Agency Compliance and Risk Management Checklist

Pull every live campaign with comparative, performance, or health-adjacent claims. Confirm a substantiation file exists for each — clinical study, third-party data, or competitive teardown — per FTC Act §5. Pay particular attention to superlatives (#1, best, fastest) and numeric claims; NAD challenges almost always start here.

Spot-check live posts across Instagram, TikTok, and YouTube for clear material-connection disclosure per the FTC Endorsement Guides (16 CFR Part 255). Whitelisted and dark-posted content needs the same disclosure as organic. Pull a sample from CreatorIQ or Aspire and screenshot any non-compliant posts for the manager to remediate.

For any pharma, alcohol, financial-services, or cannabis client, confirm category-specific controls: pharma fair balance and ISI on-screen and legible, alcohol age-gated targeting and 71.6% LDA composition, FINRA pre-approval stamps on financial creative, state-by-state compliance for cannabis. Document the most recent legal sign-off date for each.

Pull every Commercials Contract with a 21-month use cycle expiring in the next 90 days. Cross-reference holding fees, lift fees, and Pension & Health contributions. Spots that keep airing past expiry without an extension generate unauthorized-use claims and back-fee exposure — calendar these well before the date.

Open negotiations with talent agents through the Casting Bureau or Casting Networks before the cycle ends. Build the buyout vs. cycle-extension comparison for the client; the wrong choice on a hero spot is six figures in unnecessary residuals.

For every spot in market, confirm sync (publisher), master (label or library), and performance (ASCAP/BMI/SESAC/GMR) licenses cover the actual channels, geo, and term in use. The classic failure: TV-only sync used in a YouTube cutdown. Cross-check Musicbed, Artlist, or Epidemic Sound terms for any work-for-hire library tracks.

Spot-check Bynder or Brandfolder records for Getty, Shutterstock, and Adobe Stock assets. Editorial-only licenses on commercial product pages are the most common takedown trigger. Confirm model and property releases are attached for every commercially-used image.

For client sites serving EU, California, or other privacy-state traffic, confirm the OneTrust or Cookiebot CMP gates marketing pixels until consent. The common failure is a Meta or TikTok pixel firing pre-consent on a GDPR session — DPA inquiries land within weeks.

Pull the IAS or DoubleVerify post-buy report for the last 30 days across DV360 and The Trade Desk. Update inclusion and exclusion lists; review any flagged adjacencies. MFA (made-for-advertising) sites and IVT spikes are the two patterns to act on this quarter.

Check Klaviyo, Iterable, and Braze sends for accurate header info, valid physical postal address, and unsubscribe processed within 10 business days. For SMS programs, verify prior express written consent records exist — TCPA private-action exposure is $500-$1,500 per message.

Identify any client whose campaigns reach children under 13 — toys, kids' food, family entertainment. Confirm no PII collection without verifiable parental consent, and that media buys exclude COPPA-restricted inventory. Default YouTube made-for-kids settings are a common trap.

Pull Harvest or Workamajig actuals against scoped hours per project. Flag accounts burning over 80% of hours before 60% of the SOW timeline — that is the signal to write a change order, not eat the overage.

Walk each over-budget project with the AE and producer. Generate change orders for any out-of-scope work and route to the client for countersignature before further work proceeds. Verbal approvals do not survive year-end finance review.

Pull the AR aging report from Workamajig or Advantage. For every invoice past 60 days, confirm the AE has escalated and the client's AP contact has acknowledged. AR over 90 days needs the Managing Director on the next call — not another reminder email.

Refresh the register with new exposures from the quarter — added regulated-category clients, new international markets, novel platform risks (e.g., generative-AI creative claims). Score each on likelihood and impact; assign a named owner for any rated High.

Pull the Errors & Omissions and Media Liability policies; compare aggregate limits against active production budgets and total media handled. A $5M E&O cap on $40M of in-flight buys is the kind of mismatch that becomes obvious only after a claim.