To become a registered transfer agent (TA), the SEC requires a formal set of Standard Operating Procedures (SOPs) that prove you can handle the “three pillars” of the role: Turnaround Speed, Accuracy, and Safeguarding.

As of 2026, the SEC’s Division of Examinations has significantly heightened its focus on Regulation S-P (Data Privacy) and Cybersecurity Incident Response.

🛠️ Essential SOP Checklist for a Transfer Agent

1. Item Processing & “Turnaround” SOPs

Goal: Comply with the 3-day processing rule (Rule 17Ad-2).

  • [ ] Intake Log Procedure: A daily timestamped log for all incoming transfer requests (physical or digital).
  • [ ] Routine vs. Non-Routine Classification: Clear criteria to distinguish between standard transfers (3-day limit) and complex ones (e.g., legal transfers, death of a holder).
  • [ ] Error Handling: Procedures for notifying issuers and investors within 24 hours if a transfer request is “rejected” for missing info.

2. Master Securityholder File & Recordkeeping

Goal: Ensure the “Cap Table” is the absolute source of truth (Rule 17Ad-10).

  • [ ] Daily Reconciliation: Procedures for balancing the “Control Book” (total shares authorized) against the “Master Securityholder File” (total shares held by individuals).
  • [ ] Backup & Disaster Recovery: SOP for daily off-site or cloud-redundant backups of shareholder data.
  • [ ] Certificate Management: If issuing physical stock, a log of “blank” certificates and a destruction protocol for “cancelled” ones.

3. Safeguarding Funds & Securities (Rule 17Ad-12)

Goal: Prevent theft, loss, or unauthorized issuance.

  • [ ] Dual Control Policy: A requirement that two different employees must authorize any movement of funds or large issuance of shares.
  • [ ] Signature Verification: A protocol for verifying “Medallion Signature Guarantees” or digital cryptographic signatures.
  • [ ] Uncashed Check Monitoring: A monthly audit of all outstanding dividend checks to identify “aged” items.

4. 2026 Priority: Regulation S-P & Cybersecurity

Goal: Meet the 2024/2025 SEC amendments regarding data breach notification.

  • [ ] Incident Response Plan (IRP): A written plan to detect, respond to, and recover from a cyber-attack.
  • [ ] 30-Day Notification Rule: A strict SOP to notify affected individuals within 30 days if their “sensitive customer information” was likely accessed.
  • [ ] 72-Hour Vendor Notification: If you use third-party software (like a cloud database), your contract/SOP must require the vendor to notify you within 72 hours of a breach.
  • [ ] Disposal Rule: A specific protocol for the secure “shredding” of digital and physical investor data once the retention period ends.

5. Lost Securityholder Search (Rule 17Ad-17)

Goal: Find “missing” investors before their assets are escheated (sent to the state).

  • [ ] Database Search Protocol: Procedures to conduct at least two automated searches of national databases for any holder whose mail is returned as undeliverable.

📅 The 2026 “Small Entity” Deadline

If you are a smaller firm (under $500k in capital), your deadline to have these Regulation S-P safeguards fully operational is June 3, 2026. Larger entities were required to comply by December 2025.


GONEN CORP FUNDS