How Often Should RIAs Review Vendor Contracts for Compliance?
TL;DR: There's no single fixed interval written into the rule. The working standard compliance teams are converging on is a formal annual review for every vendor that touches client data, cybersecurity, or investment operations — plus continuous monitoring in between, and an unscheduled review the moment a vendor has a breach, a material service change, or a new subprocessor. Annual-only, contract-signing-only review no longer holds up under SEC scrutiny.
If you're a compliance officer at an RIA asking this question, you've probably already noticed the honest answer isn't in the rule text. Regulation S-P doesn't specify "review every vendor contract every X months." What it does say is that your firm needs written policies and procedures reasonably designed to protect client information, and that oversight of the service providers who touch that information is now an explicit, examinable part of your compliance program. The frequency question gets answered by risk tiering and by what the exam staff are actually asking for, not by a single number in the Federal Register.
What's the baseline review cadence RIAs should use?
Tier your vendors by what they touch, then set a cadence per tier:
- High-risk vendors — anyone with access to client PII, custodial data, or core investment operations (portfolio management systems, CRM, custodians, cybersecurity tools) — get a formal annual review at minimum. That review should reassess the vendor's security controls, certifications (SOC 2, ISO 27001 where applicable), and confirm the contract language hasn't quietly drifted since last year.
- Medium-risk vendors — tools that touch some firm or client data but aren't core to operations (scheduling, internal communication, marketing platforms) — a lighter annual check-in is reasonable, often just confirming no material changes and no lapsed certifications.
- Low-risk vendors — no client data exposure — periodic review is fine; this is where most firms should not be spending compliance hours.
Annual is the floor, not the ceiling. The SEC's 2026 exam priorities describe a genuinely more integrated view of this than firms have been used to: examiners are treating cybersecurity, vendor oversight, and Reg S-P/Reg S-ID compliance as one connected picture rather than three separate checkboxes. That means a vendor review that only asks "did anything change in the contract" without also asking "has anything changed in their security posture, their subprocessors, or their incident history" doesn't fully answer what an examiner is now likely to probe.
Does an annual review actually satisfy the SEC's expectations?
Annual review satisfies the floor, but not the whole obligation. The exam guidance describes an expectation of ongoing oversight — annual reviews plus documentation of what happens between them. In practice, that means your compliance manual should describe:
- How vendors are evaluated and approved before onboarding
- How you're monitoring vendor risk between annual reviews (not "we'll catch it next year")
- What triggers an out-of-cycle review
- Where vendor monitoring records live and how long they're retained
An RIA that can produce an annual review file but has no answer for "how would you have caught a vendor's terms changing in March" is the gap examiners are increasingly built to find. Annual review answers "did we check," not "how would we know if something changed in between."
What should trigger an out-of-cycle vendor review, outside the annual cycle?
Four things should pull a vendor's review forward regardless of where it sits in the annual calendar:
- A disclosed breach or security incident at the vendor, even one that doesn't directly involve your firm's data.
- A material change to the vendor's terms of service, privacy policy, or subprocessor list — this is the category that's easiest to miss, because most of these changes show up as a routine "we've updated our terms" email that nobody re-reads line by line.
- A new integration or expanded data flow — if a vendor relationship grows (more data, new modules, new access scopes), the risk profile changed even if the contract technically didn't.
- A lapsed or downgraded certification — SOC 2 and similar attestations expire; a vendor that quietly let one lapse is a different risk than one that renewed on schedule.
The common thread across all four is that none of them respect your annual review calendar. They happen whenever the vendor decides to change something, which is exactly why "we review vendors once a year" was never going to be sufficient on its own — it was designed around your schedule, not the vendor's.
How do compliance teams realistically monitor vendor terms between annual reviews?
Most firms handle this one of three ways today, in ascending order of reliability:
- Manual spot-checks — someone on the compliance team periodically re-visits vendor terms-of-service and privacy-policy pages. This works until it doesn't; it depends entirely on someone remembering to do it and having time to do it thoroughly, and vendors don't announce changes in a consistent place.
- Calendar reminders tied to contract renewal dates — better than nothing, but still only checks at one point in the year, and a vendor's unilateral terms update (the kind buried in "incorporated by reference" language) doesn't wait for your renewal date.
- Automated monitoring of vendor legal documents — software that continuously watches vendor privacy policies, terms of service, and security policies for changes and flags them for review as they happen, rather than waiting for the next scheduled check-in. Legal Sentinel runs this kind of continuous monitoring on a 15-minute cycle against every tracked vendor document, and every detected change routes to a human for explicit review — nothing is auto-approved or auto-dismissed.
The point of continuous monitoring isn't to replace the annual review — it's to close the gap the annual review can't close on its own: the months in between, where most of the actual exposure sits.
What should a vendor contract review actually cover?
Whatever the cadence, a real review — not a rubber stamp — should cover:
- Vendor identification and scope of services (what data or systems they touch, and how that's changed since last review)
- Cybersecurity posture: encryption, access controls, incident response plan, backup/disaster recovery
- Compliance certifications and their current status
- Financial stability, where the vendor's failure would create operational risk
- Contract language specific to your obligations under Reg S-P — data handling, breach notification timelines, subprocessor disclosure
Documentation matters as much as the review itself. If the file can't show what was checked, when, and by whom, the review effectively didn't happen from an exam perspective.
The bottom line
Set a risk-tiered annual review cadence as your floor — every vendor touching client data or core operations, at least once a year, with real substance rather than a signature. Then build a way to catch the changes that happen in between, because that's where the exposure — and increasingly, the exam scrutiny — actually lives. For firms already stretched thin on compliance bandwidth, that second half is usually the one that gets skipped. We put together a one-page checklist of the 11 vendor contract clauses most likely to change without notice — worth a look if you want a starting point for what to watch for between reviews.
This is the part of the review cycle Legal Sentinel exists for. The platform checks every tracked vendor document — terms of service, privacy policies, DPAs, sub-processor lists — on a 15-minute cycle, and any material change routes to a person for explicit review, acknowledgment, or escalation; nothing is auto-approved or auto-dismissed. That's the mechanism that catches the four out-of-cycle triggers above without waiting for next year's review date. At RFG Advisory, that same monitoring caught four separate instances of a vendor changing its terms to allow AI training on client data, across three months — each one exactly the kind of change an annual-only cadence would have missed. Read the full case study.
Disclosure: Emily Mora, author of this post, is Cofounder & US Commercial Lead, Legal Sentinel and holds profit-sharing in the company.