Compliance and Regulatory Alerts | 06-03-26
Reg S-P Compliance Date Is Here: What Examiners Will Be Looking For Now
Today, June 3, 2026, is the Regulation S-P compliance date for smaller covered institutions. The deadline that has been on the horizon since the SEC adopted its amended privacy rule has arrived. For firms that do not meet the "large institution" threshold, the runway is gone. The question is no longer whether your program will be ready, but whether you can demonstrate it is.
Reg S-P is not a new arrival on the SEC's radar. It has appeared on the Division of Examinations' priority list every single year since 2022, including 2026. The amended rule requires covered institutions to maintain written policies and procedures to safeguard customer information, deliver initial and annual privacy notices, oversee service providers with access to customer data, and follow a documented incident response process including customer notification when sensitive information may have been compromised.
What the Examiners Are Saying
At a recent Compliance Outreach Seminar hosted by the SEC's Atlanta Regional Office, Division of Examinations staff offered a preview of how Reg S-P examinations will run. They emphasized that under the amended rule, the term "customer information" was deliberately redefined to broaden the scope of data the rule covers. Staff disclosed that they are working from 18 internal "work programs" that guide their inquiries subject by subject.
They also laid out nine broad categories that may appear in an initial examination document request letter: governance and risk management; books and records; data loss prevention; access control; vulnerability management; incident response; training and awareness; business continuity and disaster recovery; and vendor management. Notably, examiners said they will not review all nine in a single exam, but firms should be ready on each.
Expected Exam Gaps
Examinations will probe testing above all, looking for simulations or other exercises that show how a firm would respond to a breach, and asking how systems are tested, who diagnoses a breach, and what tools support Reg S-P compliance. Staff reminded firms to keep records documenting compliance, including meeting minutes, and that they may benchmark a program against the NIST framework. The hardest piece for smaller advisers will be getting larger vendors to commit, in writing, to notify them within 72 hours of a breach. Investigations must occur within 30 days, and a firm that cannot rule out a breach must notify every affected customer.
The three biggest mistakes, according to examiners, are failing to craft written policies and procedures to comply with the rule; failing to enforce the P&Ps you have; and assembling P&Ps that are not reasonably designed to protect client data. For firms that have done the work, the priority now is documenting that work to show examiners not just that policies exist, but that they are reasonably designed, tested, and enforced.
How Bates Group Helps
Bates Group works with broker-dealers and registered investment advisers on regulatory exam priorities: policy and procedure review, enterprise and service-provider risk assessment, incident response planning, and mock examinations. If your program needs a second look, contact us today.