On The Docket – New counsel, decoding the SEC’s recordkeeping rule, upcoming EDGAR deadlines, and more

By Chris Stanley

Welcome to the February 12, 2026 edition of On The Docket, which includes the following content:

  1. Our Tech Stack MVPs of 2025
  2. Welcoming Carrie Wong: New Counsel at BSL!
  3. Decoding the SEC’s Recordkeeping Rule: Retention Nuances
  4. Summary Takeaways from the SEC’s Virtual Compliance Outreach re: Newly-Amended Reg S-P
  5. RIA Anti-Money Laundering Rule Officially Delayed to 2028
  6. A Recipe for an SEC Administrative Proceeding
  7. Upcoming EDGAR Deadlines: 13F and 13H Filings
  8. A Quick Tip for Phishing Prevention Using AI

🌐 All past On The Docket editions (as well as other article, video, and podcast content) are available by visiting the On The Docket page of the Beach Street Legal website.

📥 If this edition was forwarded to you, you can subscribe directly by clicking here.

💬 Prefer to follow along via social media? You can follow us below:

Happy reading.

– Chris

* * * * *


Our Tech Stack MVPs of 2025

The following tech tools & partners have really helped level-up Beach Street Legal LLC (and me individually) in 2025.

Whether in the form of efficiency gains, cost savings, or adding new capabilities, all are worthy of a hat tip.

  • Nickel for payment processing (replaced Quickbooks payment processing). Free ACH, seamless invoice integration, and responsive support.
  • Automation Helpers (and Sydney Klintworth specifically) to help us connect all the dots in our tech stack and automate both internal and client-facing processes. Converting arduous, manual tasks to multi-step automations is a project I wish we’d started years ago.
  • Airtable for workflow/project/task management, CRM, invoice automation, time tracking, form response integration, etc. etc. If we’re working on something either internally or for a client, it’s tracked in Airtable.
  • Make for workflow automation (replaced Zapier). Friendlier pricing and interface compared to our prior tool (without losing capabilities).
  • Wispr Flow for voice-to-type across desktop and iPhone. Surprisingly accurate, quick-to-process, and saves my recurring wrist pain from typing so damn much.
  • Fillout for form creation and response collection (replaced Google Forms). Tons of question types, formatting options, and integrations with other elements of our tech stack.
  • PandaDoc for e-signatures (replaced DocuSign). Friendlier pricing, added features, and more intuitive interface compared to our prior tool.
  • TextExpander for turning short text snippets into long form sentences or paragraphs. Saves a bunch of time compared to manually retyping the same sentences/paragraphs over and over again.
  • Loom for screen recording, verbal walkthroughs, and other visual spitballing in an async fashion. We use it both internally and with clients, but I feel we’ve only scratched the surface.
  • Google Workspace in general as the backbone for email, calendar, docs, sheets, chat, doc storage / sharing, virtual meetings, etc. etc. Google keeps shipping updates that make operating a small business through its platform a no-brainer.


Welcoming Carrie Wong: New Counsel at BSL!

Please join me in welcoming Carrie Wong as Counsel at Beach Street Legal!

Carrie is a corporate and securities law attorney with nearly 15 years of experience in the investment management industry. Prior to joining Beach Street Legal, she worked at Dimensional Fund Advisors in both legal and sales operations roles. Her experience spans investment adviser and broker-dealer regulatory compliance, fund formation, performance reporting, advertising, and issues affecting investment advisers operating across regulatory jurisdictions. She holds a J.D. from Santa Clara University and a B.A. from Boston University. Carrie lives in Austin, Texas with her husband, three children, and two dogs. In her spare time, she enjoys spending time with her family, the great outdoors, and traveling.

On a personal note, Carrie and I worked together in our prior roles at Loring Ward, so it is nice to come full circle and have the opportunity to work together once again.

On behalf of the entire Beach Street Legal team, we’re absolutely thrilled to have Carrie on board.

Cheers!


Decoding the SEC’s Recordkeeping Rule: Retention Nuances

The SEC’s Recordkeeping Rule is unnecessarily convoluted when it comes to the duration for which certain records must be retained by advisers.

It generally requires an adviser’s books and records to be maintained “for a period of not less than five years from the end of the fiscal year during which the last entry was made on such record.”

This begs the question of what it actually means to make an “entry” on a “record,” as the required duration of retention hinges on this opaque nuance of when the clock starts.

A few examples of what I believe causes an “entry” on a “record”:

  • The date and email was sent or received.
  • The date of a custodian account statement.
  • The date a trade error log was last updated.
  • The date client meeting notes were last edited.
  • The date of an adviser’s financial statement (such as a P&L, GL, etc.).
  • The version date of an ADV Part 2.

