FINRA Rule 2210 requires that retail communications be approved by a registered principal before use, and SEC Regulation Best Interest (Reg BI) requires broker-dealers to establish and maintain written policies and procedures reasonably designed to achieve compliance. Documented legal sign-off on customer-facing disclosures is the simplest evidence that those procedures exist and were actually followed. For a financial product under FINRA or SEC oversight, Terms and a Privacy Policy produced from AI boilerplate and never reviewed by counsel are therefore more than a liability risk: they leave nothing to show an examiner that the required principal or compliance review ever took place. Outside FINRA, the same paper trail matters in an FTC Section 5 (deceptive practices) matter, where it shows the disclosures were checked rather than merely generated.
Severity is info because the absence of documented review evidence does not harm users directly; it creates legal exposure only when a disclosure is later found to be deficient and there is no review trail to point to, particularly against the FINRA Rule 2210 principal-approval and Reg BI written-procedures requirements.
Create COMPLIANCE_CHECKLIST.md at the project root to record legal review milestones. The file must name a specific reviewer or team and a date; an unfilled template does not count:
# COMPLIANCE_CHECKLIST.md
## Pre-Launch Review
- [x] Terms & Conditions — reviewed by: Legal Team, 2024-01-10
- [x] Privacy Policy — reviewed by: Legal Team, 2024-01-10
- [x] Fee schedules — reviewed by: Compliance Officer, 2024-01-12
- [x] Reg Z / TILA disclosures — verified by: outside counsel, 2024-01-14
- [x] Legal sign-off: J. Smith, General Counsel — 2024-01-15
## Regulatory Change Log
| Date | Regulation | Change Applied |
|------------|------------------|------------------------------|
| 2024-04-01 | FTC Click-Cancel | Updated cancellation flow |
Commit the file to version control so every sign-off carries an author, a date and a history that can be audited. The FINRA Rule 2210 principal-approval requirement binds only registered entities, but a non-registered fintech benefits from the same paper trail.
ID: finserv-disclosure.presentation-quality.legal-review
Severity: info
What to look for: Search the codebase for evidence of a legal review process. Check for: COMPLIANCE_CHECKLIST.md, LEGAL_REVIEW.md, README sections mentioning legal review, code comments referencing legal sign-off, or commit messages containing "legal review" or "compliance review". Count the number of evidence items found.
Pass criteria: At least 1 documented artifact exists that evidences legal review: a compliance checklist file, a README section mentioning legal review, or code comments referencing legal approval. The artifact must include a specific reference to a person, team, or date (not just a blank template). Quote the evidence found and the file path.
Fail criteria: No evidence of a legal review process anywhere in the codebase (no compliance checklist, no README mention, no code comments, no commit messages referencing legal review).
Skip (N/A) when: The project is a prototype, educational tool, or personal project with no legal or regulatory requirements.
Detail on fail: Example: "No evidence of legal review process in the codebase. No COMPLIANCE_CHECKLIST.md file. Terms & Conditions and Privacy Policy appear to be AI-generated boilerplate with no legal sign-off. 0 evidence artifacts found."
Remediation: Implement a legal review checkpoint by creating COMPLIANCE_CHECKLIST.md in the project root. Start from the template below, then replace the blank sign-off and date lines with the actual reviewer and date; an unfilled template still fails the check:
# COMPLIANCE_CHECKLIST.md
## Pre-Launch Checklist
- [ ] Privacy Policy written and reviewed by legal team
- [ ] Terms & Conditions written and reviewed by legal team
- [ ] Fee schedules reviewed by compliance officer
- [ ] Regulatory disclosures (Reg B, Reg Z, TILA) verified by legal
- [ ] All disclosures tested in user journey (QA)
- [ ] Legal team sign-off: ___________________________
- [ ] Date: ___________________________
## Regulatory Change Log
| Date | Regulation | Change | Status |
|------|-----------|--------|--------|
| 2024-01-15 | CFPB | Updated fee disclosure format | Implemented |
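A checker that applies this rule's search and pass/fail criteria to a checkout, as an added example (it is not part of the rule text or of any project's tooling): it looks for the artifact files the rule names, for review phrases in README text, code comments and commit messages, and treats a checklist as evidence only if it names a reviewer or team, gives a date, and has no unfilled blank lines, so the remediation template above fails until it is filled in. The sample checklist texts, README, code comment and commit subjects are constructed for the demo, and counting every matching commit message as specific (because git already records its author and date) is an assumption of this example, not something the rule states.

```python
import re
import subprocess
import tempfile
from dataclasses import dataclass
from pathlib import Path

ARTIFACT_NAMES = {"COMPLIANCE_CHECKLIST.md", "LEGAL_REVIEW.md"}  # files the rule names
# Phrases the rule lists as evidence ("legal review", "compliance review", "legal
# sign-off") plus the "reviewed by" / "verified by" lines a filled checklist carries.
REVIEW_RE = re.compile(
    r"\b(legal|compliance)\s+(review\w*|sign-?off|approv\w*)\b"
    r"|\b(reviewed|verified|approved)\s+by\b|sign-?off\s*:", re.I)
DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")
# "reviewed by: Legal Team", "sign-off: J. Smith": the value must start with a letter,
# so an underscore fill-in line never counts as a name.
NAMED_RE = re.compile(r"(?:reviewed|verified|sign-?off)\s*(?:by)?\s*:\s*([A-Za-z][^,\n]*)", re.I)
BLANK_RE = re.compile(r"_{3,}")  # fill-in lines left over from an untouched template

@dataclass
class Evidence:
    source: str     # relative file path, or "commit"
    excerpt: str
    specific: bool  # names a person/team or a date, and is not a blank template

def checklist_is_specific(text: str) -> bool:
    """A checklist counts only if it names a reviewer or team, gives a date and
    has no unfilled blank lines, so the shipped template fails until filled in."""
    if BLANK_RE.search(text):
        return False
    return bool(NAMED_RE.search(text)) and bool(DATE_RE.search(text))

def scan_file(path: str, text: str) -> list[Evidence]:
    """One artifact per checklist file; otherwise one item per matching line."""
    name = Path(path).name
    if name in ARTIFACT_NAMES:
        return [Evidence(path, f"{name} present", checklist_is_specific(text))]
    hits = []
    for line in text.splitlines():
        if REVIEW_RE.search(line):
            specific = bool(DATE_RE.search(line) or NAMED_RE.search(line))
            hits.append(Evidence(path, line.strip(), specific))
    return hits

def scan_commits(subjects: list[str]) -> list[Evidence]:
    # Assumption of this example: a matching commit is specific because git
    # records its author and date; the rule text does not say either way.
    return [Evidence("commit", s.strip(), True) for s in subjects if REVIEW_RE.search(s)]

def git_subjects(repo: str) -> list[str]:
    """Commit subjects of a real checkout (the offline demo below does not call it)."""
    out = subprocess.run(["git", "-C", repo, "log", "--format=%s"],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()

def scan_tree(root: str) -> list[Evidence]:
    found = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or ".git" in p.parts or p.stat().st_size > 1_000_000:
            continue
        found.extend(scan_file(str(p.relative_to(root)),
                               p.read_text(encoding="utf-8", errors="ignore")))
    return found

def evaluate(evidence: list[Evidence]) -> tuple[str, str]:
    """Pass needs at least one specific artifact; a blank template alone fails."""
    specific = [e for e in evidence if e.specific]
    if specific:
        e = specific[0]
        return "pass", f"{len(evidence)} evidence artifact(s); e.g. {e.source}: {e.excerpt}"
    if evidence:
        return "fail", (f"{len(evidence)} artifact(s) found but none names a reviewer, "
                        "team or date (blank template?)")
    return "fail", "No evidence of legal review process in the codebase. 0 evidence artifacts found."

# Constructed samples: a filled checklist, the unfilled template, a README and a code comment.
FILLED = """# COMPLIANCE_CHECKLIST.md
- [x] Terms & Conditions - reviewed by: Legal Team, 2024-01-10
- [x] Fee schedules - reviewed by: Compliance Officer, 2024-01-12
- [x] Legal sign-off: J. Smith, General Counsel - 2024-01-15
"""
BLANK = """# COMPLIANCE_CHECKLIST.md
- [ ] Privacy Policy written and reviewed by legal team
- [ ] Legal team sign-off: ___________________________
- [ ] Date: ___________________________
"""
README = "# Payments API\n\n## Legal review\nDisclosures reviewed by: Compliance Officer, 2024-01-12\n"
CODE = "# fee wording approved in compliance review 2024-01-12\nFEE_TEXT = 'See fee schedule'\n"

def run_demo(checklist: str) -> tuple[str, str]:
    """Scan a temp checkout holding only the given checklist and a plain source file."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "COMPLIANCE_CHECKLIST.md").write_text(checklist)
        (Path(root) / "fees.py").write_text("FEE_TEXT = 'See fee schedule'\n")
        return evaluate(scan_tree(root) + scan_commits(["Initial commit", "Add fee page"]))

if __name__ == "__main__":
    print(run_demo(FILLED))  # pass
    print(run_demo(BLANK))   # fail: template never filled in
```

For a real repository, pass `scan_tree(".") + scan_commits(git_subjects("."))` to `evaluate`. The detail string on fail mirrors the "Detail on fail" wording above, and the blank-template case is reported separately so a reviewer can see that the file exists but was never completed.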