The Securities and Exchange Commission’s (SEC) risk alerts provide valuable guidance for RIA compliance – shining light on areas in which firms may be unknowingly lacking.
With that in mind, we’ve published a series on common adviser deficiencies based on those very alerts. This third piece in our series centers on the custody rule, which provides crucial investor protections to adviser clients.
Related: Read Part 1 on the Books and Records Rule and Part 2 on the Code of Ethics Rule
Let’s explore the core requirements of the custody rule, where advisers are getting it wrong and three key steps you can take to stay compliant with custodial regulations.
What is the custody rule?
The SEC’s custody rule, also known as Rule 206(4)-2 of the Investment Adviser’s Act, sets forth guidelines for how federally registered firms hold client securities and funds. Its purpose is to protect investors and minimize risk of misappropriation by advisers who have access to their funds.
Key requirements of the custody rule include:
- Safekeeping of assets, which is an overarching element of the rule that prohibits fraudulent activity and misuse of funds, while also ensuring firms choose qualified custodians for their clients.
- Annual audits, which will provide independent verification and shall be conducted by a public accountant.
- Separation of assets, meaning that client funds are each kept in separate accounts with the appropriate names attached.
- Distribution of client statements, to be sent each quarter and which should include all transactions from that time period.
- Notices to clients, which provide written notice to clients of any custodial accounts opened on their behalf.
The above list is by no means exhaustive and doesn’t touch on exceptions to the requirements but serves as a baseline overview of the custody rule.
Note: If your firm is state registered, you must be mindful of state rules, while SEC registered firms will follow Rule 206(4)-2.
Related: What RIAs Must Know to Comply with the Custody Rule
Proposed amendments to the custody rule
It’s also worth noting that the SEC proposed enhanced custody requirements in early 2023, with a provision to expand the rule to include all client assets (including cryptocurrencies) rather than just securities and funds.
SEC Chair Gary Gensler said:
“Congress gave us authority to expand the advisers’ custody rule to apply to all assets, not just funds or securities. Further, investors would benefit from the proposal’s changes to enhance the protections that qualified custodians provide. Thus, through this expanded custody rule, investors working with advisers would receive the time-tested protections that they deserve for all of their assets, including crypto assets, consistent with what Congress envisioned.”
The proposed rule also includes updates to the Form ADV, as well as further investor protections. While this is yet to be adopted into law, it’s important to keep these potential amendments on your firm’s radar.
Related: SEC Custody Rule proposal: What it means for your advisory firm
Common deficiencies with the custody rule
The custody rule has been around for many years, and while RIA deficiencies have varied throughout that time, there are a few common areas in which firms across the board may need further attention.
Namely, failure to recognize custody of a client’s assets.
Custodial requirements apply if an adviser simply has access to withdraw, trade or manage funds. Acting as a trustee, holding power of attorney or even obtaining client passwords could also mean you have a responsibility to follow the custody rule.
Note: Standing Letters of Authorization (SLOAs) where clients give a firm standing orders regarding the account are considered custody if that SLOA instructs the RIA to move funds from the client’s account to a third-party.
Furthermore, a “related person” having access to funds also counts, with related persons defined as “including officers, partners, directors, most employees, and anyone controlled by, controlling or under common control with the adviser.”
Beyond recognizing custody, the SEC also recently charged several firms for custody rule violations. These charges included failure to perform or distribute annual independent audits within the designated timeframes, as well as improperly disclosing audit statuses in their Form ADVs.
Related: What went wrong: SEC custody rule violations totaling more than $500,000
Lastly, the SEC noted that:
“…certain advisers did not provide independent public accountants performing surprise examinations with a complete list of accounts over which the adviser has custody or otherwise provide information to accountants to permit the accountants to timely file accurate Form ADV-Es.”
These examinations are key to independently verifying custodial compliance, and failure to do so compromises investor safety. The SEC also noted that audits occurring at the same time each year were not sufficient in that they “may not have been conducted on a “surprise” basis.”
How to comply with the custody rule
Here are three key steps you can take to stay compliant with custodial regulations:
Recognize custody.
Understanding what qualifies a client as under your custodial care is crucial to keeping compliant. At the most basic level, the SEC says “an adviser has custody if it has the authority to withdraw client assets maintained with a qualified custodian upon the adviser’s instruction to the custodian.”
If you have online account access (even via just knowing their login information) or have the ability to access funds in any other capacity, you may have custody.
It’s best to regularly review your team’s book of clients and identify all “related persons” to ensure you’re aware of all clients that may be in your custody.
Complete annual audits correctly.
Annual audits must be conducted by “an independent public accountant registered with, and subject to regular inspection by the PCAOB” (Public Company Accounting Oversight Board).
Your annual audits should be on a surprise basis only – meaning your firm has no forewarning and the audits aren’t conducted at the same time each year.
Update your clients and Form ADV.
After completing those audits, your firm must deliver those reports to clients and update Form ADV sections accordingly, and within the set timeframes. Generally, advisers have 120 days from the end of the fiscal year to distribute audit reports to clients and update the Form ADV-E.
Being aware of common RIA deficiencies can help your firm stay on track for compliance and bring attention to areas you may not even know are lacking. Recent risk alerts and SEC charges point toward the custody rule as a key place for firms to focus their attention – and these three steps offer a great starting point for RIAs wishing to keep compliant.
Learn more with COMPLY
Our full-service compliance software can help your team stay apprised of changing regulations and meet custody rule requirements. Click here to learn more or book a free demo today.