Ask most RIA advisors about their Reg S-P compliance gaps and they will focus on the Incident Response Plan or the privacy notice. Those are visible, familiar compliance documents. The harder problem — the one that most firms have not even begun to address — is the vendor contract 72-hour notification requirement.

The typical small RIA vendor stack looks like this:

  • A custodian like Schwab or Fidelity
  • A CRM like Redtail or Wealthbox
  • Portfolio management software like Orion or Black Diamond
  • Financial planning tools like eMoney or RightCapital
  • Cloud infrastructure like Microsoft 365 or Google Workspace

All of these vendors have contractual access to your client data. Few, if any, of their standard service agreements contain a clause requiring them to notify you within 72 hours of a security incident involving your clients’ information; the ones that address incident notification at all typically leave the timing to the vendor’s discretion.

Under Reg S-P’s 2024 amendments (SEC Release No. 34-100155), your written policies and procedures must be reasonably designed to ensure that those vendors give you that notice. The rule text does not dictate the mechanism, but a contractual clause is the only way to turn the requirement into an enforceable right against the vendor, which is why this article treats the addendum as a deliverable. Getting it into your contracts is your problem, not your vendors’. And for most RIAs, this is the compliance requirement that takes the most time to execute and the one with the most realistic chance of being incomplete when the smaller-entity compliance date, June 3, 2026, arrives (larger entities’ date was December 3, 2025).

What the 72-Hour Requirement Actually Means

The service provider oversight provision of the amended Reg S-P (17 CFR 248.30) requires covered institutions to maintain written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers that receive, maintain, process, or otherwise access customer information. That oversight must be reasonably designed to ensure service providers take appropriate measures to:

  • Protect against unauthorized access to or use of customer information
  • Notify the covered institution as soon as possible, and no later than 72 hours, after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system the service provider maintains

The 72-hour clock runs from when the vendor becomes aware of the breach, not from when the breach happened. The vendor’s notification is normally the moment your firm “becomes aware,” which starts your own customer notification clock: as soon as practicable, and no later than 30 days, after that point, unless your firm determines after a reasonable investigation that the sensitive customer information has not been and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience. The entire chain, from vendor discovery to vendor notification to your firm’s customer notification, is a connected timeline with a regulatory deadline at each link.

If your vendor contracts do not contain the 72-hour notification provision, you have no contractual right to receive timely notification of a breach at that vendor. You might find out through their public press release. You might find out when your clients call asking about news coverage of a breach at your CRM provider. You might find out months after the fact during the vendor’s own regulatory proceedings. Your own 30-day clock does not start until your firm becomes aware, so late notice does not shorten your window; it does mean your clients go unnotified for however long the vendor sat on the incident, and it means an examiner will ask why your oversight program had no way to learn about it sooner.

Why This Is the Hardest Part of Reg S-P Compliance

Every other Reg S-P deliverable is something your firm produces internally. Your IRP, your privacy notice, your notification procedure, your recordkeeping framework — these are documents you write, or that a compliance service writes for you, and you control the timeline completely.

The vendor addenda are different. You need other companies — some of them very large companies with compliance departments, legal teams, and standard form agreements — to agree to modify their contractual terms to include language they may not have in their standard contracts. You cannot produce this document unilaterally. You need signatures.

Here is what the practical execution process looks like for most small RIAs:

Step 1: Identify All Covered Vendors

Start by inventorying every service provider that receives, maintains, processes, or otherwise accesses your customer information. This list is typically longer than advisors expect:

  • Primary custodians: Schwab, Fidelity, Pershing, Axos
  • CRM platforms: Redtail, Wealthbox, Salesforce Financial Services Cloud, Practifi
  • Portfolio management: Orion, Black Diamond, Tamarac, Morningstar Office
  • Financial planning software: eMoney, MoneyGuidePro, RightCapital, NaviPlan
  • Document management: LaserFiche, DocuSign, SmartVault
  • Email and productivity: Microsoft 365, Google Workspace
  • Client portal providers: Any portal through which clients access their account data
  • IT and cybersecurity vendors: Your MSP, your cybersecurity monitoring service, any cloud backup provider storing client data
  • Virtual meeting platforms used for client sessions where financial information is discussed and recordings are retained with client data

Every vendor on that list needs to have a 72-hour notification addendum signed and on file. Missing even one major vendor leaves a gap in your compliance program that an examiner will identify.

Step 2: Understand What Each Vendor Will and Won’t Do

Vendors fall into roughly three categories when it comes to Reg S-P addenda:

Vendors with existing compliance frameworks

Major custodians like Schwab and Fidelity, and some of the larger fintech platforms, have already developed their own compliance addenda frameworks in response to the Reg S-P amendments. They typically have a process for RIAs to request and execute the required addendum through their advisor services team. The addendum exists; you just need to request it through the right channel and get it executed.

