The next compliance date for implementing the requirements under amended Regulation S-P is fast approaching.[1] To help you prepare, this month’s Risk Management Update (“RMU”) provides steps that are required to be implemented – but are being presented with a twist.
Trudging Through the Trackless Jungle
“So that’s the deal?” you ask.
“That’s the deal,” your boss repeats, unenthusiastically. “We need you to explore the area marked on the map and find information about this new Reg S-P amendment. We need to know what we are doing with it by June 3rd”
“But that area is a trackless, unexplored jungle!” you object. “How will I get through that in time and still do a thorough job?”
“That ‘trackless jungle’ isn’t nearly as wild and untamed as you think. Just 25 years ago, it was wide open savannah country with towns, villages, farms, civilization.”
“And everything grew up that fast?”
“You wouldn’t believe how quickly things can change in these parts.”
There would be no way around it. Your firm—with its under $1.5B of AUM—needed to position itself to comply with the amended Reg S-P…and that will require you to go thrashing through the thick underbrush, tangled roots, hanging vines, and treacherous foliage to find the answers you firm needs.
Without another word, you return to your shack to retrieve your gear. You have an old map, one from before the jungle. On that map, you know your base camp’s location, but finding other points of interest—now well within the jungle—will be a matter of pure dead reckoning. Also among your gear, a compass, a flashlight, and a machete. While the blade makes sense, you wonder just how dark it will be beyond the foreboding green wall of growth now before you.
You pause before the jungle’s edge for a moment and then, with the dauntless courage only found in someone with no idea what is going on, you wind up your arm and deliver the first swing of the blade into your leaved adversary. The cutting is slow at first, but you quickly establish a rhythm as leaves, vines, branches, and other vegetable detritus falls before you and you step further and further away from the real world and into the surreal wilds that await, still marveling at how this much grew in 25 years. You lose track of time as you move forward further into the trees as minutes feel like hours. Your arm tires from the constant swinging as sweat turns your once-dry shirt rather damp in the humid heat.
Suddenly, you see it.
Off to your right, about ten paces into the undergrowth, the most inexplicable sight one could imagine this deep in the woods. You begin hacking your way toward it with renewed energy having now seen all your hard work pay off. At your feet before you rests…
…a vintage automobile!
It’s vintage by today’s standards, but it would have been in reasonably new condition when it was parked here for the last time. You work your way to the driver’s door and pull on the handle.
The door opens!
Excitedly, you climb into the driver’s seat. The car’s interior smells musty and the leather seats are hard and cracking from decades of disuse. On the passenger seat is a faded manilla file folder. You open it and find inside a series of documents, the first of which begins:
“Congratulations! You have made a find that will take you on a journey of a lifetime; an epic adventure quest!”
“How mysterious”, you think to yourself. “This has been sitting here untouched for 25 years, yet it’s as if it was placed here for me to find!”
You read on:
“To fulfill your firm’s Reg S-P obligations, you must successfully complete three challenges: the Safeguarding Rule, the Notification Rule, and the Disposal Rule. Enclosed are detailed directions and a map. Good luck!”
What a find! And it will take all the guesswork out of finding what you need in the jungle! You begin comparing your newly-found map to the old one you brought along and quickly gain your bearings. From the maps, the nearest of the three destinations is Safeguarding Rule.
With newfound motivation, you continue chopping your way through the thick greenery, pausing periodically for an orienteering break with the compass and maps. After a period of time that surely felt shorter than the time that has already elapsed, you come to a clearing in the trees occupied by a large brick building signed as a bank. You look ahead and see that its ancient glass door, though intact, was ajar. You rush up the crumbled front sidewalk and push open the door with a metallic, grinding screech. Like the car, the building had that disused musty smell. The carpet was growing moss while the teller stations, which once hosted daily interactions, now sat empty and were covered in guano. You withdraw and turn on the flashlight as you venture deeper inside, into the dark recesses of the building: the instructions said to check the vault.
Locating the vault was easy and its ten-ton steel door was wide open. It was completed cleared out save for a single banker’s box on a shelf in the corner. Inside was a binder marked “Safeguarding Rule”. It contained:
- Procedures pertaining to how client information is protected
- Do your procedures define Consumer Information, Consumer Report, Client Information, and Sensitive Client Information and give examples of Sensitive Client Information?
- Do your procedures address administrative, technical, and physical safeguards for the protection of client information? The “who”, “what”, “where”, “when”, “how”, and “why”?
- Cybersecurity protocols
- An incident response plan
- Are your procedures designed to detect, respond to, and recover from unauthorized access to/use of client information?
- Do your procedures assess the nature and scope of an incident of unauthorized access?
- Do your procedures identify Client Information systems and kind of Client Information that might be accessed in an incident of unauthorized access?
- Do your procedures spell out the steps taken to contain and control a security event to prevent further unauthorized access to/use of Client Information?
“Success!” you think to yourself. “One down and two to go!”
