Three Years of SEC Reg BI Enforcement: What the Actions Tell Compliance Officers

Regulation Best Interest became effective in June of its first compliance year. The SEC spent the first two years publishing guidance, conducting examinations, and signaling what it expected. Then enforcement began in earnest. By mid-2025, the agency had brought over 70 actions with a Reg BI component — enough of a dataset that patterns are visible if you know what to look for.

We track SEC enforcement publications as part of our daily ingestion work on Fynrex. When we reviewed the Reg BI enforcement record for 2022 through mid-2025, we were not looking for headlines. We were looking for the compliance program failures that showed up in the orders — specifically, how those failures mapped back to identifiable gaps in firms' regulatory change management processes. What we found was instructive.

What Reg BI Actually Requires — and Where Firms Got It Wrong

Before getting to the enforcement data, it is worth stating precisely what Reg BI requires, because many of the compliance failures we saw stemmed from an incomplete read of the rule's scope.

Regulation Best Interest applies to broker-dealer recommendations of securities transactions or investment strategies involving securities to retail customers. The rule has four component obligations: (1) Disclosure — provide full and fair disclosure of material facts relating to the scope and terms of the relationship and conflicts of interest; (2) Care — exercise reasonable diligence, care, and skill in making a recommendation; (3) Conflict of Interest — establish, maintain, and enforce written policies and procedures reasonably designed to identify and address conflicts; (4) Compliance — establish, maintain, and enforce written policies and procedures reasonably designed to achieve compliance with Reg BI as a whole.

The enforcement record shows failures concentrated in two areas: the Conflict of Interest obligation and the Compliance obligation. The Care obligation was present in some actions but was rarely the lead charge. The Disclosure obligation appeared most frequently as a downstream failure — when the underlying conflict was not addressed, the disclosure was also deficient.

The Timing Pattern: Implementation Gaps Showing Up Eighteen Months Later

One of the clearest patterns in the enforcement record is the timing gap between Reg BI's effective date and when the cited violations occurred. Most of the actions we reviewed involved conduct from mid-2021 through 2023 — meaning firms that had the rule in effect for twelve to thirty months were still generating Reg BI violations.

This is not surprising if you understand how compliance implementation actually works at growing financial firms. The effective-date sprint produces a written compliance program. Policies get drafted. Training gets scheduled. The governance committee signs off. But the day-to-day conduct of registered representatives and the incentive structures that drive their recommendations do not change as quickly as the paperwork does.

The enforcement orders repeatedly described situations where a firm's written Reg BI policies prohibited or required disclosure of certain conflicts, but the actual supervisory process did not enforce those policies against ongoing conduct. The gap was between the policy register and the supervisory workflow — not between the firm's knowledge of the rule and its written response to it.

We are not saying that having a well-drafted Reg BI compliance program prevents enforcement exposure on its own. A policy that is not operationally embedded in supervisory review is a document, not a control.

The Specific Conflicts That Generated the Most Actions

Three conflict types dominated the enforcement record:

Revenue-sharing arrangements. The most common pattern involved broker-dealers recommending share classes of mutual funds or annuity products where the firm received revenue-sharing payments that were not fully disclosed or were not adequately considered in the recommendation analysis. The SEC's position was consistent: a firm cannot meet the Reg BI best interest standard when revenue-sharing creates a financial incentive to recommend one product over an equivalent lower-cost product and that incentive is not surfaced and addressed in the recommendation process.

Proprietary product preferences. Firms that offered both proprietary products and third-party products frequently had incentive structures — compensation differentials, sales quotas, promotional contests — that favored the proprietary offering. Where those incentives were not disclosed or offset by procedural controls that required affirmative justification for recommending the proprietary product, the SEC found Reg BI violations.

Principal trades and riskless principal transactions. Some actions involved broker-dealer firms that were recommending transactions where the firm was acting as principal — buying or selling securities from its own inventory — without adequately disclosing the nature of the firm's role or the potential conflicts embedded in it.

A Scenario That Illustrates the Compliance Program Failure

Consider a mid-size broker-dealer registered in multiple states, with approximately 120 registered representatives and a product shelf that includes both proprietary managed accounts and third-party mutual fund families. The firm implemented Reg BI at the effective date: new Forms CRS, updated disclosure documents, a written conflicts policy, and annual compliance training.

