Wealth Management Outreach Playbook — Reg S-P Compliance Services

Version: 1.0 Date: 2026-04-14 Purpose: Operational playbook for WM pipeline outreach sessions Related:

Templates: solanasis-scripts/wm-pipeline/templates.py
Config: solanasis-scripts/wm-pipeline/config.py
Daily briefing: solanasis-scripts/wm-pipeline/generate_daily_outreach.py
ICP pain briefs: playbooks/icp-pain-briefs-2026-03.md
Cold email templates: playbooks/cold-email-problem-first-templates-2026-03.md

1. ICP Summary

Target: SEC-registered RIAs (Registered Investment Advisers), $100 M -$ 1.5B AUM, Boulder/Denver metro and greater Colorado

Decision Makers:

CCO (Chief Compliance Officer) — primary
Managing Partner / Principal — secondary
Operations Director — tertiary

The Wedge: The June 3, 2026 Reg S-P compliance deadline for smaller advisers (under $1.5B AUM). Larger advisers had a December 2025 deadline; the smaller adviser group is next.

Core Insight: Most RIAs have “paper compliance” — policies written by compliance consultants. But policies are not controls. SEC examiners are now asking for evidence of testing, not just documentation. That gap between paper compliance and working controls is where Solanasis fits.

2. Pain Points That Resonate

Pain Point	One-Liner	When to Use
Untested incident response plans	”Most RIAs have an incident response plan on file. Almost none have tested it under pressure.”	Universal opener; every RIA relates
Backup restore never verified	”Two-thirds of restore tests fail on the first attempt. For an RIA holding client financial data, that’s a regulatory risk.”	When they say “we have backups”
Service provider oversight gap	”Reg S-P requires service provider oversight, including 72-hour breach notification. Most vendor contracts don’t include it.”	RIAs with multiple tech vendors
SEC exam anxiety	”SEC examiners are now asking for evidence of testing, not just policies. That’s a new standard for 2026.”	When they mention exams or audits
Paper compliance vs. working controls	”Compliance consultants write great policies. But a policy that says ‘test backups quarterly’ isn’t the same as actually testing them.”	When they mention having a compliance consultant
Cost uncertainty	”Our 10-day assessment is a fixed fee. No surprises, no ongoing contract, no scope creep.”	When they ask about cost or seem budget-conscious
Compliance consultant gap	”Your compliance consultant writes the policies and files the ADV. We test whether the controls behind those policies actually work. Different skill set, same goal.”	When they say “we already have a compliance consultant”
Client data sensitivity	”RIAs hold Social Security numbers, account numbers, and net worth data. That’s more sensitive than what most banks hold per customer.”	When they say “we’re too small to be a target”

3. Objection Handling

Objection	Response
”We already have a compliance consultant"	"Good. They handle the regulatory filings and policy writing. We handle the technical verification: does the backup actually restore, does the incident response plan work under pressure, do your vendors have the right notification clauses. Different skill set, same compliance goal."
"We’re too small to be a target"	"93% of investment management firms reported a cyber incident in the last year. Size doesn’t matter; data sensitivity does. An RIA with 200 clients and their Social Security numbers is a high-value target."
"How much does this cost?"	"Fixed fee for a 10-day assessment. Typically $5 K -$ 10K depending on firm size and number of vendors. No ongoing contract, no surprises. You get a board-ready report at the end."
"We already have backups"	"Great. When was the last time you tested a full restore? Two-thirds of restore tests fail on the first attempt. Having backups and having verified backups are two different things, and regulators know the difference."
"We don’t have time before June 3"	"The assessment takes 10 business days. We can start this week and finish well before the deadline. Even if you start after June 3, having the assessment in progress shows good faith to examiners."
"Our custodian handles security"	"Custodians protect the assets they hold. But Reg S-P applies to your firm’s systems, your client data, your incident response. The custodian doesn’t test your backups or verify your vendor contracts."
"We need to talk to our compliance consultant first"	"Absolutely. In fact, your compliance consultant would be a great person to have on the kickoff call. They can help us align the technical assessment with your regulatory filings. We send them the report too.”

4. Phone Script (30 seconds)

Hi, this is Dmitri Sunshine from Solanasis. I’m reaching out to [FIRM NAME] because we work with registered investment advisers on compliance readiness, specifically around the Reg S-P deadline coming up on June 3rd.

Quick question: has your team ever tested whether your backups actually restore, or walked through your incident response plan under pressure?

Most haven’t, and that’s exactly what our 10-day assessment covers. Would it make sense for me to send over a one-pager?

5. Voicemail Script (15 seconds)

Hi [FIRST NAME], Dmitri Sunshine from Solanasis. Quick message: we help RIAs verify their Reg S-P compliance readiness, backup systems, and incident response plans. I’ll send a brief email with details. My number is 303-900-8969. Thanks.

