We’re reaching out to help you comply with recent amendments to Regulation S-P and remind you about recently adopted continuing education requirements imposed by many states:  

• As the first compliance deadline for “large entities” under the amended Regulation S-P quickly approaches, we’re here to help your firm develop and implement thoughtful and practical policies and procedures.  
• We’re keeping you up to date about state-imposed continuing education obligations for investment adviser representatives (“IAR”) as more states have adopted and continue to adopt these requirements. 

Regulation S-P Amendments

What is it? The SEC adopted amendments to Regulation S-P, which governs privacy for investment advisers. The amendments aim to fortify existing client data protection obligations, impose formal requirements for service provider oversight, and ensure timely and consistent incident response and notification about data breaches.  

What are the compliance deadlines? Larger entities, including registered investment advisers with $1.5 billion or more under management, are required to comply by December 3, 2025. Other investment advisers registered with the U.S. Securities and Exchange Commission are not required to comply until June 3, 2026. State registered investment advisers are not subject to these amendments; however, they remain subject to state privacy and data breach laws.  

How do you comply with the amended rule? To ensure a smooth transition, we’re recommending that advisers update their privacy policies and procedures in advance of their respective compliance deadlines. Those policies and procedures should be guided by the adopting release to the amended rule, tailored to your firm’s actual privacy practices, and address the following updated requirements:  

• Written Incident Response Plan – Advisers must maintain and implement a documented plan for detecting, responding to, and recovering from data breaches or unauthorized access. 

• Client Notification – If “sensitive customer information” is compromised, advisers must generally notify affected clients within 30 days of determining that unauthorized access has occurred. 

• Service Provider Oversight – Advisers must take reasonable steps to ensure third-party service providers who manage certain data maintain comparable safeguards and promptly notify the adviser about certain types of security breaches. 

• Expanded Safeguard Expectations – The amendments codify specific administrative, technical, and physical safeguards to protect both current and former clients’ information. 

What are your next steps? If you are a fixed fee client who engaged us to maintain your firm’s policies and procedures manual, rest assured we are already making the necessary adjustments and will be reaching out to you shortly. This is part of our ongoing commitment to keep you ahead of the regulatory curve.  

For all other advisers, please reach out to your primary contact at RIA Lawyers or email us at [email protected] to schedule a call and get started.  

Investment Adviser Representative Continuing Education 

What is it? The North American Securities Administrators Association (NASAA) Model Rule for Investment Adviser Continuing Education sets a standardized continuing education requirement for individuals registered as investment adviser representatives who are individually registered in states that adopt the model rule. So far, the regulations that states have adopted closely align with the model rule, but investment adviser representatives should ensure they comply with the rules as imposed by the states where they are licensed.  

How does it work? Under the model rule, IARs are required to complete 12 hours of continuing education each calendar year, consisting of 6 hours of products and practice, and 6 hours of ethics and professionalism (with at least 3 credits devoted to ethics). Only approved IAR CE course providers can award credits, and surplus credits cannot be carried into the next year. CE credits must be earned and reported by mid-December of the applicable year. 

Why does it matter? Failure to complete the required CE can result in the state revoking the IAR’s license.  

Which states adopted continuing education requirements? The jurisdictions listed below have informed NASAA they have an IAR CE requirement: 

We can help. Please reach out to your primary contact at RIA Lawyers or email us at [email protected] if you need any help navigating these requirements.