Regulatory Compliance

What Does Reg S-P's Vendor Oversight Requirement Actually Require RIAs to Do?

Emily Mora6 min read
What Does Reg S-P's Vendor Oversight Requirement Actually Require RIAs to Do?

Reg S-P's service provider oversight requirement — now in effect for smaller registered investment advisers as of June 3, 2026 — requires a written policy covering three things: due diligence before engaging any service provider with access to customer information, ongoing monitoring of that service provider afterward, and a contractual guarantee that the provider will notify you within 72 hours of any breach involving your customer data. It is not a one-time vendor questionnaire. It is a program that has to keep running for as long as the relationship does.

TL;DR

  • The amended Reg S-P compliance deadline for smaller RIAs (under $1.5 billion AUM) was June 3, 2026 — already passed.
  • The rule requires written policies covering service provider due diligence, ongoing monitoring, and a 72-hour breach notification obligation from the vendor to the adviser.
  • The SEC's Division of Examinations named Reg S-P compliance a 2026 examination priority, so this isn't a theoretical requirement — expect it to come up in exams this cycle.
  • Firms must keep records of service provider agreements, oversight activity, and every instance of unauthorized access detected — for five years, with the first two easily accessible.
  • If you're not fully compliant yet, the fastest defensible step is documenting what oversight you do have today and closing gaps from there, not waiting for a perfect program.

What exactly counts as a "service provider" under Reg S-P?

The rule applies to any service provider that receives, maintains, processes, or otherwise has access to customer information on the adviser's behalf. That's a wide net. It covers obvious cases like custodians, portfolio management software, and CRM platforms, but it also covers less obvious ones: a document storage vendor, an email marketing tool with client lists uploaded to it, a compliance software provider, or any SaaS platform where client PII passes through, even briefly.

The amendments define "customer information" broadly enough that the test isn't "does this vendor store our data long-term" — it's "does this vendor have access to it at all." A vendor you use for two weeks during onboarding still counts.

What written policies does the SEC expect for service provider oversight?

The SEC requires advisers to "establish, maintain, and enforce written policies and procedures that are reasonably designed to require oversight of service providers." In practice, examiners are looking for three components, all in writing:

  1. Due diligence at selection. Some documented process for vetting a vendor's security posture before you sign — not necessarily a formal audit for every vendor, but something more than "we trust them."
  2. Ongoing monitoring after the relationship starts. The SEC intentionally didn't prescribe a fixed cadence, giving smaller firms flexibility to size the program to their complexity. But "we reviewed it once at signing and never again" does not satisfy "ongoing."
  3. A contractual notification requirement. Your service provider agreements need language obligating the vendor to notify you within 72 hours of becoming aware of a breach affecting your customer information. If your existing vendor contracts don't have this language, that's a gap the June 3 deadline was supposed to close.

What does "ongoing monitoring" mean in practice for a small RIA?

This is the part firms tend to underbuild, because "ongoing" sounds like it requires constant vendor re-audits, and most 1–20 person compliance teams don't have the bandwidth for that. The SEC's own framing gives room here: the standard is reasonableness relative to the firm's size and the sensitivity of what the vendor touches.

What actually satisfies "ongoing" for most smaller advisers is a combination of: periodic re-review of higher-risk vendors (anything touching sensitive customer information, at minimum annually), and a way to catch material changes as they happen — a new subprocessor added to a vendor's stack, a shift in where data is hosted, a vendor's own terms of service or privacy policy changing in ways that affect your obligations. That second half — catching changes between formal review cycles — is where most manual programs quietly fail, because nobody is checking a vendor's published terms and DPAs on a rolling basis. It's also the exact gap Legal Sentinel's continuous monitoring approach was built around: vendor documents get re-checked on a fixed interval instead of only at renewal, so a materially adverse change surfaces the same day it happens rather than at the next annual review.

What's the 72-hour notification requirement, and whose job is it?

This obligation runs from the service provider to the adviser, not from the adviser to the SEC directly. Your vendor contracts need to require the vendor to notify you within 72 hours of becoming aware that a breach has occurred resulting in unauthorized access to your customer information. That 72-hour clock is separate from — and upstream of — the adviser's own 30-day customer notification obligation under the incident response program requirement, which only starts once you know about the incident. If your vendor is slow to tell you, your own 30-day clock effectively gets compressed.

This is the part worth checking first if you haven't already: pull your five or six highest-risk vendor contracts (custodian, portfolio software, any platform holding client PII) and confirm the notification language is actually in there, not assumed.

What records do examiners actually want to see?

The recordkeeping requirement is specific. Firms need to maintain:

  • Copies of the written policies covering both the safeguards and disposal requirements
  • Service provider agreements, or separate records documenting oversight of each service provider
  • A record of every instance of unauthorized access detected, and what was done about it
  • Documentation of any determination that customer notification was not required for a given incident (examiners want to see the reasoning, not just the outcome)

Records need to be kept for five years, with the first two easily accessible. "We did the oversight but didn't write it down" is functionally the same as not having done it, from an exam perspective.

The deadline passed June 3 — what if you're not fully compliant yet?

You're not alone, and there's a reasonable path forward that doesn't require rebuilding your compliance program overnight. The SEC's Division of Examinations has flagged Reg S-P as a 2026 exam priority, which means the realistic risk isn't an immediate enforcement action for a firm that's making good-faith progress — it's an exam finding if there's no documented program at all.

The fastest defensible move is to document what oversight already exists today (even informal vendor vetting counts as a starting point), identify which of your service providers actually have access to customer information (not every vendor does), and prioritize closing the contractual notification gap on your highest-risk vendors first. A partial, documented program in progress is a materially different exam conversation than no program.

For firms that want a starting checklist rather than building the service-provider inventory from scratch, we put together a one-page Reg S-P vendor compliance checklist covering the specific oversight obligations above — it's available as a free download.

Legal Sentinel monitors vendor-published legal documents — terms of service, DPAs, privacy policies, sub-processor lists — and flags material changes the same day they happen, which is one input into an ongoing service provider monitoring program under Reg S-P. Read how RFG Advisory used this to catch four vendor AI-training clause changes in three months.

Disclosure: Emily Mora, author of this post, is Cofounder & US Commercial Lead of Legal Sentinel and holds profit-sharing in the company.

Emily Mora
Emily Mora
Cofounder & US Commercial Lead, Legal Sentinel

Emily Mora is a Compliance Senior Associate on the corporate compliance and legal team at RFG Advisory, and Cofounder & US Commercial Lead at Legal Sentinel. She is a member of the Alabama Bar and holds a JD from UCLA School of Law. Emily writes about vendor contract risk and regulatory oversight — Reg S-P, TPRM, and the gap between how compliance teams are expected to monitor vendors and how most actually do it.