Third-party rating due diligence
The third-party rating due diligence requirement means you must validate a third-party rating’s methodology and the rating provider’s disclosure conditions before you use that rating in any SEC-regulated advertisement or client communication. Build a repeatable review workflow, require supporting documentation from the rating provider, and retain an audit-ready file proving the rating was fairly produced, current, and properly disclosed. (17 CFR 275.206(4)-1)
Key takeaways:
- Treat third party ratings as regulated marketing content, not “nice-to-have” collateral. (17 CFR 275.206(4)-1)
- Your control objective is provable validation: methodology, eligibility/selection, time period, and required disclosures. (17 CFR 275.206(4)-1)
- Recordkeeping is part of compliance: keep a due diligence file that can survive an SEC exam request. (17 CFR 275.204-2)
“Third-party rating due diligence requirement” shows up operationally whenever marketing wants to cite awards, rankings, “top adviser” badges, star ratings, or list placements from a third party. The SEC’s marketing framework expects you to do more than copy/paste a logo and a footnote. You need to understand what the rating is, how it was produced, who was eligible, and what conditions the rating provider imposes for use, then disclose the rating in a way that is not misleading. (17 CFR 275.206(4)-1)
For a CCO or GRC lead, the fastest path is to standardize a pre-approval workflow: intake the rating, collect the rating provider’s methodology and licensing/disclosure terms, test the rating against your firm’s actual facts, and document what you did. Then lock it into marketing review and recordkeeping so a one-off “top list” mention does not become an exam finding. (17 CFR 275.206(4)-1) (17 CFR 275.204-2)
This page gives requirement-level implementation guidance you can drop into your marketing compliance program: applicability, step-by-step operating procedure, required artifacts, exam questions, and the mistakes that cause the most rework.
Regulatory text
Requirement (operator summary): “Validate third-party rating methodologies and disclosure conditions before use.” (17 CFR 275.206(4)-1)
What the operator must do:
- Validate the rating methodology before use. That means you can explain, with documentation, how the rating was created and why presenting it in your context would not mislead a reasonable investor. Where the rating rests on a questionnaire or survey, the rule expects you to have a reasonable basis for believing the survey was structured so that favorable and unfavorable responses were equally easy to give and was not designed to produce a predetermined result. (17 CFR 275.206(4)-1)
- Validate disclosure conditions tied to the rating. The rule itself calls for clear and prominent disclosure of the date the rating was given and the period it is based on, the identity of the third party that created and tabulated it, and, if applicable, that the adviser paid compensation (directly or indirectly) in connection with obtaining or using it. Providers often add their own conditions: required legends, eligibility notes, and restrictions on where and how the badge can be displayed. You must know and follow both sets of conditions. (17 CFR 275.206(4)-1)
- Retain records showing what was used and how it was reviewed/approved as part of your books and records obligations. (17 CFR 275.204-2)
Plain-English interpretation
If you want to say “Rated #1,” “5-star,” “Top RIA,” or display an award badge, you must be able to prove three things:
- The rating is real and explainable. You have the methodology or scoring criteria, not a marketing one-liner. (17 CFR 275.206(4)-1)
- The rating is presented with the right context. You disclose the date the rating was given and the period it covers, who created and tabulated it, whether you paid for it, and any meaningful limitation (for example, if only paying participants were considered). (17 CFR 275.206(4)-1)
- Your use complies with the provider’s rules. You follow licensing terms and required disclosures, and you do not crop, reword, or repurpose the rating in a way the provider prohibits. (17 CFR 275.206(4)-1)
Who it applies to
Entity scope
- Registered Investment Advisers (RIAs) using third party ratings in advertisements or marketing communications. (17 CFR 275.206(4)-1)
Operational scope (where this shows up)
- Website pages (home page badges, “as seen in” sections)
- Pitchbooks, RFIs/RFPs, consultant databases
- Factsheets and strategy one-pagers
- Social posts and paid digital ads
- Email campaigns and newsletters
- Sales enablement collateral distributed by third parties (placement agents, solicitors, channel partners)
If a client or prospect can see it and it could influence an investment decision, route it through the same rating due diligence workflow.
What you actually need to do (step-by-step)
Step 1: Set a bright-line definition and intake trigger
Create an internal definition of “third party rating” that captures awards, rankings, lists, star ratings, and badges created by third parties. Then set an intake rule: no rating is used unless it has a due diligence file and marketing approval. (17 CFR 275.206(4)-1)
Practical control: add a required field in your marketing request form: “Does this content include a third party rating or award?”
Step 2: Collect the minimum documentation from the rating provider
For each rating, request and store:
- Methodology description (criteria, weighting, data sources, scoring process) (17 CFR 275.206(4)-1)
- Universe/eligibility rules (who could be rated, geographic/asset-class filters, whether participation or subscription was required) (17 CFR 275.206(4)-1)
- Time period covered (the measurement window for performance, surveys, or votes) (17 CFR 275.206(4)-1)
- Disclosure and licensing conditions (required legends, attribution text, renewal/expiry terms, placement restrictions, whether compensation is required to apply or promote) (17 CFR 275.206(4)-1)
- Proof of your firm’s rating outcome (certificate, ranking notice, or provider confirmation) (17 CFR 275.206(4)-1)
Step 3: Perform a structured “methodology reasonableness” review
Use a checklist that forces a real conclusion, not a box-check:
- What does the rating measure? Performance, service, AUM, growth, popularity, peer voting, editorial selection, or paid placement. Document the answer. (17 CFR 275.206(4)-1)
- If the rating is survey- or questionnaire-based, was the instrument balanced? Record your basis for concluding that favorable and unfavorable responses were equally easy to give and that the survey was not built to reach a predetermined result. If the provider will not show you the instrument, say so in the memo. (17 CFR 275.206(4)-1)
- Could the rating be misunderstood as something else? Example: a “service award” presented next to performance charts can read like a performance endorsement. Your review should address placement risk. (17 CFR 275.206(4)-1)
- Any selection bias? If only paying participants or nominees are evaluated, treat that as a material limitation that must be disclosed; if it cannot be disclosed adequately, the rating should not be used. (17 CFR 275.206(4)-1)
Output artifact: a short memo (one page is fine) stating whether the rating is approved, approved with conditions (specific disclosure language/placement), or rejected. (17 CFR 275.206(4)-1)
Step 4: Write the required disclosure block and lock the approved language
Create an “approved disclosure” snippet for each rating and store it in a central library used by marketing.
Your disclosure block should cover, as applicable:
- Name of the rating provider (the party that created and tabulated the rating) and the rating name
- Date the rating was given and the period it is based on
- Brief methodology summary or where it can be found
- Whether compensation was paid, directly or indirectly, in connection with obtaining or using the rating
- Any eligibility/participation constraints that could change how a reader interprets the rating (17 CFR 275.206(4)-1)
Operational tip: treat disclosure text as controlled content. Marketing can copy it; marketing cannot edit it.
Step 5: Pre-use approval and placement review
Before first use (and before major reuse in a new context), confirm:
- The rating is current per provider terms and not expired
- The disclosure appears proximate to the rating where a reader will see it
- The rating is not paired with statements that change its meaning (for example, “best performing”) unless the methodology truly supports that claim (17 CFR 275.206(4)-1)
Step 6: Recordkeeping and retention
Maintain an exam-ready file for each rating instance or rating “package” that includes:
- Final approved creative (PDF/screenshot of webpage/social post, final pitch deck) (17 CFR 275.204-2)
- The due diligence package (methodology, eligibility, time period, provider terms) (17 CFR 275.206(4)-1)
- Compliance approval evidence (ticket, sign-off email, or GRC workflow record) (17 CFR 275.204-2)
- The exact disclosure language that ran with the content (17 CFR 275.206(4)-1)
If you use Daydream, the practical win is consolidation: keep the rating provider docs, your review memo, and the final approved creative in one control record so you can answer exam requests without chasing marketing across shared drives. (17 CFR 275.204-2)
Required evidence and artifacts to retain (audit-ready list)
| Artifact | Purpose | Where teams stumble |
|---|---|---|
| Rating methodology document | Proves you validated how the rating is produced. (17 CFR 275.206(4)-1) | Saving a marketing summary instead of the real methodology. |
| Provider disclosure/licensing terms | Proves you complied with conditions of use. (17 CFR 275.206(4)-1) | Missing required legends or misusing a badge. |
| Internal review memo/checklist | Demonstrates a real analysis and decision. (17 CFR 275.206(4)-1) | “Approved” with no rationale or conditions. |
| Final published/used materials | Shows what investors actually saw. (17 CFR 275.204-2) | Retaining drafts, not the final version. |
| Approval workflow record | Evidence of supervision and pre-use review. (17 CFR 275.204-2) | Approvals happen in chat, then disappear. |
Common exam/audit questions and hangups
Expect questions along these lines:
- “Show me the support for this ‘Top Adviser’ claim and the methodology for the ranking.” (17 CFR 275.206(4)-1)
- “Where are the disclosures, and how do you ensure they are included every time this rating is used?” (17 CFR 275.206(4)-1)
- “Do you have records of the advertisement as disseminated?” (17 CFR 275.204-2)
- “Who approves third party ratings, and what is the escalation path if methodology is unclear?” (17 CFR 275.206(4)-1)
- “How do you prevent stale/expired awards from staying on the website?” (17 CFR 275.206(4)-1)
Hangup to plan for: marketing frequently reuses a badge across formats (website, deck, social) and assumes the same disclosure “covers everything.” Your workflow should force a placement check each time the context changes. (17 CFR 275.206(4)-1)
Frequent implementation mistakes (and how to avoid them)
- Relying on the badge alone. A logo is not due diligence. Require the methodology and universe description before approval. (17 CFR 275.206(4)-1)
- Letting disclosures drift. Marketing edits disclosure text for brevity and changes meaning. Fix this with a locked disclosure library and a “no edits” rule. (17 CFR 275.206(4)-1)
- Treating licensing as “legal’s problem.” Licensing conditions are part of disclosure conditions. Put them in the same intake packet and require compliance sign-off. (17 CFR 275.206(4)-1)
- Weak recordkeeping. If you cannot reproduce the final ad and its disclosure quickly, you will burn time during exams. Store the final-as-used artifact with the due diligence file. (17 CFR 275.204-2)
- No re-validation trigger. Methodologies and eligibility change. Add re-review triggers: provider updates methodology, rating expires, or you change how/where it’s displayed. (17 CFR 275.206(4)-1)
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so this page does not cite specific actions. The practical risk is still clear: third party ratings can become misleading if the methodology is weak, the universe is constrained, or disclosures are missing or buried. That risk maps directly to your marketing rule obligations and your books-and-records exposure if you cannot produce support on request. (17 CFR 275.206(4)-1) (17 CFR 275.204-2)
Practical execution plan (30/60/90-day)
First 30 days: Stabilize and stop unreviewed use
- Inventory all third party ratings currently in use across web, decks, and factsheets.
- Put a temporary gate in the marketing workflow: new ratings require compliance review and a due diligence file. (17 CFR 275.206(4)-1)
- Create a standard intake checklist and a one-page review memo template. (17 CFR 275.206(4)-1)
Day 31–60: Standardize controls and centralize evidence
- Build a controlled “approved ratings register” with: rating name, provider, approved disclosure, expiry/review triggers, and storage location. (17 CFR 275.206(4)-1)
- Implement recordkeeping rules for final-as-used artifacts and approvals. (17 CFR 275.204-2)
- Train marketing and sales on the intake trigger and the “no edits to disclosure” rule. (17 CFR 275.206(4)-1)
Day 61–90: Operational hardening and testing
- Run a sample test: pick a few recently used ratings and confirm your file has methodology, conditions, final creative, and approvals. Fix gaps. (17 CFR 275.206(4)-1) (17 CFR 275.204-2)
- Add monitoring: periodic website scans and a quarterly marketing content spot check focused on ratings and disclosures. (17 CFR 275.206(4)-1)
- If you adopt Daydream, configure a single workflow that ties intake, review memo, approvals, and evidence retention to one record per rating/provider so you can respond to exam requests consistently. (17 CFR 275.204-2)
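The website-scan control in the Day 61–90 plan, and the exam question about stale awards above, can be automated against the approved ratings register. The following is an added example written for this page, not a Daydream feature or anything the SEC publishes. It assumes a convention that every rating badge on the site carries a `data-rating-id` attribute matching the register key (a hypothetical convention you would have to adopt), that the register stores the locked disclosure text and the provider expiry date, and that page HTML has already been fetched; the register entries, providers and page captures below are constructed for the example.

```python
"""Quarterly check of site HTML against the approved ratings register.

Flags badges that are not in the register, ratings that have passed their
provider expiry, and disclosure text that is missing near the badge or was
edited away from the locked library text.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class ApprovedRating:
    rating_id: str            # key embedded in the badge markup (assumed convention)
    provider: str
    name: str
    approved_disclosure: str  # locked text from the disclosure library; marketing may not edit it
    valid_through: str        # last day of use under provider terms, ISO date


@dataclass(frozen=True)
class Finding:
    url: str
    rating_id: str
    code: str                 # NOT_IN_REGISTER | EXPIRED | DISCLOSURE_MISSING | DISCLOSURE_EDITED
    detail: str


# Constructed register entries; the providers and ratings are fictitious.
REGISTER: Dict[str, ApprovedRating] = {r.rating_id: r for r in (
    ApprovedRating("acme-top-2023", "Acme Rankings", "Top Adviser 2023",
                   "Acme Top Adviser 2023 ranking based on Acme's survey of advisers for "
                   "calendar 2023; see acme.example/methodology.", "2024-12-31"),
    ApprovedRating("star-5-2024", "StarCo", "5-Star Service 2024",
                   "StarCo 5-Star Service rating for 2024; only StarCo subscribers were eligible.",
                   "2025-12-31"),
)}

BADGE_RE = re.compile(r'<img[^>]*\bdata-rating-id="([^"]+)"[^>]*>', re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")
DISCLOSURE_WINDOW = 600   # characters after the badge within which the disclosure must appear


def normalize(html_fragment: str) -> str:
    """Strip tags and collapse whitespace so layout changes do not break the comparison."""
    return re.sub(r"\s+", " ", TAG_RE.sub(" ", html_fragment)).strip()


def scan_page(url: str, html: str, as_of: str) -> List[Finding]:
    """Return one Finding per problem with each rating badge on the page."""
    findings: List[Finding] = []
    scan_date = date.fromisoformat(as_of)
    for m in BADGE_RE.finditer(html):
        rid = m.group(1)
        rating = REGISTER.get(rid)
        if rating is None:
            findings.append(Finding(url, rid, "NOT_IN_REGISTER", "badge has no due diligence file"))
            continue
        if scan_date > date.fromisoformat(rating.valid_through):
            findings.append(Finding(url, rid, "EXPIRED",
                                    f"provider terms ended {rating.valid_through}"))
        window = normalize(html[m.end(): m.end() + DISCLOSURE_WINDOW])
        wanted = normalize(rating.approved_disclosure)
        if wanted in window:
            continue
        # The opening words of the locked text present without the rest usually means
        # marketing trimmed the disclosure, which is the drift the workflow forbids.
        prefix = " ".join(wanted.split()[:5])
        code = "DISCLOSURE_EDITED" if prefix in window else "DISCLOSURE_MISSING"
        findings.append(Finding(url, rid, code,
                                f"approved text not within {DISCLOSURE_WINDOW} chars of badge"))
    return findings


def scan_site(pages: Dict[str, str], as_of: str) -> Dict[str, List[Finding]]:
    """Scan every captured page; pages map URL to the HTML as fetched."""
    return {url: scan_page(url, html, as_of) for url, html in pages.items()}


# Constructed page captures standing in for a crawl of the firm's site.
SAMPLE_PAGES: Dict[str, str] = {
    "https://adviser.example/": """
      <div class="awards">
        <img src="/img/acme.png" alt="Acme Top Adviser 2023" data-rating-id="acme-top-2023">
        <p class="disclosure">Acme Top Adviser 2023 ranking based on Acme's survey of advisers for
        calendar 2023; see acme.example/methodology.</p>
      </div>""",
    "https://adviser.example/performance": """
      <h1>Composite performance</h1>
      <img src="/img/star.png" alt="5-Star" data-rating-id="star-5-2024">
      <p>StarCo 5-Star Service rating for 2024.</p>""",
    "https://adviser.example/about": """
      <img src="/img/old.png" alt="Best RIA 2019" data-rating-id="best-ria-2019">""",
}

if __name__ == "__main__":
    for page_url, found in scan_site(SAMPLE_PAGES, "2025-03-01").items():
        for f in found:
            print(f"{f.code:19} {page_url} [{f.rating_id}] {f.detail}")
```

Run against the constructed captures as of 2025-03-01, the scan reports the home page badge as expired, the performance page disclosure as edited (the eligibility sentence was dropped), and the "about" page badge as absent from the register. The proximity window is a placement heuristic, not a legal standard; tune it to your templates, and treat every finding as an item for the compliance owner, not as an automatic takedown.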
Frequently Asked Questions
What counts as a “third party rating” for this requirement?
Treat awards, rankings, “top lists,” star ratings, and badges issued by a third party as third party ratings if you use them in marketing or client communications. If the item could influence an investor’s perception, route it through the same due diligence and disclosure process. (17 CFR 275.206(4)-1)
Do I need the full methodology document, or is a webpage summary enough?
You need enough documentation to validate how the rating was determined and what limitations apply. If the provider only offers a short summary, document your request for more detail and decide whether the rating can be used without creating a misleading impression. (17 CFR 275.206(4)-1)
How often should we re-review third party ratings?
Re-review when the rating expires, when the provider changes its methodology or eligibility, or when your use changes context (for example, from a website footer to a performance page). Define these triggers in your ratings register and workflow. (17 CFR 275.206(4)-1)
Can we post the badge on social media without the full disclosure text?
If the disclosure conditions require specific legends or proximity, you need a compliant format for the channel (for example, short-form disclosure plus a clear link to the full disclosure landing page, if consistent with provider conditions). Document how the disclosure requirement is met for each channel you approve. (17 CFR 275.206(4)-1)
Who should own approvals: compliance, marketing, or legal?
Compliance should own the regulatory review and final approval for marketing use, while legal may review licensing terms depending on your operating model. Put both in one workflow so the methodology and disclosure conditions are evaluated together before publication. (17 CFR 275.206(4)-1)
What records do we need to keep to satisfy exams?
Keep the methodology, provider terms, your internal review/approval, and the final advertisement or communication as disseminated. Store them together so you can produce the file quickly under books-and-records expectations. (17 CFR 275.204-2)