Contract Review Checklist

Add the agreement to the firm's vendor / contract register with counterparty name, effective date, term, renewal type (auto-renew vs. evergreen vs. fixed), and contract owner. The CCO uses this register at annual vendor due diligence and ADV update.

Classification drives the rest of the review. Critical vendor contracts (custodian, portfolio accounting, CRM, archiving) and any agreement that touches client NPI trigger enhanced diligence under Reg S-P and the firm's vendor management policy.

For client IAAs and solicitor agreements: confirm fee schedule, services, and conflicts described in the contract match Form ADV Part 2A Items 4, 5, and 10. Mismatch is a common SEC exam finding and forces an ADV amendment.

Solicitor and subadvisor agreements require the counterparty to be appropriately registered (Series 65/66 IAR or RIA registration in client states). Insurance-linked agreements require state producer licensing. Pull CRD / IARD or NIPR before signing.

Any vendor with NPI access needs a written information security agreement, breach notification SLA (typically 72 hours), and a return / destruction clause at termination. SEC's amended Reg S-P (effective 2025-2026) requires written incident-response procedures with vendors.

For client IAAs, confirm AUM tiers, householding rules, and billing frequency match the fee schedule disclosed in ADV Part 2A Item 5. For vendor agreements, validate per-account or per-user pricing against the budgeted run-rate before sign-off.

Watch for travel, implementation, data feed, and integration fees buried in exhibits. Confirm whether the firm or the client absorbs custodian transaction costs, ACATS fees, and wire fees — ambiguity here drives client-billing disputes.

Match the statement of work to what operations actually expects — data feeds, reconciliation cadence, reporting deliverables, support hours. Vague scope ("portfolio reporting services") leads to scope-creep arguments at renewal.

For trading, custody connectivity, and archiving vendors, confirm uptime SLA (99.9% minimum for critical), incident response time, and remedies. Email archiving outages are exam-reportable — the SLA needs teeth, not just credits.

Identify dependencies: data conversion from incumbent vendor, custodian feed setup, single sign-on integration. Most portfolio management or CRM migrations slip — bake in milestone-based payment rather than full upfront.

Confirm the counterparty represents authority to contract, regulatory good standing, no pending enforcement actions, and IP ownership of any deliverables. For data vendors, look for accuracy / fitness representations — most vendors disclaim them, which is a flag for downstream client reporting risk.

Mutual indemnification is the floor. For vendors with NPI access, push for a data-breach carve-out from the liability cap (typical caps of 12 months' fees do not cover a real breach). Confirm cyber and E&O insurance coverage amounts in the insurance exhibit.

Confirm governing law and venue are workable — out-of-state arbitration in a vendor-friendly jurisdiction is common boilerplate. For client IAAs, FINRA / state arbitration provisions must be disclosed in ADV Part 2A Item 9 if applicable.

Document the specific concerns, proposed redlines, and counterparty position. CCO and managing principal sign off jointly before re-engaging counsel or counterparty.

Send through DocuSign or the firm's e-signature platform. Confirm the signer is the authorized officer per the firm's authority matrix — bind decisions over the matrix threshold require board or managing-member resolution.