On The Docket – AI compliance, the Identity Theft Red Flags Rule, Reg S-P encryption incentive, and more

Welcome to the December 19, 2025 edition of On The Docket, which includes the following content:

  1. AI Compliance: Applying Existing SEC Regulatory Frameworks To Fast-Moving Technologies
  2. NY LLCs and Beneficial Ownership: Get Ready for The New York LLC Transparency Act
  3. Using an SEC Settled Order to Understand the Identity Theft Red Flags Rule (Reg S-ID)
  4. Reg S-P and the Encryption Incentive

🌐 All past On The Docket editions (as well as other article, video, and podcast content) are available by visiting the On The Docket page of the Beach Street Legal website.

Happy reading.

– Chris

* * * * *

In my latest article for Michael Kitces’ Nerd’s Eye View, you’ll find AI-derived quotes from the Notorious B.I.G., TLC, and Spider-Man.

If you’re interested in learning about the historical and current regulatory state of affairs governing the use of artificial intelligence for RIAs, this one’s for you. I walk through:

→ A previously proposed but since withdrawn SEC rule related to AI

→ Recent ‘AI Washing’ enforcement actions

→ SEC Exam Priorities (which include AI)

→ An SEC roundtable on AI in the financial services industry

→ The SEC Investor Advisory Committee’s recommendations re: AI

→ How AI evolved from being perceived as creating “systemic risk” to the SEC itself creating an AI Task Force

→ Applying the existing regulatory framework to RIAs’ use of AI (research, content ideation, meeting recording/transcription/summarization, and portfolio/financial plan design)

Happy reading: 

AI Compliance: Applying Existing SEC Regulatory Frameworks To Fast-Moving Technologies

Beneficial owners of New York LLCs (whether domestic or foreign qualified) remain subject to a NY-specific version of the mostly defunct federal Corporate Transparency Act.

The “New York LLC Transparency Act” takes effect on Jan 1, 2026, and requires beneficial ownership reports to be filed w/in 30 days for new LLCs created thereafter (and for existing LLCs by Jan 1, 2027).

This article provides a helpful overview for those unfortunate enough to have not escaped beneficial ownership reporting, as well as exceptions that may apply.

One of the benefits of reviewing SEC settled orders is that they often include a helpful ‘TLDR’ of the rule that the subject of the order screwed up.

Even if you skip the part of the order in which the SEC rakes the respondent over the coals, you can still extract a helpful rule summary in the SEC’s own words.

Take the SEC’s recent settled order with a dually-registered RIA and broker-dealer that violated the Identity Theft Red Flags Rule (Reg S-ID). Not sure what Reg S-ID is all about but want a high-level primer direct from the horse’s mouth? Look to the settled order itself:

“{{Respondent}} also violated the Identity Theft Red Flags Rule, which requires certain financial institutions and creditors, including broker-dealers and investment advisers registered or required to be registered with the Commission, to develop and implement a written Identity Theft Prevention Program (“Program”) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.

The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities. Each financial institution’s Program must include reasonable policies and procedures to:

(i) identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into the Program;

(ii) detect Red Flags that have been incorporated into the Program;

(iii) respond appropriately to any Red Flags that are detected pursuant to the Program to prevent and mitigate identity theft; and

(iv) ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.

Appendix A to Regulation S-ID directs firms to incorporate relevant identity theft Red Flags from sources like past incidents of identity theft that the firm has experienced and methods of identity theft that the firm has identified. The Identity Theft Red Flags Rule also requires certain financial institutions to periodically determine whether they offer or maintain covered accounts.”

The full settled order is linked here

Newly amended Reg S-P doesn’t contain an explicit “encryption safe harbor” per se, but the SEC *strongly* suggests that all investment advisers should be encrypting all sensitive client information and provides an incentive to do so.

To quote the Reg S-P amendment’s adopting release:

“[…] we agree with commenters that it is important to incentivize the use of encryption[…]. The final amendments’ approach accomplishes this goal while also addressing concerns that any particular approach to encryption may become outdated as technologies and security practices evolve.”

The “incentive” to use encryption is as follows:

  1. Investment advisers now have a prescriptive obligation to notify clients w/in 30 days if their “sensitive customer information” was, or is reasonably likely to have been, accessed or used w/out authorization.
  2. If sensitive customer information is accessed or used w/out authorization, *but such sensitive customer information is encrypted*, an investment adviser may reasonably determine that the encrypted representation of that information is *not* sensitive customer information if the encryption renders the cipher text sufficiently secure (i.e., the client notification requirement would not apply).

TLDR: Compromised sensitive customer information that’s encrypted may justifiably moot the client notification requirement that would otherwise apply.

Encryption should be cybersecurity blocking and tackling at this point, but the added regulatory incentive further drives home the point.

PS – For the hell of it, I entered the following prompt into Gemini’s Nano Banana to create the cover image for this post: “Generate an image that incorporates the logo of the U.S. Securities and Exchange Commission and a bunch of digital files that are encrypted and secure. It should look futuristic and cool.” I rate my prompting at a 2 out of 10, but the image it generated ain’t bad. AI is pretty wild.

----- Resources -----

🔖 Reg S-P

🔖 Reg S-P Amendment Adopting Release