On November 17, 2025, the SEC released its annual examination priorities covering all categories of entities under its supervision. These include broker-dealers, investment advisers, FINRA, as well as funding portals operating under Regulation Crowdfunding.
Although the list of priorities specific to funding portals is shorter than those for other regulated entities, it still signals the areas where the SEC believes compliance gaps may exist. In particular, the SEC plans to focus on funding portals’ relationships with qualified third parties responsible for holding investor funds in escrow, the adequacy and preservation of their records, the sufficiency of their written policies and procedures, and their implementation of the 2024 amendments to Regulation S-P.
The funding portal examination priorities is provided below:
Funding Portals
The Division will focus on funding portal arrangements with qualified third-parties regarding the maintenance and transmission of investor funds and examine whether funding portals are making and preserving required records. In addition, the Division will review funding portals’ written policies and procedures to assess if they are reasonably designed to achieve compliance with applicable federal securities laws and rules relating to its business as a funding portal. After the compliance date, the Division may also examine funding portals for compliance with the 2024 amendments to Regulation SP, including the safeguards rule, the disposal rule, and the requirement to establish incident response programs.*
* (1) requiring [funding portals] to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information; (2) requiring that the response program include procedures for [funding portals] to provide timely notification to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization; and (3) broadening the scope of information covered by Regulation S-P’s requirements