Third-party ratings governance

The third-party ratings governance requirement means you can only present third-party ratings in marketing when the SEC Marketing Rule conditions are met and you provide the required disclosures, with records that prove your basis for using the rating. Operationalize it by inventorying every rating, validating the rater and methodology, standardizing disclosures, and retaining substantiation and approvals. (17 CFR 275.206(4)-1)

Key takeaways:

  • Treat every third-party rating as regulated “marketing content” that needs pre-use review, required disclosures, and recordkeeping. (17 CFR 275.206(4)-1)
  • Build a repeatable intake workflow: rater due diligence, methodology capture, disclosure templating, and approval with evidence retention. (17 CFR 275.206(4)-1)
  • Expect exam focus on substantiation, consistency of disclosures across channels, and whether you can reproduce what was shown to investors. (17 CFR 275.206(4)-1; 17 CFR 275.204-2)

“Third-party ratings governance” is a narrow requirement with outsized exam risk: once your firm references an external rating, ranking, award, or score in any advertisement or other marketing communication, you have to meet the SEC Marketing Rule conditions and disclosures, and you must be able to prove you did. (17 CFR 275.206(4)-1)

For a CCO or GRC lead, the operational challenge is rarely deciding whether a rating “sounds fine.” The problem is controlling sprawl: ratings get added to pitch decks, RFP responses, websites, social posts, factsheets, and consultant databases, often by different teams and agencies. You need one governance system that (1) prevents noncompliant use before publication, (2) forces consistent disclosures every time the rating appears, and (3) produces audit-ready evidence on demand. (17 CFR 275.206(4)-1; 17 CFR 275.204-2)

This page gives requirement-level implementation guidance you can put into a marketing review program quickly: scope, roles, step-by-step workflow, a control checklist, the artifacts to retain, and exam questions you should be ready to answer.

Regulatory text

Requirement (operator view): Use third-party ratings only when rule conditions and disclosures are met. (17 CFR 275.206(4)-1)

What you must do in practice:

  1. Control when and how ratings are used in marketing. Any reference to a third-party rating should flow through a defined pre-use review and approval process so you can confirm required conditions and disclosures are satisfied before publication. (17 CFR 275.206(4)-1)
  2. Provide disclosures that accompany the rating wherever it appears. Your governance must ensure disclosures are present, accurate, and consistent across channels (deck, web, social, factsheet, RFP), not just “somewhere else” on a different page. (17 CFR 275.206(4)-1)
  3. Maintain books and records that substantiate the use of the rating. Your recordkeeping needs to allow you to reproduce the advertisement and support the basis for the rating and disclosures you presented. (17 CFR 275.204-2)

Plain-English interpretation of the requirement

If you show a rating, you own the compliance outcome. You cannot treat third-party ratings as “independent content” that marketing can paste into materials without controls. Your job is to (a) verify what the rating is and what it covers, (b) confirm it meets the rule’s conditions, (c) disclose the key context investors need to understand it, and (d) keep evidence that you did all of that. (17 CFR 275.206(4)-1; 17 CFR 275.204-2)

A useful internal standard: no rating goes live unless compliance can answer “who rated us, what exactly was rated, when, under what criteria, with what conflicts/fees, and what we disclosed.” (17 CFR 275.206(4)-1)

Who it applies to (entity and operational context)

Entity scope: Registered Investment Advisers that publish or distribute marketing materials referencing third-party ratings. (17 CFR 275.206(4)-1)

Operational scope (where ratings show up):

  • Website pages (home, strategy pages, performance pages, “awards” pages)
  • Pitch decks and one-pagers
  • Factsheets and commentaries
  • RFP/RFI responses and consultant questionnaires
  • Social media posts and paid ads
  • Email campaigns and event materials
  • Third-party platforms (consultant databases, marketplaces) where you supply the content

Teams impacted:

  • Marketing/IR (content creation, distribution)
  • Sales and client service (RFPs, decks, follow-ups)
  • Portfolio/strategy teams (product narratives)
  • Compliance/Legal (review, approvals, recordkeeping)
  • Third parties (PR firms, designers, web agencies) who publish on your behalf

What you actually need to do (step-by-step)

1) Create a controlled inventory of all third-party ratings in use

Goal: Find every rating and every place it appears.

  • Crawl your website(s), investor portals, and content libraries for “award,” “rank,” “rating,” “stars,” “top,” and the names of known raters.
  • Collect pitch decks and factsheets from all business lines, not just the “latest template.”
  • Pull recent RFP responses and consultant submissions from the RFP team.
  • Identify any “evergreen” badges in design files that get reused.