6. Email Template Quick Reference

Variant	Name	When to Use	Subject Line
1	Reg S-P Urgency	SEC-registered RIA, website mentions Reg S-P or compliance	`reg s-p readiness, {first_name}`
2	Backup Verification	SEC-registered, A/B tier, no specific compliance mention	`quick backup question, {first_name}`
3	Compliance Gap	Website mentions compliance, no existing security vendor	`paper compliance vs. working controls`
4	Local Peer	Colorado-based, casual opener	`quick question from a fellow Colorado firm`
5	Peer Question	Generic fallback for any prospect	`how does {company_name} handle security verification?`

Follow-ups:

Day 5: Value-add follow-up — “does {company_name} have a documented incident response plan that’s been tested in the last 12 months?”
Day 10: Break-up email — “wanted to close the loop on this.”

7. Reg S-P Talking Points

Key points for phone conversations and email follow-ups:

June 3, 2026 deadline for RIAs under $1.5B AUM (smaller advisers). Larger advisers had until December 2025.
Written incident response program required — must include procedures for unauthorized access, use, or misuse of customer information.
Customer notification within 30 days — firms must notify affected individuals as soon as practicable, no later than 30 days after discovery.
Service provider oversight — firms must require service providers to implement and maintain safeguards. Vendors must notify within 72 hours of a breach.
Recordkeeping — firms must maintain records of compliance for 5 years (first 2 years in an easily accessible place).
SEC examiners now asking for EVIDENCE of testing — not just documentation. Having a policy on file is no longer sufficient; firms must demonstrate they have tested their controls.
“Paper compliance” is the risk — most compliance consultants write solid policies. But policies don’t test whether backups restore, whether incident response plans work under pressure, or whether vendors actually have notification clauses in their contracts.
10-day assessment scope: real backup restore test, incident response walkthrough, service provider oversight review, compliance documentation gap analysis, board-ready report.

8. Daily Outreach Ritual

Step-by-step process for each outreach session:

Open daily briefing at solanasis-docs/daily-outreach/YYYY-MM-DD-wm.md
- Review today’s prospects, pre-written emails, and follow-ups

Run cold email preflight before first send:

cd solanasis-scripts
python cold_email_preflight.py

Send each email via the mailto link (plain text only, no HTML, no tracking pixels)

Mark as sent after each successful send:

cd solanasis-scripts/wm-pipeline
python generate_daily_outreach.py --mark-sent id1,id2,id3

Pacing: Max 5-8 emails per day during warmup period. Space sends at least 2 hours apart.
Check follow-ups section — send any due Day 5 or Day 10 follow-ups
Research queue — spend 5 minutes per prospect finding personal email addresses (check LinkedIn, firm website about page, SEC ADV filings)

Safety reminders:

Plain text only, no attachments, no tracking
2+ hours between sends
Max 5-8/day during warmup (first 30 days)
Never send from anything other than your primary email client
Check solanasishq.com DMARC/SPF status before starting

9. Pipeline Commands

# Daily briefing generation
cd solanasis-scripts/wm-pipeline
secret run solanasis-scripts -- python generate_daily_outreach.py
 
# Pipeline status
python generate_daily_outreach.py --status
 
# Mark prospects as sent
python generate_daily_outreach.py --mark-sent prospect-id-1,prospect-id-2
 
# Discovery (dry-run first, always)
python discover_sec_iapd.py --dry-run
python discover_ddg.py --dry-run
secret run solanasis-scripts -- python discover_google_maps.py --dry-run
 
# Full pipeline run
python discover_sec_iapd.py
python discover_ddg.py
python import_prospects.py --iapd data/intermediate/sec_iapd_filtered.csv --ddg data/raw/ddg_wm_batch1.csv
python enrich_websites.py
python score_prospects.py
secret run solanasis-scripts -- python migrate_to_directus.py --plan
secret run solanasis-scripts -- python migrate_to_directus.py --run
 
# Generate daily briefing
secret run solanasis-scripts -- python generate_daily_outreach.py

10. Metrics to Track

Metric	Target	How to Measure
Open rate (inferred)	N/A	No tracking pixels; infer from replies
Reply rate	5-10%	Count replies / emails sent
Meeting rate	2-5%	Count meetings booked / emails sent
Best variant	Compare by reply rate	Track per-variant in Directus outreach_status
Pipeline velocity	5-8 new emails/day	Daily briefing count
Follow-up compliance	100% Day 5 + Day 10 sent	Tracker JSON audit

Solanasis Docs

Explorer

Wealth_Management_Outreach_Playbook