
Reg S-P Just Changed Your AI Vendor List

By Jameson Daines · June 8, 2026

The compliance deadline for smaller registered investment advisers under the SEC's amended Regulation S-P passed on June 3, 2026. If you're an independent RIA and you've been telling yourself you'd deal with the new requirements later, later has arrived.

Most of the coverage of these amendments focuses on the breach notification requirement, which is real and important. But the provision that has the most day-to-day impact on how independent advisers work is the service-provider oversight obligation. That obligation, applied to the AI tools advisers actually use, creates a new kind of vendor-management burden that most firms haven't fully mapped out.

I want to walk through what changed, what the shadow-AI problem looks like under the new rules, and why the architecture of the AI tools you use matters more now than it did before June.

What the Reg S-P amendments actually require

The Reg S-P amendments published in the Federal Register in May 2024 made several changes that are now in effect for smaller firms. The ones that matter most for AI use:

Holland & Knight's analysis of the amendments covers the service-provider definition and the documentation requirements in practical detail. The key point for AI tools: a service provider is any entity that receives, maintains, processes, or is otherwise permitted access to customer information on your behalf. An AI tool that you paste client financial data into almost certainly qualifies.

The shadow-AI problem, now a compliance problem

The industry has known for a while that most RIA advisers using AI are doing it informally. They're pasting client data into ChatGPT or Claude on personal accounts, not through any firm-approved tool, not documented anywhere, not overseen by the CCO. The estimate I've seen most consistently is that the majority of AI-using advisers at smaller firms are in this category.

Before the Reg S-P amendments, this was a risk-management and professional-judgment problem. You were potentially exposing client data and you didn't have documented controls around it. That was bad practice, but the specific regulatory trigger was softer.

After June 3, it's a service-provider oversight problem. If your advisers are pasting client data into ChatGPT, then OpenAI is receiving, maintaining, and processing customer information on your behalf, within the plain reading of the amended rule. Whether you've assessed OpenAI as a service provider, whether you have a written contract with OpenAI that addresses the Reg S-P obligations, and whether you've built procedures to address OpenAI's potential failures are now questions your CCO needs an answer to.

The SEC's AI-washing enforcement actions in 2025 and 2026 showed the commission is willing to act on AI-related compliance gaps at investment advisers. The combination of those actions and the new Reg S-P service-provider obligation makes the shadow-AI situation materially riskier than it was a year ago.

What service-provider oversight means for your AI stack

Let's be concrete about what the oversight obligation looks like for the AI tools advisers actually use.

Jump is the category leader for AI meeting notes in the RIA space, with around 27,000 advisers using it. It has SOC 2 Type II certification, contractual no-training policies, and a real security posture. But under the amended Reg S-P, Jump is a service provider receiving customer information. You need a written contract with Jump that addresses the new requirements, you need to periodically assess Jump's practices, and you need procedures for what happens if Jump has an incident. If you're already on Jump and haven't revisited your contract since the amendments, that's a gap.

Zocks positions itself as privacy-forward, with a no-recording architecture where audio is processed locally and only notes are sent to the cloud. That's a meaningfully better posture than tools that store audio. But notes containing client financial information are still leaving your machine and arriving at Zocks' infrastructure. The same oversight obligation applies.

ChatGPT or Claude on a personal account: OpenAI and Anthropic have no contractual relationship with your firm for the purposes of Reg S-P. Consumer accounts have no data processing agreements, no explicit Reg S-P accommodations, and no SOC 2 coverage for your firm's use of their consumer product. This is the clearest gap.

The oversight burden compounds when you multiply it across every AI tool in the firm. Each one needs a vendor assessment, a written contract addressing the new obligations, and ongoing monitoring. For a small RIA with one or two staff members doing compliance part-time, that's a real burden.

The zero-vendor-surface option

There's a fundamentally different approach: use an AI tool where no AI vendor receives your client data at all.

With a local model running on your own hardware, the AI inference happens on your machine. Your client data never leaves your network as part of an AI request. There is no service provider receiving, maintaining, or processing that customer information, because it never went anywhere. Under the amended Reg S-P, there is no AI vendor to oversee, assess, or contract with for this data path.

This is architecturally different from a tool that promises strong data handling. A strong data handling promise is a contractual commitment about what a vendor does with data after it arrives. A local model means the data never arrives at any vendor. The Reg S-P service-provider oversight obligation simply does not attach to a vendor that never receives the data.

That's a significant simplification of your compliance posture, especially for a small firm where the CCO and the adviser are the same person.

The books-and-records angle

Rule 204-2 under the Investment Advisers Act requires RIAs to maintain certain records, including records of written communications. AI-generated outputs that touch client recommendations, meeting summaries, or investment rationale are increasingly in scope for that requirement.

If your AI-generated outputs live in a cloud vendor's database, you have a records-retention dependency on that vendor. If the vendor changes its pricing, gets acquired, or shuts down, your records situation becomes complicated. If you have an SEC examination and the relevant AI outputs are stored in a tool you no longer have access to, you have a production problem.

AI outputs that live as plain files on your own drive, in folders you control, are records you have direct custody of. You can produce them in an examination without depending on a vendor's cooperation or availability. This is a small but real advantage of the local-file architecture that most cloud AI tools don't offer.

Practical next steps for an independent RIA

If you're catching up after the June 3 deadline, the most urgent things:

  1. Inventory your AI tools. Every tool where client financial data is being entered, even informally, is a potential service provider under the amended rule. Get the list on paper.
  2. Assess the contractual posture. For each tool on that list, do you have a written contract that addresses data handling in a way that satisfies the Reg S-P service-provider requirements? If not, you have a gap to close.
  3. Document your incident-response program. This doesn't need to be elaborate, but it needs to exist in writing and it needs to cover your AI tools.
  4. Consider whether the local model path simplifies your posture. If the service-provider oversight burden is the main friction point, a local model removes it for the AI inference data path entirely.

Advisor Prep Hero is built for the RIA who wants to use AI seriously without adding to the compliance burden. When you run it with a local model, there's no AI vendor in your data path: no service provider to vet, no written contract to negotiate, no periodic assessment to document. Your outputs are plain Markdown files in a folder on your drive. The advisor workflow templates were built with input from practicing RIAs and include IPS drafting, meeting prep, and client communication templates. The local model setup guide walks through connecting Ollama so your client data stays on your hardware. For advisers evaluating the purpose-built meeting-notes tools, here's an honest comparison of Advisor Prep Hero and Jump, including where Jump is the better choice.

The Reg S-P amendments are in effect. The AI vendor you use for client work is now a compliance question, not just a product preference. The cleanest answer to that question is a tool where the question doesn't arise.

This is informational, not legal or compliance advice. Reg S-P obligations depend on the specific facts of your practice, your registration status, and the tools you use. Verify your compliance posture with your own compliance counsel or CCO before making changes to your vendor stack.