Output artifact: A “Third-Party Ratings Register” with: rater name, rating title, subject being rated (firm/product/person), date/period, distribution channels, owner, approval status, and link to evidence package. (17 CFR 275.206(4)-1; 17 CFR 275.204-2)

2) Define what qualifies as a “third-party rating” for intake purposes

You need an internal definition that is broader than what marketing intuitively labels a “rating.” Treat these as in-scope until compliance clears them:

  • Scores, grades, stars, medals, badges
  • “Top manager” lists or rankings
  • Awards where a third party selects winners
  • “Best places to work” style recognitions used in investor-facing communications

Control: Add a mandatory “Is this a third-party rating?” question to your marketing/RFP intake form, with examples and decision prompts. (17 CFR 275.206(4)-1)

3) Implement a ratings intake and due diligence packet (rater + rating)

For each rating, require a standardized packet before approval:

  • Rater identity and independence: Who issued it and what relationship they have with the firm.
  • Methodology summary: What criteria were used and what universe was evaluated (as provided by the rater).
  • Time period: What dates the rating covers.
  • Compensation/fees: Whether the firm paid to participate, apply, be considered, or promote the rating (capture invoices or attestations if applicable).
  • Permission to use: Evidence you have rights to display the rating/badge/logo in marketing materials.

Practical tip: Ask the business for the rater’s methodology link or documentation at intake. If they cannot provide it, do not approve until they can. (17 CFR 275.206(4)-1)

Tooling note: Many firms operationalize this as a short questionnaire in their marketing review system. Daydream can be the system of record for the rating register, intake questionnaire, and evidence package so you can answer exams without hunting through email threads.

4) Standardize disclosures with channel-ready templates

Build disclosure templates that can be pasted into:

  • Deck footnotes
  • Web page disclosure blocks
  • Social posts (linking to a disclosure landing page, if your compliance position allows; ensure the disclosure is actually delivered with the rating in the manner you approve)
  • Factsheet fine print
  • RFP attachments

Governance rule: Disclosures must travel with the rating. If a channel format cannot support the required disclosure, treat that as a design constraint and either modify the creative or prohibit that use case. (17 CFR 275.206(4)-1)

Artifact: “Third-Party Rating Disclosure Template Library” with version control and required fields tied to the rating register entry. (17 CFR 275.206(4)-1)

5) Enforce pre-use review with a clear approval matrix

Set a RACI that matches your risk:

  • Marketing drafts content and completes intake fields.
  • Compliance verifies conditions/disclosures are satisfied and approves use.
  • Legal reviews IP/permission and contractual constraints where needed.
  • Business owner attests the rating is presented accurately and not misleading.

Approval matrix (example):

  • New rater or new rating: Compliance + Legal approval required.
  • Existing rating, new channel: Compliance approval required (confirm disclosure format works).
  • Refreshing a date or reusing existing content: Compliance verifies that the rating is still current and disclosures still match.

Artifact: Approval record that links the final material to the rating register and evidence package. (17 CFR 275.204-2)

6) Lock recordkeeping to what was actually distributed

Recordkeeping failures often happen because teams save drafts, not finals.

  • Store the final, distributed version of each asset.
  • Keep screenshots or exports for web pages and social posts as they appeared publicly.
  • Retain the disclosure text as shown, not just an internal template.
  • Maintain the underlying substantiation packet (methodology, fee/compensation info, permission).

This aligns with the books-and-records expectation that you can reproduce and substantiate advertisements and related materials. (17 CFR 275.204-2)

Required evidence and artifacts to retain

Use this as your audit-ready checklist:

Artifact | What it proves | Owner
--- | --- | ---
Third-Party Ratings Register | Complete inventory and governance coverage | Compliance / Marketing Ops
Rating intake questionnaire + attachments | Conditions/disclosures evaluated based on documented facts | Marketing (input) + Compliance (review)
Rater methodology documentation (link/PDF) | Basis for describing the rating and its scope | Compliance
Compensation/fee evidence (invoice, receipt, attestation) | Whether compensation relationships exist for disclosure evaluation | Finance / Compliance
Permission/license to display badge/logo | Right to use in marketing | Legal / Marketing
Final approved marketing pieces + screenshots | What investors actually saw | Marketing Ops
Compliance approval record (workflow ticket) | Pre-use review occurred | Compliance
Disclosure template version history | Consistency and controlled changes | Compliance

Record retention should align to your adviser recordkeeping obligations. (17 CFR 275.204-2)

Common exam/audit questions and hangups

Expect questions that test whether your process is real, not aspirational:

