Marketing teams can’t leave Reg S-P to security anymore

Reg S-P

Regulation S-P has long been filed away as a problem for privacy officers, cybersecurity teams and legal departments. That assumption is now a liability, and marketing teams sitting inside SEC-regulated firms could be the ones caught out.

According to Luthor, the reason is simple: modern marketing workflows are saturated with customer information. A testimonial, a case study draft, a product screenshot, a segmented email list, a webinar attendee export, a call transcript or substantiation tied to account outcomes can all carry customer data.

Luthor recently discussed Reg S-P for marketing teams, and also AI review privacy safeguards. 

The moment that material passes through an AI review tool, agency workflow, content platform or compliance vendor, Reg S-P becomes operationally relevant to marketing.

The SEC adopted amendments to Regulation S-P on 16 May 2024, requiring covered institutions to maintain incident response programmes, customer notification procedures, service-provider controls and related records covering unauthorised access to or use of customer information.

The rule took effect on 2 August 2024, with larger entities given 18 months from Federal Register publication to comply and smaller entities 24 months. As of July 2026, both compliance windows have closed.

The amended rule applies to broker-dealers, funding portals, investment companies, SEC-registered investment advisers and transfer agents.

Among the practical requirements: written incident response policies, procedures to detect and recover from unauthorised access, customer notification no later than 30 days after a firm becomes aware of a covered incident, and service-provider obligations to notify the institution within 72 hours of discovering an applicable breach. Firms must also keep written records demonstrating compliance with the safeguards and disposal rules.

Adding urgency, the SEC’s FY 2026 examination priorities explicitly flag Reg S-P preparation, including policies, internal controls, third-party vendor oversight and governance. This is no longer a paper-policy exercise.

Marketing may not own Reg S-P, but it creates the data flows the rule is designed to govern. Testimonial reviews can carry names, account context and performance details. Email segmentation can reveal customer status and financial interests. Custom audiences and suppression lists can expose customer relationships.

Agency handoffs can put customer quotes and screenshots into external hands. The compliance question is no longer just whether the campaign was compliant, but what customer information the workflow processed, where it went, who accessed it and what record was kept.

A privacy-safe AI review workflow should start before the model ever sees the content. That means intake classification to identify customer information, data minimisation and redaction, blocking unmanaged AI tools, vendor controls covering training and retention terms, qualified human reviewers, disciplined retention and a defined incident escalation path.

The simplest safeguard remains the most effective: never upload sensitive customer information into open or unapproved AI tools. Account numbers, customer names paired with financial facts, complaints, call transcripts, nonpublic performance data, lead lists, identity documents and breach investigation notes should all stay out. AI can still add value by reviewing redacted claims, templates, synthetic samples, rule logic or disclosure placement, without touching raw customer data.

Third parties are a common entry point for Reg S-P risk. Before customer information moves, firms should establish whether vendors process or train on the data, how long prompts and logs are retained, which subprocessors have access, what deletion and export rights exist, and whether incident notification timelines align with Reg S-P expectations. Agencies using AI should be required to disclose that use before assets reach compliance review.

Recordkeeping should not become over-collection. Firms should retain the approved asset, the review decision, the reviewer rationale and proof of publication, rather than attaching unredacted account files to marketing tickets. Over-collection heightens privacy risk and makes breach response harder.

Compliance platform Luthor argues that regulated marketing teams need systems that classify intake risk, route sensitive content to the right reviewer, preserve the approval record and keep customer-information handling visible, so AI review speeds up compliance decisions rather than scattering evidence across tools, threads and spreadsheets.

The lesson of Reg S-P is that marketing compliance is no longer only about claims and disclosures. It is also about the data flowing through the review process itself.

Read the full Luthor post here. 

Read the daily FinTech news

Copyright © 2026 FinTech Global

Enjoying the stories?

Subscribe to our daily FinTech newsletter and get the latest industry news & research

Investors

The following investor(s) were tagged in this article.