The misconception is understandable. Large firms have compliance departments. They have CCOs with staff, outside counsel on retainer, and enterprise IT security teams. When you read about new SEC regulations, the mental image is a 50-person RIA with a dedicated compliance infrastructure. You run a one-person or three-person shop. Surely there is a size threshold below which this does not apply to you.
There is no such threshold. The SEC’s amended Reg S-P (Release No. 34-100155) applies to registered investment advisers regardless of size. The only concession the rule makes to smaller firms is a longer implementation deadline — and for firms under $1.5 billion in regulatory assets under management, that deadline is June 3, 2026. That is not far away, and the SEC’s 2026 examination priorities explicitly name Reg S-P Incident Response Plan readiness as a focus area. Small RIAs are on the exam list.
The Size Exemption That Does Not Exist
When the SEC released its final amended Reg S-P rule, it established two implementation timelines. Larger investment advisers, those with $1.5 billion or more in assets under management, had to comply 18 months after the rule was published in the Federal Register, which worked out to December 3, 2025. Smaller firms received 24 months, an additional six months, ending June 3, 2026. The content requirements are identical for both groups.
The extra time is not a gift of reduced compliance burden. It is an acknowledgment that smaller firms need more lead time to implement the same requirements. The SEC was not saying “small firms can do less.” The SEC was saying “small firms need more time to do the same thing.” That distinction matters enormously if you have been operating under the assumption that your firm’s size gives you a compliance pass.
What “Under $1.5B RAUM” Actually Means for Your Deadline
If your firm’s regulatory AUM is below $1.5 billion — which describes the overwhelming majority of registered investment advisers — your compliance deadline is June 3, 2026. You need all five required documents in place and operational by that date. Not drafted. Not in progress. Implemented and documentable.
SEC examiners are already visiting firms and reviewing Reg S-P readiness. Deficiency letters for non-compliant firms are already being issued. Treating June 3 as the earliest possible start date rather than the final deadline is a serious strategic error.
The Solo RIA Challenge
Running a one-person advisory practice creates a specific compliance challenge that large-firm compliance frameworks are not designed to address. The five required Reg S-P documents were written with an assumed organizational structure in mind: a compliance officer, a technology team, an operations staff, and a legal department. A solo RIA has none of these. What a solo RIA has is one person who is simultaneously the advisor, the CCO, the operations staff, and the IT department.
The CCO Problem
Several of the required documents reference the Chief Compliance Officer by role: the IRP designates the CCO as the incident response lead, the vendor oversight policy identifies the CCO as the oversight authority, and the notification procedure routes approvals through the CCO. In a solo firm, you are the CCO. That is legally acceptable, but your documents need to reflect that reality. A template that says “notify the CCO immediately” when you are the CCO, or that refers to “compliance staff” and “the IT security team” you do not have, is a document written for a different firm, and examiners know it the moment they read it.
The Vendor Dependency Problem
Solo RIAs are, paradoxically, often more vendor-dependent than larger firms. Without internal IT support, you rely entirely on an MSP. Without internal operations staff, you rely more heavily on your custodian’s portal and your portfolio management software. Without a compliance team, you rely on compliance software or outsourced compliance services. Under amended Reg S-P, any of these vendors that receives, maintains, processes or otherwise has access to customer information through the services it provides to you is a service provider you must oversee, and your policies must be reasonably designed to ensure each one notifies you as soon as possible, and no later than 72 hours, after becoming aware of a breach affecting that information. The rule does not prescribe the form that commitment takes, but a signed contractual addendum is the practical way to obtain it and to show an examiner that you did.
For a solo operator, assembling this documentation is genuinely time-consuming. You have to identify every covered vendor, review your existing agreements, determine what addenda language is needed, approach each vendor, get documents signed, and organize everything for potential examiner review. Doing this correctly from scratch takes significant effort — which is why most solo RIAs either skip it or do it badly.
The Technology Problem
Amended Reg S-P folds its records into the adviser books-and-records rule (Advisers Act Rule 204-2), so your written policies, incident documentation, service provider notifications and customer notices must be kept for five years from the end of the fiscal year in which the record was last updated, with the first two years in an appropriate office of the adviser. Solo RIAs often store records in ways that create problems here: personal email accounts, local desktops, informal file structures. Getting your recordkeeping framework aligned with the rule’s requirements requires both a written policy and an actual change to how you store and organize compliance documents.
The Five Documents You Need — Adapted for Small RIAs
The required documents are the same regardless of firm size. What changes is how they are written and structured to reflect your actual operations.
1. Written Incident Response Plan
For a solo RIA, this document needs to explicitly address the reality that one person is responsible for detection, response, containment, notification, and recovery. The rule does not spell this out, but the plan should name a backup contact, an outside attorney or compliance consultant, who can act if an incident occurs while the principal is incapacitated or unreachable. The plan must identify the specific systems that contain customer information and describe detection methods that a non-IT specialist can realistically execute.
