17 CFR 248.30 and 248.10

SEC Reg S-P scan-to-email compliance for broker-dealers and investment advisers.

The 2024 SEC Reg S-P amendments at Release 34-100155 expanded the Safeguards rule at 17 CFR 248.30 and the customer-records delivery rule at 17 CFR 248.10, added a thirty-day customer notification obligation, and pulled multifunction printer scan-to-email into the written policies most broker-dealers and registered investment advisers have not yet updated. SecureMFP closes the obligation on every device in the fleet.

The Safeguards rule

What SEC Reg S-P requires under 17 CFR 248.30 Safeguards rule

SEC Regulation S-P is codified at 17 CFR Part 248 and implements GLBA section 501(b) for broker-dealers, investment companies, SEC-registered investment advisers, and funding portals registered under Regulation Crowdfunding. Section 248.30(a) requires every covered institution to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. The safeguards must be reasonably designed to insure the security and confidentiality of customer records, protect against anticipated threats or hazards, and protect against unauthorized access or use that could result in substantial harm or inconvenience to any customer. Multifunction printer scan-to-email is a technical-safeguards transmission path that plaintext SMTP cannot satisfy. The Chief Compliance Officer or Reg-S-P-officer is the named control owner inside the written policy register.

The 2024 amendments

The amended 248.10 customer delivery rule and what 2024 changed

SEC Release 34-100155 was adopted May 16, 2024, and amended both Section 248.30 Safeguards and Section 248.10 customer-records delivery. Section 248.30 was expanded to add a written incident-response program element, a thirty-day customer-notification obligation when sensitive customer information was or is reasonably likely to have been accessed without authorization, and a service-provider oversight element. Section 248.10(e) expanded the customer-records definition to include records from persons who were never customers if the records contain sensitive customer information. Compliance dates land December 3, 2025 for entities at or above 1.5 billion dollars in assets under management or 100 million dollars in total annual gross revenue, and June 3, 2026 for smaller entities. Both rules now reach the multifunction printer fleet at every covered institution.

Why the gap stayed hidden

Why MFP scan-to-email is a Reg S-P gap for broker-dealers and RIAs

The Reg S-P written policies most broker-dealers and registered investment advisers operate were built around the trading platform, the order-management system, the customer-relationship management surface, the email gateway, and the laptops and mobile devices that registered representatives carry. Multifunction printers were peripherals, not transmission endpoints. The Quocirca 2024 Print Security Landscape research found just sixteen percent of organizations are completely confident in their print security while sixty-seven percent suffered a print-related breach in the past year. A typical broker-dealer branch network of forty multifunction printers averaging twenty scans per device per day sends roughly three hundred thousand plaintext transmissions of customer information per year that the Chief Compliance Officer cannot attest to under the amended Section 248.30 written policies. The thirty-day notification clock starts the moment the gap becomes visible.

The examiner walkthrough

The FINRA examiner walkthrough on customer-record scanning

FINRA examiners working a cycle examination or a cause examination walk through every customer-record transmission path with the same four-question sequence federal banking examiners use under the Interagency Guidelines. The multifunction printer fleet is now in scope. Plaintext SMTP scan-to-email fails all four. The broker-dealer that registers SecureMFP inside the Section 248.30 written policies answers all four in a single audit log. The sequence below mirrors the FINRA cybersecurity report language.

Examiner questionWhat plaintext SMTP returns
Who sent this scan-to-email transmission?MFP header. Easily forged. No mutual authentication.
Who received this scan-to-email transmission?Recipient list. Partial. No retrieval confirmation.
Was the content encrypted device to recipient?Opportunistic TLS at best. Fallback to plaintext on many relays.
Can you produce one scan from 90 days ago for retention testing?Mailbox dependent. Often deleted. Uncontrolled at the recipient.
The workflows in scope

Common broker-dealer scan workflows that touch nonpublic personal information

Broker-dealers and registered investment advisers move customer records across multifunction printers every day in workflows that the Section 248.30 written policies often do not enumerate. New-account application packets carry the customer agreement, the Form W-9, the Patriot Act customer identification documents, and the new-account questionnaire. Account-transfer forms including the ACATS transfer initiation form and beneficiary-designation forms for IRA accounts carry Social Security numbers and routing details. Customer agreements for options trading, margin lending, and managed accounts carry signatures and account numbers. Trust-account documentation, power-of-attorney forms, and corporate-authority resolutions carry beneficial-ownership data. Each of these workflows produces multiple plaintext SMTP transmissions per file. Each is a Section 248.10(e) customer record. Each triggers the Section 248.30 safeguards obligation at the moment it leaves the device.

