The amended Regulation S-P requires every SEC-registered investment adviser to maintain a written service provider oversight policy. This is not an abstract requirement. SEC examiners ask for it by name. Deficiency letters cite its absence specifically.
This article provides template language for each required section of a Reg S-P service provider oversight policy. These are not summaries of what the policy should say -- they are policy sections you can copy, customize with your firm's specifics, and incorporate into your written compliance program.
For background on the underlying regulatory requirements, see SEC Reg S-P Vendor Management: What Your Firm Must Document. This article goes one step further: it gives you the actual language.
What the Template Must Cover
The amended Regulation S-P (17 CFR Part 248, Subpart A) requires covered institutions to adopt and implement written policies and procedures reasonably designed to:
- Identify and assess information security risks posed by service providers
- Select and retain service providers that maintain appropriate safeguards
- Require service providers to implement and maintain appropriate safeguards by contract
- Oversee service providers on an ongoing basis
A compliant written policy needs to address five elements:
- Scope -- which service providers are subject to oversight
- Initial due diligence -- how the firm evaluates providers before engagement
- Contractual standards -- what the firm requires in vendor agreements
- Ongoing monitoring -- how the firm reviews vendor security over time
- Incident response coordination -- how the firm responds when a vendor has a breach
Each element is addressed in the template sections below.
Section 1: Scope and Definitions
Purpose. This policy establishes written procedures for [FIRM NAME] (the "Firm") to oversee service providers that receive, maintain, process, or otherwise have access to customer information, as required by SEC Regulation S-P.
Definition of Service Provider. For purposes of this policy, a "service provider" is any third party engaged by the Firm that, in the course of providing services, receives, maintains, processes, or otherwise has access to customer information. This includes, but is not limited to:
- Custodians and broker-dealers
- Portfolio management and trading platforms
- Client relationship management (CRM) systems
- Cloud storage and data backup providers
- Email and communication platforms
- Information technology support and managed services providers
- Compliance technology platforms
- Third-party administrators
Vendor Register. The Compliance Officer shall maintain a written vendor register listing each covered service provider, the nature of customer information accessed, the date of initial engagement, and the status of contractual review. The vendor register shall be reviewed and updated at least annually and upon engagement of any new service provider.
Exclusions. This policy does not apply to service providers that have no access, actual or potential, to customer information. The Compliance Officer shall make the exclusion determination in writing and retain it in the compliance files.
Section 2: Initial Due Diligence
Pre-Engagement Assessment. Before engaging any service provider that will access customer information, the Compliance Officer or a designated reviewer shall conduct a written due diligence assessment addressing the following:
- The nature and volume of customer information the provider will access
- The provider's information security policies and certifications (SOC 2 Type II, ISO 27001, or equivalent)
- The provider's incident history and track record for disclosing breaches
- The provider's data retention and deletion practices
- The provider's subcontractor or fourth-party relationships that may involve customer information
Documentation Requirement. The results of each pre-engagement assessment shall be documented in a standard due diligence questionnaire and retained in the provider's compliance file. Verbal representations from vendors do not satisfy this requirement.
Risk Tiering. Based on the due diligence assessment, the Compliance Officer shall assign each service provider a risk tier:
- Tier 1 (High Risk): Providers with broad, ongoing access to the full customer database (custodians, core portfolio systems, CRM). Subject to enhanced due diligence and annual formal review.
- Tier 2 (Moderate Risk): Providers with access to customer information in the course of specific services (IT support, cloud backup, email archiving). Subject to standard due diligence and periodic review.
- Tier 3 (Lower Risk): Providers with incidental or limited access. Subject to baseline contractual requirements and review upon material change.
Risk tier designations shall be documented and may be revised when the provider's access or risk profile changes materially.
Section 3: Contractual Standards
Required Contract Provisions. Contracts with covered service providers shall include, at minimum, the following provisions before the Firm engages the provider or renews an existing engagement:
(a) Security Safeguards. The service provider shall implement and maintain appropriate administrative, technical, and physical safeguards designed to protect customer information from unauthorized access, use, or disclosure. Such safeguards shall be no less protective than those the Firm maintains for its own customer information.
