Consulting Agreement for Financial Services

Last updated: May 2026

Quick Answer

If a financial-services consultant gives anything that looks like investment advice for compensation, they may be an investment adviser under Investment Advisers Act of 1940 Section 202(a)(11), which triggers Form ADV registration, fiduciary duty, and Regulation S-P (17 CFR Part 248). The amended Reg S-P, with compliance dates rolling through December 2025 and June 2026, now requires customer notification within 30 days of unauthorized access to NPI. The GLBA Safeguards Rule (16 CFR 314.4) requires written incident notice to the FTC within 30 days for unauthorized access affecting 500+ consumers. The SEC Marketing Rule (17 CFR 275.206(4)-1) restricts what the consultant can say about themselves or your firm. Typical 2025–2026 fees: $300–$600 hourly (compliance and ops), $500–$900 hourly (former SEC/FINRA staff for enforcement defense); success-fee structures are common for capital markets and M&A advisory but blow up the AKS-style fiduciary analysis. Every clause below should be in the engagement letter before the consultant logs into a single Bloomberg terminal or core banking system.

The unique risks of financial-services consulting

The first risk is regulatory characterization. A consultant who is "compensated" for "advising others about securities" is an investment adviser under Investment Advisers Act Section 202(a)(11), full stop. Saying "I'm just consulting" in the engagement letter does not change the test. If the consultant is helping a wealth firm pick funds, building a model portfolio, or even ghost-writing investment commentary that goes out to clients, the engagement may need to be structured as a subadvisory relationship, sit under the firm's RIA umbrella with formal supervision, or be restructured to remove the regulated activity.

The second risk is privacy. Reg S-P (17 CFR Part 248), as amended in May 2024 with compliance starting December 2025 for larger firms and June 2026 for smaller ones, now requires written incident response programs, customer notification within 30 days of unauthorized access to nonpublic personal information (NPI), and explicit oversight of service providers handling NPI. The amended FTC Safeguards Rule (16 CFR Part 314) requires written designation of a Qualified Individual, an information security program, and, as of May 13, 2024, written notice to the FTC within 30 days for incidents affecting at least 500 consumers. The consultant's contract has to support both.

The third risk is books-and-records. SEC-registered advisers preserve records for five years under Rule 204-2(e) (17 CFR 275.204-2). Broker-dealers preserve under Exchange Act Rule 17a-4 (17 CFR 240.17a-4), which in 2022 was updated to allow electronic storage with WORM or audit-trail alternatives. If a consultant produces working papers, model code, or compliance memos and then deletes them at engagement end, the firm just lost responsive material for the next SEC exam. The contract has to require preservation for the client's full retention period.

Industry-specific clauses to include

  • No Investment Adviser / Broker-Dealer Activity: Express representation that the consultant will not engage in activity that would require registration under Advisers Act Section 202(a)(11) or Exchange Act Section 15(a), and will escalate to client if scope would cross that line.
  • Reg S-P Customer Notification SLA: Consultant notifies client within 24 hours of suspected unauthorized access to NPI, supporting client's 30-day customer notice obligation under 17 CFR 248.30(a)(3) (effective December 3, 2025 for large entities, June 3, 2026 for smaller).
  • FTC Safeguards Rule Compliance: Consultant maintains an information security program meeting 16 CFR 314.4, with annual written review and submission of evidence to client; required for non-bank financial institutions including mortgage brokers, payday lenders, and certain fintechs.
  • Books-and-Records Preservation: All emails, working papers, drafts, models, and deliverables preserved in original form for the longer of (a) 5 years for SEC advisers / 6 years for broker-dealers (first 2 in an easily accessible place), or (b) the client's specified retention period; delivered to client at termination.
  • Marketing Rule Compliance (17 CFR 275.206(4)-1): If consultant authors any communication that the client may use in advertising, the content meets the seven prohibitions of Rule 206(4)-1(a), including substantiation, no untrue statements, no misleading omissions, and required testimonial/endorsement disclosures.
  • BSA/AML & OFAC Sanctions Screening: Consultant warrants it has screened personnel against OFAC SDN list and will not perform services if any beneficial owner appears on a sanctions list; if engagement involves AML model validation or independent testing under 31 CFR 1020.210, the consultant warrants independence from the AML function.
  • Material Nonpublic Information (MNPI) Wall: If consultant may receive MNPI about an issuer, an information barrier is documented (named recipients, restricted list procedures, no trading or tipping), with insider trading policy acknowledgement under Exchange Act Rules 10b-5 and 10b5-1.
  • Conflicts & Independence Disclosure: Written disclosure of competing engagements (same product category, same counterparty), referral arrangements, and any compensation from third parties; required because Section 206 of the Advisers Act creates a fiduciary duty including conflict disclosure.
  • Cloud / AI / Subprocessor Pre-Approval: No transmission of NPI or MNPI to public LLMs, no use of unapproved cloud storage, no offshore subcontracting without written approval; reflects FFIEC guidance and OCC Bulletin 2023-17 on third-party risk management.
  • Regulatory Cooperation: Consultant cooperates with SEC, FINRA, state insurance department, CFPB, OCC, FDIC, NCUA, state banking regulator, and external auditor requests at no additional cost for 6 years after engagement.