Control-by-control mapping

How SecureMFP maps to 248.30(a)(1) through (3) and 248.10(e) delivery

SecureMFP intercepts scan-to-email at a stateless gateway between the fleet and the mail relay. The plaintext SMTP hop becomes encrypted transport with mutual authentication. The mapping below ties each control surface to the Section 248.30 element the FINRA examiner references during the walkthrough.

Reg S-P elementSecureMFP control surface
248.30(a)(1) ConfidentialityEncrypted transport replaces plaintext SMTP for every scan transmission.
248.30(a)(2) Anticipated threatsMutual authentication prevents SMTP-relay interception and credential theft.
248.30(a)(3) Unauthorized accessRecipient retrieves through authenticated session, eliminating mailbox-copy risk.
248.30 Incident responsePer-document audit log produces the timeline evidence for the response plan.
248.30 Customer notificationPer-document recipient log supports the 30-day notification determination.
248.30 Service-provider oversightBotdoc SOC 2 Type II evidence supplied for the vendor management file.
248.10(e) Customer-records deliveryAuthenticated retrieval session replaces the email attachment delivery method.
The CCO perspective

The Chief Compliance Officer and Reg-S-P-officer perspective on the gap

The Chief Compliance Officer signs the Section 248.30 written policies and stands behind them during the FINRA cycle examination. The Reg-S-P-officer at larger broker-dealers carries the day-to-day operational responsibility for the safeguards program. The 2024 amendments added the thirty-day customer-notification clock and the written incident-response element that both attach to a documented safeguards posture. A plaintext SMTP scan-to-email gap creates two problems at once. It is a control deficiency at the cycle examination. It is a notification trigger if a recipient mailbox is later compromised or a misdirected scan reaches a third party. SecureMFP closes both surfaces with one encrypted transport channel, one audit log, and one control-language draft that drops into the written policy register before the next examination cycle begins.

FAQ, the regulation

What SEC Reg S-P covers across broker-dealers and investment advisers

Reg S-P implements GLBA section 501(b) for the SEC and FINRA regulatory perimeter. Section 248.30 is Safeguards. Section 248.10 is customer-records delivery. Both rules now reach the multifunction printer fleet at every covered institution after the 2024 amendments.

What does SEC Reg S-P require for broker-dealer scan-to-email?

17 CFR 248.30(a) requires every broker-dealer, investment company, and SEC-registered investment adviser to adopt written policies and procedures addressing administrative, technical, and physical safeguards for customer records and information. The safeguards must protect against anticipated threats and unauthorized access. Plaintext SMTP scan-to-email cannot satisfy the technical safeguards element for customer records that include nonpublic personal information. The 2024 amendments at SEC Release 34-100155 added incident-response and notification obligations that flow from the same safeguards failure.

FAQ, the 2024 amendments

What the 2024 Reg S-P amendments changed and the compliance dates

SEC Release 34-100155 was adopted May 16, 2024, and is the most significant Reg S-P rewrite in two decades. Two compliance dates landed in 2025 and 2026 based on asset size and revenue. The amendments added an incident-response program, a thirty-day notification clock, and service-provider oversight elements that all reach the multifunction printer fleet.

What changed in the 2024 Reg S-P amendments?

SEC Release 34-100155, adopted May 16, 2024, amended both Section 248.30 and Section 248.10. Section 248.30 now requires written incident-response policies, customer notification within 30 days of a breach affecting sensitive customer information, and service-provider oversight. Section 248.10(e) expanded the customer-records definition. Large entities had a compliance date of December 3, 2025. Smaller entities have a compliance date of June 3, 2026.

FAQ, the regulated perimeter

Which SEC-registered entities Reg S-P actually covers

Reg S-P reaches the broker-dealer, the investment company, the SEC-registered investment adviser, and the funding portal registered under Regulation Crowdfunding. State-registered investment advisers fall under state law that mirrors the federal framework. Joint broker-dealer and investment adviser registrations sit inside both rule perimeters. The Safeguards rule and the customer-records delivery rule both reach the fleet at every covered institution.

Does Reg S-P apply to SEC-registered investment advisers?

Yes. Reg S-P applies to broker-dealers, investment companies including mutual funds and exchange-traded funds, and SEC-registered investment advisers. Funding portals registered under Regulation Crowdfunding are also covered. State-registered investment advisers fall under state law, which often mirrors the federal Reg S-P framework. The Safeguards rule and the customer-records delivery rule both reach the multifunction printer fleet at every covered institution.

FAQ, FINRA enforcement

How FINRA enforces Reg S-P during cycle and cause examinations

FINRA examines under the Rule 3110 supervision and Rule 4530 reporting frameworks. The Chief Compliance Officer is the named control owner inside the written policy register. Enforcement actions surface in routine cycle examinations, in cause examinations, and in cybersecurity sweeps. The SEC also carries direct enforcement authority over registered entities outside the FINRA membership.

