Executive Summary
Safeguarding client assets is one of an RIA's most fundamental duties – and a core focus in state and SEC examinations. Yet, despite its importance, the Custody Rule (Rule 206(4)-2 under the Investment Advisers Act of 1940) remains one of the most misunderstood and unintuitive compliance areas for RIAs.
In this guest post, Rich Chen, founder of Brightstar Law Group, unpacks the nuances of the Custody Rule, clarifying when custody is triggered and how RIAs can build operational systems that reduce regulatory risk.
Advisors often assume that custody only applies when they physically hold client assets. In reality, custody can be triggered in a broad range of scenarios, including when an advisor has authority to move client assets, such as via fee deduction, Standing Letters Of Authorization (SLOAs), or even serving in a legal role like trustee or executor. In many cases, advisors don't realize they've triggered custody – and are caught off guard by the compliance consequences, particularly the requirement for an annual surprise examination by a third-party accountant.
Once custody is triggered, RIAs must comply with a host of additional regulatory requirements. These include holding client assets with qualified custodians, sending clients written notice of custodial arrangements, ensuring clients receive quarterly account statements directly from custodians, and undergoing a surprise examination – unless a valid exemption applies. Accurate disclosure of custody status on Form ADV is also essential, as SEC examiners often compare operational practices with reported information to identify inconsistencies.
The Custody Rule includes limited exemptions that may ease the compliance burden. For example, when RIAs trigger custody solely through fee deduction, they can avoid the surprise examination requirement if they satisfy the other Custody Rule requirements and fee deduction is the only basis for their having custody of client funds and securities. A similar exemption exists for SLOAs, but only when the RIA satisfies a detailed list of specific criteria – from proper documentation to annual client reaffirmations and third-party confirmations.
Custody can also arise through related persons of the firm – such as affiliates or entities under common control – which further complicates the compliance landscape. And for state-registered RIAs, custody obligations may differ significantly, with some states imposing additional requirements for firms with custody, such as net capital minimums or surety bond mandates. These financial safeguards (often triggered automatically by the presence of custody) vary by jurisdiction and must be proactively monitored – especially after events like ownership changes and changes in service offerings – to ensure ongoing compliance.
Ultimately, custody compliance hinges on operational awareness and discipline. Many custody-related violations aren't the result of bad intent, but of small missteps or overlooked details. RIAs can reduce their risk by proactively inventorying custody risk across all client relationships, reviewing internal processes and third-party practices, and building systems for documentation (e.g., creating check logs and SLOA files), staff training (e.g., ensuring compliance awareness), and review (e.g., implementing internal compliance matrices). These practices will help to demonstrate good faith efforts to comply with rules while also reducing the risk of deficiencies during audits or exams. And by treating custody compliance as a core element of the firm's integrity instead of just a regulatory requirement, RIAs can reduce risk while strengthening trust with clients and improving operational oversight!
Given the imperative that the SEC places on safeguarding client funds and securities, it's no surprise that compliance with the Investment Advisers Act's Custody Rule – found in Rule 206(4)-2 under the Investment Advisers Act of 1940 – is perennially one of the most heavily scrutinized areas during SEC exams. However, the Custody Rule is far from intuitive and is a common source of misunderstanding among RIAs.
For instance, a common misconception is that custody only involves physical possession of client assets. As a result, advisers often overlook other circumstances that also constitute custody and require compliance with the Custody Rule. In addition, the detailed requirements that apply once an RIA has custody (and when exemptive relief can be claimed) frequently breed violations of the Custody Rule. Unfortunately, this means that the SEC continues to discipline RIAs for violations, making it essential that RIAs understand when they have custody and what obligations follow to comply with the Custody Rule.
While the Federal Custody Rule governs the activities of SEC-registered RIAs, most states have adopted their own variations of the Custody Rule. As a result, state-registered RIAs must navigate custody-related requirements specific to their state, which may differ in scope and complexity from those under the Federal Custody Rule.
What Is Custody Under The Custody Rule?
Custody is one of the most complex concepts in the Investment Advisers Act. While it may sound like something that applies only when an RIA physically holds a client's cash or stock certificates, the Custody Rule captures a much broader variety of situations. Under the Custody Rule, custody can exist any time an RIA has the ability to access or take possession of a client's funds or securities – even if that capability is never exercised.
A single sentence in an account agreement, a convenience designed to streamline service, or even a forgotten login credential saved in the back office can be enough to trigger custody status under the Custody Rule. Once the Custody Rule applies, the RIA is generally required to keep assets with a qualified custodian, notify clients of the custodial arrangement, ensure the custodian sends quarterly account statements directly to clients, and – unless an exemption is available – arrange a surprise examination by an independent public accountant. These safeguards can be expensive and time-consuming, making it essential for SEC-registered RIAs to recognize when custody is triggered and understand the compliance obligations that flow from having custody.
