The $17.9 billion headline is closer to $2.7 billion, and the SEC just wrote off $2.3 billion of what your compliance team has been working on for three years.
On April 7, 2026, the Securities and Exchange Commission published its fiscal year 2025 enforcement results. The SEC reported 456 enforcement actions and $17.9 billion in total monetary relief for the fiscal year ended September 30, 2025, but the adjusted figure after excluding the Stanford Ponzi judgment and "deemed satisfied" amounts is closer to $2.7 billion. At first glance it looks like a standard scorecard: 456 enforcement actions, $17.9 billion collected, 119 executives barred from serving as officers or directors, and a record 53,753 tips from the public. Read it a second time and something more interesting shows up. The SEC is quietly redefining what counts as real enforcement, and in the process, it's retiring entire categories of risk that companies have spent the last three years building programs to avoid.
If you run a growing company, the practical question isn't "did the SEC do less this year." The practical question is: which line items in your compliance budget just became outdated, and which just became more dangerous? The release answers both, but only if you're willing to do some of the math yourself.
How big was the SEC's FY2025 enforcement haul, really?
Start with the headline. The SEC says it collected $17.9 billion. That figure breaks into two parts: $10.8 billion in "disgorgement" (money the SEC made defendants give back because they shouldn't have had it in the first place) and $7.2 billion in civil penalties (fines on top of the giveback).
Here's where it gets interesting. The release then tells you that if you strip out two things, the real number is much smaller. First, the SEC excludes the long-running $8 billion Ponzi scheme judgment against Robert Allen Stanford and his co-defendants, which has been on the books for years but never actually collected. Second, it excludes what the SEC calls "deemed satisfied" amounts. Those are dollars the SEC officially ordered a defendant to pay but that the defendant had already paid to the Department of Justice in a parallel criminal case. Historically, the SEC counted those dollars twice: once when DOJ collected them, and once in its own annual totals. The current Commission has decided to stop doing that.
After both adjustments, the real new money the SEC brought in during FY2025 was roughly $2.7 billion ($1.4 billion in giveback plus $1.3 billion in fines). That's still a serious number. It's just nowhere near $17.9 billion, and the gap tells you a lot about how previous SEC scorecards were put together.
Which enforcement categories did the SEC just retire?
The single most important paragraph in the release is the one where the SEC names categories it thinks prior leadership should not have pursued.
Category one: off-channel communications. Since 2022, the SEC has brought 95 enforcement actions and collected $2.3 billion in fines against companies whose employees used WhatsApp, iMessage, personal email, or other unauthorized apps to talk about business. The theory was a record-keeping violation: if a conversation happens and nobody archives it, the firm has broken its books-and-records obligations. These cases swept across big banks, asset managers, and broker-dealers. In response, compliance teams at regulated firms built entire programs around it: new archiving software, new employee training, new attestations, new surveillance, and quarterly certifications about which apps people were using.
The current Commission's position, stated plainly, is that those 95 cases "identified no direct investor harm," "produced no investor benefit or protection," and were a "misallocation of Commission resources." The SEC isn't saying the underlying record-keeping rules are going away. It's saying that aggressively hunting companies under those rules is not what the current leadership wants its enforcement dollars paying for.
Category two: crypto registration. The SEC has dismissed seven prior crypto enforcement cases in FY2025, all listed in the release's footnotes:
- SEC v. Coinbase, Inc., dismissed February 27, 2025 - SEC v. Cumberland DRW LLC, dismissed March 27, 2025 - SEC v. Consensys Software Inc., dismissed March 27, 2025 - SEC v. Payward, Inc. (Kraken), dismissed March 27, 2025 - SEC v. Dragonchain, Inc., dismissed April 30, 2025 - SEC v. Balina, dismissed May 2, 2025 - SEC v. Binance Holdings Limited, dismissed May 29, 2025
Each of those cases was, in its way, a test of whether particular crypto activity counted as a securities transaction under federal law. The dismissals effectively withdraw those tests. For startups raising through token sales, for crypto exchanges, and for any company whose product is adjacent to blockchain, the legal picture at the federal securities level is very different now than it was eighteen months ago.
