4STREET — Intersect the Semantics
Field Note · 13 min

Technically, Reg S-P Just Got Technical

While the industry runs full steam into agentic investment, a secret is hidden in every program: who is enforcing those enterprise agreements? If Big Tech doesn't need Wall Street as much as Wall Street needs Big Tech, an emerging risk has a name — MSP (Managed Service Provider) Risk.

This article lives at the changing of the guard — from co-work, to co-pilot, to OpenClaw, to whatever Grandma vibe-coded. It traces how the movement from on-prem to on-cloud shaped today's transformer models, and how Reg S-P compliance will become the most significant compliance cost for decades to come.

Wow, Pikachu never looked so good — sitting off the coast of Cyprus next to Gandhi. As impressive as today's transformer models are, that photo amounts to one thing for Nintendo: a copyright violation. But from an investor perspective, if 'AI' can make something as improbable as that photo, it's time to invest — and everyone is. Today, large construction companies whose employees have trouble typing are investing heavily in 'AI' agents as a panacea for their employees' lack of keyboard training; speech-to-text does things their typing never will. But while we have normalized the copyright violations as harmless and praised practical LLM use cases like the construction example, we ignore one glaring facet: what is being done with the voice biometrics of Bob the builder?

In the best case, Bob's voice is under an enterprise license agreement (ELA) — a private commercial contract, not enforced by any regulator specifically, though the FTC or DOJ will periodically step in if there are allegations of antitrust or fraud (not the standard contract breach). At this point, with enforcement on the lighter side, here is some relevant historical context on enterprise-agreement violations: Oracle v. Rimini Street ran from January 2010 to July 2025 — 15 years. SAP v. Diageo ran from 2004 to 2017 — 13 years. HP/HPE v. Oracle ran from March 2011 to August 2021 — 10 years. Indiana v. IBM ran from 2009 to 2017 — 8 years.

And if none of those strike your fancy, there is an operation called the Business Software Alliance (BSA, not to be confused with the other BSA, the Bank Secrecy Act), which has had numerous findings against Microsoft and Adobe, ongoing since 2005. Ironically, the Business Software Alliance is notably funded by Microsoft, so Microsoft funding the entity that fines it looks a lot like the AAA we discussed in our prior essay on No Comment letters.

Bob's biometrics are secured under encryption at rest, technically speaking. But what if one day they aren't? Consider how long each of those case examples took to address: the world changed dramatically in the time it took for them to actualize. Bob's kids can go to university and earn doctorates before he can get relief from his biometrics being compromised — and again, we are still referring to the 'best case.'

What about the 'worst case'? It is the one where Bob doesn't even realize his voice print is now as popular as David Attenborough, and people are using it the way the world uses Pikachu images today. And while that may not matter for other industries, for asset managers this is a Reg S-P violation — and the buck stops with the 'covered entities.'

Asset managers are now in a sea of potential enterprise-agreement violations on sheer telemetry alone — and that could be enforced in the most unintended of ways. This is a long-term structural issue that will show up in the cases. But the legal exposure needs to be considered: the SEC will be graceful, at least initially, unless something is egregious.

The real issue for firms today is the on-cloud movement — the telemetry, the co-work, the co-pilot, the 'bossware,' the co-creep. The IP of trading strategies now has the potential to be reverse-engineered. Client order flow can be front-run not by the traditional HFTs, but by a new powerful player: your MSP's agent. Clients are potentially routed away in a world where you aren't paying enough on your enterprise agreement. The world just got worse for asset managers. As regulators wake up to this reality, considering your OS (operating system) in the future could become akin to the process firms use today when considering their executing broker.

The attack surface

The Source Can Come From Anywhere

[Figure, two panels]
Left panel, "Well-meaning: Third-party scripts": Well-meaning third-party scripts loaded into a web page — analytics, chat, and tag-manager snippets that quietly reach off-site.
Right panel, "Hidden: Vendor telemetry": The detailed behavioral telemetry major vendors collect and store out of sight, far beyond what the firm ever sees.
On the left, the well-meaning third-party scripts your stack invites in. On the right, the detailed telemetry the major vendors store out of sight. Both are attack vectors — and in the world the Reg S-P amendments just created, both are unnecessary exposures.

While other compliance servicing firms will give you Reg S-P compliance under the guise of peddling policy-manual procedure updates, this is window dressing for the true rules of Reg S-P. The 72-hour clock. The 30-day notification policy if your systems can't prove that no combination of material client information was accessed externally. Your vendors and MSPs are included. You might as well notify your clients weekly on an automated email cron to desensitize them to reality.

At street, we offer a future focused on your business strategy — and on how your infrastructure and workflow can potentially create the Reg S-P enforcement actions of tomorrow while undermining your IP or client flow today. If any of this interests you, please contact us. Don't let Bob's biometrics be your Reg S-P exposure.
