Today’s the Day: Amended Reg S-P Compliance Deadline

June 3, 2026

After months of preparation, today’s the day: All smaller firms ($1.5B or less in AUM) must comply with Amended Regulation S-P by today, June 3, 2026. These firms now join the larger firms that began complying on December 3, 2025. Amended Regulation S-P has several key requirements:

1. Vendor Management Program: The amendments formally establish requirements for covered institutions to adopt policies and procedures regarding due diligence and monitoring of service providers. Note: Firms must ensure that service providers give notice of an incident to the firm within 72-hours.
2. Incident Response Program: Covered entities are required to maintain an incident response plan. The plan must be designed to detect, respond to, and recover from unauthorized access to or use of client information and to prevent unauthorized use. Note: Even if you have an incident response plan in place, you will still need to update your program to comply with the adopted amendments.
3. Customer Notification Requirement:Firms are required to notify those whose sensitive information was, or is reasonably likely to have been, accessed or used without authorization, unless the firm’s investigation determines that there is no reasonably likely risk of substantial harm or inconvenience. Note: Covered institutions have 30 days to provide this notice to customers.
4. Expansion of Safeguards and Disposal Rules (including written records): The amendments expand the safeguards and disposal rules to cover nonpublic personal information. Covered institutions (except funding portals) must also maintain written records evidencing compliance with the safeguards and disposal rules.

If your firm has not yet implemented these new requirements, now is the time. Fairview provides full support for Amended Regulation S-P, including developing and implementing policies and procedures; conducting ongoing testing; and conducting due diligence reviews. Contact us if you need assistance.