  • “Show me every third-party rating currently used across channels, and where each appears.” (17 CFR 275.206(4)-1)
  • “For this rating on your website, show the methodology, time period, and what disclosures were shown to investors.” (17 CFR 275.206(4)-1; 17 CFR 275.204-2)
  • “How do you prevent sales from adding ratings to bespoke decks or RFPs without review?” (17 CFR 275.206(4)-1)
  • “How do you evidence the final version of a web page on a specific date?” (17 CFR 275.204-2)
  • “When a rating is refreshed or re-awarded, what changes and who re-approves?” (17 CFR 275.206(4)-1)

Hangups that slow exams:

  • Disclosures stored in a separate document but not presented with the rating
  • Inability to show the final distributed version
  • No documented basis for the rating’s scope or selection criteria

Frequent implementation mistakes and how to avoid them

  1. Treating “awards” as PR, not marketing rule content. Fix: route awards through the same intake and approval workflow as other advertisements. (17 CFR 275.206(4)-1)
  2. Copy-paste disclosure drift. Teams manually retype disclosures and introduce inconsistencies. Fix: controlled templates tied to the specific rating register entry. (17 CFR 275.206(4)-1)
  3. Approving the rater once and forgetting channel constraints. A disclosure that fits in a deck may not fit in a social post. Fix: require a “new channel” review step. (17 CFR 275.206(4)-1)
  4. Saving drafts, not finals. Fix: enforce “publish package” archiving (final PDF, final HTML snapshot, final image). (17 CFR 275.204-2)
  5. No proof of permission. Marketing may have an email saying “go ahead,” but no durable record. Fix: store licenses/permissions in the evidence package. (17 CFR 275.204-2)

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement, so this page does not summarize specific matters.

Practically, the risk profile is consistent: third-party ratings are highly visible, easy to misunderstand, and often reused across channels. Weak governance produces two exam problems at once: potential Marketing Rule violations and recordkeeping deficiencies when you cannot substantiate what you presented or why it met the conditions. (17 CFR 275.206(4)-1; 17 CFR 275.204-2)

Practical 30/60/90-day execution plan

30 days: Stabilize and stop new issues

  • Stand up a temporary rule: no new ratings published without compliance ticket and evidence packet. (17 CFR 275.206(4)-1)
  • Build the first version of the Third-Party Ratings Register and populate it with what you can find quickly. (17 CFR 275.204-2)
  • Create a minimum disclosure template and require marketing to use it consistently while you refine. (17 CFR 275.206(4)-1)

60 days: Operationalize governance across channels

  • Launch the full intake questionnaire with required attachments (methodology, time period, compensation/fees, permission). (17 CFR 275.206(4)-1)
  • Add controls into RFP workflows so sales cannot submit ratings without compliance approval. (17 CFR 275.206(4)-1)
  • Implement a recordkeeping “publish package” standard for web, social, decks, and factsheets. (17 CFR 275.204-2)

90 days: Make it auditable and sustainable

  • Complete an end-to-end test: pick a rating used on three channels and confirm disclosures, approvals, and archived finals are consistent and retrievable. (17 CFR 275.204-2)
  • Train marketing, sales, and agencies on the definition of third-party ratings and the intake path. (17 CFR 275.206(4)-1)
  • Move the register, workflows, and evidence storage into a system of record (Daydream fits well here) so you can produce materials quickly during exams. (17 CFR 275.204-2)

Frequently Asked Questions

What counts as a “third-party rating” for governance purposes?

Treat any external ranking, award, score, or rating you reference in marketing as in-scope until compliance clears it. Build your intake process to capture the rater, methodology, time period, and required disclosures before use. (17 CFR 275.206(4)-1)

Do we need to keep evidence of the rating methodology?

Yes, you should retain documentation (or a stable link capture) that explains how the rating was determined so you can substantiate what you presented. Store it with the approval record and the final distributed asset. (17 CFR 275.206(4)-1; 17 CFR 275.204-2)

Can we put disclosures on a separate webpage and link to it from a social post?

Treat this as a channel governance decision: your control objective is that disclosures accompany the rating as you approved it. If the disclosure is not reliably delivered with the rating, block that use case or redesign the post format. (17 CFR 275.206(4)-1)

How do we handle ratings that sales adds to custom pitch decks?

Require sales to request decks only from approved templates or route any bespoke deck through the same marketing review workflow. Auditors will test whether your process covers one-off materials, not only standardized collateral. (17 CFR 275.206(4)-1; 17 CFR 275.204-2)

What if the third party won’t share detailed methodology?

Do not approve the rating for marketing until you have enough documentation to support the conditions and disclosures you will present. If the rater cannot provide that, the governance-safe choice is not to use the rating. (17 CFR 275.206(4)-1)

What records are most likely to be missing during an exam?

Teams often cannot produce the final “as distributed” web page or social post, and they lack a complete evidence package tied to that exact rating. Fix this with a publish-package archive standard and a single register that links rating, disclosures, and final artifacts. (17 CFR 275.204-2)
