The Reg S-P clock is running — and most smaller firms still aren't ready. If your firm manages less than $1.5 billion in AUM, you have 35 days to implement a written incident response plan under the SEC's updated Regulation S-P. The compliance deadline is not a soft target. When examination staff arrives, the written incident response plan is one of the first documents they will request — and its absence is a straightforward deficiency finding, not a gray area.
The rule's scope is broader than most advisers have internalized. The requirement covers any incident involving unauthorized access to customer information — and it extends to breaches caused by your service providers and vendors, not just your own systems. If a third-party AI tool, CRM platform, portfolio management system, or meeting transcription service you use has access to client data and experiences a breach, your firm is responsible for the response. Contracting with a vendor does not transfer your compliance liability. The obligation stays with you.
"RIAs must notify affected individuals whose sensitive information was, or is reasonably likely to have been, accessed or misused — and document that an investigation was conducted."
The notification requirement is the sharpest edge of the rule. Affected clients must be notified promptly, and the documentation burden is just as significant as the notification itself. You must be able to demonstrate that your firm detected the incident, assessed its scope, contained it, and conducted a formal investigation. An undocumented response is treated the same as no response in an exam context. Firms that have invested in cybersecurity technology but skipped the written policy layer are in the most exposed position right now — because technology without documentation does not satisfy the rule.
Layered on top of Reg S-P, the SEC's 2026 Examination Priorities make AI governance a thread running through virtually every exam focus area this year — fiduciary duty, cybersecurity, AML, marketing compliance, and Form ADV disclosure accuracy are all being examined through an AI lens. Examiners are no longer asking whether you use AI. They are asking whether you can demonstrate human review of AI outputs, whether you have a documented governance framework, and whether your client-facing disclosures accurately reflect what AI does and does not do at your firm. AI washing — overstating AI capabilities in Form ADV or marketing materials — has already produced enforcement actions. The inverse is equally real: deploying AI without documented human oversight exposes your firm under Rule 206(4)-7.
Three things to complete before June 3 — in order of priority.
Draft your written incident response plan. The plan must cover four core elements: detection and assessment procedures, containment steps, client notification protocols, and documentation requirements. It must specifically address your vendor relationships — for each third-party service provider that has access to client data, your plan should name the vendor, describe the data it can access, and outline how you would coordinate with that vendor in the event of a breach. If your firm is small and you are the CCO, a well-structured two-page policy signed by you satisfies the baseline requirement. If you have outside compliance counsel, this is the week to call them. Templates are available from NSCP, the Investment Adviser Association, and most major compliance consultants — but the plan must be customized to your actual vendor and technology environment, not a generic form.
Build your AI tool inventory. Pull together a complete list of every AI-powered tool your firm currently uses — including tools that may not be labeled as AI but use machine learning under the hood, such as certain portfolio analytics, risk scoring, or client communication platforms. For each tool, document six things: who authorized its use, what client or portfolio data it can access, whether a data processing agreement exists with the vendor, how outputs are reviewed before acting on them, who is responsible for that review, and whether the tool is disclosed anywhere in your Form ADV. This inventory becomes the foundation of your AI governance framework — and if an examiner asks, having it ready demonstrates that your firm is managing AI risk intentionally rather than reactively.
Review every AI-related statement in your Form ADV and marketing materials. Pull your current Form ADV Part 2A and search for any mention of artificial intelligence, machine learning, algorithms, automated tools, or data-driven processes. For each mention, ask: is this description accurate as of today? Does it match how we actually use these tools? Are there tools we are now using that are not disclosed? Overstated AI claims — saying you use AI for investment selection when you don't — and understated claims — using AI tools that materially affect client outcomes without disclosing them — carry the same enforcement risk. The SEC has brought cases on both sides. If your next annual amendment is more than 60 days away and you identify a material gap, consider filing an interim amendment rather than waiting.
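The three steps above produce three artifacts that have to agree with each other: the vendor list inside the incident response plan, the AI tool inventory with its six fields, and the AI statements in Form ADV. The script below is an added example, not part of this newsletter or any template it cites, showing one way to keep the inventory in a checkable form and flag the gaps an examiner would look for: a tool that reads client data but has no data processing agreement, a tool with no named reviewer, a tool that affects client outcomes but is not disclosed, a vendor with data access that the incident response plan never names, and an ADV mention of a tool that is not actually in use. The schema, the tool names and the sample rows are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class AITool:
    """One row of the AI tool inventory (hypothetical schema, constructed for this example)."""
    name: str
    authorized_by: Optional[str]      # who approved its use
    data_access: Set[str]             # client/portfolio data categories it can read
    dpa_in_place: bool                # data processing agreement signed with the vendor
    review_process: Optional[str]     # how outputs are checked before anyone acts on them
    reviewer: Optional[str]           # who is accountable for that review
    disclosed_in_adv: bool            # mentioned in Form ADV Part 2A
    affects_client_outcomes: bool     # e.g. used for selection, scoring or recommendations


@dataclass
class IncidentResponsePlan:
    """Vendors the written plan names, each with data description and coordination steps."""
    covered_vendors: Set[str]


def tool_gaps(tool: AITool, plan: IncidentResponsePlan) -> List[str]:
    """Return the governance gaps for a single inventory row, in a stable order."""
    issues: List[str] = []
    if tool.authorized_by is None:
        issues.append("no documented authorization")
    if tool.data_access and not tool.dpa_in_place:
        issues.append("accesses client data but no DPA")
    if tool.review_process is None or tool.reviewer is None:
        issues.append("no documented human review of outputs")
    if tool.affects_client_outcomes and not tool.disclosed_in_adv:
        issues.append("materially affects client outcomes but not disclosed in Form ADV")
    if tool.data_access and tool.name not in plan.covered_vendors:
        issues.append("has client data access but is not named in the incident response plan")
    return issues


def inventory_gaps(tools: List[AITool], plan: IncidentResponsePlan) -> Dict[str, List[str]]:
    """Map tool name -> gaps; tools with a clean row are omitted."""
    return {t.name: gaps for t in tools if (gaps := tool_gaps(t, plan))}


def adv_consistency(tools: List[AITool], adv_mentions: Set[str]) -> Dict[str, List[str]]:
    """Two-sided ADV check: tools claimed but not in use, and tools in use but undisclosed."""
    in_use = {t.name for t in tools}
    overstated = sorted(adv_mentions - in_use)
    understated = sorted(t.name for t in tools
                         if t.affects_client_outcomes and not t.disclosed_in_adv)
    return {"overstated": overstated, "understated": understated}


# Constructed sample data: three hypothetical tools, a plan naming two vendors,
# and an ADV that mentions one tool the firm no longer uses.
SAMPLE_TOOLS = [
    AITool("MeetingScribe", "CCO", {"meeting transcripts", "client names"},
           False, "advisor reads summary before filing", "lead advisor", False, False),
    AITool("PortfolioRank", "CIO", {"holdings", "risk scores"},
           True, "investment committee reviews rankings weekly", "CIO", True, True),
    AITool("ChatHelper", None, set(), False, None, None, False, False),
]
SAMPLE_PLAN = IncidentResponsePlan({"PortfolioRank", "CRM vendor"})
SAMPLE_ADV_MENTIONS = {"PortfolioRank", "AlphaSelect"}


if __name__ == "__main__":
    for name, issues in inventory_gaps(SAMPLE_TOOLS, SAMPLE_PLAN).items():
        print(f"{name}:")
        for issue in issues:
            print(f"  - {issue}")
    print("ADV consistency:", adv_consistency(SAMPLE_TOOLS, SAMPLE_ADV_MENTIONS))
```

Run on the sample rows, MeetingScribe is flagged for the missing DPA and for being absent from the incident response plan, ChatHelper for having no authorization and no reviewer, and the ADV check reports AlphaSelect as an overstated claim; PortfolioRank passes. The point of keeping the inventory as data rather than a prose memo is that the same cross-checks can be rerun each time a vendor is added or the ADV is amended.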
What the RIA Edge 100 actually found about AI and capacity. The most interesting data point from this year's RIA Edge 100 research is what didn't happen. Despite widespread AI adoption across the top-performing independent firms, not one of them plans to increase client-to-advisor ratios as a result.
Instead, the leaders of these firms describe AI as creating what one executive called "invisible efficiency" — faster meeting prep, sharper client communications, better data retrieval — without changing the fundamental ratio of human attention to client relationships. The implication for your practice is worth sitting with: the productivity gain from AI is real, but its competitive value may come not from serving more clients but from serving existing clients more deeply.
The firms winning with AI in 2026 are the ones using it to go deeper, not wider. Compliance-aware tools like Microsoft Copilot deployed with formal governance are outperforming general-purpose AI chatbots deployed informally — not just from a regulatory standpoint, but from a practice quality standpoint.
The clearest plain-English breakdown of this year's examination priorities available. Covers how private fund oversight, AI governance, Reg S-P, and fiduciary duty are now being examined as interconnected issues rather than separate checklist items. If you read one compliance document this month, make it this one.
Six additional developments from this week's source sweep that didn't make the lead sections but belong on your radar.
Fed · April 29, 2026
Rates held at 3.5%–3.75% — with four dissenters, the most since 1992. The April FOMC decision was no surprise, but the internal fracture was. Governor Miran voted to cut 25 bps. Three others objected to the statement's easing bias. Kevin Warsh's Senate Banking Committee confirmation vote cleared the same day. He takes the chair May 15. The next FOMC meeting is June 16–17 — Warsh's first.
NASAA · May 4, 2026
NASAA modernizes state-level advertising rules — testimonials and endorsements now permitted. Effective May 4, NASAA adopted amendments to four model investment adviser advertising rules, bringing state standards into closer alignment with the SEC's 2020 marketing rule. State-registered advisers can now use client testimonials, endorsements, and third-party ratings under defined guardrails. If you are state-registered and have been sitting on client testimonials for your website, the regulatory path just opened. Check whether your state has adopted the model rule before acting.
FINRA · 2026 Oversight Report
FINRA explicitly requires human monitoring of all GenAI model outputs — including autonomous agents. The 2026 FINRA Regulatory Oversight Report added a new GenAI governance section this year. Key expectation: controls must address hallucinations, bias, and cybersecurity risks. Autonomous AI agents require novel oversight frameworks including action tracking and restricted system access. Dually registered firms should treat this as parallel to the SEC's AI governance posture — the standard is converging.
FINRA · Pending Rule
FINRA's proposed outside business activity rule narrows what must be reported — but adds a new carve-out for unaffiliated RIA activity. The proposed rule filed with the SEC reduces the scope of reportable outside activities significantly, limiting disclosure requirements to investment-related activities only. Notably, activity at an unaffiliated RIA would no longer require broker-dealer supervision and recordkeeping as if it were executed on behalf of the member. This reverses long-standing guidance and has direct implications for dually registered advisors. The rule is pending SEC approval; its effective date is TBD.
Compliance Calendar · May 15, 2026
Form 13F quarterly filing due May 15. Applicable to institutional investment advisers exercising discretion over $100M or more in Section 13(f) securities. If this applies to your firm, the deadline is ten days away. Electronic filing only — confidential treatment requests must also be filed electronically.
NASAA · May 5, 2026
NASAA Public Policy Symposium convened in Washington this week. State securities regulators gathered to discuss market trends and regulatory priorities. Senior investor protection, state-federal coordination on AI governance, and the franchise broker regulatory gap were on the agenda. No binding outputs from a symposium, but NASAA's stated priorities tend to surface as model rules within 12–18 months.
Source Intelligence
This issue was compiled from 62 verified sources monitored weekly, including SEC.gov press releases and rulemaking, FINRA regulatory notices and oversight reports, NASAA current headlines and model rules, Federal Reserve FOMC statements, BLS economic releases, CFP Board enforcement, Federal Register SEC materials, OFAC sanctions updates, CME FedWatch, FRED economic data, U.S. Treasury yield data, and eight RIA trade publications including Kitces.com, Advisor Perspectives, Investment News, ThinkAdvisor, Wealth Management, and Financial Planning.
A Note From The Brief
This is Issue 001. Basis Points Brief exists because independent advisors deserve the same quality of synthesized regulatory and practice intelligence that large wirehouse research desks produce — delivered in five minutes, not five hours. If this was useful, forward it to one advisor who needs it. That is how we grow.
Next week: Warsh's first FOMC meeting is June 16. What his rate posture means for your fixed income allocations — and the Reg S-P incident response plan template you can use today.