Physical Possession Of Client Funds Or Securities
The most intuitive way to trigger custody is by physically possessing client funds and securities – including, among other things, stock certificates and securities of private investments.
For example, if a client stops by to drop off a rollover check or mails a stock certificate for re-registration, and the receptionist places it in the operations inbox to be sent to the custodian, the RIA may have triggered custody under the Custody Rule, depending on how the situation is handled. Many advisers mistakenly believe that simply forwarding a client's check to the custodian avoids custody. But, under the rule, even brief possession of client funds or securities generally constitutes custody, because it creates the potential for misuse of client assets.
The only safe harbor, in most cases, is to return the check or security directly to the sender – unaltered – within three business days. Once the firm takes possession, forwarding it to the custodian does not negate custody.
Importantly, the payee and the drawer of the check both matter. If the RIA receives a check made payable to the client – even if drawn from the client's own account – custody is triggered, because the RIA holds an instrument it could theoretically endorse or negotiate. The risk arises from the RIA's practical ability to misappropriate the funds, not from whether the client or another party issued the check. In this case, the way to avoid custody would be to return the check to the client or sender within three business days.
A narrow exception applies when a third party (not the client) sends a check representing a client's tax refund or class action settlement proceeds. In those cases, custody is not triggered if the RIA promptly forwards the check – unaltered – to the client or custodian.
Custody also is not generally triggered if the check is made payable to the custodian or another qualified third party, and the RIA forwards it promptly and without alteration. This is true because a check made out to a party other than the client does not constitute the client's funds or securities.
Regulators routinely cite custody violations where advisers hold client checks or securities beyond the permitted timeframe or wrongly assume that forwarding alone is enough to avoid custody.
Deducting Advisory Fees From Client Accounts
Another common convenience is direct fee debiting. Many RIAs authorize custodians to deduct advisory fees directly from client accounts, avoiding the need to send invoices and chase payments. However, this authority to direct custodians to move client funds is considered custody under the Custody Rule.
Recognizing that this type of custody is widespread, the SEC waives the surprise examination requirement when fee debiting is the only basis for custody, provided certain conditions are satisfied (discussed later).
Effecting Transactions With Non-DVP Arrangements
Trading discretion by itself usually does not trigger custody, thanks to Delivery Versus Payment (DVP) protections. In a proper DVP arrangement, securities and cash move simultaneously through the custodian or clearing firm, which means the RIA never actually touches client funds or securities.
Custody risks arise when RIAs engage in transactions that fall outside DVP protections. This can happen in private placements, bespoke debt instruments, or cryptocurrency transfers where settlement processes don't tie the delivery of securities directly to payment. Even when authority is limited to trading, custody may still arise if the RIA can initiate payments without corresponding security delivery (e.g., by wire or crypto wallet).
Money Movement Arrangements
Handling money transfers for clients, especially to third parties, creates another well-meaning but risky scenario that can trigger custody. Common examples include bill payment services where RIAs handle recurring payments like tax estimates, tuition, or charitable donations without requiring the client to sign each time to disburse funds.
Transfers between a client's own accounts generally don't create custody, provided the instructions list both account numbers and the accounts are identically registered. However, vague instructions – such as authorizing "transfers to my bank account" without specifying which account – or discrepancies in ownership details (e.g., when transfers involve jointly held or trust accounts) can still lead to custody findings.
As discussed later, the SEC has granted limited exemptive relief from the Custody Rule's surprise examination requirement for certain Standing Letters Of Authorization (SLOA) arrangements, which allow RIAs to direct transfers of client funds from the qualified custodian to specified third-party accounts with no need for the client to sign for each request.
Access To Client Account Credentials
When an RIA holds or controls login credentials that allow for the movement of funds or securities out of the account, the SEC views such arrangements as constituting custody – even if the authority is never used.
Many RIAs may not even be aware they are in possession of client account credentials. For instance, RIAs increasingly offer account aggregation services and use consolidated reporting tools that pull data from held-away accounts. Many of these systems require client-level credentials (including usernames and passwords) to access balances or transaction details. Even storing passwords in a credential vault or using screen-scraping tools that require logins can turn dozens or even hundreds of held-away accounts into custody accounts under the Custody Rule.
General Powers Of Attorney
Another way custody is triggered is when a client grants the RIA a general power of attorney, often to allow the RIA to help manage broader aspects of their financial affairs beyond investment management. This can give the adviser authority not only to trade securities but also to move client funds – for example, by directing disbursements and transferring cash or securities to third parties – as well as to change account ownership details. This broad authority creates the potential for misuse or misappropriation of client assets, which is exactly what the Custody Rule is designed to guard against.
