Reg S-P vs. Reg S-ID: Two Rules, Two Jobs, One Firm That Needs to Handle Both

The short version

Reg S-P (the Safeguards Rule + Privacy/Opt-Out Notices) protects customer financial information from unauthorized access. It was adopted in 2000 under the Gramm-Leach-Bliley Act and significantly amended in 2024.

Reg S-ID (the Red Flags Rule) requires firms to detect, prevent, and mitigate identity theft in connection with covered accounts. It was adopted in 2013 under the Dodd-Frank Act, implementing Section 114 of the Fair Credit Reporting Act.

They come from different statutes, have different triggers, and impose different requirements. Compliance with one does not satisfy the other.

Side by side

Reg S-P: what it requires

The full set of Reg S-P obligations for RIAs:

• Privacy notices (initial and annual) explaining your information-sharing practices
• Opt-out rights for sharing with non-affiliated third parties
• Safeguards Rule: Written policies to protect customer information
• Incident response program (new in 2024): detect, respond to, and recover from unauthorized access
• 30-day breach notification (new in 2024): notify affected individuals
• 72-hour vendor notification (new in 2024): contractual obligation for service providers
• Record-keeping of all compliance activities

Reg S-ID: what it requires

Reg S-ID requires a written Identity Theft Prevention Program (ITPP) that includes:

• Identification of red flags relevant to your firm (patterns, practices, or activities that signal possible identity theft)
• Detection of red flags in day-to-day operations
• Response procedures when red flags are detected
• Periodic updates to the program
• Senior management oversight and approval
• Staff training on the program

What are "covered accounts"?

Reg S-ID applies to firms that maintain "covered accounts," defined as:

1. An account used primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions, or
2. Any other account that poses a reasonably foreseeable risk of identity theft

If you have discretionary authority over client accounts, you almost certainly have covered accounts. The SEC has indicated that most RIAs likely do. Unless you've specifically analyzed your accounts and documented why they don't qualify, assume Reg S-ID applies.

Red flags RIAs should watch for

The SEC provides 26 examples across five categories. For RIAs, the most relevant include:

• Alerts from credit reporting agencies
• Suspicious documents (IDs that appear altered)
• Inconsistent personal information (SSNs that don't match, unfamiliar addresses)
• Unusual account activity (unauthorized transfer requests, wire instructions to unfamiliar accounts)
• Notice from clients, law enforcement, or other sources about potential identity theft

Where they overlap

Both rules require written policies and staff training, plus periodic program updates. When a security incident occurs, both programs may be triggered at the same time.

For example: if an employee's email is compromised and a bad actor sends fraudulent wire instructions using a client's name, you have a Reg S-P issue (unauthorized access to customer information) and a Reg S-ID issue (identity theft red flag). Your response should address both.

How to integrate them

You do not need two separate compliance programs that never talk to each other. Build one coordinated program around three documents:

1. Privacy Policy and Notices (Reg S-P): Your information-sharing disclosures and opt-out provisions
2. Written Information Security Plan and Incident Response Plan (Reg S-P Safeguards + 2024 amendments): Your data protection policies and breach response procedures
3. Identity Theft Prevention Program (Reg S-ID): Your red flags identification, detection, and response procedures

These three documents should cross-reference each other. Your IRP should include a step to assess whether identity theft red flags are present. Your ITPP should reference your incident response procedures for when a red flag indicates a data breach.

Enforcement

The SEC has been more active on Reg S-P enforcement. Cetera Advisers paid $300,000 in 2021 for inadequate cybersecurity policies after email compromises. R.T. Jones Capital Equities Management paid $75,000 in 2015 for having no cybersecurity policies at all.

Reg S-ID enforcement against RIAs has been quieter, but the Division of Examinations still reviews Identity Theft Prevention Programs during exams. Deficiency letters for missing or weak ITPPs are common. It may not make headlines, but examiners are checking.

Common misconceptions

• "Reg S-ID doesn't apply to RIAs." It almost certainly does, if you have discretionary authority over client accounts.
• "They're basically the same rule." Different statutes, different triggers, different requirements.
• "The 2024 amendments combined them." Nope. The 2024 amendments only changed Reg S-P. Reg S-ID is untouched.
• "Small RIAs are exempt from Reg S-ID." No size exemption exists. If you have covered accounts, you need an ITPP.

What to do

If you're focused on the Reg S-P amendments right now (and you should be, given the June 2026 deadline), don't let Reg S-ID slide. It is already in effect. Check whether you have an Identity Theft Prevention Program. If you don't, build one. If you do, dust it off and make sure your staff actually know about it.

Then connect the dots between your programs. Examiners want to see coordination, not three unrelated binders on a shelf. BlackSheep keeps it all connected.