Contract Review Checklist

Intake and Classification

    Add the agreement to the firm's vendor / contract register with counterparty name, effective date, term, renewal type (auto-renew vs. evergreen vs. fixed), and contract owner. The CCO uses this register at annual vendor due diligence and ADV update.

    Classification drives the rest of the review. Critical vendor contracts (custodian, portfolio accounting, CRM, archiving) and any agreement that touches client NPI trigger enhanced diligence under Reg S-P and the firm's vendor management policy.

    Verify the legal entity name matches the firm's ADV Part 1 filing; a common error is signing as the d/b/a rather than the registered RIA. For the counterparty, confirm the signer has authority (officer, member, or authorized representative) and pull a recent good-standing certificate for entity counterparties.

Legal and Regulatory Review

    For client IAAs and solicitor agreements: confirm fee schedule, services, and conflicts described in the contract match Form ADV Part 2A Items 4, 5, and 10. Mismatch is a common SEC exam finding and forces an ADV amendment.

    Solicitor and subadvisor agreements require the counterparty to be appropriately registered (Series 65/66 IAR or RIA registration in client states). Insurance-linked agreements require state producer licensing. Pull CRD / IARD or NIPR before signing.

    Any vendor with NPI access needs a written information security agreement, breach notification SLA (typically 72 hours), and a return / destruction clause at termination. SEC's amended Reg S-P (effective 2025-2026) requires written incident-response procedures with vendors.

    For vendors with NPI access, request the most recent SOC 2 Type II report (not Type I, not older than 12 months) and review the bridge letter covering any gap. File alongside the executed contract for annual vendor due diligence.

Financial Terms Review

    For client IAAs, confirm AUM tiers, householding rules, and billing frequency match the fee schedule disclosed in ADV Part 2A Item 5. For vendor agreements, validate per-account or per-user pricing against the budgeted run-rate before sign-off.

    Watch for travel, implementation, data feed, and integration fees buried in exhibits. Confirm whether the firm or the client absorbs custodian transaction costs, ACATS fees, and wire fees — ambiguity here drives client-billing disputes.

    Confirm payment terms (net-30 vs. advance, ACH vs. invoice) and the auto-renewal notice window. Multi-year evergreen agreements with 90-day notice windows are the most common reason firms get locked into vendors past usefulness; flag them and add a calendar reminder 120 days before renewal.

Performance and Service Levels

    Match the statement of work to what operations actually expects — data feeds, reconciliation cadence, reporting deliverables, support hours. Vague scope ("portfolio reporting services") leads to scope-creep arguments at renewal.

    For trading, custody connectivity, and archiving vendors, confirm uptime SLA (99.9% minimum for critical), incident response time, and remedies. Email archiving outages are exam-reportable — the SLA needs teeth, not just credits.

    Identify dependencies: data conversion from incumbent vendor, custodian feed setup, single sign-on integration. Most portfolio management or CRM migrations slip — bake in milestone-based payment rather than full upfront.

    Termination-for-cause should be available without penalty for SLA breach, regulatory issue, or change of control. Termination-for-convenience usually carries a fee — negotiate down for any agreement over 12 months.

Risk and Liability Review

    Confirm the counterparty represents authority to contract, regulatory good standing, no pending enforcement actions, and IP ownership of any deliverables. For data vendors, look for accuracy / fitness representations — most vendors disclaim them, which is a flag for downstream client reporting risk.

    Mutual indemnification is the floor. For vendors with NPI access, push for a data-breach carve-out from the liability cap (typical caps of 12 months' fees do not cover a real breach). Confirm cyber and E&O insurance coverage amounts in the insurance exhibit.

    Confirm governing law and venue are workable — out-of-state arbitration in a vendor-friendly jurisdiction is common boilerplate. For client IAAs, FINRA / state arbitration provisions must be disclosed in ADV Part 2A Item 9 if applicable.

    Summarize unresolved issues for CCO review. High-risk findings (uncapped liability, no breach notification, no SOC 2, missing licensure) trigger escalation rather than counter-signature.

Approval and Execution

    Document the specific concerns, proposed redlines, and counterparty position. CCO and managing principal sign off jointly before re-engaging counsel or counterparty.

    Send through DocuSign or the firm's e-signature platform. Confirm the signer is the authorized officer per the firm's authority matrix; binding decisions over the matrix threshold require board or managing-member resolution.

    Save the fully executed PDF, all exhibits, the SOC 2 report, and the COI in the contract folder. Update the vendor register with the renewal-notice calendar reminder. Books and records under Rule 204-2 require retention for 5 years (the first 2 in an easily accessible place).
