SEC Reg S-P AI Vendor Rules Are Now Live — Are You Already Out of Compliance?
On June 3, 2026, the SEC's amended Regulation S-P safeguards rule took full effect for smaller investment advisers and broker-dealers. The amendment does something most advisory firms missed: it explicitly classifies AI tools used for client-facing work as service providers subject to written vendor oversight and incident-response requirements.
If your firm uses AI for client communications, research assistance, portfolio analysis, or financial planning — and you don't have written AI vendor oversight provisions — the compliance deadline has already passed.
Here's what the rule requires and what to do about it this week.
What Changed in Regulation S-P
Regulation S-P has governed broker-dealer and investment adviser data privacy obligations since 2000. The SEC's amended version, finalized in 2024, introduced two major additions that came into full effect June 3 for smaller firms:
1. Written incident-response programs. Your firm must have a documented, written plan for how it responds to data breaches — including breaches originating from third-party vendors, which now explicitly includes AI tools.
2. Service provider oversight obligations. AI vendors that access, process, or generate outputs based on client financial data must be subject to written contractual oversight provisions. Specifically: breach notification timelines, data handling requirements, and security standards — in writing, in the vendor contract.
Larger firms (assets under management above a certain threshold) had an earlier compliance deadline. Smaller investment advisers and broker-dealers hit the June 3, 2026 deadline, which has now passed.
Who This Affects in Professional Services
This is not an abstract rule for large wirehouses. It applies directly to:
Investment advisory firms and RIAs of any size. If you hold an investment adviser registration and use AI tools for client-facing work, Reg S-P's service-provider provisions apply. There is no small-firm exemption.
Accounting firms with advisory registrations. Many regional and mid-size CPA firms hold RIA registrations to offer financial planning alongside tax and audit services. If your accounting firm has an RIA registration, your AI tools for client work fall under the same obligations. Tax prep AI that processes client financial data, AI document drafting tools used in client engagements, and AI research assistants that output client-specific financial analysis — all of these now require written vendor oversight.
Multi-service financial advisory boutiques. Firms that combine wealth management, financial planning, and consulting under one RIA registration are often the ones most exposed here — because they use the broadest range of AI tools across the most client-facing work.
The Specific Gap Most Firms Have
The problem is not whether you know about the rule. The problem is the vendor contract.
Most firms that adopted AI tools in 2024 and 2025 did so quickly, clicking through standard terms of service. Standard ToS agreements from AI vendors were written for general commercial use — they typically do not include:
- Breach notification timelines aligned with SEC requirements
- Explicit statements about where client data is stored, processed, or used for model training
- Contractual commitments about security standards that satisfy the SEC safeguards rule
When an AI vendor's contract does not contain these provisions, using that tool for client work creates a compliance gap — not because you're doing anything wrong with the tool, but because the contractual scaffolding the SEC requires isn't in place.
This is the gap you need to close this week.
What a Written Oversight Provision Looks Like
You don't need to hire outside counsel to fix this, but you do need to act. Here's what an adequate written oversight provision covers:
Breach notification. The vendor must notify your firm within a specified period (typically 72 hours, consistent with SEC guidance) if a breach affects your clients' data.
Data handling. The contract must specify whether the vendor uses your client data to train their AI models. For most enterprise AI tools used in financial advisory, the answer should be no — and that needs to be in writing.
Security standards. The vendor should attest to maintaining security standards (SOC 2 Type II is the common benchmark) and provide evidence of those standards on request.
Your firm's right to audit. You should have contractual standing to request evidence of the vendor's compliance with these provisions.
For most major AI tools used in professional services — Microsoft Copilot under M365, Claude Pro/Team, specialized tools like Harvey, Casetext, or Karbon — vendor-facing data processing agreements (DPAs) are available. The process is usually a business request through the vendor's enterprise sales or legal team, not a major negotiation.
The Three-Step Fix This Week
Step 1: Build your AI vendor list.
Write down every AI tool your firm uses that touches client data. Cast a wide net: tax prep platforms with AI features, document drafting assistants, research tools, client communication drafting tools, portfolio analysis software, anything with an AI layer. Include tools that staff use informally — if a paralegal is pasting client information into a general-purpose AI to draft a letter, that tool is in scope.
Step 2: Check each vendor for a DPA.
For each tool on your list, check whether you already have a data processing agreement in place. If you don't know, assume you don't. Log in to each vendor's trust or legal portal and search for "DPA" or "data processing agreement." Many vendors have self-serve DPAs for business accounts. If you're on a business or team plan, you've likely accepted a DPA you may not have read.
For standard consumer-tier AI tools (general ChatGPT, standard Gemini), you should not be using client-specific financial data. Move that work to a business tier with a DPA in place or stop using AI for that task until you do.
Step 3: Update your incident-response plan.
Add a section to your firm's written incident-response plan that covers AI vendor breach scenarios specifically. The SEC examination staff will look for evidence that your incident-response program contemplates vendor-originated breaches. This does not need to be long — a 200-word addendum to an existing plan is better than no plan.
If your firm does not have a written incident-response plan at all, this is your signal to create one. The SEC's examination staff is prioritizing AI vendor oversight in 2026 reviews.
The Accounting Firm Alert
If your CPA firm has an RIA registration — even if financial advisory is a small part of your practice — you are in scope. The SEC does not distinguish between a pure-play RIA and an accounting firm with an advisory registration. If you have the registration and you use AI for advisory client work, the obligation is the same.
This is one area where the cross-disciplinary nature of many accounting firms creates a compliance gap. The tax team is thinking about Circular 230 and IRS guidance. The advisory team is thinking about client service. The compliance piece — Reg S-P's new AI vendor provisions — often falls through the gap between both.
The fix is the same as above: vendor list, DPA check, incident-response plan update.
What Comes Next
The SEC is not alone in moving on AI vendor oversight. The same logic — that AI tools used for client work are service providers requiring written oversight — is showing up in state bar ethics rules (California's proposed Rule 1.1 changes would require written agreements before using AI on client matters), in state privacy laws, and in the AICPA's emerging AI governance guidance.
The direction of travel is clear: regulators expect firms to treat AI vendors the way they treat any other vendor handling sensitive client data — with written contracts, breach notification protocols, and documented oversight.
Investment advisers and accounting firms with RIA registrations are simply first in line because the SEC moved first.
If you have not done the three steps above, this week is the right time. The deadline passed on June 3. The examination cycle is ongoing.
The Crossing Co covers AI adoption for professional services firm owners. Subscribe to The Crossing Report for weekly intelligence on AI tools, compliance developments, and what your competitors are doing.