Where is the SEC focusing its enforcement resources now?
Where prior leadership was casting a wide net, current leadership is sharpening three specific priorities.
Going after individuals, not just companies. Two-thirds of the SEC's 303 stand-alone enforcement actions in FY2025 charged at least one individual, up 27 percent from the year before. Under the current chair, that rate climbs to nearly nine out of ten. The SEC also got court orders barring 119 people from serving as officers or directors of public companies. These are the numbers your board should care about most. When the SEC shifts from fining a company to charging the executive personally, everything changes: who pays legal bills, whether D&O insurance covers it, whether the executive can settle quietly, and whether the executive keeps their job.
Going after traditional fraud. The release lists five priority areas going forward, and all five are decades-old categories of conduct: offering frauds (fake investments), market manipulation, insider trading, false or misleading public disclosures, and investment advisers who break their duty to clients. None of these are novel legal theories. The signal is that the current SEC wants its record built on cases where investor money actually disappeared, not on technical paperwork violations.
Going after classic investor scams. The FY2025 cases the SEC highlights follow the same pattern. Paramount Management Group and its founder Daryl Heller allegedly ran a $400 million Ponzi scheme that hit roughly 2,700 investors. First Liberty Building and Loan and Edwin Brant Frost IV allegedly took more than $140 million from 300 investors. Nightingale Properties and Elchonon Schwartz allegedly raised $60 million from about 700 retail investors and allegedly misused more than $52 million of it. The SEC also flagged Allarity Therapeutics for hiding an FDA critique of its lead cancer drug from the public, and Vanguard Advisers for pushing clients into fee-based services without disclosing the adviser's financial incentive to do so. Different fact patterns, same theme: someone with less information lost money to someone with more information, and the SEC wants the record to show it went after them.
The two new units to watch
The SEC created two new enforcement groups during FY2025.
The Cyber and Emerging Technologies Unit, launched in February 2025, handles fraud involving blockchain, artificial intelligence, account takeovers, and cybersecurity. It's already been active. The unit charged the founder of Nate, Inc., a mobile shopping startup, with raising more than $42 million by claiming the app used AI to complete purchases when, according to the SEC, actual humans overseas were doing the work. The SEC filed that case exactly one year ago today, on April 9, 2025, which makes this week's FY2025 scorecard a fitting anniversary marker for how fast AI-washing has moved from novelty to named enforcement priority. (We covered the broader AI-washing trend in our March 5 analysis.) The unit also charged Unicoin, Inc. and four of its executives with misleading statements about crypto token rights, and it brought a case against the founder of PGI Global, who allegedly ran a $198 million crypto and foreign-exchange fraud and allegedly kept more than $57 million of it for himself.
The Cross-Border Task Force, launched in September 2025, targets fraud coming from outside the United States, especially foreign-run stock-manipulation schemes aimed at American investors. If your company has foreign directors, foreign affiliates, or capital that routes through other countries, this group is now watching.
What hasn't retreated
Before anyone starts cutting compliance budgets, it's important to understand the limits of what the SEC actually said.
The SEC is not the only cop on the beat. The Department of Justice still pursues criminal securities fraud, and DOJ has not signaled any change in its appetite for cases where executives used personal devices to, say, commit insider trading or destroy evidence. The Commodity Futures Trading Commission has its own authority over large parts of the derivatives and crypto markets. FINRA still enforces record-keeping rules against broker-dealers, and its rulebook is independent of whatever the SEC does. State attorneys general in New York, California, and elsewhere have their own securities laws and show no signs of slowing down. And private lawsuits on behalf of investors continue to get filed on the same theories the SEC is now deprioritizing.
In other words: the SEC has narrowed its own lane. The total enforcement ecosystem is about the same size as it was before.
