Contract Review Checklist

Identify whether this is a custody / sub-custody agreement, sub-advisor / solicitor agreement, vendor / SaaS MSA, marketing / referral arrangement, or client IAA. Tier as critical, high, moderate, or low based on access to client data, funds, or material business processes — the tier drives EDD depth and CCO sign-off requirements.

Screen the legal entity and any disclosed beneficial owners through Refinitiv World-Check, LexisNexis Bridger, or ComplyAdvantage. Document the screen ID and any near-match adjudications. PEP hits trigger enhanced due diligence before counsel review begins.

Pull current Form ADV (advisors), BrokerCheck / IAPD records (BDs, IARs), state insurance producer licensing, or applicable charter for banks. Confirm registrations are active in every state where the relationship will operate — not just home state.

Common gotcha: producer licensed resident-state but not in states where binding will occur.

Required for any vendor that touches client PII, custody data, or trading systems. Confirm report is current (within 12 months), covers the relevant Trust Services Criteria, and lists no material exceptions affecting our use case. Bridge letter required if last audit period ended more than 90 days ago.

Check the contract substance against the rules that govern this relationship — Advisers Act 206(4)-1 (advertising), 206(4)-2 (custody), 206(4)-3 (solicitors), FINRA 2210 (communications), 3110 (supervision), Reg BI for retail recommendations. Bank-side: TILA / Reg Z, RESPA, ECOA, GLBA where applicable.

Confirm governing law, venue, and arbitration forum (FINRA arbitration if BD-side; AAA / JAMS otherwise). Reject class-action waivers that conflict with state RIA rules. Note: client agreements with mandatory pre-dispute arbitration require ADV Item 11 disclosure.

If the contract introduces a new conflict (revenue share, soft dollar, principal trading, affiliated product), confirm ADV Part 2A Items 5, 10, 11, 12, and 14 will be amended and Form CRS updated. Material changes require interim ADV amendment within 30 days, not annual cycle.

Reject mutual indemnification that exposes the firm to consequential damages from counterparty's gross negligence or willful misconduct. LOL caps below 12 months of fees are typically unacceptable for vendors with PII access. Insurance must back the indemnity — verify in next section.

For AUM-based fees, document whether billed on average daily balance, period-end, or period-start — these produce materially different invoices. For sub-advisor splits, confirm the breakpoint schedule. Three-way reconciliation logic (invoice, custodian debit, internal calc) must be implementable.

Look for ticket charges, custody fees, platform fees, 12b-1 / sub-TA payments, soft dollar credits, and termination fees buried in schedules or addenda. Anything not disclosed in ADV Item 5 needs to be added before execution.

Confirm pro-rata fee refund, data return / destruction obligations, transition assistance period, and any liquidated damages. For custodian agreements, confirm ACATS support and bulk repapering assistance during transition.

Capture the plain-English fee summary that will go on Form CRS and the engagement letter. If this contract creates a new fee type or new conflict, the CRS must be redelivered to retail clients at next recommendation.

Collect a current COI naming the firm as additional insured where appropriate. Minimums for vendors with client data access: $5M E&O, $5M cyber, $2M general liability. Custodians and sub-advisors typically require $10M+ E&O. Confirm tail coverage on termination.

Force majeure should not excuse failure to maintain books and records, custody safeguards, or breach notification. Confirm the counterparty has a tested BCP / DR program with documented RTO and RPO compatible with our regulatory obligations.

Confirm cure periods, escalation contacts, and step-in rights. For custodian agreements, confirm SLOA safeguards align with the SEC's no-action letter conditions so we don't inadvertently take custody.

Contract must obligate the counterparty to maintain a written information security program meeting Reg S-P safeguards and the SEC's amended Reg S-P incident response and customer notification requirements. State-level overlays (NY DFS Part 500, MA 201 CMR 17.00) where applicable.

AES-256 at rest, TLS 1.2+ in transit, MFA on privileged access, role-based access, and key management standards documented in the security exhibit. Subcontractor / sub-processor list with flow-down obligations required.

72 hours from discovery is the typical floor; 24-48 hours preferred for vendors handling client funds or non-public personal information. Notification must include enough detail to support our 30-day Reg S-P customer notice obligation and any state AG filings.

If the vendor's reps will communicate with our advisors or clients, the contract must require use of archived channels (Smarsh, Global Relay, MyRepChat) — not personal email or unarchived text. The 2022-2024 SEC enforcement wave (over $2B in fines) makes this non-negotiable.

Trade execution timing, NAV / performance reporting deadlines, system uptime, support response, and GIPS-compliant reporting where applicable. Tie SLA misses to fee credits or termination-for-cause triggers.

Advisers Act Rule 204-2 records held by a vendor remain ours — the contract must guarantee access for the firm, our auditors, and SEC / FINRA examiners. Five-year retention minimum (first two years easily accessible). Bank-side: regulator examination access for OCC / FDIC / state DFI.

Critical and high-risk contracts require CCO sign-off plus an additional principal (CEO, COO, or General Counsel). Document the rationale for engaging this counterparty and any negotiated deviations from standard terms.

If the contract is rejected, capture the deal-breaker terms, the proposed redlines, and the renegotiation owner. Re-run this checklist after counterparty returns a revised draft.

Store the fully executed PDF, the COI, the SOC 2 / bridge letter, and this checklist in NetDocuments / Laserfiche under the counterparty's vendor record. Set the renewal / re-diligence reminder per the risk tier (annual for critical, biennial for moderate).