersecurity, private-fund reporting).
  • Assess staffing, outsourcing, and technology needs and incorporate those costs into the 2026 compliance budget.
  • Prepared a compliance report for senior management summarizing 2025 activities, key findings and recommendations, and upcoming priorities.
  • Schedule early-year planning discussions with IT, operations, and firm leadership to align 2026 compliance initiatives.

 

10. Closure & Documentation
  • Maintain and update the compliance review log tracking all testing and reviews, findings, and actions taken..
  • Archive all 2025 compliance documentation — policies, training logs, testing and results, approvals — in retrievable format.
  • Ensure senior-management signs-off on the annual review, all compliance program updates, and 2026 priorities.
  • Verify that documentation clearly evidences continuous monitoring throughout the year.

 

Final Review

By working through this checklist, Chief Compliance Officers can close out 2025 with confidence that their firm’s Compliance Program is robust, are in line with current regulations, well-documented, and forward-looking. A complete, evidence-based year-end review not only satisfies regulatory expectations but demonstrates an active culture of compliance — one that evolves alongside business growth and regulatory change.

 

Author:  Josh Jones, Sr. Compliance Consultant; Editor: Tina Mitchell, Managing Director, Consultation Services, Core Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, and private fund managers on regulatory compliance issues.

This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon regarding any particular facts or circumstances without first consulting with a lawyer and/or tax professional.

[1] https://www.sec.gov/files/2025-exam-priorities.pdf

[2] The compliance date for the final amendments is December 3, 2025 for larger entities (advisers with $1.5 billion or more in assets under management) and June 3, 2026 for smaller entities (advisers with less than $1.5 billion in assets under management).

[3] A Day 1 Deck is a presentation used at the outset of an SEC exam to give regulators an overview of the firm’s business and compliance framework.