How does FINRA enforce Reg S-P on broker-dealers?

FINRA examines broker-dealers under the Rule 3110 supervision framework and the Rule 4530 reporting framework. Reg S-P violations surface in routine cycle examinations, in cause examinations following customer complaints or media reports, and in cybersecurity sweeps. FINRA has issued enforcement actions against firms that failed to encrypt customer information in transit. The Chief Compliance Officer or Reg-S-P officer is the named control owner for the safeguards program.

FAQ, customer records at the MFP

Which customer records the Reg S-P perimeter actually reaches at the device

The customer-records definition was expanded in 2024 to include records from persons who were never customers if the records contain sensitive customer information. The fleet sees these records daily in new-account workflows, account-transfer requests, beneficiary designations, and customer agreement signing packets. Each crosses the multifunction printer at the moment it enters the firm.

What customer records does Reg S-P cover at an MFP?

New account application forms, account transfer forms, beneficiary designation forms, customer agreements, options agreements, margin agreements, signature cards, IRS Form W-9 and W-8 packets, Patriot Act customer identification documents, and any document containing nonpublic personal information about a current or prospective customer. The 2024 amendments at Section 248.10(e) expanded the customer-records definition to include records from a person who was never a customer if the records contain sensitive customer information.

FAQ, the notification clock

How the thirty-day customer notification rule reaches scan-to-email

A misdirected scan, a compromised recipient mailbox, or unauthorized retrieval of stored mail copies can all start the thirty-day clock under the amended Section 248.30. The Chief Compliance Officer needs evidence the safeguard was in place to defend the response timeline. The per-document audit log is the artifact the cycle examination references.

Does the 30-day breach notification reach scan-to-email?

Yes. The amended Section 248.30 requires customer notification within 30 days of becoming aware that sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. A misdirected scan-to-email transmission, a compromised recipient mailbox, or an unauthorized retrieval of stored mail copies all trigger the obligation. The Chief Compliance Officer needs evidence the safeguard was in place to defend the response timeline.

FAQ, the Patriot Act intersection

How the Customer Identification Program intersects the Reg S-P safeguards

The Customer Identification Program collects documents that become Reg S-P customer records at the moment of capture. The scan-to-email path triggers the Section 248.30 safeguards obligation immediately. The fleet is the first point of contact between the customer identification document and the firm. The control register has to recognize that surface.

Does the Customer Identification Program intersect Reg S-P?

Yes. The Customer Identification Program under USA PATRIOT Act Section 326 and the FinCEN rule at 31 CFR 1023.220 requires broker-dealers to collect identification documents at account opening. Those documents become customer records under Reg S-P at the moment they are collected. The scan-to-email path that moves driver-license images and Social Security numbers into the new-accounts queue triggers the Section 248.30 safeguards obligation immediately.

FAQ, the cycle examination

How FINRA cycle examination expectations are shifting on scan-to-email

FINRA cybersecurity reports and recent examination findings have flagged unencrypted document workflows including the scan-to-email path across both retail and institutional broker-dealer populations. The 2024 Reg S-P amendments raised the bar across the entire broker-dealer population by requiring written incident-response policies and a thirty-day notification clock. Pre-registration of the control inside the written policies is the cleanest defense before the next cycle.

Will FINRA examiners ask about scan-to-email walks?

Increasingly yes. FINRA cybersecurity reports and routine examination findings have started flagging unencrypted document workflows including scan-to-email. The 2024 Reg S-P amendments raised the bar by requiring written incident-response policies and 30-day customer notification, which forces the safeguards conversation upstream. Broker-dealers that pre-register the scan-to-email control inside the Section 248.30 written policies get a smoother cycle examination outcome.

Talk to a specialist

Talk to a SecureMFP specialist about your Reg S-P obligations

A SecureMFP specialist will walk through the 17 CFR 248.30 and 248.10 mapping for your specific multifunction printer fleet, supply the written policies control-language draft your Chief Compliance Officer can register, and coordinate with your FINRA examiner or external audit firm ahead of the next cycle examination. Thirty minutes is the standard slot. The walkthrough covers the Section 248.30(a)(1) through (3) per-element mapping for scan-to-email, the incident-response and thirty-day notification evidence requirements, the service-provider oversight artifacts, and the Section 248.10(e) delivery-rule alternative for customer records. Forward-thinking broker-dealers and registered investment advisers are closing the gap before the next cycle examination cites it. The standard rollout is two to four weeks for a typical branch network.