Solanasis Field Guide to Compliance in Wealth Management and Estate Planning
2026 Beginner-Friendly Study Book and Speaking Manual
Prepared for: Solanasis
Purpose: Help Dmitri speak clearly, accurately, and confidently about compliance in wealth management and estate planning, especially around the Securities and Exchange Commission’s Regulation S-P changes for smaller Securities and Exchange Commission registered investment advisers.
Status: Research-informed working guide, updated for March 2026
Important note: This guide is operational and educational. It is not legal advice. Solanasis should continue to position itself as the firm that verifies controls, tests recovery, improves operational resilience, and closes technical gaps, while outside counsel or a compliance consultant handles formal legal interpretation and regulator-facing legal advice.
How to use this guide
Use this in three ways.
First, use it as a study book. Read it front to back until the terms feel natural.
Second, use it as a speaking manual. The “How to explain this out loud” sections are designed so you can talk like a real operator instead of sounding like a generic compliance vendor.
Third, use it as a scope guardrail. A big part of credibility in regulated industries is knowing exactly where your role ends. Solanasis should sound precise, practical, and well-informed, while staying out of unauthorized legal advice.
Executive summary
If you remember only ten things, remember these.
- In wealth management, “compliance” is not just about filing forms. It is about whether the firm’s actual behavior, disclosures, supervision, data protection, vendor oversight, and recordkeeping line up with what the law and examiners expect.
- A registered investment adviser is a firm that gives investment advice for compensation and is registered either with the Securities and Exchange Commission or with a state securities regulator.
- The most important distinction for the current Regulation S-P conversation is this: the amended Regulation S-P directly applies to Securities and Exchange Commission registered investment advisers, not to every state-registered adviser as a matter of federal Securities and Exchange Commission rule text.
- For a smaller Securities and Exchange Commission registered investment adviser, the amended Regulation S-P compliance deadline is June 3, 2026.
- For purposes of the Regulation S-P amendment’s tiered compliance timing, a “larger” registered investment adviser is one with $1.5 billion or more in assets under management. A “smaller” Securities and Exchange Commission registered investment adviser, in this context, is simply one below that threshold.
- The amended Regulation S-P is not just a privacy notice rule anymore. It now requires a written incident response program, customer notice in certain incidents, and stronger service provider oversight.
- The service provider piece is commonly oversimplified. The final rule did not require a universal written vendor contract mandate in the exact way proposed. It requires written policies and procedures reasonably designed to require oversight, including due diligence and monitoring, and to ensure service providers notify the firm as soon as possible, but no later than 72 hours after becoming aware of certain breaches.
- For estate planning attorneys, there is no single “estate planning compliance rule” equivalent to Regulation S-P. Instead, the main framework is a combination of professional responsibility rules, confidentiality duties, technology competence, supervision duties, trust-account and client-property duties, data breach laws, and practical operational security expectations.
- For attorneys, the key governing ideas are competence, confidentiality, reasonable efforts, communication, supervision, and truthful client-facing communications.
- Solanasis is strongest when it says: we do the technical verification, resilience testing, vendor-risk reality check, restore testing, evidence gathering, and implementation roadmap; your lawyer or compliance consultant handles formal legal interpretation.
Part 1: The plain-English map
What “compliance” means in wealth management
In plain English, compliance means the firm does what it says, says what it does, documents what matters, protects client interests, and can prove it under scrutiny.
In wealth management, compliance is not only a legal issue. It is also a systems issue, a documentation issue, a training issue, a vendor issue, and a leadership issue.
A firm can fail compliance in at least five different ways:
- It can break a rule directly.
- It can say one thing in writing and do another in practice.
- It can have weak supervision or weak controls.
- It can fail to maintain records or evidence.
- It can have “paper compliance” that collapses during an actual incident or examination.
That last one is where Solanasis has a strong voice. Many firms have policies. Fewer firms have working controls, tested recovery, and evidence that would survive examiner questions.
What “compliance” means for estate planning attorneys
For estate planning attorneys, compliance is more fragmented.
Instead of one regulator with one master playbook, attorneys usually sit inside a mix of:
- professional conduct rules,
- confidentiality obligations,
- client communication duties,
- supervision duties,
- trust account or client property duties,
- advertising and truthfulness rules,
- breach notification laws,
- privacy laws where applicable,
- court rules, bar rules, and malpractice risk.
That means attorney compliance often feels less centralized than investment adviser compliance. It is still real, it is still enforceable, and it still gets firms in trouble when their operational reality is sloppy.
A shared password, an insecure intake form, a vendor with too much access, an untested backup, or casual use of public artificial intelligence tools can become an ethics problem, a breach problem, a malpractice problem, or all three at once.
Why this matters commercially for Solanasis
Solanasis does not need to become the law firm. It needs to become the trusted technical and operational partner that understands what the legal and compliance frameworks are actually trying to achieve.
The commercial opportunity is not “we are your regulator translator.” The opportunity is closer to this:
- We help you make your controls real.
- We test the things other firms only document.
- We surface the operational blind spots that create exam pain and breach risk.
- We give your counsel and compliance consultant cleaner ground truth to work from.
That is a strong lane.
Part 2: Who regulates whom
Wealth management regulator map
Securities and Exchange Commission
The Securities and Exchange Commission regulates Securities and Exchange Commission registered investment advisers and other securities market participants. For the current Solanasis conversation, it matters because Regulation S-P, Form ADV, the compliance program rule, the marketing rule, the custody rule, and examination priorities all sit in this universe.
State securities regulators
State securities divisions regulate state-registered investment advisers and investment adviser representatives. Even where a state-registered adviser is not directly covered by a particular Securities and Exchange Commission rule, state law and state exam expectations can still create similar practical obligations.
Financial Industry Regulatory Authority
The Financial Industry Regulatory Authority is a self-regulatory organization for broker-dealers. This matters when a firm is dually registered or affiliated with a broker-dealer.
Financial Crimes Enforcement Network
The Financial Crimes Enforcement Network sits under the United States Department of the Treasury. It matters for anti-money laundering and suspicious activity reporting obligations.
North American Securities Administrators Association
The North American Securities Administrators Association is not itself the regulator. It is the association of state and provincial securities regulators. It publishes model rules and guidance that often shape how states regulate smaller advisers.
Legal profession regulator map
State supreme court and state bar structure
Attorneys are primarily regulated under state professional conduct rules and the disciplinary system in their jurisdiction.
Ethics rules and ethics opinions
The American Bar Association model rules and formal opinions are not binding by themselves; each state adopts and enforces its own version. They nonetheless strongly shape how most states think about lawyer duties, especially around confidentiality, competence, supervision, and technology.
State attorney general and breach laws
If a law firm suffers a data breach, state breach-notification law may apply whether or not a bar rule says much about notice timing.
Malpractice exposure
Even when a cyber incident does not become a formal bar case, it can still become a negligence, malpractice, business interruption, or reputational disaster issue.
Part 3: Core wealth management concepts you need to be able to explain
Registered investment adviser
A registered investment adviser, often shortened to RIA, is an investment advisory firm registered either with the Securities and Exchange Commission or with a state securities regulator.
The key beginner mistake is assuming all registered investment advisers are regulated the same way at all times. They are not. One of the most important differences is whether the adviser is Securities and Exchange Commission registered or state registered.
Securities and Exchange Commission registration versus state registration
A firm generally registers with the Securities and Exchange Commission when it is large enough or otherwise eligible under the federal registration rules. Broadly speaking, an adviser may register with the Securities and Exchange Commission once its regulatory assets under management reach $100 million, must register once they reach $110 million, and may generally remain Securities and Exchange Commission registered until they fall below $90 million.
This matters because some federal rules, including Regulation S-P for investment advisers, directly apply only to advisers registered with the Securities and Exchange Commission.
Fiduciary duty
A fiduciary duty is a legal duty to act in the client’s best interest within the scope of the relationship.
For investment advisers, the federal fiduciary duty is broad. It applies to the entire adviser-client relationship.
The easiest way to explain it out loud is this:
A fiduciary is not supposed to quietly put the firm’s interests ahead of the client’s interests. The firm has to give advice with care, disclose conflicts properly, and deal fairly.
Duty of care
The duty of care means the adviser should give advice based on a reasonable understanding of the client, the investment, the risks, the costs, and the circumstances.
This is why costs, risk tolerance, liquidity, investment objective, and suitability-like thinking matter even when people use different legal labels.
Duty of loyalty
The duty of loyalty means the adviser must not place its own interests ahead of the client’s interests. Conflicts are not always forbidden, but hidden or poorly handled conflicts are dangerous.
This is where compensation structures, proprietary products, revenue-sharing arrangements, side agreements, and sloppy disclosure can become serious problems.
Best execution
Best execution means the adviser should seek to maximize value for the client under the circumstances when placing trades.
This does not always mean the absolute lowest visible price. It means the adviser should consider the full circumstances, including execution quality, cost, speed, reliability, and client impact.
Form ADV
Form ADV is the main registration and disclosure form for investment advisers.
You should think of it in three practical pieces:
- Part 1 is a structured regulatory filing with operational and business data.
- Part 2A is the client brochure describing the firm, fees, services, conflicts, and disciplinary information.
- Part 2B is the brochure supplement for certain supervised persons.
If the adviser has retail investors and is Securities and Exchange Commission registered, Part 3, also called Form CRS or Client Relationship Summary, may also apply.
Form CRS
Form CRS means Form Client Relationship Summary.
This is a short relationship summary for retail investors. It is meant to help individuals understand services, fees, conflicts, disciplinary history, and how to ask good questions.
Compliance program
A compliance program is the set of policies, procedures, supervision, training, monitoring, escalation paths, and corrective actions designed to prevent violations.
A policy binder is not a compliance program. A compliance program only becomes real when the firm can show implementation, monitoring, annual review, and follow-through.
Annual review
Securities and Exchange Commission registered advisers must review their policies and procedures at least annually to evaluate whether they are adequate and effective. Since the 2023 amendments to the compliance program rule, that annual review must also be documented in writing, so an examiner can ask to see the review itself, not just hear that it happened.
A weak annual review is one of the cleanest signals that the firm is treating compliance as paperwork instead of as an operating discipline.
Marketing rule
The marketing rule governs adviser marketing communications. This includes advertisements, testimonials, endorsements, performance claims, and hypothetical performance in certain circumstances.
This is a classic trap area because firms often market more aggressively than they supervise.
Custody
“Custody” means more than physically holding client cash.
In the investment adviser world, custody can be triggered in different ways, including authority or access arrangements. When custody exists, the custody rule can create significant obligations.
Qualified custodian
A qualified custodian is an approved type of financial institution, such as a bank or broker-dealer, that holds client assets under the custody rule framework.
The simple beginner explanation is: if the adviser has custody, client assets generally should not just sit wherever the adviser feels like putting them.
Identity theft red flags
The identity theft red flags rules require certain Securities and Exchange Commission regulated entities to have a written identity theft program designed to identify, detect, respond to, and update against identity theft risks in covered accounts.
This matters because account takeover and fraudulent transfer risk are exactly the kinds of incidents examiners care about.
Written information security program
A written information security program is often shortened to WISP.
The term is not defined identically across every regime, but in practice it means the firm’s documented information-security policies and procedures.
A written information security program often includes access controls, password and authentication requirements, device security, incident response, vendor controls, training, backup expectations, encryption expectations, and policy ownership.
Incident response program
An incident response program is the plan and operating method for detecting, containing, investigating, escalating, communicating about, and recovering from an incident.
The real-world test is simple: if a breach happens at 8:30 at night on a Thursday, does the firm know who does what next?
Business continuity versus disaster recovery
Business continuity means keeping the business functioning during disruption.
Disaster recovery means restoring systems and data after a disruptive event.
A firm can have a document called a business continuity plan and still be dangerously weak at actual recovery. That distinction matters a lot for Solanasis positioning.
Service provider oversight
A service provider is a vendor or outside provider that handles systems, software, infrastructure, communications, storage, or information on the firm’s behalf.
Oversight means the firm does not shrug and say, “that is the vendor’s problem.” It means the firm assesses, documents, monitors, and escalates vendor-related risk.
Due diligence
Due diligence means checking before trusting.
In this setting, it means evaluating a vendor, system, process, or control before relying on it.
Monitoring
Monitoring means checking after trust has already been extended.
Due diligence happens before or at the start. Monitoring continues during the relationship.
Operational resilience
Operational resilience is the ability to continue or restore important operations through disruption.
That concept sits naturally at the center of Solanasis. It ties together cybersecurity, recovery, vendor risk, governance, identity controls, documentation, and tested execution.
Part 4: Regulation S-P deep dive for smaller Securities and Exchange Commission registered investment advisers
What Regulation S-P is
Regulation S-P is the Securities and Exchange Commission’s privacy and safeguarding rule set for certain financial institutions under its jurisdiction.
Historically, many people thought of it mainly as a privacy notice rule. That is now too narrow.
The amended rule is now much more central to how covered firms handle customer information, incidents, and service provider oversight.
Who Regulation S-P directly applies to
The amended rule applies to:
- brokers and dealers,
- funding portals,
- investment companies,
- investment advisers registered with the Securities and Exchange Commission, and
- certain transfer agents.
This is the point you should be especially careful with in conversation:
A state-registered investment adviser is not directly covered by Regulation S-P merely because it is an investment adviser. The Securities and Exchange Commission’s own materials are clear that Regulation S-P does not apply to investment advisers that are not registered with the Commission.
That does not mean state-registered advisers are free to ignore privacy, security, incident response, or vendor oversight. It means you must speak precisely about which rule creates the obligation.
Why smaller advisers care right now
For the 2024 amendments, the Securities and Exchange Commission used a tiered compliance timeline.
Larger entities had to comply sooner. Smaller entities have until June 3, 2026.
For registered investment advisers, the “larger entity” threshold is $1.5 billion or more in assets under management for this timing framework. So when Solanasis talks about “smaller registered investment advisers” in this context, it is generally talking about Securities and Exchange Commission registered advisers below that threshold.
What changed under the 2024 amendments
At a practical level, three changes matter most.
1. Written incident response program
Covered firms must develop, implement, and maintain written incident response policies and procedures designed to detect, respond to, and recover from unauthorized access to or use of customer information.
This is not just “have some cyber notes.” It means a real, maintained, written program.
2. Customer notice in certain incidents
Covered firms must notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, unless, after a reasonable investigation, the firm determines that the information has not been and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience.
The clock is tight: notice must go out as soon as practicable, but not later than 30 days after the firm becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The only delay the rule contemplates is a written determination by the Attorney General that notice would pose a substantial risk to national security or public safety.
3. Stronger service provider oversight
Covered firms must have written policies and procedures reasonably designed to require oversight of service providers, including through due diligence and monitoring, and to ensure service providers notify the firm as soon as possible, but no later than 72 hours after becoming aware of certain breaches.
This is a major talking point because it puts real pressure on vendor inventory, contract hygiene, escalation paths, and incident communication.
Important nuance: the final rule is not just “put a 72-hour clause in every vendor contract”
A lot of summaries say the rule simply requires all vendor contracts to include a 72-hour notification term.
That is directionally useful, but legally incomplete.
The 2023 proposal leaned harder on a contract requirement and would have given service providers only 48 hours to notify the firm. The final rule backed away from a universal written contract mandate, extended the window to 72 hours, and instead requires the firm’s written policies and procedures to require service provider oversight, including due diligence and monitoring, and to ensure timely vendor notice.
In practice, many firms will still want contractual notice language. But the right way to explain the rule is:
The final rule focuses on written policies and procedures that make oversight real, not just on a one-line contract clause.
That is a more precise and more sophisticated answer.
What “customer information” and “sensitive customer information” mean in practice
The rule’s scope is broader than many firms expect.
Sensitive customer information is any component of customer information, alone or in combination with other information, that could create a reasonably likely risk of substantial harm or inconvenience to the individual it identifies. That covers obvious items like Social Security numbers, but it also covers combinations of data, such as an account number paired with the code or credential needed to use it, that could be used to access or misuse an account.
A useful plain-English translation is this:
If the information could help someone impersonate a client, enter an account, move money, or materially harm the person, treat it like it matters.
When customer notice may be required
A covered firm generally must provide notice when it becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.
There is an important exception. After a reasonable investigation, if the firm determines that sensitive customer information has not been, and is not reasonably likely to be, used in a way that would result in substantial harm or inconvenience, notice may not be required.
That means two things.
First, the firm needs real incident investigation capacity.
Second, “we are still looking into it” is not a long-term strategy. A weak detection and investigation capability can turn directly into notice and exam risk.
What examiners are likely to care about
Do not assume the firm will only be judged on whether a document exists.
The Securities and Exchange Commission’s 2026 examination priorities make clear that the Division will assess firms’ compliance with Regulation S-P and Regulation S-ID, including policies and procedures, internal controls, oversight of third-party vendors, and governance practices. The Division also says it will engage firms about progress preparing incident response programs and, after the applicable compliance dates, will examine whether firms have developed, implemented, and maintained the required administrative, technical, and physical safeguards.
That means the likely questions are not just:
- Do you have a plan?
- Do you have a policy?
The likely questions are also:
- Who owns it?
- When was it last updated?
- Which systems are in scope?
- How do you detect incidents?
- Who are your service providers?
- How do you monitor them?
- What evidence do you keep?
- When did you last test restore?
- How do you decide whether notice is required?
- Who can authorize communications to clients?
- How fast can you act on a Thursday night incident?
That is exactly where Solanasis can sound strong.
Common mistakes smaller firms make with Regulation S-P
Mistake 1: confusing “policy exists” with “control exists”
A document that says “we will respond promptly” is not a response capability.
Mistake 2: not knowing who their vendors really are
Many firms cannot produce a clean inventory of which vendors touch customer information, who approved them, what access they have, or how offboarding works.
Mistake 3: weak detection
The 30-day customer-notice clock is dangerous if the firm does not discover incidents quickly.
Mistake 4: assuming the managed service provider solves everything
A managed service provider can help, but the regulated firm still owns the regulatory obligation.
Mistake 5: not testing recovery
A backup that has never been restored is not proof of recoverability.
Mistake 6: sloppy internal access
Many incidents are not sophisticated nation-state attacks. They are weak authentication, stale accounts, over-privileged users, shared credentials, and poor offboarding.
Mistake 7: talking about Regulation S-P as though it directly applies to every state-registered adviser
This hurts credibility with serious compliance people.
What a good Regulation S-P readiness project looks like
A good readiness project is not “write a policy and move on.”
A serious project usually includes:
- Scope the business, systems, data, and vendors.
- Identify where customer information lives.
- Confirm who has access and how authentication works.
- Build or refine the incident response program.
- Establish a real vendor inventory.
- Review vendor oversight, due diligence, and monitoring.
- Confirm breach escalation paths and legal review workflow.
- Test disaster recovery and key restore assumptions.
- Gather evidence.
- Train the right people.
- Run at least a tabletop or structured incident exercise.
- Produce a prioritized remediation roadmap.
That is a practical and believable Solanasis framing.
How to explain Regulation S-P out loud in one minute
Regulation S-P started as a privacy and safeguarding regime, but the 2024 amendments made it much more operational. For Securities and Exchange Commission registered advisers, especially smaller ones facing the June 3, 2026 deadline, the big issues are whether they have a real written incident response program, whether they can investigate and notify fast enough, and whether they actually oversee vendors instead of assuming the vendor has it handled. The firms that will struggle are the ones with paper compliance, weak detection, messy access control, no vendor inventory, and untested recovery.
How to explain the scope issue out loud without sounding awkward
One nuance that matters: the amended Regulation S-P directly applies to Securities and Exchange Commission registered advisers, not automatically to every state-registered adviser. That said, state-registered firms still face very similar practical expectations under state law, state exam culture, privacy and security obligations, and simple client-trust reality. So even where the exact federal rule does not directly apply, the operational work often looks very similar.
That is a clean, credible answer.
Part 5: The rest of the wealth management compliance stack
Compliance program rule
Securities and Exchange Commission registered advisers must maintain policies and procedures reasonably designed to prevent violations and must review them annually.
This is the backbone rule. Many other compliance topics hang off it.
If you want a practical translation:
The firm must have a real compliance operating system, not just scattered documents.
Form ADV and disclosure discipline
Form ADV is where many firms quietly create future problems.
If the brochure says one thing, the website says another thing, internal practice says a third thing, and vendor reality says a fourth thing, the firm has a disclosure-control problem.
This is one reason Solanasis should not just say “we help with cyber.” It should say something closer to:
We help firms make their operational reality line up with what they disclose and what examiners expect.
Marketing rule and communication discipline
The marketing rule is especially dangerous in firms that market aggressively but supervise weakly.
Testimonials, endorsements, hypothetical performance, rankings, and selective claims can all create exposure if the underlying supervision is weak or the presentation is misleading.
You do not need to be the marketing-rule lawyer to speak about this. You only need to understand that accuracy, substantiation, disclosure, and supervision matter.
Custody rule
If an adviser has custody of client funds or securities, the custody rule can require the firm to maintain assets appropriately, provide notices and account statements, and undergo an annual surprise examination by an independent public accountant, subject to important details and exceptions.
The exact custody analysis can get technical very fast. Solanasis should avoid pretending it is giving legal custody opinions unless working with counsel or a compliance specialist.
The right operational angle is:
- Where does access exist?
- Who can move money or assets?
- What authority exists?
- What evidence supports the current position?
- Are the relevant controls actually working?
Identity theft red flags
For covered entities, the identity theft red flags rules require a written program designed to identify relevant red flags, detect them, respond appropriately, and update the program periodically.
Operationally, this touches account takeover, wire fraud prevention, new account fraud, password-reset abuse, and suspicious transfer patterns.
Anti-money laundering status for investment advisers
This is a place where it is easy to sound out of date.
A final anti-money laundering rule for registered investment advisers and exempt reporting advisers was issued, but the effective date was postponed from January 1, 2026 to January 1, 2028.
That means you should not talk as though every registered investment adviser is already live under a new anti-money laundering program obligation today. The industry should still pay attention, but timing matters.
Artificial intelligence and automation risk
There is no Securities and Exchange Commission cybersecurity or artificial-intelligence rule for advisers in force from the 2022 and 2023 proposals: the cybersecurity risk management proposal and the predictive data analytics (conflicts of interest) proposal were both formally withdrawn in 2025.
That does not mean the Securities and Exchange Commission stopped caring. Quite the opposite.
The 2026 examination priorities say the Division remains focused on automated investment tools, artificial intelligence technologies, algorithms, related risks, the accuracy of representations, and whether operations and controls are consistent with disclosures made to investors.
This matters for Solanasis because “Responsible Artificial Intelligence for Financial Services” is a viable lane if it is framed as governance, access boundaries, logging, review, accuracy, and control alignment.
Proposed and withdrawn items you should not accidentally oversell
Cybersecurity rule proposal for advisers
There was a proposed Securities and Exchange Commission cybersecurity rule for investment advisers and certain funds. It was withdrawn in 2025. Do not speak as if it is active law.
Outsourcing proposal
There was also a proposed outsourcing rule for advisers. It was withdrawn in 2025. Do not present it as an active requirement.
Customer identification program proposal for advisers
There has been discussion and proposal activity around customer identification program obligations for investment advisers, but you should be careful not to describe a proposal as final law.
Part 6: State-registered advisers — what is true without overstating it
This is where a lot of bad summaries go wrong.
What is true
State-registered advisers still face serious privacy, cybersecurity, supervision, disclosure, and fiduciary expectations.
The North American Securities Administrators Association adopted an information security and privacy model rule package in 2019 for state-registered investment advisers, and its materials make clear that states are pushing toward written cybersecurity and privacy policies, annual privacy policy delivery, and related recordkeeping and conduct expectations. The association has also developed model rules and guidance around broader adviser policies and procedures.
What is not safe to say casually
It is not safe to say that every state has adopted every model rule in the same way.
It is also not safe to say that a state-registered adviser is directly bound by Securities and Exchange Commission Regulation S-P in the same way as a Securities and Exchange Commission registered adviser.
The clean speaking position
State-registered advisers may not be directly under the federal Regulation S-P adviser framework, but many of them still face very similar practical expectations through state rules, state examinations, fiduciary duties, breach laws, privacy obligations, and vendor-risk reality. So the operational readiness work often ends up looking similar even when the exact legal hook is different.
That is the right level of precision.
Part 7: Estate planning attorney compliance deep dive
Why estate planning firms are a serious data-security and compliance story
Estate planning firms hold some of the most sensitive information a family can hand over.
That can include:
- wills,
- trusts,
- powers of attorney,
- tax information,
- family relationships,
- health-related planning details,
- beneficiary designations,
- business ownership information,
- identity documents,
- financial statements,
- inheritance instructions,
- guardian details,
- digital asset access information.
A breach is not just embarrassing. It can expose elderly clients to abuse, enable impersonation and fraud, hand an attacker leverage over vulnerable family members, and cause serious family harm.
That is why “reasonable efforts” means more than a shrug and a firewall.
The core attorney duties that matter most
Competence
Lawyers must provide competent representation. In Colorado, the competence rule expressly says a lawyer should keep abreast of changes in the law and practice, and of changes in communications and other relevant technologies.
That means technology competence is not optional fluff. It is part of competence.
Confidentiality
Lawyers must make reasonable efforts to prevent inadvertent or unauthorized disclosure of, or access to, information related to the representation of a client.
This is one of the clearest bridges between ethics and cybersecurity.
Communication
Lawyers have duties to keep clients reasonably informed. If a material data breach affects representation or client information, that communication duty can become very real.
Supervision
Lawyers must properly supervise staff and certain outside helpers. A vendor mistake can become a lawyer problem if supervision and oversight were weak.
Client property and trust-account discipline
If the firm handles funds or property, segregation and safeguarding duties matter. Even when the estate planning firm is not a financial institution in the securities-law sense, mishandling client property is high-risk.
Truthful public communications
A law firm should not make false or misleading statements about its services. That matters for websites, intake language, privacy/security claims, artificial intelligence claims, and client expectations.
Attorney confidentiality versus attorney-client privilege
These are related but not identical.
Attorney-client privilege is an evidentiary doctrine that can protect certain communications from compelled disclosure in legal proceedings.
Confidentiality is the broader professional duty not to reveal or expose client information improperly.
For cyber and operations conversations, confidentiality is usually the more relevant frame.
“Reasonable efforts” in plain English
The confidentiality rule does not say a lawyer must guarantee zero risk.
It says the lawyer must make reasonable efforts to prevent unauthorized access or disclosure.
The comments to the rule explain that reasonableness depends on factors such as:
- the sensitivity of the information,
- the likelihood of disclosure if more safeguards are not used,
- the cost of additional safeguards,
- the difficulty of implementing them,
- and whether the safeguards would make legal work unreasonably hard.
That is actually a very practical framework. It means the answer is not “buy everything.” The answer is “use a defensible level of controls relative to the sensitivity and risk.”
For estate planning, the sensitivity is high. So the floor should not be low.
Secure communications
The American Bar Association’s Formal Opinion 477R explains that lawyers may need special security precautions when required by law, by agreement, or when the nature of the information requires a higher degree of security.
That matters because some firms still act as though ordinary unstructured email habits are automatically sufficient for everything.
A practical translation is:
Routine email is not always automatically unethical, but higher-risk information may require stronger handling. The more sensitive the matter, the less casual the communication approach should be.
Breach response and restoration
The American Bar Association’s Formal Opinion 483 says that when a breach of protected client information is suspected or detected, the lawyer must act reasonably and promptly to stop the breach and mitigate damage.
The opinion also points toward the importance of incident response planning and restoring operations.
This is a major talking point for Solanasis because it aligns perfectly with the idea that untested recovery is not good enough.
Artificial intelligence use by lawyers
The American Bar Association’s 2024 Formal Opinion 512 says lawyers using generative artificial intelligence must fully consider ethical obligations including competence, protection of client information, client communication, and reasonable fees.
The point is not “never use artificial intelligence.” The point is “do not use it carelessly.”
For estate planning firms, the practical questions are:
- Does the tool receive client confidential information?
- Is data retained or used for model training?
- What access controls exist?
- Is there human review?
- Are outputs accurate enough for legal work?
- Are clients being misled about how the work is done?
- Does the firm understand the vendor’s security and privacy posture?
That is a strong Solanasis lane if positioned as governance and safeguards, not as legal advice.
Colorado data breach law
Colorado’s data breach law generally requires entities to notify Colorado consumers when personal information may have been compromised. In most instances, notice must happen within 30 days after the entity determines that a breach has occurred that may lead to misuse.
This matters even for firms that are too small to fall under broader privacy statutes.
Colorado Privacy Act
The Colorado Privacy Act is a broader consumer privacy law, but many smaller estate planning firms may not hit its size thresholds.
It is still worth knowing about, especially for firms that process data at scale, use modern intake and marketing systems, or have larger consumer-data footprints.
The practical mistake to avoid is assuming that if the broad privacy law does not apply, the firm has no privacy problem. Ethics duties and breach laws can still apply.
Estate planning firm risk themes you should be able to talk about
Intake and document collection risk
Client data often enters through forms, email attachments, scanning workflows, and portal uploads. Weak intake design can leak sensitive information before the legal work even starts.
Shared mailbox and assistant access risk
Many small firms run critical client communications through shared mailboxes and weak delegation practices. That creates confidentiality and impersonation risk.
Draft document storage risk
Estate plans often sit in shared drives, desktop folders, email attachments, and vendor portals. That creates retention, access, and version-control risk.
Elder fraud and social engineering risk
Estate planning matters often involve older clients, changed instructions, and emotionally charged family dynamics. That makes impersonation and fraudulent change requests especially dangerous.
Vendor dependency risk
Practice-management software, e-signature systems, cloud storage, transcription, billing systems, and artificial intelligence tools can all create hidden exposure.
Business continuity risk
A small estate planning firm with no tested recovery path can fail clients exactly when those clients are dealing with death, incapacity, guardianship, or urgent decision-making.
How to explain attorney compliance out loud in one minute
For estate planning attorneys, compliance is less about one giant federal rule and more about whether the firm is meeting its ethical and operational duties in a real way. The key themes are competence, confidentiality, supervision, secure communication, breach response, and truthful client-facing practices. In practical terms, that means a firm handling wills, trusts, powers of attorney, and beneficiary data should have stronger operational discipline than most small professional-services firms, because the information is unusually sensitive and the downstream harm can be severe.
Part 8: Shared operational risks across both industries
These are the problems that show up again and again whether the firm is a registered investment adviser or an estate planning practice.
Weak identity and access management
Examples:
- shared credentials,
- stale accounts,
- former staff with lingering access,
- no enforced multi-factor authentication,
- too many global administrators,
- no role-based access.
Email as the weak center of gravity
Email becomes the unofficial system of record, the intake portal, the approval tool, the document repository, and the incident-notification channel all at once.
That is dangerous.
Vendor sprawl
Small firms often do not know how many vendors they truly have, what data those vendors touch, or who approved them.
Untested backup and restore
Many firms can say “we have backups.” Far fewer can say “we restored critical systems and data under controlled conditions and proved it works.”
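The difference between "we have backups" and "we proved a restore works" is a repeatable test that produces a dated evidence record. The block below is an added illustration of that test, not Solanasis tooling or anything from the page's sources: it builds a small set of constructed sample files, records their hashes at backup time, performs a stand-in backup and restore into temporary directories, and then verifies every restored file against the recorded hashes. The file names, manifest format and evidence fields are assumptions for the example. The second run deliberately damages the backup copy to show that a restore can "succeed" while silently returning a corrupted document, which is exactly the failure an untested backup hides.

```python
"""Restore test with an evidence record, run over constructed sample files.

Added example, not Solanasis code. Directory layout, manifest format and
evidence fields are assumptions; a real run would point `source` at the
firm's live document store and `backup` at the backup target.
"""
import hashlib
import os
import shutil
import tempfile
import time
from datetime import datetime, timezone

# Constructed stand-ins for client documents (not real client data).
SAMPLE_FILES = {
    "wills/jones-will-v3.docx": b"Last will and testament (sample text)\n",
    "trusts/smith-trust.docx": b"Revocable trust (sample text)\n",
    "clients/index.csv": b"matter,client,status\n2026-014,Jones,open\n",
}


def sha256_file(path):
    """Stream a file through SHA-256 so large documents do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_dir):
    """Record the hash of every file under source_dir at backup time."""
    manifest = {}
    for root, _, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, source_dir)] = sha256_file(full)
    return manifest


def verify_restore(manifest, restore_dir):
    """Compare restored files to the manifest. Returns (passed, problems)."""
    problems = []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(restore_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"hash mismatch: {rel}")
    return (not problems, problems)


def write_sample_files(dir_):
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(dir_, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)


def run_restore_test(corrupt_backup=False):
    """Back up, restore, verify, and return an evidence record.

    corrupt_backup=True simulates silent damage to one backed-up file.
    """
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "live")
        backup = os.path.join(work, "backup")
        restore = os.path.join(work, "restore")
        write_sample_files(source)
        manifest = build_manifest(source)          # captured at backup time
        shutil.copytree(source, backup)            # stand-in for the backup job
        if corrupt_backup:                         # the backup job reports success anyway
            with open(os.path.join(backup, "trusts", "smith-trust.docx"), "wb") as f:
                f.write(b"")
        started = time.monotonic()
        shutil.copytree(backup, restore)           # stand-in for the restore job
        elapsed = time.monotonic() - started
        passed, problems = verify_restore(manifest, restore)
        # The record is what an examiner or insurer can actually be shown.
        return {
            "tested_at": datetime.now(timezone.utc).isoformat(),
            "files_checked": len(manifest),
            "restore_seconds": round(elapsed, 3),
            "passed": passed,
            "problems": problems,
        }


if __name__ == "__main__":
    print(run_restore_test())
    print(run_restore_test(corrupt_backup=True))
```

The point of the evidence record is that it answers "did it work, when, and how long did it take" with something other than memory. In a real engagement the manifest would be written by the backup job and stored separately from the backup itself, so that a compromised or corrupted backup cannot also rewrite the hashes it is checked against.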
Invisible shadow software
A partner, assistant, adviser, or attorney signs up for a tool without governance. Now client data lives in a place leadership barely understands.
Casual artificial intelligence use
Staff paste sensitive text into consumer tools, save prompts with client details, or use outputs without review.
Weak offboarding
A departing employee, contractor, or vendor leaves behind live accounts, tokens, mailbox access, or synced data on personal devices.
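The identity-and-access problems listed above (shared credentials, stale accounts, former staff with lingering access, no enforced multi-factor authentication, too many global administrators) and the offboarding problem (live accounts and tokens left behind) are the same review run over the same inventory. The block below is an added example of that review, not Solanasis tooling: it takes a constructed account inventory, applies each check, and orders the findings by how urgently they need a remediation owner. The inventory fields, the 90-day staleness window, the limit of two global administrators and the severity order are assumptions for the example; in practice the inventory would be exported from the identity provider and reconciled against the HR roster.

```python
"""Access and offboarding review over a constructed account inventory.

Added example, not Solanasis code. Field names, thresholds and severity
order are assumptions; a real run would export the inventory from the
identity provider and the HR roster rather than hard-code it.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2026, 3, 15)  # assumed review date for the sample run

# Constructed sample inventory (not a real firm). "owners" lists the people
# who know the password; more than one means the credential is shared.
ACCOUNTS = [
    {"user": "dana@example-ria.test", "owners": ["Dana"], "roles": ["global_admin"],
     "enabled": True, "mfa": True, "last_login": "2026-03-10",
     "employment": "active", "tokens": []},
    {"user": "ops@example-ria.test", "owners": ["Dana", "Lee", "Sam"], "roles": ["user"],
     "enabled": True, "mfa": False, "last_login": "2026-03-11",
     "employment": "active", "tokens": ["automation-api-key"]},
    {"user": "lee@example-ria.test", "owners": ["Lee"], "roles": ["global_admin"],
     "enabled": True, "mfa": False, "last_login": "2026-03-12",
     "employment": "active", "tokens": []},
    {"user": "sam@example-ria.test", "owners": ["Sam"], "roles": ["global_admin"],
     "enabled": True, "mfa": True, "last_login": "2025-11-02",
     "employment": "terminated", "tokens": ["mobile-sync", "portal-api"]},
    {"user": "intern2024@example-ria.test", "owners": ["Former intern"], "roles": ["user"],
     "enabled": True, "mfa": True, "last_login": "2025-09-01",
     "employment": "active", "tokens": []},
]

# Assumed severity order: what a remediation owner should pick up first.
SEVERITY = ["former_staff_active", "lingering_tokens", "no_mfa",
            "excess_global_admins", "shared_credentials", "stale"]


def review_accounts(accounts, today, stale_days=90, max_global_admins=2):
    """Run every check once over the inventory and return findings by check."""
    findings = {check: [] for check in SEVERITY}
    cutoff = today - timedelta(days=stale_days)
    admins = []
    for acct in accounts:
        user = acct["user"]
        if len(acct["owners"]) > 1:
            findings["shared_credentials"].append(user)
        if acct["enabled"] and date.fromisoformat(acct["last_login"]) < cutoff:
            findings["stale"].append(user)
        if acct["employment"] == "terminated" and acct["enabled"]:
            findings["former_staff_active"].append(user)
        if acct["employment"] == "terminated" and acct["tokens"]:
            # Disabling the login is not enough if API keys or sync tokens survive.
            findings["lingering_tokens"].append(user)
        if acct["enabled"] and not acct["mfa"]:
            findings["no_mfa"].append(user)
        if acct["enabled"] and "global_admin" in acct["roles"]:
            admins.append(user)
    if len(admins) > max_global_admins:
        findings["excess_global_admins"] = admins
    return findings


def prioritized(findings):
    """Flatten findings into (check, user) pairs in severity order."""
    return [(check, user) for check in SEVERITY for user in findings[check]]


def run_sample_review():
    """Convenience entry point for the constructed inventory."""
    return review_accounts(ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for check, user in prioritized(run_sample_review()):
        print(f"{check:22} {user}")
```

On the sample inventory the first item out is the terminated user whose global-admin account is still enabled and still holds two tokens, which is the offboarding failure that matters most; the shared operations mailbox with no multi-factor authentication and the third global administrator follow. The output doubles as the documentation trail the page keeps asking for: who was flagged, by which check, as of which date.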
Poor documentation
When something goes wrong, the firm cannot show who approved what, when a control was tested, which vendor was reviewed, or what the intended process actually was.
Part 9: What Solanasis should say — and not say
Good positioning language
- We help you verify that your controls are real, not just written.
- We test recovery, not just backup existence.
- We help you build evidence that your firm can use in an exam or incident.
- We work alongside your compliance consultant, your lawyer, and your internal or external information technology team.
- We help you identify where operational practice is not lining up with regulatory expectations.
- We help you establish incident response, vendor oversight, access-control discipline, and confidence that restores actually work.
- We do the technical and operational verification so your legal and compliance advisors have cleaner ground truth.
Language to avoid
- We make you compliant.
- We guarantee exam success.
- Regulation S-P applies to every state-registered adviser.
- We provide legal advice.
- Your managed service provider already has this handled.
- A written information security program alone solves the issue.
- Your vendor is responsible, so you are covered.
- If you use artificial intelligence carefully, there is no risk.
Better replacements
Instead of “we make you compliant,” say:
We help you become materially more ready for examination, incident response, and evidence-backed remediation.
Instead of “we give legal advice,” say:
We help you prepare operationally and technically; your legal and compliance advisors handle formal legal interpretation.
Part 10: Solanasis site alignment notes
This section exists so your public materials stay sharp.
What already aligns well
The site’s overall posture is strong. It positions Solanasis as the technical and operational verifier that works alongside existing compliance and information technology providers, and it clearly says the work does not constitute legal advice.
That is good and should be preserved.
What should be tightened
Regulation S-P scope wording
Current Solanasis resource copy says that if a firm is Securities and Exchange Commission registered or state registered, the amended Regulation S-P requirements apply to it.
That should be tightened.
A safer replacement is:
If your firm is a Securities and Exchange Commission registered investment adviser, these amended Regulation S-P requirements apply directly. If your firm is state registered, you may face similar operational expectations through state law, state examination priorities, privacy obligations, and fiduciary duties, but the exact legal framework is different.
That one change will make the site sound more credible to serious compliance readers.
Vendor contract wording
Current copy leans toward “every vendor agreement touching customer data needs updated language.”
That is usually directionally smart, but the safest, most accurate public wording is:
Firms should review vendor agreements and vendor oversight practices to ensure they support the firm’s obligations, including timely incident notification and evidence-backed oversight.
That better matches the final rule structure.
Part 11: Beginner glossary
This glossary is intentionally plain.
Advisers Act
The Investment Advisers Act of 1940, the main federal law governing investment advisers.
Assets under management
The total value of client assets an adviser manages, calculated the way the rules define it; used for registration and compliance-timing thresholds.
Broker-dealer
A firm that buys and sells securities for customers or for its own account. Its brokerage and sales role is different from an investment adviser's advisory role, although one firm can be registered as both.
Business continuity plan
A plan for keeping important operations running during disruption.
Client Relationship Summary
A short disclosure document for certain retail investor relationships, formally called Form CRS.
Compliance consultant
An outside advisor focused on regulatory obligations, policies, exam preparation, and interpretation. This is not always the same as the firm’s technical security team.
Custody
A regulated status that can exist when an investment adviser holds or can access client funds or securities in certain ways.
Data breach
An event in which protected information is exposed, stolen, accessed without authorization, destroyed, or rendered unusable in a material way.
Disaster recovery
The process of restoring systems and data after an incident or outage.
Due diligence
Pre-relationship checking and evaluation before trusting a vendor, system, or process.
Fiduciary duty
A duty to act in the client’s best interest within the relationship.
Financial Crimes Enforcement Network
A Treasury bureau focused on anti-money laundering and related financial-crime reporting.
Form ADV
The main Securities and Exchange Commission and state registration and disclosure form for investment advisers.
Form CRS
The Client Relationship Summary delivered by certain Securities and Exchange Commission registered advisers and broker-dealers to retail investors.
Information security
The protection of data and systems against unauthorized access, misuse, disruption, or destruction.
Managed service provider
An outside information technology firm that manages systems, devices, or infrastructure on an ongoing basis.
Monitoring
Ongoing oversight after the vendor or control is already in place.
Multi-factor authentication
A login method requiring more than one factor, such as a password plus a code or device approval.
Regulation S-ID
The Securities and Exchange Commission identity theft red flags rule framework for covered entities.
Regulation S-P
The Securities and Exchange Commission privacy and safeguarding rule framework for covered entities, including Securities and Exchange Commission registered investment advisers.
Registered investment adviser
An investment-advisory firm registered either with the Securities and Exchange Commission or a state regulator.
Service provider
A vendor or outside provider that handles systems, information, or operational functions on the firm’s behalf.
State-registered adviser
An investment adviser registered with a state regulator rather than with the Securities and Exchange Commission.
Written information security program
A documented set of information-security policies and procedures, often abbreviated WISP.
Part 12: How to answer common prospect questions
“Does the new Regulation S-P apply to us?”
Good answer:
If you are a Securities and Exchange Commission registered investment adviser, yes, the amended rule applies directly. If you are state registered, the answer is more nuanced; the federal rule does not apply in the same direct way to state-registered advisers, but many state-registered firms still face similar practical expectations through state rules, state exams, privacy obligations, and fiduciary duties.
“What actually changed?”
Good answer:
The biggest practical changes are that covered firms need a real written incident response program, a workable path for customer notice in certain incidents, and stronger service provider oversight, including the ability to get fast incident notice from vendors.
“Can’t our managed service provider handle that?”
Good answer:
Your managed service provider can help with pieces of it, but the regulated firm still owns the obligation. The real question is whether your controls, recovery, vendor oversight, and evidence would stand up in an exam or a real incident.
“We already have a written information security program. Aren’t we fine?”
Good answer:
Maybe, maybe not. A written information security program is a starting point. The harder question is whether it is current, implemented, aligned to your actual systems and vendors, and backed by testing and evidence.
“Why should estate planning attorneys care about this?”
Good answer:
Because estate planning firms hold unusually sensitive data, and their duties around competence, confidentiality, supervision, secure communication, and breach response are real even if the regulatory map looks different from the investment adviser world. A weak operational setup can become an ethics issue, a malpractice issue, and a client-trust failure all at once.
“What does Solanasis actually do in this process?”
Good answer:
We do the technical and operational verification. We identify where sensitive data lives, how access works, which vendors are really in play, whether incident response is usable, whether recovery has actually been tested, and where the evidence gaps are. Your compliance consultant or counsel handles the formal legal interpretation.
Part 13: A practical 30-60-90 day roadmap
For a smaller Securities and Exchange Commission registered investment adviser
First 30 days
- Confirm whether the firm is Securities and Exchange Commission registered or state registered.
- Confirm whether the firm falls into the smaller-entity timing bucket.
- Build a clean vendor inventory.
- Identify systems containing customer information.
- Review access control, administrator count, and authentication requirements.
- Assess the current incident response plan.
- Assess current backup and restore posture.
- Review the website, Form ADV brochure, and internal security claims for consistency.
Days 31 to 60
- Build or revise the incident response program.
- Define legal, operational, and client-notification escalation paths.
- Review service provider oversight process.
- Update evidence collection practices.
- Run a restore test on something that actually matters.
- Run a tabletop exercise.
- Define remediation priorities with owners and dates.
Days 61 to 90
- Close the highest-risk identity and access gaps.
- Fix the worst vendor oversight gaps.
- Establish recurring review cadence.
- Train the people who would actually be involved in a breach.
- Clean up stale accounts and shadow software.
- Finalize leadership-ready documentation and roadmap.
For an estate planning law firm
First 30 days
- Map where client data enters, lives, and exits.
- Inventory vendors and shared systems.
- Assess mailbox security, delegation, and authentication.
- Confirm backup and restore coverage.
- Review intake forms, file-sharing methods, and portal practices.
- Identify where public artificial intelligence tools are being used.
Days 31 to 60
- Build or refine incident response procedures.
- Tighten role-based access and staff permissions.
- Review vendor terms and security posture.
- Establish secure handling guidance for especially sensitive matters.
- Review business continuity for urgent client needs.
- Confirm client communication procedures during incidents.
Days 61 to 90
- Run a tabletop exercise.
- Test restoration of critical documents or systems.
- Train staff on phishing, impersonation, and data handling.
- Clean up shared accounts and stale access.
- Align written policies with actual practice.
- Establish a quarterly resilience and oversight review.
Part 14: The smartest Solanasis angle
The most differentiated Solanasis angle is not “we know lots of rules.”
It is this:
We help small, regulated, trust-based firms turn vague compliance expectations into tested, evidence-backed operational reality.
That is stronger than generic cybersecurity talk.
It is stronger than generic compliance talk.
It also naturally fits both wealth management and estate planning.
The throughline is not “checklists.” The throughline is operational resilience for high-trust firms handling high-consequence information.
Part 15: What to study next if you want to go deeper
If you want the next layer after this guide, study in this order.
- The Securities and Exchange Commission’s small entity compliance guide for the Regulation S-P amendments.
- The full Regulation S-P adopting release sections on incident response, service providers, and customer notice.
- Securities and Exchange Commission 2026 examination priorities for investment advisers.
- The Securities and Exchange Commission’s fiduciary-duty interpretation for advisers.
- Form ADV instructions and common adviser disclosure mistakes.
- The custody rule basics.
- The identity theft red flags rules.
- American Bar Association Rule 1.6 and comments.
- American Bar Association Formal Opinions 477R, 483, and 512.
- Colorado competence and breach-notification materials.
Reviewer pass: key corrections, cautions, and uncertainties
Confirmed and high-confidence
- The amended Regulation S-P directly applies to Securities and Exchange Commission registered investment advisers.
- Smaller entities must comply by June 3, 2026.
- The larger-entity threshold for registered investment advisers in this timing framework is $1.5 billion in assets under management.
- The final rule uses a service-provider oversight structure centered on written policies and procedures, due diligence, monitoring, and 72-hour notification, rather than a universal standalone written contract mandate.
- The anti-money laundering rule effective date for registered investment advisers was delayed to January 1, 2028.
- The prior Securities and Exchange Commission cybersecurity proposal for advisers was withdrawn in 2025.
- Estate planning attorney obligations are grounded primarily in ethics, confidentiality, competence, supervision, communication, and breach law, not in one single adviser-style federal rule.
Needs careful state-by-state treatment
- What a state-registered investment adviser must do depends on the state.
- The North American Securities Administrators Association model rules are influential, but state adoption varies.
- Do not casually assume every state has identical cybersecurity, privacy, annual-review, or written-policy requirements.
Areas where Solanasis should stay in lane
- Whether a particular adviser is deemed to have custody.
- Whether a particular incident legally triggers notice.
- Whether a particular disclosure satisfies the marketing rule.
- Whether a law firm’s conduct satisfies professional responsibility law in a specific fact pattern.
Those are lawyer or compliance-consultant calls, even if Solanasis helps gather the facts.
Source list
Solanasis materials
- Solanasis homepage: https://solanasis.com/
- Solanasis Regulation S-P guide: https://solanasis.com/resources/reg-sp-guide
Securities and Exchange Commission
- Regulation S-P small entity compliance guide: https://www.sec.gov/files/rules/final/2024/regulation-s-p-small-entity-compliance-guide.pdf
- Regulation S-P adopting release: https://www.sec.gov/files/rules/final/2024/34-100155.pdf
- Securities and Exchange Commission press release on Regulation S-P amendments: https://www.sec.gov/newsroom/press-releases/2024-58
- Securities and Exchange Commission 2026 examination priorities: https://www.sec.gov/files/2026-exam-priorities.pdf
- Investment adviser fiduciary-duty interpretation: https://www.sec.gov/files/rules/interp/2019/ia-5248.pdf
- Form ADV instructions: https://www.sec.gov/files/formadv-instructions.pdf
- Identity theft red flags small business guide: https://www.sec.gov/resources-small-businesses/small-business-compliance-guides/identity-theft-red-flags-rules
- Securities and Exchange Commission page showing withdrawal of certain proposed rules in 2025, including the adviser cybersecurity proposal: https://www.sec.gov/rules-regulations/2025/06/cybersecurity-risk-management-investment-advisers-registered-investment-companies-business
- Securities and Exchange Commission page showing withdrawal of certain proposed rules in 2025, including the outsourcing proposal: https://www.sec.gov/rules-regulations/2025/06/outsourcing-investment-advisers
Treasury and anti-money laundering
- Financial Crimes Enforcement Network notice delaying the investment adviser anti-money laundering rule to 2028: https://www.fincen.gov/news/news-releases/fincen-issues-final-rule-postpone-effective-date-investment-adviser-rule-2028
State securities and North American Securities Administrators Association
- North American Securities Administrators Association information security and privacy model rule: https://www.nasaa.org/wp-content/uploads/2022/11/model-rule-information-security-data-privacy.pdf
- North American Securities Administrators Association notice on adoption of the model package: https://www.nasaa.org/48065/nasaa-members-adopt-investment-adviser-information-security-model-rule-package/
- North American Securities Administrators Association proposed policies and procedures model rule materials: https://www.nasaa.org/wp-content/uploads/2020/07/Notice-of-Request-for-Public-Comments-Proposed-IA-Policies-and-Procedures-Model-Rule-070220.pdf
Legal ethics and Colorado
- American Bar Association Model Rule 1.6: https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_6_confidentiality_of_information/
- American Bar Association comments to Rule 1.6: https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_6_confidentiality_of_information/comment_on_rule_1_6/
- American Bar Association Formal Opinion 477R: https://www.americanbar.org/products/ecd/chapter/348777154/
- American Bar Association Formal Opinion 483: https://www.americanbar.org/content/dam/aba/administrative/news/2019/formal_op_483.pdf
- American Bar Association notice on Formal Opinion 512 regarding generative artificial intelligence: https://www.americanbar.org/news/abanews/aba-news-archives/2024/07/aba-issues-first-ethics-guidance-ai-tools/
- Colorado Rule 1.1 competence materials: https://www.cobar.org/Portals/COBAR/Repository/RPC/Client-Lawyer%20Relationship/Rule%201.1%20-%20Competence.pdf?ver=FdwSIp2TLYHfh-NNaUoEZg%3D%3D
- Colorado Attorney General data privacy and breach page: https://coag.gov/file-a-complaint/data-privacy-data-breach/
- Colorado Privacy Act overview: https://coag.gov/resources/colorado-privacy-act/
- Colorado bill summary for Colorado Privacy Act thresholds: https://leg.colorado.gov/bills/sb21-190
Final takeaway
The firms that will struggle most are not always the firms with the fewest tools.
They are the firms where no one can clearly answer four questions: what data do we have, who can access it, what happens when something goes wrong, and can we actually restore the business when it matters.
That is the heart of the opportunity for Solanasis.
The more precisely you can speak about those questions, the stronger you will sound in both wealth management and estate planning.