(b) Breach Notification. The service provider shall notify [FIRM NAME] in writing within [X] business days (not to exceed 30 days) of discovering any actual or reasonably suspected unauthorized access to, or disclosure of, customer information maintained by or on behalf of the service provider. Notification shall include: (i) the nature of the incident; (ii) the customer information involved; (iii) an estimated number of affected customers; and (iv) the steps taken and planned to contain, investigate, and remediate the incident.
(c) Right to Oversight. [FIRM NAME] reserves the right to conduct or commission a security review of the service provider's information security practices, including review of relevant audit reports (such as SOC 2 reports), and the service provider shall cooperate fully with such review.
(d) Subcontractors. The service provider shall not share customer information with subcontractors without prior written approval from [FIRM NAME] and shall require any approved subcontractors to maintain safeguards equivalent to those required under this agreement.
(e) Data Return and Destruction. Upon termination of the engagement, the service provider shall return or destroy all customer information in its possession within [X] days, and provide written certification of destruction upon request.
Legacy Contracts. Contracts executed before [COMPLIANCE DATE] that do not include all required provisions shall be reviewed at next renewal or no later than [DATE]. The Compliance Officer shall maintain a log of legacy contracts pending amendment and the target amendment date for each.
Section 4: Ongoing Monitoring
Annual Review. At least annually, the Compliance Officer shall conduct a formal review of each covered service provider. The annual review shall assess:
- Whether the vendor's security practices remain adequate based on current SOC 2 or equivalent audit reports
- Whether the vendor has reported any incidents or experienced any publicly known breaches since the last review
- Whether the vendor's access to customer information has changed materially
- Whether required contract provisions remain in effect and up to date
- Whether the vendor should be retained, placed on a watch list, or terminated
Annual review findings shall be documented in a vendor review report and retained in the provider's compliance file.
Triggered Reviews. In addition to annual reviews, the Compliance Officer shall conduct a triggered review of a service provider whenever:
- The provider reports a breach or suspected breach involving customer information
- The provider undergoes a material change in ownership, management, or technology infrastructure
- The Firm materially changes the scope of customer information shared with the provider
- An SEC examination request, deficiency letter, or regulatory action references the provider
Triggered reviews shall be documented with the triggering event, findings, and any corrective actions taken.
Ongoing Monitoring Activities. Between formal reviews, the Compliance Officer shall:
- Monitor publicly reported incidents involving covered vendors
- Review vendor security alerts or patch notices that may affect customer data
- Track receipt of required annual SOC 2 reports or equivalent documentation from Tier 1 providers
Section 5: Incident Response Coordination
Vendor Breach Notification Protocol. Upon receiving notice of an actual or suspected breach from a service provider, the Compliance Officer shall:
- Log the notification with date, time, and method of receipt
- Assess the scope of customer information potentially affected
- Activate the Firm's Incident Response Program with respect to the vendor-related incident
- Determine whether notification obligations to affected customers are triggered under Reg S-P's 30-day requirement
- Consult legal counsel if the scope or customer impact is uncertain
- Document all response actions and communications
Coordination with Incident Response Program. This policy operates in coordination with [FIRM NAME]'s written Incident Response Program. A vendor-caused breach is treated as an incident under that program, and the breach notification provisions of Reg S-P apply regardless of whether the breach originated within the Firm or at a service provider.
Vendor Continuity Assessment. Following a material breach at a service provider, the Compliance Officer shall assess whether to continue the vendor relationship, require enhanced safeguards, or transition to an alternative provider. The assessment and outcome shall be documented.
Annual Policy Review and Recordkeeping
This policy shall be reviewed at least annually as part of [FIRM NAME]'s annual Rule 206(4)-7 compliance review. The annual review shall assess whether the policy remains adequate given changes in:
- The Firm's vendor relationships
- The volume and sensitivity of customer information the Firm processes
- Regulatory guidance or SEC examination priorities
- Reported incidents at peer firms or custodians
All records required by this policy -- due diligence questionnaires, vendor register, contract review logs, annual review reports, triggered review documentation, breach response records -- shall be retained for at least five years and made available to SEC examiners upon request.
For a broader checklist of records required under Reg S-P, see SEC Regulation S-P Compliance Checklist for Small Investment Advisers.
