Contract Review Checklist

Intake and Counterparty Diligence

    Identify whether this is a custody / sub-custody agreement, sub-advisor / solicitor agreement, vendor / SaaS MSA, marketing / referral arrangement, or client IAA. Tier as critical, high, moderate, or low based on access to client data, funds, or material business processes — the tier drives EDD depth and CCO sign-off requirements.

    Screen the legal entity and any disclosed beneficial owners through Refinitiv World-Check, LexisNexis Bridger, or ComplyAdvantage. Document the screen ID and any near-match adjudications. PEP hits trigger enhanced due diligence before counsel review begins.

    Pull current Form ADV (advisors), BrokerCheck / IAPD records (BDs, IARs), state insurance producer licensing, or applicable charter for banks. Confirm registrations are active in every state where the relationship will operate — not just home state.

    Common gotcha: a producer licensed in their resident state but not in the states where binding will occur.

    A current SOC 2 report is required for any vendor that touches client PII, custody data, or trading systems. Confirm the report is current (within 12 months), covers the relevant Trust Services Criteria, and lists no material exceptions affecting our use case. A bridge letter is required if the last audit period ended more than 90 days ago.

Legal and Regulatory Review

    Check the contract substance against the rules that govern this relationship — Advisers Act 206(4)-1 (advertising), 206(4)-2 (custody), 206(4)-3 (solicitors), FINRA 2210 (communications), 3110 (supervision), Reg BI for retail recommendations. Bank-side: TILA / Reg Z, RESPA, ECOA, GLBA where applicable.

    Confirm governing law, venue, and arbitration forum (FINRA arbitration if BD-side; AAA / JAMS otherwise). Reject class-action waivers that conflict with state RIA rules. Note: client agreements with mandatory pre-dispute arbitration require ADV Item 11 disclosure.

    If the contract introduces a new conflict (revenue share, soft dollar, principal trading, affiliated product), confirm ADV Part 2A Items 5, 10, 11, 12, and 14 will be amended and Form CRS updated. Material changes require interim ADV amendment within 30 days, not annual cycle.

    Reject mutual indemnification that exposes the firm to consequential damages arising from the counterparty's gross negligence or willful misconduct. Limitation-of-liability (LOL) caps below 12 months of fees are typically unacceptable for vendors with PII access. Insurance must back the indemnity; verify this in the next section.

Financial Terms

    For AUM-based fees, document whether billed on average daily balance, period-end, or period-start — these produce materially different invoices. For sub-advisor splits, confirm the breakpoint schedule. Three-way reconciliation logic (invoice, custodian debit, internal calc) must be implementable.
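Worked example of the three billing bases and the three-way reconciliation described above, added here as illustration and not part of the original checklist. The daily balances, fee rate and counterparty figures are constructed, and the actual/365 day-count convention is an assumption, since the checklist does not specify one.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed sample: five daily balances for one hypothetical account,
# billed at 100 bps per year on an assumed actual/365 day count.
DAILY_BALANCES = [Decimal(x) for x in ("1000000", "1020000", "990000", "1010000", "1050000")]
ANNUAL_RATE = Decimal("0.0100")
DAYS_IN_YEAR = Decimal(365)


def period_fee(balance, days, annual_rate=ANNUAL_RATE):
    """Fee for a period on one billing basis: balance * rate * days/year, rounded to cents."""
    return (balance * annual_rate * Decimal(days) / DAYS_IN_YEAR).quantize(CENT, rounding=ROUND_HALF_UP)


def billing_bases(balances):
    """Fee under each convention the contract might specify; the same balances give different invoices."""
    days = len(balances)
    average = sum(balances) / Decimal(days)
    return {
        "average_daily": period_fee(average, days),
        "period_end": period_fee(balances[-1], days),
        "period_start": period_fee(balances[0], days),
    }


def reconcile(invoice, custodian_debit, internal_calc, tolerance=CENT):
    """Three-way reconciliation: every pair must agree within tolerance. Returns the breaks found."""
    pairs = {
        "invoice_vs_custodian": (invoice, custodian_debit),
        "invoice_vs_internal": (invoice, internal_calc),
        "custodian_vs_internal": (custodian_debit, internal_calc),
    }
    return [(name, a - b) for name, (a, b) in pairs.items() if abs(a - b) > tolerance]


def reconcile_period(balances, contracted_basis, invoice, custodian_debit):
    """Recompute the fee on the basis the contract documents, then reconcile against the other two legs."""
    internal = billing_bases(balances)[contracted_basis]
    breaks = reconcile(Decimal(invoice), Decimal(custodian_debit), internal)
    return internal, breaks


if __name__ == "__main__":
    # Vendor billed and custodian debited on period-end; the contract says average daily.
    print(billing_bases(DAILY_BALANCES))
    print(reconcile_period(DAILY_BALANCES, "average_daily", "143.84", "143.84"))
```

The reconciliation breaks on both legs when the counterparty bills on a different basis than the one documented, which is exactly the discrepancy the contract-stated billing basis is meant to make detectable.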

    Look for ticket charges, custody fees, platform fees, 12b-1 / sub-TA payments, soft dollar credits, and termination fees buried in schedules or addenda. Anything not disclosed in ADV Item 5 needs to be added before execution.

    Confirm pro-rata fee refund, data return / destruction obligations, transition assistance period, and any liquidated damages. For custodian agreements, confirm ACATS support and bulk repapering assistance during transition.

    Capture the plain-English fee summary that will go on Form CRS and the engagement letter. If this contract creates a new fee type or new conflict, the CRS must be redelivered to retail clients at next recommendation.

Risk and Insurance

    Collect a current COI naming the firm as additional insured where appropriate. Minimums for vendors with client data access: $5M E&O, $5M cyber, $2M general liability. Custodians and sub-advisors typically require $10M+ E&O. Confirm tail coverage on termination.

    Force majeure should not excuse failure to maintain books and records, custody safeguards, or breach notification. Confirm the counterparty has a tested BCP / DR program with documented RTO and RPO compatible with our regulatory obligations.

    Confirm cure periods, escalation contacts, and step-in rights. For custodian agreements, confirm SLOA safeguards align with the SEC's no-action letter conditions so we don't inadvertently take custody.

Data Security and Privacy

    The contract must obligate the counterparty to maintain a written information security program meeting Reg S-P safeguards and the SEC's amended Reg S-P incident response and customer notification requirements. Apply state-level overlays (NY DFS Part 500, MA 201 CMR 17.00) where applicable.

    Require AES-256 at rest, TLS 1.2+ in transit, MFA on privileged access, role-based access, and key management standards, all documented in the security exhibit. A subcontractor / sub-processor list with flow-down obligations is required.

    For security-incident notification, 72 hours from discovery is the typical floor; 24-48 hours is preferred for vendors handling client funds or non-public personal information. Notification must include enough detail to support our 30-day Reg S-P customer notice obligation and any state AG filings.

    If the vendor's reps will communicate with our advisors or clients, the contract must require use of archived channels (Smarsh, Global Relay, MyRepChat) — not personal email or unarchived text. The 2022-2024 SEC enforcement wave (over $2B in fines) makes this non-negotiable.

Performance, Reporting, and Sign-Off

    Define SLAs for trade execution timing, NAV / performance reporting deadlines, system uptime, support response, and GIPS-compliant reporting where applicable. Tie SLA misses to fee credits or termination-for-cause triggers.

    Advisers Act Rule 204-2 records held by a vendor remain ours — the contract must guarantee access for the firm, our auditors, and SEC / FINRA examiners. Five-year retention minimum (first two years easily accessible). Bank-side: regulator examination access for OCC / FDIC / state DFI.

    Critical and high-risk contracts require CCO sign-off plus an additional principal (CEO, COO, or General Counsel). Document the rationale for engaging this counterparty and any negotiated deviations from standard terms.

    If the contract is rejected, capture the deal-breaker terms, the proposed redlines, and the renegotiation owner. Re-run this checklist after counterparty returns a revised draft.

    Store the fully executed PDF, the COI, the SOC 2 / bridge letter, and this checklist in NetDocuments / Laserfiche under the counterparty's vendor record. Set the renewal / re-diligence reminder per the risk tier (annual for critical, biennial for moderate).