Vendors with enterprise compliance departments but no RIA-specific addendum

Companies like Microsoft, Google, and Zoom are not RIA-specific vendors and do not have pre-built Reg S-P addenda. They do have Data Processing Agreements and Business Associate Agreements from other regulatory contexts (GDPR, HIPAA). The approach here is to request the most relevant data breach notification addendum they offer and document in your Vendor Oversight Policy why it meets or substantially meets the Reg S-P notification requirement. For very large technology companies, this is often the practical maximum you can achieve.

Small or mid-size vendors with no formal compliance infrastructure

Smaller fintech vendors, independent software providers, and specialized tools often have no standard addendum and no compliance department to route the request through. Here you will typically need to send them a proposed addendum — drafted in plain business language — and negotiate its execution directly with whoever handles vendor agreements.

Step 3: Execute and Document

Every signed addendum goes into your Vendor Oversight Policy records. Every vendor who declines to sign, or from whom you have received no response after documented attempts, also goes into your records — with documentation of your outreach efforts, the vendor’s response (or non-response), and your risk assessment rationale for continuing to use the vendor despite the absence of a signed addendum.

That last point matters. The SEC does not expect RIAs to immediately terminate relationships with vendors who won’t sign an addendum — it is not always feasible, especially for major custodians or platforms deeply integrated into firm operations. What the SEC does expect is documented evidence that your firm identified the gap, made documented efforts to remediate it, assessed the risk, and made a reasoned business decision with appropriate mitigating controls in place.

Why Most RIAs Discover They Have No Contractual Right to Be Notified

Pull out your current service agreements with your top five vendors right now. Search each one for the word “notification.” What you will find, in most cases, is notification language about service changes, fee adjustments, and contract terminations. You will not find language requiring the vendor to notify you within 72 hours of a security incident.

This is not because your vendors are being malicious. It is because prior to the Reg S-P 2024 amendments, there was no federal regulatory requirement driving this contractual provision, and vendors — especially large technology companies — do not voluntarily add notification obligations to standard service agreements.

The result is that most RIA firms are in a position where, if their CRM or portfolio management platform experienced a breach today, they would be entirely dependent on the vendor’s voluntary decision about when and how to notify them. The vendor’s contractual obligation, absent an addendum, is zero. They can notify you immediately, notify you in 30 days, notify you via a press release, or not notify you directly at all.

That is not a compliance program. That is a dependency on vendor goodwill in a scenario where vendors have significant incentive to manage disclosure carefully.

The Specific Vendors You Need to Address

Schwab and Fidelity

Both major custodians have compliance frameworks for institutional clients. For Schwab, the Reg S-P addendum request process runs through your Schwab Advisor Services relationship. Fidelity’s institutional channel has a similar process. These are the highest-priority addenda to get executed because custodians hold the most sensitive client data — actual account numbers, holdings, transaction histories, and personally identifiable information.

Redtail CRM

Redtail has been one of the more proactive fintech vendors on this issue, given their deep penetration of the independent RIA market. They have received enough addendum requests from compliance-conscious RIAs that they have a framework for this. Reach out through your account contact and request the Reg S-P notification addendum specifically.

Orion and eMoney

Both platforms serve institutional advisory clients and have compliance infrastructure. Similar process: contact through your institutional relationship and request the addendum. Get the request in writing so you have documentation of the outreach date.

Microsoft 365 and Google Workspace

These are the most complex cases because Microsoft and Google are not financial services companies and do not maintain RIA-specific compliance addenda. Both do maintain GDPR-driven data processing terms that include security incident notification provisions. For Microsoft 365, the Microsoft Products and Services Data Protection Addendum (incorporated through the Product Terms, formerly the Online Services Terms) commits Microsoft to notify the customer of a security incident “without undue delay.” For Google Workspace, the Cloud Data Processing Addendum (formerly the Data Processing Amendment) contains a similar “without undue delay” commitment for data incidents.

The practical approach for these vendors is to accept the data protection addendum they offer, confirm the notification provision and record the version date of the terms you accepted, and document in your Vendor Oversight Policy that this represents the maximum available contractual protection from these vendors given their market position and standard terms. Name the gap explicitly: “without undue delay” is not a 72-hour ceiling. Your risk assessment should say so and should record the mitigating controls you rely on instead, such as your own alerting on the tenant’s sign-in and audit logs, so that detecting a compromise of your own mailboxes or accounts does not depend on the vendor noticing it first.

