The Supervisory Reset Reaches Capital Markets: What Mid-Size Broker-Dealers Must Get Right Before the Next FINRA Cycle

The SEC's 2026 examination priorities target broker-dealer compliance with net capital and customer protection rules, operational resilience programs, cash sweep programs, and prime brokerage activities. The division is increasing focus on cybersecurity practices and what it describes as risks from evolving products, business models, and technology-driven risks. The amended Regulation S-P compliance deadline for smaller broker-dealers arrives June 3, 2026, requiring written incident response programs, expanded cybersecurity controls, and breach notification procedures.

FINRA's 2026 oversight report tells the same story. It flags recurring control gaps in operational resilience, third-party dependencies, cyber-enabled fraud, and governance of emerging technologies. For the first time, FINRA included a dedicated section on generative artificial intelligence (AI) risks and launched its Cyber and Operational Resilience (CORE) program to share risk intelligence directly with member firms. Enforcement is not slowing. In March 2026, the Financial Crimes Enforcement Network (FinCEN) imposed an $80 million penalty against Canaccord Genuity LLC for willful failure to maintain an effective Anti-Money Laundering (AML) program, the largest Bank Secrecy Act (BSA) action ever brought against a broker-dealer, with the SEC and FINRA imposing coordinated penalties of $20 million each. The message is consistent: examiners are testing whether compliance programs actually function.

Three patterns show up frequently, and they tend to compound. The first is regulatory reporting treated as a technology output rather than a governed process. Firms implement platforms for Consolidated Audit Trail (CAT), Customer and Account Information System (CAIS), or SEC Rule 606 submissions and treat the obligation as substantially met. When FINRA inquires about a pattern of exceptions or rejected submissions, the ownership trail can be difficult to reconstruct if it was never documented as an ongoing discipline.

The second is surveillance positioned as a checkbox rather than an operating discipline. Off-channel communications supervision follows the same pattern. FINRA fined a broker-dealer $750,000 in January 2026 for failing to supervise and retain business-related text messages, and cumulative industry fines for off-channel communications failures now exceed $2.2 billion. The underlying issue is rarely the absence of a policy. It is that the supervision and evidence trail around the policy is incomplete.

The third is ownership ambiguity across compliance, operations, and technology. Regulatory reporting depends on data feeds, platform configurations, exception workflows, and reconciliation processes that span multiple functions. In many mid-size firms, the question of who owns the data quality feeding a regulatory submission does not have a clean, documented answer. That ambiguity becomes a finding when an examiner asks for one.

Firms that handle these examinations well share common practices. Regulatory reporting has a named owner, a documented exception management process, and an evidence trail showing that errors are identified, escalated, and remediated rather than simply corrected and resubmitted. Surveillance findings connect to the firm's risk register and escalation framework. A recurring pattern of trade reporting errors is treated as an operational risk indicator, not just a technology issue.

Third-party regulatory technology dependencies are governed, not just procured. The firm can articulate what controls the vendor provides, what controls the firm retains, and how vendor performance is monitored. Documentation reflects how the firm actually operates: policies describe current processes, procedures are current, and evidence is maintained as an ongoing operational artifact rather than reconstructed under time pressure for each examination cycle.

The SEC examination priorities are published. FINRA's oversight report is public. The Regulation S-P deadline for smaller broker-dealers is June 3, 2026. Supervisory expectations for capital markets firms are tightening along the same path that banking regulators set over the past seven months.

Mid-size broker-dealers with FINRA cycles approaching in the next 90 to 180 days should map ownership across regulatory reporting, surveillance, and exception management. Test whether documentation reflects actual operations. Confirm that the second line of defense can demonstrate independent challenge of the first line's compliance work product. Firms that treat the current environment as regulatory relief rather than a sharper governance standard risk discovering the shift during the examination, not before it.