Depending on the date of last entry, the adviser would then start the five year retention clock *from the last date of that fiscal year end.*

Yet various records required under the Code of Ethics Rule, as well as an adviser’s policies and procedures, simply must be kept “within the past five years” (not from the end of the fiscal year when the last entry was made).

Advertisements must generally be retained for five years from the end of the fiscal year in which they were “last published or otherwise disseminated” (not from when the last entry was made).

Various organizational/corporate records (articles of organization or incorporation, minute books, stock certs, etc.) technically have to be retained for 3 years after “termination of the enterprise.”

There are also instances in which it is highly advisable (if not de facto required) to keep a record longer than may be technically required (e.g., a current client’s advisory agreement that was signed 10 years ago but hasn’t had a new “entry” made on it since).

Lastly, bear in mind that the Recordkeeping Rule simply sets the *minimum* required duration for record retention; advisers are free to keep records longer, and there are several valid reasons for doing so.

The long of the short of it is that the SEC has ample simplification opportunities w/r/t the Recordkeeping Rule, and I hope that day soon comes.

Perhaps the references to “microfiche” and “microfilm” can even be replaced… but that may be asking too much.

Oh, and why yes… that is another AI-generated cover image. I simply copy/pasted the entire text above into Nano Banana and wrote “create a cover image”.

—– 🔖 Resources —–
Recordkeeping Rule


Summary Takeaways from the SEC’s Virtual Compliance Outreach re: Newly-Amended Reg S-P

The compliance date for SEC-registered RIAs w/ <$1.5B AUM to comply with newly-amended Reg S-P is June 3, 2026.

I attended the SEC’s recent virtual Compliance Outreach on Reg S-P for “small firms,” and have summarized my takeaways below. The Compliance Outreach itself was recorded and posted to Youtube, and is linked below.

• • • • • TLDR summary of what newly-amended Reg S-P requires • • • • •

  • Written policies/procedures to detect, respond to, and recover from unauthorized access to client info (i.e., a data breach response program).
  • In the event of unauthorized access to “sensitive” client info, written notification to affected clients as soon as reasonably practicable (but no later than 30 days after discovery).
  • Enhanced service provider oversight, including to ensure service providers notify advisers w/in 72 hours of discovery of unauthorized access to their client info. 

• • • • • My takeaways from the Compliance Outreach event • • • • •

  • Create and maintain a risk-based inventory of (1) where client data physically and digitally resides, and (2) the third-party service providers that have access to such client data. Review and update this inventory regularly to keep it current.
  • Implement reasonably-designed technological barriers to (1) prevent client data from being accessed without authorization or exfiltrated from the firm, and (2) detect/monitor for unauthorized access. What is ‘reasonable’ for a solo RIA may look very different from a larger, multi-office ensemble practice.
  • Ensure written policies/procedures match actual practice; don’t overcommit to a cybersecurity infrastructure that can’t be substantiated. While the NIST Cybersecurity Framework for small businesses can be a helpful resource, it is not a one-size-fits-all solution for all RIAs.
  • Education/train employees about the prescriptive requirement to report suspected data breach incidents so they can be timely addressed.
  • Don’t neglect basic, low-hanging protective measures like multi-factor authentication, need-to-know access rights, encrypting sensitive data in transit and at rest, complex password requirements, etc.

—– 🔖 Resources —–
Reg S-P Compliance Outreach recording: Compliance Outreach on Regulation S-P for Small Firms


RIA Anti-Money Laundering Rule Officially Delayed to 2028

As originally proposed in Sept 2024, the effective date for imposing anti-money laundering regs on RIAs has been officially extended to Jan 1, 2028.

“The two-year delay will provide additional time for FinCEN to review the IA AML Rule and, as applicable, ensure the IA AML Rule is effectively tailored to the diverse business models and risk profiles of types of firms within the investment adviser sector. Delaying the effective date will also provide investment advisers more time to come into compliance with the rule upon the revised effective date.”

“Consistent with the Administration’s deregulatory policies focused on reducing any unnecessary or duplicative regulatory burden on Americans, the Secretary, through FinCEN, has determined that the IA AML Rule should be reviewed to ensure it strikes an appropriate balance between cost and benefit.”

🔮 Takeaway: Further changes to the AML/CFT Rule before the new Jan 1, 2028 effective date may be forthcoming. TBD if FinCEN will also reassess the proposed-but-not-adopted Customer Identification Program (CIP) rulemaking that was also to apply to RIAs.

—– 🔖 Resources —–
Final Rule


A Recipe for an SEC Administrative Proceeding

Impermissible hedge clause + missing consent-to-assignment clause + unrecognized custody + failure to follow compliance policies and procedures = SEC administrative proceeding. 

