Financial Services Project Initiation Checklist

Spell out which advisor teams, account types, and client segments are in scope. Common gotcha: scoping by AUM band but forgetting trust accounts or held-away 401(k) assets that touch the same workflow. Capture explicit out-of-scope items so they're not assumed in later phases.

At minimum: Principal/COO as sponsor, plus CCO, CIO or Director of Investments, and Operations Manager. For projects touching retail recommendations, add the Reg BI principal reviewer.

Charter covers business case, success metrics, decision rights, and escalation path. Tie metrics to firm-level KPIs the principal already tracks — net new AUM, NIGO rate, client retention — so success isn't subjective.

Sequence around the regulatory calendar — avoid go-live in the 90 days before fiscal-year-end ADV amendment cycle, RMD season (October-December), or quarter-end fee billing. These windows starve operations of bandwidth.

Capture vendor costs (Orion, eMoney, Riskalyze/Nitrogen, Smarsh, etc.), internal FTE percentage by role, and contingency. Operations and CSA time is typically under-estimated by 30-50% on platform-migration projects.

Cover trade execution risk, custody-rule exposure, fee-billing accuracy, books-and-records retention, off-channel communications, and vendor concentration. For platform migrations, add ACATS reconciliation gaps and cost-basis transfer risk.

Use the firm's existing risk-rating scale if there is one — don't invent a parallel scale just for this project. Risks rated High/High should be reviewed by the CCO before the project proceeds past planning.

Material changes to advisory services, fee structure, custodian, or conflict disclosure trigger a Form ADV Part 2 amendment within prompt timing (typically 30 days, plus brochure delivery to clients). When in doubt, the CCO makes the call — document the determination either way.

Each risk gets a named mitigation, a residual-risk rating after mitigation, and a trigger condition for escalation. Avoid "monitor and review" as a mitigation — that's a placeholder, not a control.

Owner is a person, not a department. Compliance owns regulatory risks; Operations owns execution risks; the CIO owns investment-process risks. Sponsor breaks ties.

Map across SEC (ADV, custody, advertising 206(4)-1, books-and-records 204-2), FINRA (Rule 2210 communications, Rule 3110 supervision, Reg BI), state securities regulators, BSA/AML (CIP, CDD, OFAC, SAR), and Reg S-P privacy. Bank/CU-side projects add TILA, RESPA, ECOA, and CRA where applicable.

CCO walks the workflow end-to-end and flags supervision gaps. Common findings: principal review checkpoint missing on retail recommendations, no archived approval trail for marketing collateral, off-channel comms not addressed.

Amend the brochure, file via IARD, and trigger client delivery of the updated Part 2A. Track delivery confirmation per client — skipped delivery is a recurring SEC exam citation. Update Form CRS in parallel if the change affects retail recommendations or fees.

Route any new website pages, one-pagers, social posts, or pitch decks through principal pre-approval per FINRA Rule 2210 / SEC marketing rule. Performance figures need GIPS-aligned disclosures; testimonials and endorsements need the marketing-rule disclosures and recordkeeping.

Map every artifact this project will produce — approvals, communications, calculations — to the 5-year (advisor) or 6-year (BD) retention requirement and the storage location. Confirm Smarsh / Global Relay / Bloomberg Vault capture covers any new channels.

Separate internal audiences (advisors, CSAs, operations, compliance, executive) from external (clients, custodian, vendors, regulators). Each audience gets a named owner, a cadence, and a channel.

30 minutes weekly with sponsor, project lead, CCO, and operations lead. Standing agenda: progress vs. plan, risks needing decisions, regulatory items in flight. Skip the status read-out; pre-share it.

Custodian changes, fee-structure changes, advisor reassignments, and material service changes typically require a written client notification with negative consent or affirmative consent depending on the change. CCO confirms which standard applies.

Letter goes through compliance pre-approval before mailing or e-delivery. Track per-client delivery confirmation in the CRM (Wealthbox, Redtail, Salesforce FSC). Build in a 30-day client response window before the change goes live where consent rules require it.

Schedule role-specific sessions — advisors on the client conversation script, CSAs on the new-account workflow, operations on reconciliation and exception handling. Record sessions for the books-and-records training file.

Map data flows across CRM (Wealthbox/Redtail/Salesforce FSC), portfolio management (Orion/Black Diamond/Tamarac/Addepar), planning (eMoney/MoneyGuide/RightCapital), and custodian feeds (Schwab, Fidelity, Pershing, Altruist). Identify single points of failure where one integration break halts the whole workflow.

Confirm production credentials, rate limits, and SLA. ACATS-related projects: validate full and partial transfer reconciliation and cost-basis carry-over. Schwab and Fidelity have different file formats — don't assume parity.

Confirm encryption at rest and in transit, role-based access, and the Identity Theft Red Flags Program (ITPP) covers any new client touchpoints. Vendor SOC 2 Type II reports on file before production go-live; request bridge letters where the SOC report is older than six months.

Any new channel — texting via MyRepChat or Hearsay Relate, social via Hearsay/Smarsh, video via Zoom — must be captured by the archive before it goes live. Off-channel comms drove $2B+ in SEC enforcement against BDs in 2022-2024; do not skip this.

Final readiness review with sponsor, CCO, operations lead, and CIO. Each domain owner signs off independently; any "go with conditions" gets the conditions captured with named owner and resolution date.