
Product Due Diligence Policies and Procedures

Study how product due diligence policies and procedures should reflect the dealer’s business model and the types of securities and derivatives it offers.

Product due diligence should be embedded in written policies and procedures. A dealer that performs ad hoc review without clear governance, ownership, and escalation standards is unlikely to demonstrate a strong product-governance framework. The CCO should therefore treat the policy architecture itself as a control issue.

The curriculum emphasizes that these policies and procedures should reflect the dealer’s business model and the types of securities and derivatives offered. That means the policies should be tailored, not generic.

What This Lesson Is Usually Testing

This lesson is usually testing whether the candidate can tell the difference between having a policy and having a usable operating framework.

The main judgment questions are:

  • whether the policy matches the dealer’s actual product set and business model
  • whether the procedures are detailed enough to govern approvals, reassessment, and restrictions
  • whether business change has made the policy stale

That is why many scenarios describe a formal policy that looks complete on paper but does not fit the current shelf.

Why Policies Must Match the Business Model

An OEO dealer, a managed-account dealer, an institutional dealer, and a dealer selling structured products or derivatives do not need identical product-governance procedures. Each business model creates different product-approval questions, different training needs, different supervisory expectations, and different monitoring triggers.

For that reason, a dealer’s written policies should reflect how the business actually operates. A policy copied from another context may look complete but still be inadequate if it does not match the products, channels, and account structures used by the firm.

| Policy weakness | Strongest first compliance conclusion |
| --- | --- |
| Generic policy not tied to current products or channels | The policy may not be governing the real business at all |
| New products or distribution channels added without revision | The framework has likely become stale and incomplete |
| Procedures do not identify owners, restrictions, or reassessment triggers | The operating standard is too weak to support real product governance |
| Staff rely on informal practice instead of documented procedure | The paper policy is not controlling the business effectively |

Why Policies Must Match the Product Set

Policies and procedures should also reflect the kinds of securities and derivatives the dealer offers. A shelf limited to conventional mutual funds and broad-market ETFs will not require exactly the same review architecture as a shelf that includes options, structured notes, leveraged ETFs, private products, or crypto-linked offerings.

This affects:

  • what information must be collected before approval
  • who must review the product
  • what training must occur before distribution
  • which accounts may access the product
  • what monitoring and reassessment triggers should exist

The strongest exam answer usually recognizes that a generic policy may become wrong even if it is well written. If the product set changes materially, the policy framework should change as well.

What Strong Policies Usually Contain

A strong product due-diligence policy usually identifies:

  • who is responsible for initial assessment
  • what criteria must be evaluated
  • who has approval authority
  • what documentation must be retained
  • what conditions or restrictions may be attached to approval
  • what events trigger reassessment
  • how issues are escalated to the UDP, board, or committee structure when necessary

The policy should also connect product due diligence to training, supervision, marketing review, and complaint monitoring. Product governance is strongest when these functions are linked rather than treated as separate silos.

Triggers to Revise Policies and Escalate

Generic policies often fail in one of two ways. They are either too broad to guide real decisions, or too narrow to cover new products and service models. The exam therefore tends to reward the answer that redesigns the policy framework when the firm’s business changes, rather than the answer that assumes an old policy can simply be applied to a new product line.

Common triggers for policy review include:

  • expansion into new product categories or derivatives
  • changes in business model or distribution channel
  • recurring exceptions, complaints, or supervisory findings
  • regulatory change or new guidance
  • mergers, affiliate integration, or outsourcing changes

    flowchart TD
        A[Business model or product set] --> B[Draft tailored due-diligence policy]
        B --> C[Define owners, criteria, restrictions, monitoring, and escalation]
        C --> D{Business or risk profile changes?}
        D -->|No| E[Continue monitoring and policy testing]
        D -->|Yes| F[Revise policy and escalate material gaps]

The key message is that policy quality is measured by whether it helps the dealer make real product-governance decisions under its actual business model.

What Stronger Answers Usually Do

Stronger answers usually:

  • test the policy against the current business model and shelf
  • identify exactly what operating step is missing or stale
  • connect policy weakness to approval, restriction, reassessment, or escalation failure
  • explain why a generic policy can be worse than it appears because it creates false comfort

That is stronger than saying only that the policy should be updated periodically.

Common Pitfalls

  • Copying a generic policy from another dealer or another business line.
  • Writing a policy that describes broad principles but does not identify owners, criteria, or restrictions.
  • Treating product due diligence as separate from training, communications review, and supervision.
  • Failing to update policies when the shelf, channel structure, or risk profile changes.

Key Takeaways

  • Product due-diligence policies should be written, structured, and tailored to the dealer’s actual business.
  • The firm’s business model and product shelf should shape the content of the policies and procedures.
  • Strong policies connect approval, training, supervision, marketing review, monitoring, and escalation.
  • Generic policies are weak if they do not help the firm make real product-governance decisions.
  • In a scenario, the best answer usually tailors the policy framework to the firm’s changed risk profile.

Sample Exam Question

An Investment Dealer historically sold conventional mutual funds and ETFs through an advisory branch network. It now adds options, structured products, and an online distribution channel, but it keeps the same short product due-diligence policy. The policy does not identify who may approve complex products, what restrictions may apply, how online distribution changes monitoring, or when issues must be escalated to senior governance bodies.

What is the strongest CCO conclusion?

  • A. The only gap is the absence of a longer glossary.
  • B. The policy is weak because it no longer reflects the dealer’s business model, product set, approval needs, monitoring triggers, or escalation framework.
  • C. The product-approval committee can solve the problem informally without changing the written policy.
  • D. The policy remains adequate because it already states that the firm performs product due diligence.

Correct answer: B.

Explanation: A policy should reflect the business the firm actually conducts. Once the dealer changes its product shelf and distribution model materially, a generic or legacy policy may no longer guide real decisions. The missing elements in the fact pattern are core governance components, not minor drafting details. Options A, C, and D all understate the need for a tailored written framework.

Revised on Thursday, April 23, 2026