In September 2024, the Securities and Exchange Commission (SEC) settled charges with nine registered investment advisors (RIAs) for making false or unsubstantiated claims in their advertisements. The charges — totaling more than $1.2 million in civil penalties — are part of the Commission's ongoing sweep into Marketing Rule violations and, more specifically, substantiation requirements.
Substantiation is at the top of the SEC's mind as it focuses on fighting false advertising and maintaining consumer protection amid rapid changes in advertising and referral practices, emerging technologies, and increased vendor usage. According to Venminder's State of Third-Party Risk Management 2025 survey, organizations are managing more vendors than ever, with a nearly 22% increase in programs handling 101-300 vendors and a 13% increase in those with over 1,000 vendors compared to last year.
How do vendor relationships impact advisors' compliance with substantiation requirements? How can RIAs navigate new products, services, technologies, and vendor relationships while maintaining compliance? Let's dive into what substantiation is and how third-party risk management (TPRM) can help protect your firm and clients' best interests.
What are the Substantiation Requirements?
Substantiation refers to providing evidence or adequate documentation to support claims or recommendations. In short, RIAs must ensure they can substantiate their advice and actions to comply with regulatory requirements.
In 2020, the SEC adopted reforms under the Investment Advisers Act of 1940 to modernize marketing and solicitor payment rules, replacing the previous advertising and cash solicitation rules. As of November 4, 2022, RIAs must provide adequate documentation and evidence to support any claims or recommendations to comply with regulatory standards and protect themselves from potential legal or regulatory issues.
According to the Commission, the rule applies to all investment advisors registered or required to be registered with the SEC under section 203 of the Act that directly (or indirectly) disseminate advertisements.
How do Substantiation Requirements Impact TPRM?
Outsourcing activities and services to third-party vendors is an everyday occurrence among RIAs and organizations across multiple industries. However, with new vendors come new risks, underscoring the importance of strong TPRM to ensure the right controls are in place.
As RIAs consider compliance with the new substantiation requirements, there are a few critical areas to consider regarding vendor relationships:
- Vendor selection and due diligence: The updated requirements put even more pressure on RIAs to properly select vendors, assess the associated risks, collect due diligence, and ensure third-party providers have the experience and resources to comply with the rules.
- Reporting requirements: The updated rule emphasizes the importance of accurate record-keeping and documentation. To stay compliant, RIAs should ensure their vendors have the right reporting tools and can generate accurate reports, performance summaries, and other documentation.
- Accountability and liability: RIAs are liable for third-party (and fourth-party) vendors’ activities. If an outsourced vendor makes a mistake or fails to adhere to the Marketing Rule, the associated RIA will bear the consequences.
- Costs and contractual terms: A common pitfall in vendor relationships is that the contract doesn’t adequately protect both parties or clearly state how they meet their contractual obligations. This problem can spell trouble for RIAs relying on vendors for marketing and outreach initiatives, record-keeping, and other critical services. If your current vendor contracts need additional information, consider an addendum to address any vague language or unwritten responsibilities.
Along with the substantiation requirements, the SEC has also proposed a rule prohibiting RIAs from outsourcing certain services or functions without meeting minimum requirements. While this rule has yet to be finalized, it serves as a reminder for RIAs and all organizations utilizing third-party relationships to carefully evaluate and consider the risks before jumping in headfirst.
How RIAs Can Comply with Substantiation Requirements
A key element of successful TPRM is adaptability to external events, including evolving regulations.
Consider how you can integrate these best practices into your TPRM lifecycle to continuously identify and address potential risks associated with substantiation requirements:
- Update vendor policies and procedures: In a risk alert, the Division of Examinations underscores the importance of updating relevant policies and procedures to ensure they are “reasonably designed to prevent violations.” For example, RIAs may add a layer of review to all marketing and outreach materials created by third parties to ensure all necessary disclosures are included.
- Choose vendors wisely: Selecting a new vendor is exciting yet daunting. Before proceeding with the onboarding process, identify any potential issues that may arise down the road, especially as they pertain to substantiation requirements. Verify the vendor’s legal name, address, location, and ownership structure. Conduct OFAC checks, review the CFPB Complaint Database or the Better Business Bureau ratings, and search for any negative news or customer complaints.
- Perform due diligence: The substantiation requirements remind us of the importance of due diligence in vendor relationships. Consider the amount and types of inherent risks a vendor represents to determine the scope of your due diligence, ensuring vendors with higher levels of risk are evaluated and monitored closely.
- Beware of AI usage: In 2024, the SEC charged two investment advisers for AI washing, that is, making false and misleading statements about their AI usage. While the substantiation requirements don’t explicitly mention AI, RIAs should still confirm whether their vendors use AI and ensure that all external use of AI (in marketing campaigns, for example) is documented and fact-checked.
- Confirm compliance requirements: Contracts are the best way to ensure vendor compliance. Your formal contract should cover the duties and responsibilities of the parties involved and contain key provisions, including service level agreements (SLAs), confidentiality, and substantiation requirements. If you have questions about your vendor contracts, consider performing a contract compliance assessment with a trusted third-party risk management service provider.
- Keep records: Record-keeping for advertisements, internal working papers, performance-related information, and documentation for oral advertisements, testimonials, and endorsements is a critical component of the substantiation requirements. An effective vendor document collection process is a must to keep these records organized.
- Prepare with the end in mind: Not all third-party relationships end at the end of a contract period, so RIAs must proactively gather all necessary substantiation information in the case of a termination. Even if your relationship with a vendor ends, you could be liable for Marketing Rule violations resulting from vendor missteps. A successful exit strategy also considers how the organization will restore and resume operations with minimal disruptions after the vendor’s exit.
New rules and regulations, such as the substantiation requirements in the updated Marketing Rule, can impact your risk status. However, with a strong TPRM program and tried-and-true best practices, RIAs can navigate evolving requirements while improving their risk management approach to better meet the ongoing challenges and opportunities in financial services.