Your RIA Has 25 Days to Comply with Reg S-P
On June 3, 2026, the SEC's amended Regulation S-P compliance deadline hits smaller RIAs. If your firm manages under $1.5 billion in AUM, that deadline is yours. And if you're running AI in your advisory workflow — even a single commercial AI tool — you have specific, nontrivial gaps to close before that date.
The Number That Should Have Your Attention
30 days. That's how long you have to notify affected clients after becoming aware of a potential breach. Not a confirmed breach — a potential one. Under 17 C.F.R. § 248.30(a)(4), the triggering standard is "reasonably likely to have occurred." If your AI vendor's infrastructure is compromised and client data was in scope, your clock starts ticking the moment you learn about it.
The penalty for missing that window isn't abstract. The SEC's 2026 Examination Priorities named amended Reg S-P as an active enforcement focus. Examiners are specifically looking at whether firms have updated their incident response programs to cover AI vendor breaches.
Large RIAs (AUM ≥ $1.5B) had until December 3, 2025. If you're in this category and haven't acted, you're already overdue. Smaller RIAs (AUM < $1.5B): June 3, 2026. That's your line.
Where AI Creates Exposure the Old Rule Didn't Contemplate
Reg S-P was written in 2000. The original rule didn't contemplate AI vendors with continuous API access to client data, retrieval indexes that pool data across clients, or inference logs that capture client-specific context in vendor infrastructure.
The 2024 amendments change that. Here are four specific exposure points that RIAs using AI need to address before June 3:
1. Your AI vendor is a service provider — and your contract probably doesn't reflect that
Under the amended rule, any vendor with access to customer nonpublic information (NPI) is a service provider subject to oversight requirements. That includes AI tools that process client data through an API. Your vendor contract must include a 72-hour breach notification clause — the vendor must notify you within 72 hours of discovering a breach involving your client data. Most standard AI vendor agreements don't include this. If yours doesn't, you're already non-compliant with the oversight requirements of 17 C.F.R. § 248.30(a)(3).
2. Shared AI infrastructure creates firm-wide notification exposure
If your AI vendor uses a shared retrieval index across customers — where a single embedding index contains data from multiple clients or multiple RIA firms — you have a structural problem. In the event of a breach, if you can't identify which specific clients were affected, the amended rule requires notifying all clients whose data resided in the affected system. One misconfiguration event at a vendor using shared infrastructure could trigger firm-wide notification.
3. Prompt logs are customer information records
Every query you submit to an AI system with client-specific context is a log entry containing NPI. If your AI vendor retains those logs, those logs are customer information subject to your 5-year recordkeeping requirements. You need contractual access to them for SEC examination. Most AI vendor agreements give you no such access.
4. AI-generated client communications require grounding documentation
If an AI system generates client-facing content — and the SEC examines that content — "the model said so" is not an acceptable basis for a factual claim. You need to be able to show the source, the retrieval context, and the verification applied. An AI output that contains a fabricated account detail or hallucinated regulatory reference is a Reg S-P and Advisers Act § 206 problem, not just an AI reliability problem.
Scan your AI stack for Reg S-P gaps
Sturna's Reg S-P scan checks your current AI workflow against the amended rule's requirements: tenant isolation, vendor contract coverage, audit log completeness, and grounding evidence. Under 60 seconds. No account required.
Not legal advice. Consult qualified securities counsel for compliance determinations.
The Three Things to Fix Before June 3
You don't need to rebuild your entire compliance program in 25 days. You need to close the specific gaps the amended rule creates. In order of priority:
- Update vendor contracts. Every AI tool that touches client data needs a 72-hour breach notification clause. Get legal on this immediately — it's a contract amendment, not a major project, but it requires vendor cooperation.
- Update your incident response program. Your existing incident response plan almost certainly doesn't cover AI vendor breaches, prompt injection attacks, or hallucination-induced disclosure events. Add a specific AI section. Document the 30-day notification mechanics and who's responsible for triggering them.
- Audit your AI vendors for tenant isolation. Ask your AI vendors directly: is client data segregated at the infrastructure level? Can a retrieval query from one client's session access another client's data? Get the answer in writing before June 3.
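The shared-index risk from item 2 and the tenant-isolation question in the checklist, as an added example that is not Sturna's code or any vendor's API: a toy retrieval index that applies the tenant filter before scoring, an unscoped variant that pools everything, an executable form of the "can one client's session retrieve another client's data" check, and the notification scope each layout produces if the index is breached. Tenant names, chunk text and the word-overlap similarity are constructed assumptions standing in for real embeddings.

```python
"""Tenant-scoped RAG retrieval and breach scope. Added example, not Sturna's code."""
from dataclasses import dataclass, field
from itertools import combinations

@dataclass(frozen=True)
class Chunk:
    tenant: str  # client or firm whose NPI this chunk contains
    text: str

@dataclass
class Index:
    chunks: list = field(default_factory=list)

    def query(self, tenant, question, k=3):
        """Top-k matches (word overlap stands in for embeddings), filtered to the
        caller's tenant BEFORE scoring so no other tenant's chunk can outrank in."""
        q = set(question.lower().split())
        hits = [(len(q & set(c.text.lower().split())), c)
                for c in self.chunks if c.tenant == tenant]
        hits = sorted((h for h in hits if h[0] > 0), key=lambda h: -h[0])
        return [c for _, c in hits[:k]]

    def tenants_present(self):
        """Notification scope if breached without per-record attribution."""
        return sorted({c.tenant for c in self.chunks})

class UnscopedIndex(Index):
    """What the vendor audit must catch: pooled data, no filter at query time."""
    def query(self, tenant, question, k=3):
        q = set(question.lower().split())
        return [c for c in self.chunks if q & set(c.text.lower().split())][:k]

def cross_tenant_leak_check(index):
    """Checklist question as code: query as each tenant using another's text
    and report every (asker, victim) pair where a foreign chunk came back."""
    leaks = []
    for a, b in combinations(index.tenants_present(), 2):
        for asker, victim in ((a, b), (b, a)):
            for c in (x for x in index.chunks if x.tenant == victim):
                if any(h.tenant != asker for h in index.query(asker, c.text)):
                    leaks.append((asker, victim))
    return leaks

# Constructed sample (invented values): two RIA clients plus a second firm on one vendor.
SHARED = Index([
    Chunk("clientA", "Client A IRA balance 412000 rollover pending"),
    Chunk("clientB", "Client B trust account beneficiary update"),
    Chunk("otherRIA", "Other RIA household list export"),
])
POOLED = UnscopedIndex(list(SHARED.chunks))
PER_TENANT = {c.tenant: Index([c]) for c in SHARED.chunks[:2]}
```

A breach of SHARED or POOLED puts all three tenants in scope via tenants_present(), while a breach of one PER_TENANT index names exactly one client; the leak check returns an empty list only for the scoped layout.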
What a Compliant AI Deployment Looks Like
The amended rule uses principles-based language — "reasonably designed," "reasonable investigation." That gives compliance credit for documented, systematic controls. A compliant AI deployment for an RIA has five verifiable properties: tenant-isolated infrastructure, WORM audit logging (5-year retention, first 2 years accessible), factual grounding on all client-facing outputs, a 72-hour notification clause in every AI vendor contract, and an incident response program that covers AI-specific breach scenarios.
None of those require custom software. They require architectural choices by your AI vendor and contractual commitments on paper.
Deploy Reg S-P-compliant AI before your deadline
The $2,500 Sturna RIA pilot provisions a tenant-isolated agent pool with WORM audit logging, factual grounding, and the 72-hour notification clause in your vendor contract — active from day 1. Your 30-day pilot deposit credits your first month of service.
Payments secured by Stripe · No annual contract required