Roadmap to Compliance: Amended Regulation S-P

Overview

The Regulation S-P Amendments (the “Amendments”) were finalized in May 2024. Now what? Although covered institutions have 18 to 24 months to comply, some of these requirements will take time and thoughtful planning to implement. That’s why we developed this Roadmap, broken down by quarter, to assist advisers in making a practical plan to adopt the changes needed to meet the compliance deadline.

Note that the compliance deadline is staggered based on size of the covered institution (December 2025 for larger entities and June 2026 for smaller entities). Definitions of larger and smaller covered institutions are included below for reference.

Definitions

  • Covered institution: Any broker or dealer, investment company, registered investment adviser, or transfer agent.
  • Larger covered institution: Investment companies with net assets of $1 billion or more as of the end of the most recent fiscal year; any registered investment adviser with at least $1.5 billion in assets under management; all broker-dealers and transfer agents that are not considered small entities under the Securities and Exchange Act for purposes of the Regulatory Flexibility Act.
  • Smaller covered institution: Any covered institution that does not meet the standards in the definition of larger covered institution.
  • Service Providers: Any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.

Roadmap to Compliance

Note: the recommended timeline below applies to both smaller and larger entities, even though the compliance deadlines are staggered. Since it may take longer for smaller advisers to implement the necessary changes, we suggest that they begin planning now to take advantage of the longer timeline.

Q3 – Q4 2024

  • Familiarize yourself with the Amendments to ensure you understand the requirements and what they mean for your firm.
  • If you do not already have a vendor management program in place, consider starting as soon as possible. If you have already adopted a vendor management program, determine what updates are necessary to comply with the Amendments.
  • Work with your legal counsel to review vendor contracts, especially as they come up for renewal, and consider including terms that require the vendor to notify you of any breach within 72 hours. While contractual agreements are not expressly required under the Amendments, they are helpful for establishing clear expectations for breach notification. Consider other terms that may be advantageous to include.
  • The Amendments go into effect on August 2, 2024. However, firms are not required to be fully compliant by this date.

Q1 2025

  • Review policies and procedures and determine what changes are necessary to comply with the Amendments and ensure they meet the incident response and customer notification requirements below.
    • Covered institutions must have policies and procedures reasonably designed to ensure that Service Providers: (1) have appropriate measures to protect against unauthorized access to or use of customer information; and (2) provide notification to the covered institution as soon as possible, and no later than 72 hours, after becoming aware that a breach has occurred resulting in unauthorized access to customer information. Upon receipt, the covered institution must proceed with its incident response plan.
    • Depending on how your firm’s policies are structured, the following policies may need to be reviewed and updated:
      • Business Continuity and Disaster Recovery Plan
      • Incident Response Plan
      • Vendor Due Diligence Policy
      • Privacy Policy
      • Policies and procedures for complying with state privacy requirements and any breach notification requirements.
        • Regulation S-P applies in addition to any state requirements.
      • Disposal policies
  • Draft procedures for maintaining written records of compliance with the Safeguards and Disposal Rules, if your firm does not already have this in place. Consider adopting this policy ahead of the compliance date. At a minimum, document actions taken and decisions made as you prepare for compliance.

Q2 – Q3 2025

  • Review your firm’s vendor list and ensure the firm has a plan for conducting due diligence on any Service Providers.
  • Conduct training to ensure employees are aware of the regulatory expectations and any changes to your firm’s business practices.

Q4 2025

  • For smaller covered institutions, finalize any remaining action items above.
  • Larger covered institutions must comply with the Amendments by December 3, 2025:
    • Adopt policies and procedures.
    • Draft a privacy policy if needed. If you have an existing privacy policy, review your policy and determine if any changes are needed.

Q1 – Q2 2026

  • Smaller covered institutions must comply with the Amendments by June 3, 2026.
    • Adopt policies and procedures.
    • Draft a privacy policy if needed. If you have an existing privacy policy, review your policy and determine if any changes are needed.