Eighteen months after the effective date, the firm's proprietary managed accounts still carry a higher payout rate for representatives than equivalent third-party products with comparable risk profiles and expense ratios. The written policy states that representatives "must give primacy to the customer's best interest when making recommendations." But no supervisory workflow requires that a recommendation of the proprietary account over a lower-cost alternative be reviewed for compliance with the best interest standard before the account is opened.

The compliance failure here is architectural, not behavioral. The individual representative may believe, genuinely, that the proprietary product is a reasonable fit. The problem is that the firm's supervisory system does not generate a record of that analysis, and the compensation incentive has not been restructured or offset. That is exactly the Conflict of Interest obligation failure pattern the SEC cited in multiple actions.

What would a functional Reg BI compliance program look like in this scenario? It requires either (a) eliminating the differential payout, (b) building a supervisory workflow that flags and requires documented justification for every proprietary recommendation where a comparable lower-cost option exists, or (c) disclosing the differential compensation to retail customers explicitly at the point of recommendation. All three are defensible. None of them happen automatically because a policy says the right thing.

What OCIE Examination Findings Signaled Before Enforcement

Enforcement actions are the trailing indicator. OCIE examination findings — published as Risk Alerts and incorporated into examination priority letters — were signaling the specific failure patterns two to three years before enforcement actions addressed them.

The SEC's OCIE published a Reg BI examination findings report in late 2021 that explicitly flagged the revenue-sharing and proprietary product patterns. Firms that had a process for tracking and acting on SEC Risk Alerts would have had the opportunity to audit their own programs against those findings and remediate before the examination or enforcement cycle caught up with them.

This is where regulatory change management connects directly to enforcement risk reduction. Reg BI enforcement was not a surprise. The rule was public, the examination findings were public, and the SEC's public statements about its enforcement priorities were unambiguous. Firms that systematically tracked SEC publications — including Risk Alerts and examination findings, not just final rules — had earlier warning than firms that relied on industry newsletters or periodic outside counsel briefings.

We track SEC examination Risk Alerts as a dedicated source category in Fynrex, precisely because they are often more operationally specific than the final rules themselves. When an SEC examiner documents a pattern across multiple firms, that is a higher-probability indicator of enforcement priority than a rulemaking proposal.

The Compliance Program Takeaway: What to Audit

Based on the enforcement record, a Reg BI compliance program audit for a broker-dealer should address five specific questions.

First: does your written conflicts policy identify every compensation differential, revenue-sharing arrangement, and proprietary product preference that exists in your current product shelf and compensation structure? Written policies that were accurate at implementation may be outdated if your product relationships or compensation arrangements have changed since launch.

Second: does your supervisory workflow require documented best-interest analysis — not just form completion — when a registered representative recommends a product where the firm receives differential compensation? A signed Form CRS does not substitute for a supervisory record showing that the recommendation was reviewed against the Reg BI standard.

Third: when OCIE publishes a Risk Alert or examination findings report that touches Reg BI, does someone in your firm read it and compare it to your current controls? The gap between "we have a Reg BI program" and "our Reg BI program addresses the current SEC examination focus areas" is exactly where enforcement risk accumulates.

Fourth: has your compliance training been updated since initial implementation to reflect what the SEC has actually cited in examinations and enforcement, rather than what the rule required at launch? Training materials that teach the original version of Reg BI without incorporating the subsequent examination record are producing registered representatives who understand the rule but may not understand how the SEC is applying it.

Fifth: if you have made material changes to your product shelf, compensation structure, or business model since the rule's effective date, have you formally assessed whether those changes require updates to your Reg BI policies and disclosures? Rule implementation is not a one-time event. It is an ongoing obligation that changes as your business changes.

The Broader Lesson for Regulatory Change Monitoring

Reg BI is a useful case study because the rule is mature enough to have produced real enforcement data, but recent enough that many firms are still discovering gaps in their implementation.

The pattern holds more generally. Most compliance failures in enforcement actions trace back not to firms that ignored a regulatory change entirely, but to firms that implemented the change at a specific point in time and then did not maintain their compliance programs as the regulatory interpretation developed through examination findings, guidance documents, FAQ publications, and ultimately enforcement orders. The rule did not change. The SEC's published view of what adequate compliance requires did change, and firms that were not tracking that evolution were exposed.

That is the operational case for monitoring enforcement actions and examination findings as first-class regulatory publications, not just the Federal Register or the SEC's final rules. The enforcement record is a continuous update to what compliance looks like in practice — and it is publicly available on the day it publishes.