Common mistakes in financial-services consulting agreements

  • Letting the consultant draft client-facing investment commentary. If the consultant pens the firm's quarterly market outlook that goes to retail clients, two things just happened: an unregistered person produced advisory content, and the firm is now using a "testimonial or endorsement" under the new marketing rule if the consultant is credited.
  • Engaging a "former regulator" without a cooling-off review. Former SEC, FINRA, CFTC, and Federal Reserve staff carry post-employment restrictions (e.g., one-year ban on appearing before former agency under 18 USC 207). The consultant should warrant compliance and the contract should require disclosure of former employer.
  • Treating NPI like ordinary "confidential information." NPI under GLBA has a specific legal definition (15 USC 6809(4)) and triggers specific safeguards. The contract should name NPI separately, prohibit aggregation or re-identification, and require destruction certification on termination.
  • Success fees on capital markets advisory work. If the consultant gets paid more when a deal closes, FINRA may view this as transaction-based compensation requiring broker-dealer registration under Exchange Act Section 15(a). The 2013 M&A Brokers No-Action Letter creates a narrow exception, but it does not cover all scenarios.
  • Consultants accessing core systems via shared credentials. Bank examiners and SEC OCIE will flag shared logins as a control weakness. The contract should require named individual accounts, MFA, and audit-trail preservation.
  • No retention clause for working papers. When the SEC asks for "all materials related to" the model validation the consultant did 3 years ago, the firm needs the working papers. The contract should require delivery and preservation of those papers, not just the final deliverable.

Regulatory landscape

Federal anchors: Investment Advisers Act of 1940 Section 202(a)(11) defines investment adviser; Section 206 imposes fiduciary duty; Rule 206(4)-1 (Marketing Rule, effective November 2022) governs advertising and testimonials. Securities Exchange Act of 1934 Section 15(a) requires broker-dealer registration for transaction-based compensation. Investment Company Act of 1940 applies to fund advisers. Bank Secrecy Act (31 USC 5311 et seq.) and FinCEN regulations at 31 CFR Chapter X impose AML obligations; the AML Act of 2020 expanded enforcement. Gramm-Leach-Bliley Act (15 USC 6801 et seq.) and Regulation P (12 CFR Part 1016) and Reg S-P (17 CFR Part 248) govern privacy of NPI. FTC Safeguards Rule (16 CFR Part 314, as amended December 2021 and May 2024) covers non-bank financial institutions. Sarbanes-Oxley Section 404 internal controls obligations flow to consultants helping with ICFR. Dodd-Frank whistleblower protections (15 USC 78u-6) and CFPB rules under 12 USC 5481 et seq. apply for consumer financial products.

Insurance overlay: state insurance department licensing (NAIC Model Producer Licensing Act), NAIC Insurance Data Security Model Law (now adopted in 24 states including NY DFS 23 NYCRR Part 500, which requires CISO designation and 72-hour incident notice). Banking overlay: OCC Bulletin 2023-17 (Interagency Guidance on Third-Party Relationships), Federal Reserve SR 13-19, FDIC FIL-29-2023. Capital markets: FINRA Rules 3110 (supervision), 4511 (books and records), 4530 (reporting). Crypto: SEC v. Coinbase, SEC v. Binance, and the 2024 court rulings on Howey application to digital assets remain in flux; consultants advising on token economics or token launches should explicitly disclaim Section 5 and Section 17 securities-act analysis.

Cross-border: GDPR (EU 2016/679) Article 28 processor obligations for EU customer data; UK GDPR for UK data; if cross-border transfer is involved, SCCs (2021/914 module 2) or UK IDTA must be in place. DORA (EU 2022/2554, effective January 17, 2025) imposes ICT third-party risk requirements on EU financial entities and their critical service providers — US consultants supporting EU subsidiaries may need DORA-compliant terms. EU AI Act (2024/1689, phased compliance through August 2026) classifies certain credit-scoring and insurance-pricing models as high-risk AI systems.