What SEC Examiners Look for in Vendor Oversight Policies
Understanding the exam angle helps ensure the written policy holds up when it counts. Based on SEC examination priorities and published deficiency patterns, examiners focus on:
Is the policy specific to the firm? Generic templates that do not name the Firm's actual vendors, describe the Firm's actual data flows, or reflect the Firm's actual oversight practices are red flags. Examiners ask how the policy was implemented, not just whether it exists.
Is the vendor register current? A policy that references a vendor register creates an immediate gap if that register is outdated or omits covered vendors. The register is a core piece of exam-request documentation.
Are contracts actually updated? Firms that have a strong written policy but legacy service contracts missing the required breach notification or oversight provisions receive deficiency findings on the contract gap specifically.
Is there evidence of ongoing monitoring? A policy describing annual reviews is only useful if there are annual review reports to show. Examiners expect documentation of each year's monitoring activities, not just assertions that monitoring occurs.
Does the incident response procedure connect to actual vendor incidents? If a covered vendor experienced a breach during the review period and the firm has no documentation of its response, that is a significant deficiency, regardless of how well the policy reads on paper.
For a full breakdown of what an SEC examination looks like and how to prepare, see What SEC Examiners Look For in a Reg S-P Examination.
Using This Template
The sections above are starting points, not final documents. Before incorporating any language into your firm's written compliance program:
- Replace all bracketed fields with firm-specific information
- Review the contractual standards section with your compliance counsel to match your actual vendor agreements
- Add vendor-specific language for your custodian relationship, which typically has oversight dynamics different from those of other providers
- Confirm the breach notification timeline in Section 3(b) aligns with your overall incident response procedures
If your firm has not yet produced the full set of required Reg S-P documents -- incident response program, service provider oversight policy, breach notification templates, and recordkeeping procedures -- RegShield generates all four as examination-ready PDFs in about 15 minutes, customized to your firm profile.
Frequently Asked Questions
What must a Reg S-P service provider oversight policy include?
Under the amended Regulation S-P, a compliant service provider oversight policy must address five elements: scope (which vendors are subject to oversight); initial due diligence (how the firm vets vendors before onboarding); contractual standards (what security and notification provisions must appear in vendor contracts); ongoing monitoring (how the firm reviews vendor security on a continuing basis); and incident response coordination (how the firm responds when a vendor reports a breach involving client data).
Does Reg S-P require a separate vendor oversight document or can it be part of the main compliance manual?
Reg S-P does not specify a particular document format. Many small RIAs maintain a standalone written service provider oversight policy, while others incorporate the required elements into a broader information security or compliance manual. SEC examiners look for the substance -- written procedures covering the five required elements -- not a specific format. A standalone document is easier to produce, update, and present to an examiner on request.
Which vendors must be included in a Reg S-P oversight policy?
Any service provider that receives, maintains, processes, or otherwise has access to customer information. For most small RIAs, this includes the custodian, portfolio management software, CRM, cloud storage, email provider, IT support, and any outsourced compliance technology. The rule covers providers who handle customer information even incidentally -- an IT vendor who can access client folders during support work qualifies.
What contract language does Reg S-P require for service providers?
The amended rule expects vendor contracts to include: a requirement that the vendor maintain appropriate information security safeguards; an obligation to notify the RIA promptly of any breach involving customer information; a right for the RIA to conduct or request security reviews; and a provision addressing data handling upon contract termination. Contracts signed before the compliance date should be reviewed and amended to include these terms at the next renewal opportunity.
How often must a service provider oversight policy be reviewed?
At least annually. The annual Rule 206(4)-7 compliance review is the appropriate vehicle for assessing whether the service provider oversight policy remains accurate and whether vendors are being monitored as the policy describes. Reviews should also be triggered by material events: a vendor breach, a significant change in vendor services, or onboarding a new high-risk vendor. See Reg S-P and Your Annual Rule 206(4)-7 Compliance Review for how to structure this.
Can RegShield generate a complete service provider oversight policy for my firm?
Yes. RegShield's Service Provider Oversight document is one of the four core documents generated for each firm. It is customized to your specific vendors, data flows, and firm profile based on your intake responses, and produced as an examination-ready PDF.
Rees Calder
Rees is the founder of RegShield and CEO of Levity Leads Ltd. He works with small registered investment advisers to simplify SEC compliance, with a focus on making Regulation S-P requirements accessible and actionable for firms that lack dedicated compliance departments.