The so-called RIA “Custody Rule” under the Investment Advisers Act of 1940 was designed to ensure additional oversight of an RIA that has actual possession of client assets, including both additional reporting to clients, and the requirement of a “surprise” annual audit of the firm. Given the costs involved to comply, most RIAs will go out of their way to avoid having custody so that the rules aren’t triggered.
Yet a recent SEC “Risk Alert” warns that as many as 1/3rd of RIAs are failing to comply properly with the custody rule, most commonly because the RIA fails to realize it has custody in the first place! As the SEC notes, just using a third-party custodian like Schwab or Fidelity alone is not a safe harbor; there are many ways an RIA can indirectly trigger custody, from being a trustee on a client’s account, to providing bill-pay services, and even “just” having a client’s username and password for their 401(k) can be enough to trigger the rule sometimes!
Accordingly, as RIAs continue to expand their services to differentiate in today’s increasingly competitive environment, it is more crucial than ever for firms to be aware of where the line is when it comes to the custody rule. In some cases, firms may decide that having custody – and handling the additional compliance requirements – is worthwhile for the service that will be provided to clients. But if the goal is to not have custody, firms need to be more cautious than ever about how their services are executed – and some may need to step back from a line they’ve already crossed, when it comes to common situations like having client login details to rebalance their accounts!
Requirements Of The RIA Custody Rule 206(4)-2 Of The Investment Advisers Act
Under Section 206(4)-2 of the Investment Advisers Act of 1940 and the supporting guidance from the SEC, a registered investment adviser (RIA) is deemed to have custody when it holds “directly or indirectly, client funds or securities or has any authority to obtain possession of them.” Such custody situations include those where the advisor actually takes possession of the client’s assets to invest them (e.g., with a check made out to the advisor, or into certain pooled investment vehicles the advisor controls), or where the advisor has legal control of the funds being invested (e.g., as the trustee of a trust, or under a Power of Attorney).
Notably, the significance of an investment adviser having “custody” of client assets is not that it’s illegal to do so, but that having custody subjects the RIA to significant additional oversight requirements, meant to ensure that client assets are not stolen or otherwise misappropriated. The additional obligations for RIAs that have custody include, most significantly, a requirement for an annual “surprise” audit by an independent public accountant (at the adviser’s expense) to verify client assets. Once completed, the RIA must submit Form ADV-E to the SEC within 120 days, along with the accountant’s certification of the exam and its results. In the case of a pooled investment vehicle that the RIA controls, the RIA surprise audit may be waived, only by having the underlying investment vehicle undergo its own annual audit process. And RIAs subject to the custody rule also have additional requirements for providing notification to clients when accounts are opened, statements detailing their holdings, and must use a “qualified” third-party custodian or be subject to yet further additional audit and oversight requirements to verify the firm’s internal controls.
Notably, under these rules, even just having the power to withdraw an investment advisory fee from an account can be deemed custody – since the advisor has the ability to “control” at least a portion of the account, including being responsible for calculating the “appropriate” fee to be extracted in the first place – although if the RIA’s control is limited to just deducting its advisory fees, the audit requirement is waived. In addition, in more recent guidance the SEC also indicated that if the custodian makes all fee calculations based on the advisory contract, then the advisor is not deemed to have custody at all.
Given the substantive cost and time commitment of the surprise audit and the other requirements when having custody (beyond just the ability to sweep for management fees), in practice many/most investment advisers in turn try to take steps to avoid being deemed to have custody, unless there is truly a substantive business reason to take on the additional responsibility.
SEC Risk Alert On “Accidental” Compliance Failures Including Logging In With Client Passwords
While in the early days of investment advisers, whether an RIA had custody or not was a fairly straightforward determination, as advisory firms have increasingly expanded the depth of their “wealth management” services, an increasing number are triggering the custody rule by more indirect means. In fact, in 2013 the SEC issued a “Risk Alert” on the custody rule, noting that almost 1/3rd of firms recently examined had deficiencies pertaining to custody-related issues – most commonly triggered because the RIA didn’t even realize it had custody in the first place.
