The regulatory landscape heading into 2026 appears deceptively calm. Major rules have been delayed, but this has created what the council described as a dangerous balancing act: one in which formal rulemaking slows, but liability, enforcement risk, and examination scrutiny remain very much in motion.
Across cybersecurity, AML, vendor oversight, and exam priorities, regulators are shifting how they evaluate compliance. The question is no longer whether firms have policies in place, but whether those policies actually work in practice. In their first discussion of 2026, the Private Markets Regulatory Council made clear that this shift is already underway.
A quieter regulatory environment is not a regulation-free environment
Carlo di Florio shared that the SEC Exam program has been very busy, focusing exams on their recently published 2026 Exam priorities. They include perennial issues such as valuation, marketing, custody, trading, fees and expenses, and conflicts of interest. Di Florio also noted that they will focus on recent trends and developments, including AI, cyber/Reg-SP amendments, digital assets, and retail access to alternative investments.
While many compliance dates have been moved out for some new rules, there is still Exam focus on the topics. For example, even though the Financial Crimes Enforcement Network (FinCEN) postponed the effective date of the Investment Adviser Anti-Money Laundering Rule until January 1, 2028, di Florio cautioned against interpreting the delay as a reduction in expectations. He suggested that a 2028 version of the rule may ultimately better reflect “how the world really works” when it comes to the relationship between investment advisers and fund administrators.
Operational credibility has become a real compliance test
For years, compliance programs were judged primarily on their documentation. Did the policy exist? Was it updated? Did it reference the right rule? But those questions are now table stakes. As Michael McVickar succinctly put it, “It's becoming less about box-checking and more about operational credibility."
“Operational credibility” shows up in unglamorous places: how data moves through systems, how vendors are monitored after onboarding, how exceptions are documented, and how quickly teams can respond when something breaks. The council repeatedly emphasized that the strongest compliance programs don’t rely on memory, heroics, or manual clean-up. They rely on systems and processes that naturally generate evidence as work gets done. McVickar noted that, “It becomes easiest—and strongest—when documentation is just the byproduct of doing the work, not a separate exercise.”
Olga Kamensky added, “You can have the best policy in the world on paper, but if it’s too burdensome for the folks that need to do the work to implement it, that work likely isn’t going to get done.”
Vendor oversight is a key part of any compliance effort
Reg SP made explicit what regulators have been signaling for years: responsibility doesn’t stop at the firm’s firewall. GPs are expected to understand where their data lives, how vendors protect it, and how quickly incidents will be surfaced.
As Dan Rothenberg noted, “There is a general trend right now across regulations of trying to push more responsibility to the platforms themselves.” He emphasized that this shift isn’t limited to Reg SP but extends to AI providers, payment platforms, and fundraising technology.
But oversight isn’t about forcing perfect contractual terms—especially with large vendors that have negotiating leverage. As the council discussed, regulators are far more focused on whether advisers can demonstrate thoughtful, ongoing oversight than on one-time diligence at onboarding. Kamensky noted that there is no single prescription for the appropriate procedures or scope of such initial due diligence and ongoing monitoring, and that GPs should instead tailor these to the circumstances of each service provider relationship using a risk-based approach. Rothenberg added that 2026 must be the year of operational discipline for GPs, including knowing exactly what vendors are doing with firm data and how they’re keeping it safe.