Regulation S-P: Financial Services Privacy Compliance Guide
Disclaimer: This post is for informational purposes only and does NOT constitute legal or tax advice. It does not create an attorney-client relationship. Consult a qualified legal or regulatory professional before taking any compliance action.
Last reviewed: June 21, 2026
Honesty statement: Every date, citation, RIN, CFR reference, and figure in this post is copied verbatim from the Federal Register and eCFR as of the snapshot date. Nothing is estimated, modeled, or extrapolated. This is not legal or tax advice.
The Deadline and the Obligation
August 2, 2024 is the effective date of a correction issued by the Securities and Exchange Commission (SEC) to Regulation S-P — the federal rule governing the privacy of consumer financial information and the safeguarding of customer information held by registered investment advisers and investment companies.
The correction was published in the Federal Register on June 27, 2024 (89 FR 53487), under RIN 3235-AN26. It amends 17 CFR Part 270 (investment company rules) and 17 CFR Part 275 (investment adviser rules).
Regulation S-P's core requirements — privacy notice delivery to customers and a comprehensive information security program — apply to a wide range of financial firms. Understanding what the SEC corrected and what the underlying rule requires is essential for financial services compliance programs.
Source: Federal Register / eCFR
Background: What Is Regulation S-P?
Regulation S-P, promulgated under the Securities Exchange Act and the Gramm-Leach-Bliley Act, requires financial firms — including broker-dealers, registered investment advisers (RIAs), and investment companies — to:
- Provide privacy notices to individual customers explaining how the firm collects, shares, and protects nonpublic personal information (NPI).
- Implement a written information security program (commonly called a "safeguards" program) that protects customer records and information from unauthorized access, use, or disclosure.
- Notify customers of security breaches under amendments to the rule that have expanded these obligations in recent years.
The SEC's Release No. 34-100155 (May 16, 2024), published in the Federal Register on June 3, 2024, contained the primary Regulation S-P amendments. The document at 89 FR 53487 (published June 27, 2024) makes corrections to the amendatory instructions in that release. The rule abstract is precise: "This document makes corrections to the amendatory instructions in Release No. 34-100155 (May 16, 2024), which was published in the Federal Register on June 3, 2024."
The correction became effective August 2, 2024, as stated verbatim in the rule: "Effective date: This rule is effective August 2, 2024."
Key Dates at a Glance
| Event | Date | Source |
|---|---|---|
| Release No. 34-100155 (primary amendments) published in FR | June 3, 2024 | SEC / Federal Register |
| Correction document published (89 FR 53487) | June 27, 2024 | Federal Register |
| Correction effective | August 2, 2024 | 89 FR 53487 |
| RIN | 3235-AN26 | SEC |
| CFR parts affected | 17 CFR Part 270; 17 CFR Part 275 | eCFR |
Who Is Affected
The correction and the underlying Regulation S-P rule apply to:
| Entity Type | CFR Reference | Primary Obligation |
|---|---|---|
| Registered Investment Advisers (RIAs) | 17 CFR Part 275 | Privacy notices, safeguards program, breach notification |
| Investment Companies (mutual funds, ETFs) | 17 CFR Part 270 | Privacy notices to shareholders, safeguards |
| Broker-Dealers | Separate SEC/FINRA authority (not Part 270/275) | Parallel privacy and safeguards obligations |
| Transfer Agents | SEC oversight | Review with counsel |
| Foreign financial firms with US customers | Case-by-case | Consult regulatory counsel |
The Securities and Exchange Commission (SEC) is the agency responsible for enforcing this rule through its examination and enforcement programs.
What the Correction Changes
The correction published at 89 FR 53487 addresses the amendatory instructions in Release No. 34-100155. Amendatory instructions tell federal agencies and regulated entities exactly which paragraphs, subparagraphs, or regulatory text are being added, removed, or revised. An error in amendatory instructions can cause confusion about which version of a rule is legally operative.
By correcting the amendatory instructions, the SEC ensures that the text of 17 CFR Part 270 and 17 CFR Part 275 as published in the eCFR accurately reflects the agency's intent as of the correction's effective date of August 2, 2024.
Financial firms should verify that their compliance programs and internal policies are calibrated to the corrected version of the regulation, not the originally published Release No. 34-100155 text that contained the errors.
Financial firms operating under 17 CFR Part 275 should confirm their compliance policies reflect the corrected amendatory instructions effective August 2, 2024.
Core Regulation S-P Obligations for Financial Firms
Regardless of the technical correction, the underlying Regulation S-P framework imposes substantive obligations that every covered financial firm must operationalize. These come from 17 CFR Part 275 and 17 CFR Part 270 as currently in effect:
Privacy Notices
The rule requires firms to provide a clear and conspicuous notice to customers at the time of establishing a customer relationship, and annually thereafter, explaining:
- What categories of NPI the firm collects
- Which categories of third parties receive that NPI
- How the customer can opt out of certain disclosures
Notices must be written in plain language and delivered in a manner customers can reasonably be expected to receive.
