The SEC's 2024 amendments to Regulation S-P introduce the most comprehensive update to federal privacy and data security standards for SEC-regulated institutions since the rule was adopted. While the amendments are directed at investment advisers, registered funds, broker-dealers, and transfer agents – not lenders – fund finance deal teams are already seeing the effects.
We have seen sponsors and their counsel increasingly focused on the changes relating to their need to perform due diligence on their service providers, and their need to obtain notice within 72 hours of a service provider data breach. For banks and other regulated lending institutions, this raises important questions around regulatory scope, operational expectations and market standards.
This article summarizes the key regulatory changes, why sponsors are reacting the way they are, and why lenders generally should not be expected to take on Regulation S-P obligations when they are already subject to their own robust data privacy regimes.
Overview of the 2024 Regulation S-P Amendments
Regulation S‑P implements the privacy provisions of the Gramm-Leach-Bliley Act (GLBA) for SEC‑regulated entities. The most relevant part of the revised rule for the purposes of this article requires a covered institution to establish, maintain and enforce “written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers.” Those policies and procedures “must be reasonably designed to ensure service providers take appropriate measures to: (A) protect against unauthorized access to or use of customer information; and (B) provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider.”
Importantly, the rule does not require that a covered institution “obtain promises from” a service provider to take appropriate measures to protect against unauthorized access to personal information provided to it by the covered institution. In this regard, when the amendments were proposed, they did contain a “written contract” requirement relating to service providers; however, the SEC specifically eliminated this requirement, in part to address comments to the effect that covered institutions should have the ability to take a “facts and circumstances” approach to overseeing their service providers.
Larger institutions including registered investment advisers with $1.5 billion or more in assets under management were required to comply with the amended regulations by December 3, 2025; all other covered institutions that don’t meet the size thresholds must comply with the amended regulations by June 3, 2026.
Why Fund Sponsors Have Heightened Sensitivity
The amendments materially raise expectations for private fund advisers – particularly SEC‑registered advisers – and for affiliated service providers. As advisers have prepared, and continue to prepare, for these compliance deadlines, fund finance transactions are feeling the downstream effects.
Several pressure points are emerging:
Increased caution about sharing investor data. Investor commitments, names and contact information can constitute “customer information” under Regulation S‑P. Advisers feel pressure to demonstrate careful handling of such data.
Sensitivity around vendor governance. Because the amended rule requires advisers to impose cybersecurity‑related obligations on their vendors, many sponsors are re‑evaluating how third parties – including lenders – handle any investor or fund‑level personal data.
Heightened transactional rigor. Counsel for sponsors are increasingly looking for comfort that lenders have comparable safeguards, even if a lender is a heavily regulated financial institution subject to detailed data protection requirements.
Why Lender Banks Should Not Be Required to “Comply with Regulation S-P”
In recent transactions, some sponsors have attempted to require lenders to agree affirmatively to maintain systems in accordance with Regulation S‑P’s requirements. These requests are generally misplaced.
Banks and other regulated lending institutions, such as credit unions and thrifts, typically would not be covered institutions under Regulation S‑P unless they separately fall within the rule’s scope (e.g., if they act as a broker‑dealer or SEC‑registered adviser).
Most fund finance lenders are instead federally regulated insured depository institutions that are already subject to the GLBA privacy framework through prudential regulators and bound by extensive cybersecurity, vendor risk, and data protection rules, many of which are more prescriptive than Regulation S‑P.
Forcing a lender to “comply with Regulation S‑P” can create unnecessary ambiguity or even legal conflict. Bank regulators often impose standards that diverge from or exceed SEC requirements. Contractually binding a lender to the wrong regulatory regime adds no practical protection for the sponsor and may introduce operational risk. Moreover, advisers are not required by Regulation S-P to obtain detailed commitments from service providers, only to satisfy a due diligence requirement.
The more appropriate (and market‑aligned) approach is for lenders to confirm that they maintain information‑security and data protection programs consistent with applicable law and supervisory expectations. When an adviser is dealing with a heavily regulated lender, it should be able to satisfy this requirement without obtaining detailed contractual commitments from the lender. Similarly, some lenders have become comfortable agreeing to provide notice of any data breach within 72 hours after they become aware of such a breach, because such banks are already subject to an even more stringent notice requirement in that respect.
A Practical Path Forward in Fund Finance Transactions
Having recently passed the 2025 Regulation S‑P compliance deadline, and with the 2026 deadline approaching, fund finance lenders should expect continued focus on the 72-hour data breach notice obligation. By grounding negotiations in the proper regulatory framework, parties can protect investor information without imposing inappropriate or duplicative obligations on lenders.