More specifically, the respondent RIA: 

  • “Required advisory clients to sign investment advisory agreements that included liability disclaimer language, commonly referred to as a hedge clause, that contained misleading statements regarding the scope of each adviser’s unwaivable fiduciary duty and could lead a client to believe, incorrectly, that the client had waived a non-waivable cause of action against the adviser provided by state or federal law.” 
  • “Had clients sign the Advisory Agreements that failed to provide, in substance, that no assignment of such contract shall be made by the investment adviser without the clients’ consent, as required by Section 205(a)(2) of the Advisers Act.” 
  • Had clients sign advisory agreements that granted the respondent RIA the authority to withdraw client funds or securities without client notice. 
  • Failed to follow its own compliance policies and procedures that prohibited the use of hedge clauses and required proper assignment provisions in advisory agreements. 

Impermissible hedge clauses: 

“Limited Liability: [Respondents] shall not be liable to Client, its agents or representatives thereof, for any act, omission, or determination made in connection with this Agreement except for its willful misconduct or gross negligence. . .” 

“Liability [Respondents] shall not be subject to liability for any act or omission in the course of, or connected with, its performance of this Agreement, except in the case of willful misfeasance, bad faith or gross negligence on the part of [Respondents], or the reckless disregard by the [Respondents] of its obligations and duties under this Agreement, but nothing herein shall in any way constitute a waiver or limitation of any rights which Client may have under any federal or state securities law or the Employee Retirement Income Security Act of 1974 (“ERISA”), if applicable…” 

“Indemnification: Notwithstanding any provision of this Agreement, Client shall defend, indemnify and hold harmless [Respondents]… against any and all losses, claims, damages, liabilities, actions, costs or expenses to which such indemnified party may become subject to the extent such losses, claims, damages, liabilities, actions, costs or expenses arise out of or are based upon . . . (b) any violation of federal or state securities, trust or insurance laws by [Respondents], its officers, its agents, or its employees arising out of the purchase, sale, offer to purchase or offer to sell any security; (c) any breach, default or violation of, under or with respect to any of [Respondents’] duties, obligations, representations, warranties or covenants contained in this Agreement; or (d) any negligence, gross negligence, recklessness or willful or intentional misconduct of, or violation of any law by [Respondents] or any FamilyWealth employee or agent.” 

Impermissible assignment clause: 

“[Respondents] retain[] that right to assign or otherwise transfer this Agreement or its rights or obligations set forth hereunder without notice *and without Client’s consent* .” (emphasis added). 

Impermissible custody clause: 

“Trading Authorizations: [Respondents] may give instructions to Custodians selected by [Respondents] with respect to such assets, and such Custodians may rely on [Respondents’] instructions *without obtaining Client’s approval, counter-signature, or co-signature* (emphasis added). [Respondents’] authority will include, without limitation, the authority: … (e) to withdraw or direct the disbursements of assets held in any account maintained on behalf of Client; . . . (h) generally to do and take all actions considered necessary or desirable by [Respondents].” 

* * * * *

💡 Takeaways: Review your advisory agreements to confirm (a) they do not limit your liability to a “gross negligence” / “willful misconduct” or similar standard, (b) require client consent to assignments (even if via passive/negative consent), and (c) do not inadvertently impute custody by authorizing withdrawals or disbursements w/out client approval. 

—– 🔖 Resources —–
Administrative Proceeding


Upcoming EDGAR Deadlines: 13F and 13H Filings

Advisers that crossed the §13(f) reporting threshold for the first time last year must file their first Form 13F through EDGAR within 45 days of the end of the 2025 calendar year (technically Feb. 17, 2026, since the 45th day falls on a Saturday and the following Monday is a holiday).

Similarly, advisers that became designated as “large traders” last year for the first time must generally make an annual Form 13H filing through EDGAR by the same date.

If you haven’t yet started the process to gain access to EDGAR, now’s the time to start; it’s a bit of a pain.

Not sure if you should be filing Form 13F or Form 13H? Additional resources below:

—– 🔖 Resources —–
Form 13F Article
Form 13H Video


A Quick Tip for Phishing Prevention Using AI

Phishing attempts and malicious email links seem to spike during tax season.

One way to confirm the legitimacy of a link embedded in an email – especially one that runs through tracking redirections that obscure the ultimate website URL the link directs to – is to simply copy/paste the link in question into your AI tool of choice with the following prompt:

“Where does the following link ultimately redirect to? I want to make sure I am clicking on a legitimate link that is not malicious, spam, or a phishing attempt: {{insert questionable link}}”

Before clicking on any link in an email that doesn’t directly point to a recognized website, consider:

  1. Hovering over the link
  2. *Right* click on the link to bring up a context menu
  3. Click on “Copy Link Address”
  4. Paste the link into your AI tool of choice after the prompt above

Stay safe out there.