
What the December 2025 SEC risk alert actually means for solo RIAs

April 26, 2026 · 11 min read

On December 16, 2025, the SEC's Division of Examinations published its fourth risk alert on the Marketing Rule. It's the most directly threatening one yet — and unlike the previous three, it ends with a sentence the staff has been careful not to write before: “Repeat findings will be referred to Enforcement.”

That sentence is a roadmap. It's the staff telling the industry exactly which findings the next wave of enforcement actions will cite. If you run a one- to three-person RIA without a dedicated compliance team, this page is the field-guide translation: nine findings, three buckets, and a same-week fix-list you can work through in about an hour.

The full alert (with each finding linked to the rule sub-paragraph it cites) is at /risk-alert/2025-12-16; the SEC's original PDF is on sec.gov. What follows is the “what does this mean for me” reading.

The shape of the alert

Nine specific findings, organized into three layers of how a Marketing Rule problem actually surfaces:

  1. The disclosure layer — how testimonial and endorsement disclosures are written and where they're placed (3 findings).
  2. The structure layer — written agreements with promoters, ineligible-person screening, and disclosed affiliation (3 findings).
  3. The third-party ratings layer — due diligence on rating providers and the disclosures that need to accompany the rating (2 findings).

Plus the closer (the ninth item): the explicit warning that repeat findings will move from comment letter to enforcement referral.

Bucket 1: Disclosures (where most firms are still failing)

Hyperlinked disclosures don't satisfy “clear and prominent”

The single most common pattern the staff called out: “Important disclosures available at firm.com/disclosures” under a testimonial. The reader has to click through. That fails the placement test in Rule 206(4)-1(b)(2), full stop.

What actually counts as clear-and-prominent: the disclosure sits in the same visual unit as the testimonial, in the same font size or close to it (no smaller than ~80% of the quote's size), with no click required. If your homepage renders a quote card, the disclosure should be the next paragraph inside that card — not in a footer, not behind a link, not in a separate page section.

Action

Today: open every page on your site that displays a client testimonial. If the disclosure isn't adjacent to the quote at the same visual weight, you have an open exam finding. Move the disclosure inline this week.

Compensation disclosures need specifics

Many firms know they need to disclose compensation, so they write something like “the testimonial-giver received compensation.” The alert called this out as insufficient. The disclosure has to specify the nature and amount — a fee discount and the percentage, a flat dollar amount, the value of any non-cash consideration (free service, equity, gift cards). Vague comp disclosure is a cited deficiency, not a defensive position.

See Rule 206(4)-1(b)(1)(ii) for the material-terms requirement. The standard the staff is applying: a reasonable client should be able to understand the size and nature of the comp arrangement without seeking additional information.

Action

Today: for every active testimonial / endorsement, write a disclosure that names the compensation in specifics: “Mark received a 10% reduction in his management fee for sharing this testimonial. No other material conflicts of interest exist.”

Disclosures must appear at-or-before the time of dissemination

The alert reinforced the timing element. A disclosure that exists in your recordkeeping system but doesn't appear at the moment a viewer encounters the testimonial doesn't count. This catches firms whose written disclosures are buried in their compliance binder but absent from the actual marketing asset.

Action

Today: walk every customer-facing surface as if you were a cold prospect. Wherever a testimonial appears, the disclosure must appear at the same time. No clicks, no scrolls past the fold, no wait-for-an-email.

Bucket 2: Promoter structure

Written agreements aren't optional once compensation flows

Rule 206(4)-1(b)(3) requires a written agreement with any promoter receiving more than de minimis compensation ($1,000 or less in 12 months). This includes: paid social-media sponsorships, finder-fee arrangements with CPAs and attorneys, podcast sponsorships, paid speakers at firm events, and yes — paying a former-client influencer for a LinkedIn post about your firm.

The agreement needs to specify the compensation, the scope of statements the promoter is authorized to make on the firm's behalf, and the disclosure language they must include. The agreement also needs to be in place before any compensated activity begins; signing it after the fact is its own violation.

Action

This week: list every party who has received any compensation from the firm in the past 12 months for activity that could conceivably touch marketing. Confirm a written agreement exists for each. If not, get one signed and pause the activity until it is.

Ineligible-person screening got broader

The alert read Rule 206(4)-1(b)(4) more expansively than parts of the industry expected. Specifically: state-level disciplinary actions (not just SEC- or FINRA-level disqualifications) can render a person ineligible for compensated promoter / endorser status. A speaker with a 2018 state-level cease-and-desist who you'd casually book for a client-event keynote may be off-limits.

Action

Before any new compensated promoter engagement: screen the person through both SEC IAPD and FINRA BrokerCheck — and check the relevant state regulator's disciplinary database where applicable. Maintain a screened-and-approved list with the date of last check; refresh annually.

