Reg S-P (Privacy) and Reg S-ID (Identity Theft)
Quick Answer
SEC Regulation S-P implements the Gramm-Leach-Bliley Act for SEC-regulated entities. It requires firms to deliver an initial privacy notice when the customer relationship is established, an annual privacy notice (with a post-2024 exception when the firm's nonpublic personal information (NPI) sharing practices have not changed), and an opt-out opportunity before NPI is shared with nonaffiliated third parties, and to maintain a Safeguards Rule program. The 2024 amendments (compliance December 3, 2025 for large firms; June 3, 2026 for small firms) added an incident response program and a 30-day customer breach notification window. SEC Regulation S-ID requires every firm with covered accounts to maintain a written Identity Theft Prevention Program built around five categories of red flags and four functional elements (identify, detect, respond, update).
Reg S-P protects customer information held inside the firm; Reg S-ID protects against fraudsters outside the firm impersonating customers. Both live in the SEC's privacy and identity-theft regulations and both apply to broker-dealers. The exam tests them as paired but distinct programs.
Reg S-P: Privacy of Consumer Financial Information
Reg S-P implements Title V of the Gramm-Leach-Bliley Act (GLBA) for SEC-regulated entities (broker-dealers, investment advisers, registered funds, transfer agents). Its core obligations:
Initial Privacy Notice
- Provided to a customer at the time of establishing the customer relationship
- Provided to a consumer (a non-customer who provided NPI to the firm) before sharing NPI with nonaffiliated third parties (subject to enumerated exceptions)
- Must describe the firm's information-collection, sharing, and protection practices in clear and conspicuous form
Annual Privacy Notice
- Provided at least once in any period of 12 consecutive months during which the customer relationship exists
- Post-2024 exception: a firm may omit the annual notice if (1) the firm only shares NPI under enumerated exceptions (e.g., for servicing, joint marketing under contract) AND (2) the firm has not changed its policies since the last notice delivered
Opt-Out Notice
- Customers must receive a reasonable opportunity to opt out before NPI is shared with nonaffiliated third parties
- Opt-out is not required for sharing under enumerated exceptions (servicing the account, joint marketing under contract, response to legal process, etc.)
- Sharing with affiliates is generally not subject to opt-out under GLBA, though it may be under the Fair Credit Reporting Act (FCRA) for certain consumer-report uses
Safeguards Rule
The firm must adopt written policies and procedures addressing:
- Administrative safeguards (training, access controls, vendor management)
- Technical safeguards (encryption, intrusion detection, authentication)
- Physical safeguards (locked file rooms, secured equipment disposal)
The Safeguards Rule is the part of Reg S-P that the 2024 amendments significantly upgraded.
Disposal Rule
Firms must take reasonable measures to protect against unauthorized access to consumer information in the course of disposal: shredding paper records, wiping or destroying digital media, using contractor services that certify secure destruction.
Exam Tip: Gotchas
- Reg S-P opt-out is required for sharing with nonaffiliated third parties, not affiliates. The exam will sometimes describe a firm sharing customer data with a corporate affiliate (for example, a sister investment-management firm) and ask if opt-out is required. Generally no, though FCRA may impose its own restriction for consumer-report use.
- The annual privacy notice has a post-2024 exception for unchanged sharing practices. A firm that only shares NPI under enumerated exceptions and has not changed its policies may skip the annual notice. The initial notice is still required.
The 2024 Reg S-P Amendments
The SEC adopted significant Reg S-P amendments in May 2024. The compliance dates depend on firm size:
| Firm Size | Compliance Date |
|---|---|
| Large firms ($1.5 billion or more in total assets under management or $1.5 billion or more in total assets) | December 3, 2025 |
| Small firms (below the large-firm thresholds) | June 3, 2026 |
The amendments require:
- Incident response program: written policies and procedures addressing assessment, containment, and notification when unauthorized access to or use of customer information occurs
- Customer notification as soon as practicable, but no later than 30 days after the firm determines that unauthorized access to or use of sensitive customer information has occurred or is reasonably likely to have occurred
- Service provider oversight: due diligence on service providers' ability to protect customer information and contractual provisions requiring notice to the firm of breaches at the service-provider level
Think of it this way: Pre-2024, Reg S-P required firms to safeguard customer information but did not require them to tell customers when the safeguards failed. The 2024 amendments closed that gap with a 30-day notification clock.
Exam Tip: Gotchas
- The 2024 Reg S-P amendments added a 30-day customer breach-notification window that did not exist before. A firm that learns of unauthorized access to sensitive customer info must notify affected individuals as soon as practicable but within 30 days. Pre-2024, no such notification was federally required at the SEC level.
- Large firms hit compliance December 3, 2025; small firms hit compliance June 3, 2026. The size definition turns on assets / AUM, not employee count or revenue.
Reg S-ID: Identity Theft Red Flags
SEC Regulation S-ID applies to broker-dealers, investment advisers, and other SEC-registered entities that maintain covered accounts.
Covered Accounts
A covered account is:
- An account offered or maintained primarily for personal, family, or household purposes that involves or permits multiple payments or transactions (for example, a brokerage account permitting wire transfers), OR
- Any other account where there is a reasonably foreseeable risk of identity theft
Pure proprietary trading accounts and most institutional accounts generally fall outside the definition because they do not exist for personal / family / household purposes and the foreseeable identity-theft risk is low.
The Written Identity Theft Prevention Program
A firm with covered accounts must maintain a written program with four functional elements:
| Element | Function |
|---|---|
| Identify | Identify relevant red flags for covered accounts |
| Detect | Detect those red flags in operations |
| Respond | Respond appropriately to prevent and mitigate identity theft |
| Update | Update the program periodically to reflect changing risks |
Five Categories of Red Flags
The rule's appendix lists 26 illustrative red flags grouped into five categories:
| # | Category | Examples |
|---|---|---|
| 1 | Alerts and notifications from consumer reporting agencies or service providers | Fraud alerts, address-discrepancy notices, credit-freeze indicators |
| 2 | Suspicious documents | Altered or forged identification, photos that do not match the customer, document with a photo of someone else |
| 3 | Suspicious personal identifying information | SSN that has not been issued, address mismatched to the SSN, address change inconsistent with known customer profile |
| 4 | Unusual use of, or other suspicious activity related to, a covered account | Sudden mail-redirect requests, unusual login patterns, dormant account suddenly active, transactions inconsistent with profile |
| 5 | Notice from customers, identity theft victims, law enforcement, or other persons regarding possible identity theft | Customer reports unauthorized account access; law enforcement contacts the firm about a customer's stolen identity |
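The red-flag categories above describe detection logic, and the four functional elements describe how a program wraps it. The following is an added illustration, not code from the rule or from any firm's program: a small Python rule set that identifies a handful of red flags drawn from categories 1, 3, 4 and 5 of the table, detects them in a constructed stream of account events for a hypothetical customer profile, and maps each hit to a response. The event types, field names, the 90-day dormancy threshold and the 7-day mail-redirect window are all assumptions chosen for the example; a real program would tune them to its own account base and review them as part of the "update" element.

```python
from datetime import datetime, timedelta

# Assumed thresholds (not from the rule): what counts as "dormant" and how close
# a transfer must follow a mail-redirect request to be treated as linked.
DORMANT_DAYS = 90
REDIRECT_WINDOW = timedelta(days=7)

# Event types that represent activity on the account by (someone claiming to be)
# the customer, as opposed to notices arriving from third parties.
CUSTOMER_ACTIVITY = {"login", "address_change", "mail_redirect_request", "wire_request"}

# Constructed customer profile for a hypothetical covered account.
PROFILE = {
    "account_id": "ACCT-EXAMPLE-0001",
    "home_state": "NY",
    "usual_countries": {"US"},
}

# Constructed event stream: long-dormant account, then a burst of activity from an
# unusual country, an address change, a mail redirect, a wire, a CRA notice, and a
# customer complaint.
EVENTS = [
    {"ts": "2025-01-10T09:00:00", "type": "login", "country": "US"},
    {"ts": "2025-06-20T03:12:00", "type": "login", "country": "RO"},
    {"ts": "2025-06-20T03:15:00", "type": "address_change", "new_state": "TX"},
    {"ts": "2025-06-20T03:20:00", "type": "mail_redirect_request"},
    {"ts": "2025-06-20T03:25:00", "type": "wire_request", "amount": 45000},
    {"ts": "2025-06-21T11:00:00", "type": "cra_alert", "alert": "address_discrepancy"},
    {"ts": "2025-06-22T10:00:00", "type": "customer_report", "detail": "did not request wire"},
]

# "Respond" element: one mitigation per red-flag category (illustrative wording).
ACTIONS = {
    1: "verify identity with the customer before allowing further account changes",
    3: "confirm the address change through a contact channel already on file",
    4: "hold pending transfers and contact the customer out of band",
    5: "open an identity-theft case and restrict the account pending investigation",
}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_red_flags(profile, events):
    """Return (category, reason, event_ts) tuples for every red flag the rules hit."""
    flags = []
    last_redirect = None   # time of the most recent mail-redirect request
    prev_activity = None   # time of the previous customer-initiated event
    for ev in sorted(events, key=_ts):
        ts, kind = _ts(ev), ev["type"]
        if kind == "cra_alert":
            flags.append((1, f"consumer reporting agency alert: {ev['alert']}", ev["ts"]))
        elif kind == "address_change" and ev["new_state"] != profile["home_state"]:
            flags.append((3, "address change inconsistent with known customer profile", ev["ts"]))
        elif kind == "login" and ev["country"] not in profile["usual_countries"]:
            flags.append((4, f"login from unusual country {ev['country']}", ev["ts"]))
        elif kind == "mail_redirect_request":
            last_redirect = ts
        elif kind == "wire_request" and last_redirect and ts - last_redirect <= REDIRECT_WINDOW:
            flags.append((4, "transfer shortly after mail-redirect request", ev["ts"]))
        elif kind == "customer_report":
            flags.append((5, f"customer notice of possible identity theft: {ev['detail']}", ev["ts"]))
        # Dormancy rule: any customer activity after a long silence is itself a flag.
        if kind in CUSTOMER_ACTIVITY:
            if prev_activity and ts - prev_activity > timedelta(days=DORMANT_DAYS):
                flags.append((4, "dormant account suddenly active", ev["ts"]))
            prev_activity = ts
    return flags


def respond(flags):
    """Map the categories that fired to the response each one calls for."""
    return {category: ACTIONS[category] for category, _, _ in flags}


if __name__ == "__main__":
    hits = detect_red_flags(PROFILE, EVENTS)
    for category, reason, when in hits:
        print(f"[category {category}] {when}: {reason}")
    for category, action in sorted(respond(hits).items()):
        print(f"respond to category {category}: {action}")
```

Running it against the constructed events produces six flags across categories 1, 3, 4 and 5, with category 4 firing three times (the dormant-then-active login, the login from an unusual country, and the wire that follows the mail redirect). The point for the exam framing is that the rules (identify), the loop over events (detect), the `ACTIONS` table (respond) and the tunable thresholds (update) are the four functional elements, while the five categories are the taxonomy the rules are drawn from.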
Program Administration
The Program must be:
- Approved by the board of directors (or appropriate committee or designated senior management at firms without a board)
- Overseen by senior management, including responsibility for ongoing compliance
- Reviewed at least annually to address changes in identity-theft methodology
Exam Tip: Gotchas
- Reg S-ID applies to covered accounts, not to all accounts. A firm with only proprietary trading or pure institutional accounts may have no covered accounts and accordingly no Reg S-ID program obligation. The exam may test the scope question.
- Five categories of red flags, four functional elements (Identify / Detect / Respond / Update). Do not confuse the count: 5 red-flag categories, 4 program elements.
Reg S-P vs Reg S-ID: The Distinction
Both rules live in the SEC's privacy and identity-theft regulations and both protect customers. The difference is direction:
| Rule | Threat Direction | Protection |
|---|---|---|
| Reg S-P | Information leaving the firm (intentional or breach) | Privacy notices, opt-out, Safeguards Rule, breach notification |
| Reg S-ID | Fraudsters impersonating customers from outside | Identity theft red-flag program, four functional elements |
Think of it this way: Reg S-P guards the inside of the firm (the firm holds NPI; do not let it leak). Reg S-ID guards the outside of the firm (someone may be pretending to be your customer; spot the red flags).
Exam Tip: Gotchas
- Reg S-P = privacy and safeguarding of NPI; Reg S-ID = identity-theft red flags. The exam will sometimes describe a fact pattern (a fraudster opens an account using stolen credentials) and ask which rule governs. The answer is Reg S-ID. A different fact pattern (a vendor breach exposes customer data) is Reg S-P.