Regulatory Reset: What the SEC’s Withdrawal of 14 Proposed Rules Signals for Compliance Leadership


Introduction: A Turning Point for Regulatory Strategy

Published by CRC-Oyster, July 2025

On June 12, 2025, the Securities and Exchange Commission (SEC), now led by Chairman Paul Atkins, formally rescinded 14 pending rule proposals introduced during the prior administration. This move represents far more than a change in regulatory trajectory. Rather, it is a decisive pivot in tone, intent, and expectation that represents a critical inflection point demanding renewed strategic focus for Chief Compliance Officers (CCOs) and senior leadership within registered investment advisers and broker-dealers.

The Withdrawn Proposals: Overview of the 14 Rescissions

In one of the most sweeping deregulatory actions in recent history, the SEC withdrew the following proposals:

  • Amendments to Rule 14a-8 (Shareholder Proposal Resubmissions)
  • Conflicts of Interest in Predictive Analytics and AI-Driven Engagement
  • Safeguarding Advisory Client Assets (Expanded Custody Rule)
  • Cybersecurity Risk Management for RIAs, BDCs, and Registered Funds
  • ESG Disclosure Requirements for Investment Advisers
  • Oversight Requirements for Third-Party Service Providers
  • Large Security-Based Swap Position Reporting
  • Re-definition of “Exchange” to Include DeFi Platforms
  • Form PF Reporting Enhancements for Systemic Risk
  • Adviser Compensation Transparency Amendments
  • Climate-Related Risk Disclosure for Issuers
  • Regulation of Digital Engagement Practices (Behavioral Nudging)
  • Market Structure Reform (Tick Size, Order Routing)
  • Amendments to the Investment Company Names Rule

Together, these proposals had embodied an expansive regulatory philosophy focused on modernization, transparency, and a more interventionist posture toward risk. Their withdrawal marks a clear ideological shift.

Why This Matters: The Strategic Repositioning of the SEC

Under Chairman Atkins, a returning figure from the George W. Bush-era Commission, the SEC is taking deliberate steps to recalibrate its agenda around capital formation, industry self-governance, and targeted, material investor protections. According to the Financial Times, this shift is designed to offer a “clean slate” that redirects the agency away from what Atkins has characterized as “political goals” and back toward core market integrity.

Many industry groups have largely applauded the move. Private fund sponsors, digital platforms leveraging AI, and ESG product developers have all unsurprisingly welcomed relief from rule proposals they viewed as overly prescriptive or operationally burdensome. However, investor protection advocates warn that the rollback may create dangerous gaps, particularly in areas like cybersecurity, systemic risk monitoring, and environmental disclosure.

This divergence in interpretation underscores a critical truth for compliance professionals: the absence of formal rulemaking does not equate to the absence of regulatory risk.

Implications for CCOs: Relief, Responsibility, and Readiness

The regulatory vacuum left by these rescissions may appear to simplify compliance operations on the surface. However, CCOs should view this as a call to reinforce rather than relax internal controls and strategic foresight.

While the SEC has formally withdrawn certain proposed rules related to cybersecurity and asset safeguarding, the regulatory reprieve should not be mistaken for reduced scrutiny. In reality, the operational, financial, and reputational risks associated with data breaches, custody failures, and third-party vulnerabilities remain sharply in focus, particularly in light of the SEC’s finalized amendments to Regulation S-P. These amendments, which now require covered firms to implement incident response programs, enhance safeguards for nonpublic personal information, and exercise explicit oversight of service providers, reinforce that information security and custody practices are not optional or episodic, but rather, foundational.

Firms should view this period as an inflection point: an opportunity to assess whether existing cybersecurity protocols and custody procedures are not just in place, but resilient, well-documented, and forward-looking. Practical steps include benchmarking cybersecurity practices against frameworks such as NIST or CISA, conducting targeted access control reviews, and testing incident response readiness. In line with the Reg S-P amendments, firms must also ensure breach notification protocols are designed to meet timeliness and content requirements, and that service providers with access to client information are contractually bound to maintain effective safeguards and notify the firm of security incidents.