For instance, as a number of advisors have expanded services into providing bill-paying for clients – and therefore have authority to withdraw funds from client accounts to pay those bills, and/or to write checks on the client’s behalf – the custody rule can be triggered. If the advisor or any employees of the RIA are involved as a trustee for a client’s account(s) – or even “just” have a Power of Attorney – the control over client assets means the custody rule applies. In fact, even just taking possession of a check made payable to a client, or a client’s stock certificates, can trigger the custody rule, unless returned promptly within 3 business days (and notably, to avoid custody, checks payable to the client or stock certificates in the client’s name must be returned to the sender, not merely forwarded on to the final destination!).
Perhaps even most notable, given the practices of many RIAs, the SEC’s Risk Alert noted that just having online access to a client’s accounts can trigger custody, if the online access includes the ability to withdraw funds or transfer them to another account. In other words, just getting a client’s username and password to log in on their behalf and rebalance their 401(k) can actually trigger custody, unless the online portal truly limits the capabilities to just rebalancing and doesn’t allow any means to withdraw or transfer the assets.
Just because the advisor has authority to log in and make the trades under an Investment Advisory Agreement doesn’t mean the advisor is exempt from the custody rules if being able to log in grants “too much” control to the advisor over the client’s assets!
Complying With The SEC's RIA Custody Rule – Commit To Having Custody, Or Really Don’t!
As noted earlier, for most RIAs, the cost and operational commitments to complying with the custody rule make it impractical to have custody, unless it’s truly a core part of the business plan to provide services/solutions that necessitate having custody. For instance, if the firm is really committed to providing bill-pay services for clients – and the custody that entails – then the firm can budget accordingly for the surprise audit exam, and establish the other necessary internal controls to protect client assets.
On the other hand, as the SEC noted when issuing its Risk Alert, it is far more common that an RIA does not intend to have custody, but “accidentally” puts itself in that position anyway. Which means the firm now faces additional deficiencies for not being aware it has custody and not complying with the audit exam and other custody requirements!
Accordingly, for RIAs who don’t want to have custody of client assets, some may need to adjust the services being offered to clients, specifically to avoid having custody. This may include establishing a clear process for not taking stock certificates from clients (which should be returned promptly, so the client can deposit/deliver them directly to the custodian instead), and having clear policies that the advisor and other employees cannot be trustee or power of attorney for any client accounts.
Perhaps the greatest speed bump for many RIAs – if only because I find anecdotally, it is so common – is the possession of login details (usernames and passwords) for a client’s outside financial accounts, perhaps either to do rebalancing on the client’s behalf, or simply to have easy access for getting the account balance to update the client’s financial plan. Notably, having access to client accounts is not necessarily an automatic trigger of custody, but an RIA that allows advisors/employees to have such access would likely need to take additional steps to confirm and be able to demonstrate that the online account access really does not provide too much control. In addition, the RIA would arguably need a process to regularly (annually?) review those online accounts to be certain they still don’t provide too much control, as the capabilities of online access to financial accounts change over time as companies add new “features” that could create problems for the RIA.
Accordingly, most RIAs will probably find it easier to just prohibit all advisors/employees from having login details for client accounts at all, and destroy any such information the firm currently has. For firms that still want to provide the service, getting updated account balances might be done instead through the use of a third-party account aggregation tool (e.g., ByAllAccounts, Wealth Access, Yodlee via MoneyGuidePro, the eMoney Advisor client portal, etc.), as just getting details about the client’s account balance but not access to the (online) account itself would not trigger custody. Similarly, if the advisor still wants to help clients rebalance, it could be done by having the client log into the account and do the rebalancing on the spot under the advisor’s guidance during an annual review meeting (where the client remains in control of the login details throughout).
The bottom line, though, is that as firms continue to try and expand and differentiate their services for clients in an increasingly competitive environment, it may be increasingly common for those RIAs to bump up against the line of what does and does not constitute custody. Firms that truly intend to cross the line and are prepared to have custody of client assets – and comply with the associated regulatory requirements – may certainly choose to do so, but if the intention is to not have custody, it is equally important to ensure that the appropriate steps are taken to avoid custody, too!