March has been a busy and defining month across the regulatory landscape.
From FINRA’s long-awaited increase to the gifts and gratuities limit, to continued SEC focus on cybersecurity, vendor oversight, and private credit valuations, the throughline is clear: expectations are not only evolving, they’re becoming more operational, more scrutinized, and more interconnected across agencies.
We’re also seeing a broader shift in how regulation is taking shape. Coordination between the SEC and CFTC is accelerating; AI is introducing entirely new categories of risk faster than policy can keep up, and regulators are signaling that documentation alone is no longer enough. What matters now is evidence, ownership, and execution.
In this month’s edition of The Salus GRC Brief, we’ve pulled together the key developments, enforcement actions, and emerging risks that we believe are most relevant for compliance teams navigating today’s environment.
As always, our goal is simple: provide clarity on what’s changing, what it means in practice, and where firms should be focusing their attention next.
SEC Compliance Outreach Offers Guidance for Smaller Firms
Recent SEC outreach on Regulation S-P makes clear that cybersecurity programs must be operational, not just documented. Examiners are increasingly focused on evidence of monitoring, ownership, and incident response readiness. Smaller firms, in particular, should prepare for more detailed and practical exam scrutiny.
FINRA Increases Gift Limit
FINRA has increased the annual gifts and gratuities limit from $100 to $300 for the first time in over 30 years, alongside new guidance on valuation, aggregation, and exclusions. The update introduces more prescriptive expectations around supervisory controls and recordkeeping. Firms should revisit their policies to ensure alignment with the revised framework.
Valuation of Private Credit: Madison Funding Enforcement
The SEC fined Madison Funding $900,000 for failing to properly assess fair market value when executing principal transactions with affiliated funds during market disruption. The case underscores the importance of valuation rigor, particularly during periods of stress. Even proactive remediation may not shield firms from enforcement risk.
Securities Attorney Calls on Congress to Strengthen SRO Oversight
Testimony before Congress outlined recommendations to enhance oversight of self-regulatory organizations, including governance reforms, due process protections, and increased transparency. The proposals reflect the growing scrutiny of the SRO model and its accountability. If adopted, these changes could significantly impact how firms interact with FINRA and other regulators.
OpenClaw AI and Autonomous Risk
OpenClaw, a rapidly emerging autonomous AI tool, introduces new operational and cybersecurity risks by enabling system-level actions across connected tools and accounts. Its ease of use outside traditional IT controls raises concerns around data exposure, misconfiguration, and unmonitored automation. Firms should proactively address governance, training, and shadow AI usage.
SEC and CFTC Collaboration
The SEC and CFTC have formalized efforts to coordinate oversight, signaling a shift toward harmonized regulation, shared examinations, and reduced duplicative enforcement. For dually regulated firms, this may streamline compliance while increasing cross-agency visibility. The move reflects a broader push for regulatory alignment.
Regulatory Deadlines
- Quarterly Form PF – March 1, 2026
- Quarterly CPO-PQR (NFA/CFTC) – March 1, 2026
- 4.13(a)(3) Affirmation (NFA Exempt Private Funds) – March 1, 2026
- Third-Party Vendor Request (FINRA) – March 4, 2026
- Distribute Pool Participant Statements (NFA/CFTC) – March 30, 2026
- Audited Fund Financial Statements (NFA/CFTC) – March 31, 2026
- Form ADV Annual Amendment – March 31, 2026
A Note from Bill Mulligan, CEO
March finds our industry deep in one of its most demanding annual rituals, the Form ADV updating amendment season. Across the SEC investment advisory landscape, firms are navigating the careful process of reviewing and amending their Form ADV, Part 2A disclosure brochures, and Form CRS filings to ensure documents are accurate and up to date. I extend my sincere appreciation to our entire compliance team, whose diligence, precision, and professionalism in handling these filings on behalf of our clients during this period are nothing short of remarkable. Their work is the backbone of the trust our clients place in us.
Looking ahead, we remain firmly committed to advancing our approach to artificial intelligence, not simply as a technology conversation, but in terms of drafting policies, assessments and creating efficiencies. As AI tools become increasingly embedded in how firms operate, our responsibility is to help clients navigate operational and regulatory concerns around how AI is implemented. Similarly, our focus expands beyond traditional vendor due diligence to operational due diligence. We are actively assessing system compatibility, data security, workflow integration, and long-term operational risk across client infrastructure. This is the standard our clients deserve, and the standard we hold ourselves to as the industry, regulation and governance continue to evolve.
Warm regards,
Bill Mulligan, CEO