Safeguards Program
The rule requires firms to develop, implement, and maintain a comprehensive written information security program covering:
- Administrative, technical, and physical safeguards
- Risk assessment procedures
- Vendor oversight for service providers that access customer NPI
- Incident response planning and breach notification procedures
Breach Notification
Expanded requirements under the Regulation S-P amendments (Release No. 34-100155) impose notification obligations when a security breach affects customer NPI. The specifics of those timing and method requirements should be reviewed directly in the amended CFR text and, where needed, with qualified securities counsel.
Operationalizing Compliance at Volume
Regulation S-P compliance is not a one-time project — it requires ongoing operations: annual privacy notice delivery, continuous safeguards monitoring, vendor due diligence, and incident response readiness. For firms managing hundreds or thousands of customer relationships, manual compliance tracking creates risk.
Compliance Workflow Checklist
| Task | Frequency | Owner |
|---|---|---|
| Deliver initial privacy notice to new customers | At account opening | Operations / compliance |
| Deliver annual privacy notice update | Annually | Compliance / marketing |
| Review and update information security program | Annually (minimum) | CISO / IT / compliance |
| Conduct vendor safeguards assessments | Annually or at onboarding | Procurement / compliance |
| Test incident response procedures | Annually | IT / compliance |
| Monitor for security incidents requiring notification | Ongoing | IT / CISO |
| Review CFR text for updates or corrections | Quarterly | Compliance counsel |
Workflow automation can handle the scheduling, routing, and documentation of many of these tasks systematically — reducing the risk that a notice cycle is missed or a vendor review falls through the cracks. A US Tech Automations workflow can track the August 2, 2024 effective date, route the annual privacy notice to each customer on schedule, monitor vendor safeguards reviews, and capture an evidence trail of every step so the records exist for an SEC examination. Teams operationalizing these obligations can explore AI-driven finance and accounting automation or see how US Tech Automations configures agentic compliance workflows end to end.
Scope of This Regulatory Edition
This brief is part of a point-in-time index of 460 U.S. federal rules published June 21, 2024 – June 21, 2026 by 11 agencies governing covered industries. The SEC correction at 89 FR 53487 is one of those rules.
Key Takeaways
- The SEC published a correction (89 FR 53487) to Regulation S-P amendatory instructions on June 27, 2024, effective August 2, 2024.
- The correction addresses errors in Release No. 34-100155 (May 16, 2024) and affects 17 CFR Part 270 and 17 CFR Part 275.
- The underlying Regulation S-P framework requires privacy notices, a written information security safeguards program, and breach notification procedures for covered financial firms.
- RIAs and investment companies should verify their internal policies and compliance programs reflect the corrected CFR text.
- Ongoing compliance (annual notice delivery, safeguards monitoring, vendor oversight) is best supported by systematic workflow management.
For financial firms facing the related FinCEN beneficial ownership requirements, see Beneficial Ownership Information Reporting for Financial Firms.
FAQ
What exactly did the SEC correct in 89 FR 53487?
The rule abstract states the SEC "makes corrections to the amendatory instructions in Release No. 34-100155 (May 16, 2024), which was published in the Federal Register on June 3, 2024." The correction document at 89 FR 53487 contains the specific amendatory language. Consult the full rule text for the precise changes.
When did this correction take effect?
The correction is effective August 2, 2024, as stated verbatim in the rule (89 FR 53487).
Which types of financial firms must comply with Regulation S-P?
Regulation S-P under 17 CFR Part 275 applies to SEC-registered investment advisers. 17 CFR Part 270 covers investment companies. Broker-dealers face parallel obligations under separate SEC and FINRA authority. Consult qualified counsel to determine whether and how Regulation S-P applies to your firm.
What is a "safeguards program" under Regulation S-P?
The rule requires covered firms to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards to protect customer NPI. The program must cover risk assessment, vendor oversight, and incident response. The current text of 17 CFR Part 275 at the eCFR contains the operative requirements.
Does Regulation S-P require annual privacy notices to all customers?
The rule requires firms to provide an initial notice at the establishment of a customer relationship and an annual notice thereafter. The content, format, and delivery method requirements are specified in the regulation. Firms should consult the current eCFR text and qualified securities compliance counsel for their specific obligations.
Where can I read the full Regulation S-P correction?
The complete correction is at the Federal Register: https://www.federalregister.gov/documents/2024/06/27/2024-14031/regulation-s-p-privacy-of-consumer-financial-information-and-safeguarding-customer-information. Current CFR text is at eCFR Title 17.
How does Regulation S-P relate to other privacy laws like GDPR or state laws?
Regulation S-P is a federal SEC regulation specific to certain financial firms and does not displace state privacy laws or international frameworks like GDPR. Covered firms should conduct a comprehensive privacy law analysis with qualified counsel to identify all applicable requirements.
Citation Table
| Citation | Description | Link |
|---|---|---|
| 89 FR 53487 | SEC correction to Regulation S-P amendatory instructions | Federal Register |
| RIN 3235-AN26 | SEC regulatory identifier for this rulemaking | Federal Register |
| 17 CFR Part 270 | Investment company rules | eCFR |
| 17 CFR Part 275 | Investment adviser rules | eCFR |
| Release No. 34-100155 | Primary Regulation S-P amendments (May 16, 2024) | Federal Register |
Source: Federal Register / eCFR