Regulation D continues to serve as a critical framework for private capital formation in the United States, providing exemptions from U.S. Securities and Exchange Commission (“SEC”) registration for certain private offerings. However, recent regulatory changes are significantly reshaping compliance requirements for fund managers and investment advisers.
In May 2024, the SEC adopted major updates to Regulation S-P aimed at strengthening data privacy and cybersecurity standards. Key provisions include mandatory written incident response programs, customer breach notifications within 30 days, and enhanced oversight of service providers with prompt reporting obligations. These rules establish a federal baseline for breach response and vendor management, making cybersecurity a core regulatory requirement. Large registered investment advisers (RIAs) with over $1.5 billion in assets under management must have been in compliance by December 2025, while smaller firms have until June 2026.
To reduce friction in capital raising, the SEC recently eased verification standards under Rule 506(c). Issuers may now rely on written investor attestations and high minimum investment thresholds (e.g., $2 million or more) as sufficient proof of accredited investor status, eliminating the need for intrusive financial documentation. This change promotes efficiency and flexibility while maintaining investor protection, provided issuers adopt reasonable verification procedures and maintain proper records.
The Bank Secrecy Act (BSA) rule for RIAs was finalized in August 2024, extending anti-money laundering and counter-terrorist financing obligations, including risk-based programs, Suspicious Activity Reports (SARs), and recordkeeping, to RIAs and Exempt Reporting Advisers. Although originally scheduled for January 2026, the compliance deadline has been postponed to January 1, 2028, giving firms additional time to implement robust frameworks. A related Customer Identification Program (CIP) rule remains under proposal and is expected before 2028, requiring identity verification and beneficial ownership data collection. RIAs should begin preparing now by developing AML policies, enhancing KYC procedures, and updating vendor oversight to ensure readiness for these sweeping changes.
As regulatory expectations continue to expand across cybersecurity, investor verification, and AML compliance, RIAs should take a proactive approach to operational readiness. This includes conducting gap assessments, documenting policies and procedures, and ensuring service providers can support heightened reporting and monitoring obligations.
For more information about this topic, please get in touch with Nick Donovan using the details below.
Key Contact:
General Counsel, Americas