Affiliation between adviser and promoter must be “readily apparent”

If a promoter is affiliated with the adviser — employee, investor, family member, company you control — the affiliation must be disclosed at the time of the endorsement, in a way the reader can detect without research. A blog post by your own employee that praises the firm's service without disclosing the employment relationship is a textbook violation. So is a podcast sponsored by a company your spouse owns, without disclosing that fact.

Action

This week: review every blog post / podcast / endorsement that mentions your firm by anyone connected to the firm — employees, investors, family members, spouses' businesses, board affiliations. Verify the affiliation is disclosed inline. If not, edit or unpublish.

Bucket 3: Third-party ratings

“Common-sense” due diligence is a floor, not a ceiling

Rule 206(4)-1(c) requires the adviser to have a reasonable basis for believing a third-party rating wasn't designed to be biased. The alert specified what the staff considers a reasonable “common-sense” floor:

  • Reviewing publicly disclosed information about how the rating provider constructs its rating (methodology, data sources, weighting).
  • Obtaining and reviewing any questionnaires or surveys the rating is based on.
  • Seeking representations from the rating provider on the design and administration of the rating.

The staff specifically called out advisers who used third-party ratings without performing any of these steps. “Common-sense” here is the staff's deliberately mild description of what should be a baseline.

Rating disclosures need provenance, period, and methodology

When you cite a third-party rating, the disclosure has to include: who created the rating, the period it covers, the criteria / methodology, the population it ranks against, and whether any compensation flowed to the rating provider. “Five-star Morningstar rating” on its own — without the rating date, the time period the rating covers, and a methodology link — fails this test.

Action

Today: for every third-party rating you mention in marketing, rewrite the disclosure to include the five elements above. Put it inline with the rating reference, not in a footer.

What “repeat findings → Enforcement” means in practice

The closing line of the alert isn't boilerplate — it's the staff's explicit signal that the next round of enforcement won't be confined to hypothetical performance (which has been the gateway issue, see our enforcement ledger). The Meridian case (September 2025) was the first Atkins-era Marketing Rule enforcement; everything in this risk alert is on the menu for the next one.

For a small RIA, “referred to Enforcement” means: a case file moves from the deficiency-letter track (a comment letter, you respond, you fix it, the file closes) to the formal-investigation track (subpoenas, sworn statements, document requests, six- to twelve-month timeline, six-figure legal bills, and — on settlement — a public order). The cost of that path substantially exceeds the cost of fixing the underlying issues now.

The 60-minute solo-RIA fix-list

If you have an hour this week, work through this in order:

  1. Open every customer-facing page (10 min). Screenshot any testimonial / endorsement / third-party rating you find. You'll likely identify 4–10 instances.
  2. For each testimonial: confirm the four required disclosures are inline + prominent (15 min). Client status, compensation specifics, material conflicts, placement that doesn't require a click. Edit on the spot. See (b)(1)(i)(A), (b)(1)(i)(B), (b)(1)(i)(C), (b)(2).
  3. For each third-party rating: rewrite the disclosure to include provider, date, period, methodology link, and compensation status (10 min). See (c).
  4. List every paid promoter relationship in the past 12 months (10 min). CPAs, attorneys, social-media influencers, podcast sponsorships, paid event speakers. For each: written agreement on file? Comp disclosed in their public statements about the firm? See (b)(3).
  5. Screen anyone you intend to pay going forward (15 min, ongoing). Build a screened-and-approved list. SEC IAPD + FINRA BrokerCheck minimum; state regulator if applicable. See (b)(4).

That single hour, done before your next exam window, takes you out of the most common citation patterns the December alert flagged.

Three pieces of inertia to overcome

The biggest barriers to actually doing the fix-list above aren't legal or technical — they're organizational habits a solo or small firm can fall into without realizing:

  • “The marketing person handles that.” If the marketing person isn't the CCO, the marketing person is publishing material the CCO is responsible for. Either the CCO needs review-before-publish authority, or the marketing function needs the same Marketing Rule training the CCO has. In a 1–3 person firm, this almost always means the CCO reads everything before it's posted.
  • “That testimonial has been on the site for three years without anyone complaining.” The relevant question isn't whether anyone has complained — it's whether the rule applied to it the moment 206(4)-1 reached its compliance date in November 2022. Three years of unflagged exposure is exposure, not safety.
  • “We'll wait until our next exam to see what they find.” Two problems with this: first, the staff has now telegraphed in writing what they'll find, so the surprise factor is gone. Second, the cost of fixing identified issues during an exam is a multiple of the cost of fixing them now, and a finding remediated post-hoc still appears on your record.


Educational summary — not legal advice. Always read the original SEC release in full and consult your own compliance counsel before relying on any specific interpretation. Safe to Publish is not a law firm. See Terms.