2. Vendor Oversight Policy with 72-Hour Notification Addenda
Your vendor list is probably shorter than a large firm’s, but each vendor relationship carries significant risk because of how deeply integrated they are in your operations. At minimum, you need signed addenda from your MSP, your CRM provider, your portfolio management software vendor, and any outsourced compliance service that accesses client data. The policy itself is scaled to what one person can actually manage — no elaborate annual audit procedures that will never happen in a solo practice.
3. Updated Privacy Notice
Your current privacy notice needs to be reviewed against your actual data practices as of 2026. If you have added new technology tools, new service providers, or new data collection practices since the notice was last updated, those changes need to be reflected. Cross-check the notice against your Form ADV disclosures so the two documents do not describe your data-sharing practices differently.
4. 30-Day Customer Notification Procedure
For a solo RIA, this document is particularly important because there is no organizational structure to fall back on if you are the one who discovered the breach. The procedure needs to be clear enough that you, or someone acting on your behalf, can execute it correctly under stress. Spell out when the clock starts: the rule requires notice as soon as practicable, and no later than 30 days after you become aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, unless you determine after a reasonable investigation that the sensitive customer information has not been and is not reasonably likely to be used in a way that would cause substantial harm or inconvenience. Record that determination in writing if you rely on it. The procedure must include a pre-drafted notification template so you are not composing a breach notice from scratch during an incident.
5. Recordkeeping Framework
Specify exactly where Reg S-P compliance records are stored, how long each type of record is retained, and how you would produce them in response to an SEC examination request. For a solo practitioner, a simple, well-organized cloud storage structure with clear folder naming and version control for policy documents is sufficient — but it must be documented and consistently used.
What Getting Compliant Actually Looks Like
For a solo or small RIA starting from scratch, the path to June 3, 2026 compliance looks like this:
- Obtain the five required documents in firm-specific form — either written from scratch, developed with legal counsel, or obtained through a compliance service that produces customized documents
- Review each document to confirm it reflects your actual operations, your actual vendors, and your actual compliance authority structure
- Identify all covered service providers and approach each one with the notification addendum for signature
- Update your Form ADV if the privacy notice reveals conflicts with existing ADV disclosures
- Establish your recordkeeping structure and file all documents with version history and adoption dates clearly marked
- Document the entire process — the fact that you went through these steps is itself a compliance record
Done correctly, this takes two to three weeks for a solo practitioner doing it for the first time. June 3 is not so far away that you have unlimited runway, and exam risk does not wait for the deadline — examiners are already reviewing Reg S-P readiness at firms that have not yet hit their compliance date.
Choosing a Compliance Solution for Small RIAs
The compliance solution options for small RIAs fall into three categories, and only one of them makes practical sense.
Generic templates ($0 to $300): These fail for the reasons described throughout this article. They are not firm-specific, they do not include vendor addenda, and they were not written for one-person operations. An examiner can tell within 30 seconds that a solo RIA’s IRP was not written for that firm. Templates are a false economy — they create the illusion of compliance without the substance.
Full legal counsel engagement ($8,000 to $15,000+): This is the right answer for large or complex firms. For a solo practitioner with a straightforward client base, it is not a financially rational choice. The cost does not scale with the risk level.
Attorney-reviewed compliance packages ($1,500 to $2,500): This is the category that makes sense for small RIAs. Documents built on attorney-reviewed frameworks, customized to your specific firm, at a price point that reflects the actual complexity of a small advisory practice. This is where you get genuinely compliant documents without paying for a compliance infrastructure sized for a 20-person firm.
Red Flags: Signs You’re Not Actually Compliant
- Your IRP references “the compliance team” or “IT security staff” — you have neither
- You have not signed anything with your MSP that mentions 72-hour notification
- Your privacy notice was last updated before 2024
- You cannot locate a signed vendor agreement for your CRM or portfolio software
- Your compliance documents are stored in your personal email inbox
- You are relying on a document you downloaded from the internet and filled in your firm name
- You have not thought about what you would actually do in the first 72 hours of a data breach
Any of these is a problem. Most of them together represent a firm that will not survive an SEC examination focused on Reg S-P readiness.
The Bottom Line for Solo and Small RIAs
Size does not exempt you from Reg S-P. The June 3, 2026 deadline applies to you. There are no extensions expected. The five required documents are the same as what large firms need. The examiner who reviews your firm will apply the same standard. What you need is not a watered-down version of compliance — you need compliance designed for how a solo or small RIA actually operates. That means firm-specific documents, realistic procedures, and a vendor oversight program you can implement and maintain with one person.
Solo and sub-$500M RIAs are the firms least likely to have built-in compliance infrastructure — and the ones who can least afford an exam finding. See what exam-ready Reg S-P compliance looks like for a firm your size.
MrFixItGeeks.com provides a complete Reg S-P compliance package built for small and solo RIA firms — all 5 required documents, written to reflect one-person operations, attorney-reviewed, and delivered in 3 business days.
Get your Reg S-P compliance package at mrfixitgeeks.com/reg-sp-compliance