Reg S-P is now in force for all SEC-registered advisers. The amended compliance dates have passed, and the rule is a named SEC examination priority for fiscal year 2026. This guide explains how to fold Reg S-P into the annual compliance review you are already required to run.
Most coverage of Regulation S-P treated it as a deadline to beat. That framing is over. The compliance dates came and went (December 3, 2025 for larger entities and June 3, 2026 for smaller entities), and the rule is simply part of the regulatory baseline now. The question is no longer "will I be ready in time." It is "can I prove, every year, that my safeguards still work."
That proof happens inside your annual Rule 206(4)-7 compliance review. If you treat Reg S-P as a one-time document drop and never revisit it, you have not actually complied. You have created a paper record that will age into a liability the moment an examiner asks what you reviewed last year.
What Rule 206(4)-7 Actually Requires
Rule 206(4)-7 under the Investment Advisers Act, often called the Compliance Rule, has three core obligations for every SEC-registered adviser:
- Adopt written policies and procedures reasonably designed to prevent violations of the Advisers Act and its rules.
- Review those policies and procedures at least annually for both adequacy and effectiveness.
- Designate a Chief Compliance Officer responsible for administering them.
The phrase that matters most is "adequacy and effectiveness." Adequacy asks whether your policies are designed correctly on paper. Effectiveness asks whether they actually work in practice. A Reg S-P incident response program that looks complete but has never been tested fails the effectiveness test, and that is exactly the kind of gap an examiner is trained to find.
Why Reg S-P Belongs in the Annual Review
The amended Regulation S-P (adopted May 16, 2024, Release No. 34-100155) is now part of the body of rules your written policies must reasonably be designed to follow. That pulls it directly into the scope of Rule 206(4)-7. Reviewing your Reg S-P safeguards is not optional housekeeping. It is a component of the annual review the SEC already mandates.
Reg S-P also created obligations that are inherently ongoing rather than one-time:
- An incident response program that has to be maintained and tested, not just written.
- Service provider oversight that has to keep pace with the vendors you actually use.
- A breach notification process capable of notifying affected individuals within 30 days of determining that sensitive customer information was, or was likely, accessed without authorization.
- Recordkeeping that documents all of the above and is retained per the books-and-records requirements.
Each of these decays without attention. Vendors change. Staff turn over. New systems come online. The annual review is the mechanism that catches that drift before an examiner does.
The Reg S-P Annual Review Checklist
Here is a practical sequence for the Reg S-P portion of your annual Rule 206(4)-7 review. Work through it, document each step, and date the result.
1. Re-confirm Your Data Inventory
Start by mapping where sensitive customer information actually lives today, not where it lived when you first wrote your policies. Account for new applications, cloud storage, email, CRM systems, and any place client data flows. If your data footprint has changed and your policies have not, that is your first gap.
2. Test the Incident Response Program
A written plan you have never exercised is not effective; it is theoretical. Run a tabletop exercise: walk a realistic scenario (for example, a compromised email account or a vendor breach) through your plan step by step. Confirm that roles are assigned, escalation paths are current, and the 30-day notification clock is something your team can actually meet. Document who participated and what you learned. For a fuller walkthrough, see our incident response plan guide.
3. Refresh Your Service Provider Oversight
Pull your current vendor list and compare it against the inventory in your service provider oversight program. For every vendor with access to customer information, confirm you have appropriate due diligence and contractual safeguards in place. New vendors added during the year are a common blind spot. Our vendor management requirements guide covers what oversight the rule expects.
4. Review Breach Notification Readiness
Confirm your breach notification templates and procedures are current, that you know which individuals would need to be notified, and that you can meet the 30-day standard. Check that contact data for clients is accurate enough to actually reach them. A notification process that cannot locate affected customers fails in practice.
5. Verify Recordkeeping
Confirm you are retaining the records the amended rule requires, including documentation of your incident response program, written policies, and any incidents and the firm's response. Recordkeeping is frequently where otherwise compliant firms lose points, because the substance existed but was never preserved in a way the firm can produce on request.
6. Document Findings and Remediation
Write a dated summary: what you reviewed, what gaps you found, what you changed, and what remains open with a target date. This is the artifact that proves the review happened. The four required documents themselves are covered in our guide to the four documents every RIA needs.