At the same time, while proposed rules related to ESG disclosures and the use of artificial intelligence were set aside, investor interest and regulatory attention toward these domains have not waned. Inconsistencies between stated ESG commitments and actual investment practices, or opaque use of predictive technologies, continue to present reputational and regulatory risk. Advisers and broker-dealers leveraging ESG factors or AI-driven engagement tools should maintain a well-defined governance structure, one that includes clear documentation, oversight protocols, and controls to mitigate conflicts of interest. ESG-related disclosures should align closely with internal policies and investment practices, while predictive analytics, including those powered by machine learning, must be explainable and subject to ongoing human oversight.

Finally, the SEC’s decision not to impose new third-party oversight rules should not be interpreted as an easing of expectations. In fact, the revised Reg S-P now mandates that firms extend their safeguarding obligations to include service providers handling customer information. This reinforces the need for formalized vendor oversight programs that include initial due diligence, clearly defined service level expectations, periodic reassessments, and traceable supervisory responsibility. Whether the function outsourced relates to data storage, trade execution, or compliance infrastructure, firms remain accountable for the integrity of those services, and will be expected to demonstrate that delegation has not come at the expense of control.

The regulatory direction may be shifting, but the core expectations around operational resilience, client protection, and supervisory diligence are more firmly entrenched than ever. Firms that internalize these obligations as strategic priorities, rather than reactive check-the-box exercises, will be best positioned to navigate both current expectations and what lies ahead.

Despite the SEC’s decision to withdraw or delay certain rule proposals, firms engaged in security-based swaps, decentralized finance (DeFi), or digital engagement practices should not interpret this as a reduction in regulatory focus. These areas remain central to the SEC’s enforcement priorities and public discourse, with repeated warnings from Commission leadership about the risks associated with complex derivatives, behavioral prompts in investor platforms, and emerging market structures. Even without finalized rules, the SEC has emphasized, through risk alerts, enforcement actions, and staff guidance, that it expects firms to operate with clear disclosures, robust internal controls, and proactive supervision.

To meet these expectations, firms should conduct ongoing reviews of their policies and supervisory procedures, ensuring they align with current regulatory interpretations and are agile enough to adapt to new rulemaking. Legal and compliance teams should be fully integrated into the development and oversight of DeFi strategies, digital tools, or swap-related offerings well before launch. Risk assessments should be documented, conflicts evaluated, and controls embedded within operations and client communications. In a regulatory environment where policy remains fluid but scrutiny is intensifying, firms that approach these issues with rigor and foresight will be better positioned to avoid regulatory friction and sustain long-term resilience.

Next Steps: What Compliance Leaders Should Do Now

Priority Area: Recommended Action

  • Internal Project Audit: Identify and unwind any internal compliance efforts linked to withdrawn rules.
  • Policy and Disclosure Updates: Revise manuals, disclosures, and vendor documentation to reflect the current regulatory landscape.
  • Leadership Briefings: Proactively update boards and senior staff on the SEC’s action and its operational implications.
  • Strategic Foresight: Monitor the SEC’s rulemaking agenda for narrower re-proposals or interpretive guidance.
  • Maintain Best Practices: Continue adhering to elevated internal standards, even in a deregulated climate.

Conclusion: A Pause, Not a Pass

This blanket withdrawal may be viewed as a defining inflection point for U.S. securities regulation, one at which the SEC signaled a retreat from its expansive rulemaking agenda. For compliance officers and executive teams, however, this is not a time to disengage, but rather to balance flexibility with established best practices.

The credibility of our industry is not defined solely by rules but by the standards we choose to uphold. Strong fiduciary governance, risk controls, and operational discipline are not just regulatory imperatives; they are reputational assets.

At CRC-Oyster, we view this regulatory pause as a strategic opportunity to reset, reassess, and ready ourselves for whatever comes next. Whether that future brings a resurgence of rulemaking or continued deregulatory sentiment, the firms that invest in resilient compliance today will be best positioned to lead tomorrow.