Sample fee structure

Financial-services consulting prices are high and vary by specialty and seniority; the following ranges reflect US market data through 2026:

  • Compliance consultant / former CCO: $250–$500/hour for project work; $8,000–$25,000/month for fractional CCO retainer; $30,000–$120,000 for a full Reg S-P or Marketing Rule compliance program build.
  • Former SEC/FINRA enforcement staff: $500–$900/hour for examination response and enforcement defense; $1,200+/hour for partners at boutique firms.
  • AML / BSA independent testing (31 CFR 1020.210(c)): $25,000–$150,000 annually depending on bank size and product mix; required annually for banks, with quarterly testing for higher-risk institutions.
  • Model validation (SR 11-7 / OCC 2011-12): $40,000–$250,000 per model family; quants charge $300–$600/hour.
  • Capital markets / M&A advisory: Retainers $25,000–$100,000/month plus 1–2% success fee at close for transactions $25M–$500M; flat $1.5M+ for deals above $500M (Lazard, Houlihan Lokey, and middle-market boutiques set the benchmark).
  • Core system implementation / digital transformation: Big Four / strategy consultancy day rates $3,500–$6,000 for senior managers, $1,800–$3,000 for consultants; programs run $1M–$25M+ over 12–36 months.
  • Cyber / IT audit support: $200–$400/hour; SOX 404 ICFR readiness $50,000–$300,000 per fiscal year.

Success fees and contingent compensation should be vetted by counsel against broker-dealer registration analysis (Section 15(a)) and, in advisory work, the performance-fee restrictions of Advisers Act Section 205. The Two-Hat Problem (consultant + broker) is a frequent SEC enforcement theme.

How to draft this in Word with LexDraft

Start from the LexDraft consulting agreement template and select the financial-services overlay clauses (Reg S-P notification SLA, FTC Safeguards Rule, MNPI wall, books-and-records preservation). For early-stage discussions with an issuer or counterparty, the NDA template is the right standalone document. The broader templates library covers structuring the engagement across firm-wide vs. project-based work, and LexDraft vs Spellbook compares drafting workflows for finance teams.

Frequently asked questions

Investment Advisers Act Section 202(a)(11) defines an investment adviser as any person who, for compensation, engages in the business of advising others about securities. The three-part test (Compensation + Business + Advice about securities) sweeps broadly. Ghostwriting investment commentary, building model portfolios, and recommending specific funds to clients can all qualify. There is a publishers' exclusion and a narrow consultants' carve-out, but neither covers most engagements.

As of December 3, 2025 (large entities) and June 3, 2026 (smaller), the amended Rule 17 CFR 248.30 requires covered firms to provide customer notice within 30 days of unauthorized access to NPI. To meet that, the contract should require the consultant to notify the client within 24 hours of suspected unauthorized access, preserve forensic evidence, and cooperate with the client's written incident response program required under 17 CFR 248.30(a)(3).

Carefully. Transaction-based compensation tied to a securities sale typically requires broker-dealer registration under Exchange Act Section 15(a). The 2014 SEC M&A Brokers No-Action Letter (and its 2023 codification at Exchange Act Section 15(b)(13)) provides a narrow exception for M&A advisors on private operating companies meeting strict criteria. For other capital markets work, the consultant typically needs to be a registered broker-dealer or the fee must be restructured as a flat or hourly engagement.

For SEC-registered investment advisers, Rule 204-2 generally requires 5 years (first 2 easily accessible). For broker-dealers, Exchange Act Rule 17a-4 requires 6 years for most records (first 2 in an easily accessible place). The contract should require the consultant to preserve and deliver all working papers in original form on termination, and to cooperate with regulatory inspections for that period.

Only with explicit written approval, and never on NPI or MNPI without an enterprise contract that prohibits training on inputs. Most financial institutions' third-party risk frameworks prohibit transmission of customer data to public consumer-grade LLMs. If AI use is permitted, the contract should name approved tools (e.g., Microsoft Copilot with the EDP zero-retention setting), prohibit free or consumer tiers, and require maintenance of an AI use log for examiner review.

Disclaimer: This guide is for informational purposes only and does not constitute legal advice. Laws change frequently and may vary by jurisdiction. Consult a licensed attorney for advice specific to your situation.