What SEC Examiners Look For
Because Reg S-P is an FY2026 examination priority, the annual review is increasingly where firms are tested. Examiners tend to probe a predictable set of weaknesses:
- Generic, non-firm-specific policies. Documents that describe capabilities or procedures your firm does not actually have are an immediate red flag. Examiners are trained to spot boilerplate.
- A written plan with no evidence of testing. If you cannot show a tabletop exercise or any operational test of your incident response program, the program is presumed ineffective.
- A stale vendor inventory. Oversight that lists vendors you no longer use, or omits vendors you added this year, signals that the program is not maintained.
- No documented annual review. If you cannot produce a dated record of the review itself, you have a Rule 206(4)-7 deficiency independent of the underlying Reg S-P substance.
The pattern across all of these is the same: the SEC is far less interested in how polished your documents look and far more interested in whether your firm actually does what the documents say.
The Compounding Risk of a Weak Review
The reason the annual review matters so much is that a failure there multiplies. Suppose your incident response program has a gap, for example, no clear owner for breach notification. If your annual review misses it, an examiner can cite two findings: the substantive Reg S-P inadequacy and the failure of your Rule 206(4)-7 review to catch it. One operational weakness becomes two deficiencies on the same exam.
This is also why post-deadline enforcement is a real risk rather than a hypothetical one. The firms most exposed now are not the ones who were a few weeks late. They are the ones who filed compliant-looking documents once and never built the annual habit of testing them. For more on enforcement exposure, see our analysis of what happens after the Reg S-P deadline.
Building a Repeatable Annual Process
The goal is not heroics once a year. It is a process you can run the same way every year, document the same way, and improve incrementally. A few principles make that achievable for small firms:
- Calendar it. Tie the Reg S-P review to a fixed point in your annual compliance cycle so it never gets skipped.
- Keep the prior year's report. Each review should start by checking whether last year's open items were closed. That continuity is itself evidence of an effective program.
- Update the documents, do not just re-read them. If your business changed, your policies should change. An annual review that produces no edits in a year where you onboarded vendors or new staff looks like a rubber stamp.
- Make the documents firm-specific in the first place. The single biggest driver of a clean review is starting from policies that genuinely reflect how your firm operates. Generic templates create work every year because they never quite match reality.
If your starting documents are firm-specific and current, the annual review becomes a manageable confirmation exercise rather than a yearly scramble. If they are not, every review surfaces the same structural gaps.
Where RegShield Fits
RegShield generates the four required Reg S-P documents tailored to your firm in about fifteen minutes for a one-time $299, with a 30-day money-back guarantee. Firm-specific documents are what make the annual Rule 206(4)-7 review straightforward, because there is far less to reconcile between what your policies say and what your firm actually does. You can compare the full range of options in our breakdown of the true cost of Reg S-P compliance.
The deadline is behind you. The exams are ahead. The annual review is how you stay on the right side of both.
Frequently Asked Questions
Does Reg S-P have to be included in my annual compliance review? Yes. Rule 206(4)-7 requires every SEC-registered adviser to review its written policies and procedures at least annually for adequacy and effectiveness. Now that the amended Regulation S-P is in force, your incident response program, service provider oversight, breach notification procedures, and recordkeeping must be tested as part of that annual review.
How often do I need to review my Reg S-P policies? At minimum once per year under Rule 206(4)-7. Many firms also conduct interim reviews after a material change, such as onboarding a new vendor with access to customer data, a system migration, or an actual security incident.
Does the SEC require a written report of the annual review? The rule does not prescribe a specific format, but the SEC expects firms to be able to demonstrate that a meaningful review took place. A dated written summary of what was reviewed, what gaps were found, and what was remediated is the practical standard examiners look for.
What happens if my annual review misses a Reg S-P gap? If an examiner finds that your incident response program or vendor oversight is inadequate and your annual review failed to catch it, you face a potential deficiency on both the substantive Reg S-P requirement and the Rule 206(4)-7 review obligation itself. A weak annual review compounds the underlying problem.
Who is responsible for the annual Reg S-P review? Your Chief Compliance Officer, designated under Rule 206(4)-7, owns the annual review. At a solo or small firm the CCO is often the principal, which is why a documented, repeatable process matters more than firm size.
Rees Calder
Rees is the founder of RegShield and CEO of Levity Leads Ltd. He works with small registered investment advisers to simplify SEC compliance, with a focus on making Regulation S-P requirements accessible and actionable for firms that lack dedicated compliance departments.