You move back through the building to near the door where you can read the maps using natural light. Unfortunately, the map only shows navigation information from the car to each point, not from one point to the next. No problem. Using the information on the map and some high school geometry, including the Pythagorean Theorem, you calculate an approximate distance to the next point. The compass could be used to match your bearing to the directional vectors between points on the map. With all of this established, you bid the bank farewell and go tramping back into the tall grass and forbidding jungle.
Due to the distance, it took longer to find the next point, your journey aided by the appearance of a river with a crumbling concrete bridge still crossing it, both of which appeared on both maps.
You stop to take a rest, knowing that the old bridge once carried a street that ended at your next point: a radio station. You whimsically think about broadcasting something humorous but then remember that the power had been shut off there for years. Still, you wonder if any operable equipment remained inside. You look up to make a navigation check and see a massive cement block ahead. It was the kind used to anchor the guy wires of an antenna mast. You rush ahead and find the massive, heavy-duty steel cable still fastened to the anchor. Determining the wire’s direction, you check the compass for the wire’s bearing: vectoring yourself to the antenna using the guy wire’s bearing should bring you mere steps away from the radio station.
Before long, you are standing before the former home of KRSP Radio. The building’s glass front door was smashed and thousands of glass shards lay scattered on the ground on both sides of the door. You carefully step inside and switch on the flashlight before making your way to the back of the building and the radio studio.
At first glance, you are impressed by the sheer amount of equipment still there: microphones, audio console, headphones, signal lights…it was as if everyone left one day and never returned! According to the instructions, you are to check a back table. You glance to the back of the room, and see a table littered with a jumble of cables, cords, and…
…and single document labelled “Notification Rule”:
- Do your procedures specify the trigger point for notifying clients of a breach?
- Do your procedures specify the party responsible for notifying clients?
- Do your procedures include informing third-party vendors of their obligations to notify your firm within 72 hours of any breach involving your clients’ information?
“I am two for two with this mysterious list!” you think to yourself. It is getting late in the afternoon and the next location—an abandoned junkyard/recycling facility—is well to the north, probably at the former edge of town. Employing the same geometric navigation technique as before, you get a rough direction and distance profile for the final location. You will need to hurry so that you have sufficient time to retrace your steps all the way back to base camp before nightfall. Even with a flashlight, the thought of being in the jungle after dark is not your idea of a good time.
You set off through the verdant surroundings as before, but your arms, tired from hacking all day, don’t swig the machete as hard anymore. The satisfying collapse of a branch or shrub from a single cut has given way to two or three cuts to accomplish. The going is slow as afternoon marches incessantly toward evening. Your upper board screams out in pain to stop while you reassure yourself that the return trip will be far faster and comparatively effortless. Much to your relief, you run straight into an overgrown, rusted, and long neglected chainlink fence—the type commonly used to surround facilities such the next point on the map.
Following the fenceline, you locate the former driveway and squeeze yourself through a gap in a closed gate—it seems they closed up here before leaving.
The grounds of this facility are surprisingly open compared to the rest of the jungle land. Between the heavily compressed ground from years of heavy trucks transiting it daily and the piles of assorted junk and scrap metal stacked in nearly arranged piles around the grounds, it was inhospitable to the growth of trees and other foliage. You are able to walk the final hundred yards to the building’s front door.
Inside, an area that appears to be the facility’s offices spread out before you. And like the other buildings, everything appeared to be as if it had been left behind one day and nobody ever returned. On a desk were several invoices dated 25 years ago…along with a coffee mug, its inside stained brown by coffee that had long since evaporated. Even the wall had hanging on it a calendar from the same time period as the invoices.
The instructions direct you to a filing cabinet with a file folder marked “SP”. You open a drawer in a filing cabinet behind the desk, not doubting the file will be there. You withdraw the file and open it to a single page that reads, “Disposal Rule”:
- Do your procedures discuss the specifics of how Client Information is to be disposed when no longer in use?
- Do your procedures specify that any disposal method must render the Client Information unreadable and unable to be reconstructed?
You have located everything you need to begin complying with the amended Reg S-P…and not a moment too soon. The shadows outside grow long as the day turns to evening. You need to make all possible speed to return to base camp before dark.
Conclusion
Importantly, complying with this regulation does not need to feel like you are venturing through a trackless jungle to find all the necessary updates to your compliance program.
It is important to be thorough when integrating updated procedures into your compliance program. A good start includes reviewing your current policies and procedures and highlighting topics the amendments address—you can use the “map” described above as a starting point. And as always, do not forget to distribute the updated policies and procedures to firm personnel and train them on what is expected of them from the new requirements.
The Core Compliance consulting team can assist you with implementing all the amended Regulation S-P requirements. We also offer compliance technology solutions, which play a crucial role in maintaining a strong compliance program. For more information, please contact us at info@corecls.com, at (619) 278- 0020 or visit us at www.corecls.com.
Author: Matthew Rothchild, Sr. Compliance Consultant; Editor: Tina Mitchell, Managing Director, Consultant Services, Core Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, and private fund managers on regulatory compliance issues.
This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon regarding any particular facts or circumstances without first consulting with a lawyer and/or tax professional.
[1] June 3, 2026