Risk Management Update: Risk Management Steps for Dealing with Inadvertent Custody

Determining whether or not your investment advisory firm has custody is not an easy task, but it is necessary.  While having custody of client assets is not prohibited under Rule 206(4)-2 of the Investment Advisers Act of 1940, as amended (the “Custody Rule”), having custody without adhering to the requirements of the Custody Rule could result in significant regulatory sanctions being levied against the firm.

As a general practice, advisory firms usually don’t take physical custody of client assets unless they are dually registered as a broker-dealer. However, there are a number of ways an advisory firm can have non-physical custody, with the most common being the ability to debit advisory fees directly from a client’s account. In fact, there are times when a firm could be deemed to have custody even when it’s not intended.  Recently, the Securities and Exchange Commission (“SEC”) issued guidance on this topic[1], clarifying two additional ways an advisory firm could end up with non-physical custody.  One way is from Standing Letters of Authorization (“SLOAs”), which are written instructions clients give to custodians authorizing their investment adviser to instruct the custodian to withdraw account assets and send them to a third party.  The other way is from language contained in the custodian agreement the client executes that gives the adviser authority to withdraw assets from a client’s account under certain circumstances.

Generally, an adviser with deemed custody (other than just debiting fees) is required under the Custody Rule to, among other things,[2] obtain an annual surprise audit from an independent third-party accountant.  In this Risk Management Update, we discuss ways a firm could end up with unintentional (inadvertent) custody that triggers the surprise audit requirement, including those outlined in the SEC’s recent guidance, and provide steps that eliminate the audit requirement while remaining in compliance with the Custody Rule.


Inadvertent Custody

The definition of custody turns on whether a firm holds “directly or indirectly” client funds and/or securities, or has the “authority to withdraw” such assets. Inadvertent custody can be imputed in a few unexpected ways, including but not limited to the following:

  • Temporary acceptance of cash or securities from a third party for the benefit of the client;
  • Having authority to withdraw or transfer client account assets through written documents you are not a party to (i.e., SLOAs and custodian agreements); and
  • Utilizing a client’s password to monitor or make trades in an online account, such as a 401k plan account.

In each of the above cases, there is the potential for client harm since an adviser has authority and access to the client’s assets.  Due to this authority and access, advisory firms must implement the risk management controls outlined in the Custody Rule.  However, in the situations listed above, the SEC has provided steps that, if followed, will relieve a firm from having to obtain an annual surprise audit.

Risk Mitigation Protocols

1. Temporary acceptance of cash or securities from a third party for the benefit of the client – Firms may receive a check or stock certificate in the mail for the settlement of a class action suit, or from a client that wants to deposit it into their managed account. Sound familiar?  As temporary as these situations may be, the SEC takes the position that such possession is custody.

Steps to avoid having to obtain a surprise exam:

Checks and stock certificates received from third parties[3] must be returned to the sender within three business days, with the exception of: (i) tax refunds from tax authorities, (ii) client settlement proceeds from administrators in connection with class action lawsuits and other legal actions, or (iii) stock certificates, dividends, or evidence of new debt from issuers in connection with class action lawsuits involving bankruptcy or business reorganization.  These excepted assets can be forwarded to the client or custodian, but this must be done within 5 business days of receipt.

For all of the above, firms should maintain the following records and information:

  1. A copy of the check or certificate;
  2. The date the asset was received;
  3. The identification of who sent the asset;
  4. Whether the asset was sent back or forwarded;
  5. The date the asset was sent back or forwarded; and
  6. The identification of who the asset was sent to.

2. Having the authority to withdraw or transfer client account assets through written documents you are not a party to (i.e., SLOAs and custodian agreements) – As a client servicing activity, advisory firms usually have a few clients that have implemented SLOAs so the adviser can facilitate recurring transfers of money from client accounts to third parties. In addition, clients generally check a box in the custodian agreement that authorizes the custodian to take instructions from the adviser regarding transfers and withdrawals from the client’s account.

In the recently issued guidance, the SEC outlined that since SLOAs give an adviser authority to withdraw funds or securities from a client’s account, the advisory firm is deemed to have custody of those assets. 

Even more concerning, the SEC stated that, regardless of any language contained in advisory agreements, an adviser has custody over clients’ assets anytime custodian agreements include language giving an adviser authority to withdraw client assets (including most transfer activity).

Steps to avoid having to obtain a surprise exam:

For SLOAs, advisers must follow the requirements outlined in the SEC IAA No-Action Letter (February 21, 2017)[4], which include confirmation of steps being performed by custodians.

With regard to language in custodian agreements, the SEC has stated in its guidance that one way to eliminate the authority and avoid having custody is to obtain written confirmation from both the client and the custodian that the adviser’s authority is limited to “delivery vs. payment”.  Another consideration is to remove the authority language from the contracts, which generally requires a client to sign a new custodian agreement or amend the one currently in place.  Last but not least, depending on what authority the language in the agreement provides, firms can have each client sign an SLOA and then adhere to the SEC IAA No-Action Letter.

3. Utilizing a client’s password to monitor or make trades in an online account, such as a 401k plan account – This generally happens when the custodian of the 401k plan does not allow advisers to have independent access. However, utilizing the client’s password gives the adviser access to client funds and securities and, in most cases, the ability to transfer or withdraw such assets.

Steps to avoid having to obtain a surprise exam:

The best-case scenario is to have independent access that does not allow activity other than trading.  Also, there are some custodians where the client’s access only allows trading and not the ability to transfer or withdraw, so the adviser could use the client’s login without triggering custody, but this should be periodically confirmed and documented.  Otherwise, advisers will need to give trade instructions to the client for implementation.


The interpretation of the Custody Rule can be difficult, but the repercussions of having custody without meeting the requirements of this rule can be very costly[5].  Importantly, as part of the annual review process, compliance personnel should perform an analysis to determine if any services are imputing custody and ensure all required steps are being followed.

For more information on the above, or if you have questions regarding the Custody Rule and how it applies to your firm, please contact us at (619) 278-0020.


Author:  Tina Mitchell, Managing Director, Consultation Services; Core Compliance & Legal Services, Inc. (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity firms and banks on regulatory compliance issues. This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.


[1] Most recently, the SEC issued a no-action letter to the Investment Advisers Association (February 21, 2017), updated its Frequently Asked Questions (“FAQs”) on custody, and issued written guidance on inadvertent custody.

[2] Under the Custody Rule, SEC registered advisory firms with custody must take the following minimum core steps: (i) ensure clients’ managed assets are maintained by a qualified custodian (as such term is defined in the Custody Rule), (ii) have a reasonable belief after due inquiry that clients are receiving accounts statements from their custodian containing certain information, including the amount of advisory fees debited from the account; and (iii) provide written notice to clients of the custodian’s name, address, and the manner in which the funds or securities are maintained anytime you open a custodian account on behalf of the client.

[3] Notably, firms can forward checks received from clients drawn on the client’s bank account without being deemed to have custody.

[4] See http://www.corecls.com/blog/no-action-letter-on-custody-pertaining-to-standing-letters-of-authorization

[5] “SEC Charges Three Firms with Violating Custody Rule” – https://www.sec.gov/news/press-release/2013-230
