June 3, 2026
Reg S-P Deadline Passed
Smaller SEC-registered advisers are now in scope
6 Years
FINRA 17a-4 Core Retention
Records must be immutable and readily accessible
60 Days
Reg S-P Breach Notice
The clock starts at discovery of unauthorized access
5 Domains
What Exams Now Probe
Infrastructure, cybersecurity, data, AI, and supervision
We are halfway through 2026, and the pattern in this year's SEC and FINRA examinations is consistent: regulators are no longer satisfied with policies on paper. They want evidence that technology controls were active continuously — not just on the day of the review.
That shift matters because most firms manage compliance as an annual event. They assemble documentation before an exam, pass, and move on. But a control that lapses between reviews — MFA quietly disabled for a departing executive, an archiving connector that silently stopped capturing a messaging channel — leaves a gap that a point-in-time assessment will never catch, and that an examiner increasingly will.
Below are the six technology-governance gaps most likely to surface in a 2026 examination, mapped to the domains examiners now probe. If you cannot immediately answer "yes, and here is the evidence" for each, it is a gap worth closing before the request letter arrives.
1. MFA That Is Not Enforced for Everyone
Multi-factor authentication is the control examiners ask about first, because it maps directly to the amended Reg S-P safeguards and the GLBA Safeguards Rule. The common failure is not the absence of MFA — most firms have it. It is the exceptions: a service account, a shared mailbox, an executive who found it inconvenient, a vendor with standing access.
⚖️ rule
The fix is not a policy statement. It is a continuously monitored control that flags the moment an account falls out of MFA enforcement.
2. Business Communications That Are Not Archived Immutably
FINRA Rule 4511 and SEC Rule 17a-4 require firms to preserve business communications in a non-rewritable, non-erasable (WORM) format for the required retention period. Email is usually covered. What trips firms up in 2026 is everything else: Teams and Slack messages, collaboration tools, text messages, and the output of AI assistants that now sit inside those channels.
If a communication about firm business happens on a channel that can be edited or deleted after the fact, it does not satisfy 17a-4 — even if nothing was ever altered. Off-channel communications remain one of the most heavily penalized records failures in the industry.
3. Written Supervisory Procedures That Are Stale — or Untested
FINRA Rule 3110 requires written supervisory procedures (WSPs), and Rule 3120 requires annual testing of those supervisory controls. Two gaps recur: WSPs that have not been reviewed in more than twelve months, and firms that have never documented a 3120 test.
✅ action
4. Shadow AI: The Tools You Have Not Inventoried
This is the fastest-growing exam topic, and the one firms are least prepared for. Staff are using AI tools — Copilot, ChatGPT, meeting-note assistants, research tools — often without the compliance team's knowledge. The SEC's AI governance expectations and the NIST AI Risk Management Framework both start from the same requirement: you must know what AI is in use before you can govern it.
When an examiner asks for your inventory of AI tools that touch client data, "we do not have one" is not an acceptable answer. Neither is a list you assembled the week before. The expectation is a maintained inventory with a risk assessment and an approval decision for each tool.
5. Backups That Have Never Been Tested
FINRA Rule 4370 requires a business continuity plan, and the technical foundation of any BCP is a backup that actually restores. Many firms have backups running; far fewer have documented a successful recovery test. An untested backup is an assumption, not a control — and a ransomware event is the wrong time to discover it does not restore cleanly.
6. The Meta-Gap: No Continuous Evidence
The other five gaps share a root cause. Firms treat compliance as a document to produce rather than a state to maintain. When the exam request arrives, they scramble to assemble evidence for a point in time, with no way to show the control held over the preceding months.
🔑 key
This is the difference between a checklist and a governance program. Continuous technology governance treats infrastructure, cybersecurity, data, AI, and supervision as one accountable program with evidence assembled as controls run — so exam readiness is a standing condition, not a quarterly fire drill.
How to See Where Your Firm Stands
You do not need to guess which of these six gaps applies to you. The Centience Governance Score is a free, five-minute self-assessment that scores your firm 0–100 across all five domains, benchmarks you against peer firms, and shows you exactly which gaps to close first — mapped to the SEC and FINRA rules each one touches.
Get Your Free Governance Score
🔗 Related Service: Technology Governance
Managed infrastructure, cybersecurity, and AI governance delivered as one accountable, continuously evidenced program.
For a deeper look at the records side of these obligations, see our guide to data governance for financial services firms, or explore how Centience supports financial services firms specifically.

Frequently Asked Questions