What to actually do, by role
If you're the CEO: 1. Ask your general counsel for a simple, one-page summary of which compliance programs exist mainly because of SEC off-channel communications enforcement, and what those programs cost each year. 2. Put individual executive liability on the agenda at your next audit committee meeting. The 119 officer bars and the 27 percent jump in personal charging are signals your board needs to see. 3. If any part of your fundraising pitch mentions AI, walk through the specific claims yourself and confirm each one matches what your engineers actually do. The SEC's new tech unit is watching this exact issue, and the risk is personal, not just corporate.
If you're the CFO: 1. Take a fresh look at your FY2026 compliance and legal budget. Focus on line items that trace back to the 2022 off-channel communications enforcement wave. 2. Review your directors and officers (D&O) insurance. Ask your broker how your carrier is pricing coverage for individual securities actions versus the older pattern of corporate-level fines. 3. If your company does business internationally, ask whether any of your fundraising or investor communications could draw attention from the new Cross-Border Task Force.
If you're the general counsel: 1. Pull any memo you wrote on SEC registration risk for crypto-related activity. Update it to reflect the seven dismissed cases and the SEC's course correction. Keep the original memo on file, because future administrations can reverse this shift. 2. Rebuild your compliance risk register. Move off-channel communications and crypto registration down a tier. Move disclosure accuracy, adviser fiduciary duty, and individual executive certifications up a tier. 3. Refresh your officer and director indemnification agreements and the matching bylaws. Make sure they clearly cover personal legal expenses when an executive is charged individually by the SEC, not just when the company is charged. 4. Do not dismantle your off-channel communications policies or your archiving systems. FINRA, DOJ, private lawsuits, and state enforcers still reach this conduct, and the underlying SEC rules haven't changed. Scale back the fire drill, not the fire extinguisher.
If you're the audit committee chair: 1. Ask management for a briefing on the FY2025 release at your next meeting, with specific attention to the personal liability trend and its D&O implications. 2. Ask your outside auditors to walk you through the "deemed satisfied" accounting change, so you can read future SEC scorecards with clearer eyes. 3. Request a written memo on any open or threatened SEC matter the company is facing, and whether the shift in SEC priorities changes how the matter is likely to play out.
What to watch in the next ninety days
The SEC has signaled that a proposed new crypto rule, informally called "Reg Crypto," is currently at the White House's regulatory review office. When the formal proposal is published, it will be the most significant fundraising-related rule change in several years for any company working near the edge of token issuance.
The SEC also updated its Division of Enforcement manual in a separate release. That document controls how SEC lawyers open investigations, how they notify targets that charges are coming (a "Wells notice"), and how they decide whether to give cooperation credit. If your company could ever receive an SEC subpoena, those procedural details matter.
Also watch for the first enforcement actions from the Cross-Border Task Force. Those early cases will show how the SEC defines "cross-border" and where it expects to draw its jurisdictional lines.
And keep an eye on SEC v. Cutter Financial Group, a Massachusetts case in which an investment adviser was found liable on one count of adviser fraud but not on two others. The split verdict creates a more nuanced legal standard for future adviser cases, and how the SEC responds will matter for every registered adviser in the country.
The short version
The FY2025 scorecard is not a retreat from enforcement. It's a reallocation. The SEC has formally put away a set of risks that companies spent years building programs around, and it has sharpened a different set of risks in their place. Companies that adjust quickly will save real money on compliance work that no longer moves the needle, and they'll redirect that spend toward the risks that matter more now. Companies that read the $17.9 billion headline and assume nothing has changed will spend the next year defending against a threat model that's out of date.
The release rewards careful reading. Give your board the chance to do it.
---
This article is for informational purposes only and does not constitute legal advice. Every company's situation is different, and you should consult with qualified legal counsel before making compliance decisions based on the developments discussed here.
If your compliance program was built for the enforcement climate of 2022 through 2024, the FY2025 release is the right moment to ask whether it still fits the risks your business actually faces. SparkPoint helps growth-stage companies reset compliance priorities as enforcement priorities shift.