PII Compliance for Wealth Managers in 2026 — US, Australia, UK & NZ
The 2026 regulatory landscape has reshaped how wealth advisors, banks and financial institutions must handle client data — across the US, Australia, the UK and New Zealand. Here's what's changed, what's enforced, and how to actually defend it.

Wealth managers sit on the highest-value personal data in the economy: identity documents, tax file numbers, account balances, beneficiary structures, source-of-wealth narratives. Regulators across every jurisdiction USC Data serves have spent 2024–2026 tightening the rules — and the penalties — around how that data is held, shared, and surfaced into AI tools.
This is the 2026 view: what's actually in force in your market, what's coming next, and the operational controls that keep advisors out of enforcement headlines.
The 2026 regulatory landscape — by jurisdiction
🇺🇸 United States
- SEC Regulation S-P (amended May 2024, in force 2025–2026): Registered investment advisers and broker-dealers must maintain written incident response programs and notify affected individuals within 30 days of discovering unauthorised access to customer information.
- GLBA Safeguards Rule (FTC): Mandatory written information security program, designated qualified individual, MFA, encryption of customer data at rest and in transit, and annual board reporting.
- NYDFS Part 500 (amended Nov 2024): Expanded governance, 72-hour breach notification, and explicit board accountability for cybersecurity.
- State privacy laws: CCPA/CPRA (California), plus comprehensive laws now live in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Jersey, New Hampshire, Maryland, Minnesota, Tennessee, Kentucky and others — each with its own definitions of "sensitive data," opt-out rights, and consumer access timelines.
- Colorado AI Act (effective Feb 2026): First US state law governing high-risk AI systems — relevant when advisers use AI for suitability, profiling, or eligibility decisions.
🇦🇺 Australia
- Privacy and Other Legislation Amendment Act 2024: Introduced a statutory tort for serious invasions of privacy, expanded OAIC enforcement powers, civil penalties up to AU$50M (or 30% of adjusted turnover), and a Children's Online Privacy Code rolling out in 2026.
- Tranche 2 Privacy Act reforms (2025–2026): Removal of the small business exemption, "fair and reasonable" test for handling personal information, automated decision-making transparency, and direct individual right of action.
- Australian Privacy Principles (APPs): APP 11 (security), APP 1 (open and transparent management) and APP 6 (use and disclosure) remain the day-to-day operating standard.
- APRA CPS 234 (Information Security): Binding on banks, insurers and superannuation trustees — board-level accountability, capability proportional to threats, and timely incident notification to APRA.
- Notifiable Data Breaches scheme: Eligible breaches must be reported to OAIC and affected individuals "as soon as practicable."
- AML/CTF Act reforms (2026): Tranche 2 brings accountants, lawyers and real estate agents into scope — wealth firms with adjacent service lines should reassess.
🇬🇧 United Kingdom
- Data (Use and Access) Act 2025: Reformed UK GDPR — clearer rules for legitimate interests, automated decision-making, and international transfers, while retaining EU adequacy.
- FCA Consumer Duty: Now in full force across closed products — firms must evidence good outcomes, including in how client data drives advice.
- ICO enforcement: Continued focus on unstructured PII, third-party processor failures, and AI-driven profiling in financial services.
🇳🇿 New Zealand
- Privacy Act 2020 + 2025 amendments: Notifiable privacy breach regime, expanded OPC compliance notice powers, and tightened cross-border disclosure rules under IPP 12.
- FMA conduct expectations: CoFI regime now live for licensed financial institutions — fair conduct programs must address how customer information informs advice.
The operational controls regulators now expect
Across all four markets, the supervisory pattern in 2025–2026 is the same: regulators stopped accepting "we have a policy" as evidence. They want to see the controls operating. These are the eight categories that show up in every modern enforcement matter and audit finding.
Data identification & classification
Firms must systematically identify PII and categorize it by sensitivity. Automated discovery and classification — like the Priivacy platform — applies the right controls to the right data, at scale.
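One way to make "identify and categorize by sensitivity" concrete, as an added example written for this page rather than Priivacy's or USC Data's own code: a checksum-aware scan over a constructed e-mail body for the identifier types mentioned above. The sensitivity tiers and regex patterns are assumptions; the TFN check uses the published weighted-digit rule so that arbitrary nine-digit runs do not raise alerts.

```python
import re
from dataclasses import dataclass

# ATO tax file number check: weighted digit sum must be divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

def is_valid_tfn(candidate: str) -> bool:
    """True if candidate holds nine digits that pass the TFN checksum."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 9:
        return False
    total = sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS))
    return total % 11 == 0

@dataclass(frozen=True)
class Finding:
    kind: str         # identifier type, e.g. "AU_TFN"
    sensitivity: str  # assumed tier: "high" or "medium"
    offset: int       # character offset of the hit in the scanned text

# Identifier patterns with an assumed sensitivity tier. The SSN pattern
# rejects never-issued area/group/serial values to reduce false positives.
PATTERNS = {
    "AU_TFN": (re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), "high"),
    "US_SSN": (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b"), "high"),
    "EMAIL": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "medium"),
}

def scan_text(text: str) -> list[Finding]:
    """Return classified PII findings; TFN-shaped hits must pass the checksum."""
    findings = []
    for kind, (pattern, sensitivity) in PATTERNS.items():
        for match in pattern.finditer(text):
            if kind == "AU_TFN" and not is_valid_tfn(match.group()):
                continue  # nine digits, but not a TFN: do not alert on it
            findings.append(Finding(kind, sensitivity, match.start()))
    return sorted(findings, key=lambda f: f.offset)

# Constructed sample e-mail body (not real client data).
SAMPLE = (
    "From: adviser@example.com\n"
    "Client TFN on file: 123 456 782 (123 456 789 on the old form was a typo)\n"
    "US account holder SSN 123-45-6789, contact client@example.com\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"{f.sensitivity:6} {f.kind:7} at offset {f.offset}")
```

The second nine-digit run in the sample fails the checksum and is dropped, which is the kind of false-positive control that keeps a discovery report credible to auditors.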
Privacy laws & regulations
Privacy laws vary significantly across regions — and across US states. Compliance strategies must be tailored to every jurisdiction the firm operates in.
Data protection measures
Encryption, access controls, secure storage and disposal — PII must be accessible only to authorized personnel and protected against internal and external threats.
Consent & privacy policies
Explicit consent before collecting, using or sharing client PII is fundamental. Privacy policies must be clear, accessible, and actively communicated.
Data subject rights
Clients have the right to access, rectify, delete or port their PII. Firms must respond to these requests within the timelines set by the relevant privacy laws.
Breach notification & response
Effective response plans are non-negotiable: notification procedures, communication channels, defined timelines. Transparent response preserves client trust.
Cross-border data transfer
International firms must ensure transfers comply with laws like GDPR — using mechanisms such as Standard Contractual Clauses where required.
Data retention & disposal
Retention policies must reflect legal and business requirements. Once expired, PII should be securely disposed of or anonymized to prevent unauthorized access.
Staff training and awareness
Every employee must understand the importance of PII protection and the firm's compliance obligations. Regular training equips staff to identify potential issues early and respond appropriately.
Regular audits and assessments
Ongoing audits ensure PII protection measures stay effective as regulations evolve. They surface vulnerabilities, validate security practices, and inform protocol updates. For wealth management firms, navigating PII compliance is a continuous discipline — not a project.
What are the best practices for protecting PII in wealth management?
Firms that fail to protect PII stand to lose far more than client data. Regulatory fines, forensic investigations, remediation spend, and credit-monitoring obligations stack up fast. Worse, breaches erode trust, drive client attrition, disrupt operations and damage morale. Clients harmed by breaches may file lawsuits, and firms can face severe fines — even license suspension — for non-compliance.
Practical mitigations
- Move beyond perimeter defenses — implement zero-trust security across systems and users.
- Use data loss prevention (DLP) — encryption, anomaly detection, automated classification.
- Apply AI and machine learning to surface suspicious activity, predict potential breaches, and accelerate incident response.
- Replace insecure email and SMS with secure messaging purpose-built for financial services.
- Use a managed PII discovery and remediation toolset like Priivacy to find and govern sensitive data across every system — without it ever leaving your firewall.
The blind spot most firms miss
The hardest compliance question isn't what the rules say — it's where your sensitive data actually lives. Shadow copies in test environments, unstructured PII in emails and documents, third-party exposure, retention violations: these are the issues that surface in every Priivacy discovery engagement.
Are your PII protections strong enough?
PII protection in wealth management is a continuous concern — firms must constantly assess their controls to ensure compliance and best practice. The starting point is always the same: know what data you hold, where it lives, and who can touch it.
See where your PII actually lives — without it leaving your firewall
Priivacy is USC Data's managed PII discovery and remediation toolset for wealth managers, banks and financial institutions. Local-first scanning, automated classification, and a clear remediation roadmap — built for firms where the data can never leave the building.