Red Flags in Your Current Vendor Contracts

When you review your existing service agreements, these are the warning signs:

  • No data security or incident notification section whatsoever
  • Notification obligations that run only from you to the vendor — not from the vendor to you
  • Notification language that is conditioned on the vendor “determining” a breach occurred, which gives them indefinite discretion about when, if ever, to notify
  • Notification requirements with no specified timeframe
  • Language limiting the vendor’s liability for notification failures to a refund of fees paid, which does nothing to protect your clients or your regulatory compliance
  • Force majeure clauses that could be invoked to excuse notification delays

What Your Vendor Oversight Policy Must Document

The addenda themselves are only part of the compliance deliverable. Your Vendor Oversight Policy must establish the framework governing how your firm manages all service providers with customer data access. That policy must address:

  • How your firm conducts initial due diligence on new service providers before granting data access
  • The minimum security requirements your firm expects service providers to maintain
  • The 72-hour notification addendum requirement and the process for obtaining signed addenda from all covered vendors
  • Ongoing monitoring procedures for existing vendor relationships
  • The process for handling vendors who decline to sign addenda, including risk assessment and mitigating controls
  • Whether your firm will rely on a service provider, under a written contract, to send customer notices on the firm’s behalf (the rule permits this, but the firm remains responsible for the notice being made)
  • The process for onboarding new vendors, including the requirement to execute an addendum before granting data access
  • Termination procedures when a vendor’s security practices fall below acceptable thresholds

This policy must be integrated with your Incident Response Plan — because when a vendor notifies you of an incident under the 72-hour provision, your IRP needs to specify that this triggers the IRP response process and starts the 30-day customer notification clock.

The Timeline Problem

Here is the operational reality most RIAs are not accounting for: getting vendor addenda executed takes time. Not because the process is complicated, but because vendors have their own review processes, their own compliance approval timelines, and their own bureaucratic friction.

A request sent to a major custodian’s advisor services team in March might not result in an executed addendum until late April or May. A request sent to a smaller fintech vendor might require three rounds of back-and-forth negotiation over the language before both parties sign. If you start this process in May 2026, you will not have all your addenda executed by June 3.

The vendor addendum campaign needs to start now. Send the requests while you are building the other four compliance documents, not after.

The Real Risk: A Vendor Breach Without Contractual Notification Rights

Here is the scenario the 72-hour requirement is designed to prevent: a vendor experiences a breach, decides to investigate quietly for three weeks before notifying anyone, and eventually notifies your firm. Your own 30-day clock starts when that notice arrives, so the window itself is not shortened, but your clients’ data has been exposed for three weeks without anyone at your firm knowing, you are drafting customer notices from whatever scope information the vendor chooses to share, and, if you have no pre-built notification procedure, you are writing one under deadline.

Without a contractual 72-hour obligation, that three-week delay is entirely within the vendor’s discretion. You have no recourse. You are dependent on their voluntary disclosure timeline. And your Reg S-P compliance obligations — and the liability that comes with missing them — are entirely intact regardless of the vendor’s behavior.

The 72-hour addendum is your mechanism for creating contractual rights that align your vendor relationships with your regulatory obligations. Without it, there is a structural gap between what Reg S-P requires of your firm and what your vendors are obligated to provide you. That gap is your liability.

Getting This Done Before June 3, 2026

The vendor addendum campaign is the most time-sensitive element of your Reg S-P compliance program because it depends on other parties. Your IRP, privacy notice, notification procedure, and recordkeeping framework are in your control. Your vendor addenda are not — they require vendor cooperation.

Start now. Build the addendum request letter, identify all covered vendors, send requests through the right channels at each vendor, track responses, follow up on non-responses, document everything, and file executed addenda into your Vendor Oversight Policy records as they come in.

Your Vendor Oversight Policy document — the written policy that governs this entire process — needs to be drafted in parallel with the addenda outreach. The policy is what an examiner reviews first. The executed addenda are what the examiner asks to see next.

Both need to exist by June 3, 2026.

The 72-hour requirement cannot be satisfied by internal policy alone. It requires external signatures. Start the outreach process now, not because vendors will delay maliciously, but because contract negotiations at large financial technology companies move slowly, and every custodian’s advisor services team will be fielding the same request from many firms at once. Getting to the front of that queue takes time that firms at the back of the timeline don’t have.

Need the pre-drafted addendum language for the 20 most common RIA vendors? Our compliance package includes a complete vendor addendum library.

Your firm’s complete Reg S-P compliance package — including a Vendor Oversight Policy with 72-hour notification addendum templates for all major RIA vendors, a firm-specific Written IRP, and all other required deliverables, attorney-reviewed and delivered in 3 business days — is available at mrfixitgeeks.com/reg-sp-compliance. Everything your firm needs to be compliant before the June 3 deadline.