By contrast, limited powers of attorney that authorize the RIA only to trade in the client's account – without the ability to move or withdraw funds – do not trigger custody. These trading authorizations allow the adviser to implement the client's investment strategy without gaining control over client assets.
This distinction highlights the importance of carefully drafting client agreements and structuring and documenting client authorizations. Advisers should regularly review the scope of their authority to ensure they're not inadvertently creating custody and triggering additional regulatory obligations.
Serving As Trustee Or Executor For Clients
Custody also arises when an RIA or its personnel serve in legal roles that go beyond their advisory relationship, such as a trustee of a client trust or executor of a client's estate. In such roles, RIAs typically have full legal authority to move or control client assets, even if no transactions are ever initiated. The Custody Rule treats this legal power as generally triggering custody because the RIA has unfettered access to the assets.
Even acting as co-trustee or co-executor alongside another party can be enough to trigger custody obligations unless the RIA cannot move funds or securities without the prior written consent of the other co-trustee or co-executor. A limited exception exists when an employee of an RIA is appointed as trustee because of a family or personal relationship with the grantor or beneficiary – not due to employment with the adviser.
Serving As General Partner Or Manager Of Entities With Client Funds Or Securities
Similarly, when an RIA serves as general partner, managing member, or equivalent control person of a pooled investment vehicle – such as a private equity fund, hedge fund, or real estate fund – or another entity (e.g., a limited liability company, limited partnership, or other pooled investment vehicle) that holds client funds or securities, custody is generally triggered. The RIA's legal authority to manage the entity and its accounts is usually sufficient to meet the Custody Rule's definition.
However, an RIA can generally avoid the surprise examination requirement when serving as a general partner or managing member of such an entity if it follows the requirements of the pooled investment vehicle audit exemption (discussed later).
Access To Client Credit Card Information
A lesser-known way RIAs can fall into custody is through possession or control of client credit or debit card information that allows them to initiate transactions. This risk is often overlooked in situations where advisers assist clients with setting up recurring payments – for financial planning services, insurance premiums, charitable contributions, or digital asset subscriptions. Even when offered as a convenience, storing credit card numbers or similar credentials that would enable unauthorized transactions can be enough to create custody under SEC guidance.
Custody Through Arrangements With Related Persons
Custody can arise not only from the RIA's own arrangements but also through those of certain "related persons". Under the Custody Rule, a related person is any person or entity directly or indirectly controlled by the RIA, that controls the RIA, or that is under common control with the RIA. This intentionally broad definition captures a wide range of relationships that RIAs may not immediately recognize as creating regulatory risk.
The term "control" itself is also defined expansively. It includes the power to direct the management or policies of another person or entity – whether through ownership of voting securities, by contract, or otherwise. Generally, a 25% ownership stake creates a presumption of control, though actual influence over management or policies can also establish control even at lower levels.
Importantly, related persons include not only entities but also individuals associated with the RIA. In practical terms, a related person could include:
- An affiliate of the RIA, such as a sister company under the same holding company, or a subsidiary owned by the RIA or its principals.
- A parent company that owns the RIA.
- Another company owned or controlled by the RIA's owners, partners, or senior officers.
- An RIA's CEO, President, COO, CIO, Treasurer or other employee with decision-making authority for the firm.
- Operational affiliates providing services like custodial support, back-office processing, or data management for the RIA.
An RIA is deemed to have custody when a related person holds, directly or indirectly, client funds or securities, or has any authority to obtain possession of them, in connection with advisory services the RIA provides to clients. RIAs often miss custody arising through related persons because they underestimate the regulatory significance of informal or operational relationships. Common examples include:
- Sharing office space, technology platforms, or employees with an affiliated entity that handles client assets.
- Having RIA personnel in control positions at another entity with custody.
- Relying on related persons for accounting, administrative, or custodial services without recognizing the indirect custody implications.
- Holding minority interests or contractual arrangements that confer indirect influence over another entity.
When custody is triggered through a related person, the RIA is subject to the same obligations as if it had direct custody itself. The SEC expects RIAs to conduct rigorous due diligence on their corporate affiliations and key personnel roles to identify and mitigate any indirect custody risks.
The expansive definition of related persons highlights how important it is for RIAs to map not just their organizational and affiliate structures but also the roles and outside positions held by their senior personnel. Without this awareness, RIAs can find themselves unintentionally swept into the Custody Rule's compliance framework.
Even small operational oversights – such as a missing account number on a standing transfer instruction, a forgotten client password stored in a file, or a missed audit deadline – can have significant compliance consequences. Taking a proactive approach, carefully reviewing every operational and legal relationship that touches client assets, and seeking guidance is essential for RIAs aiming to build custody compliance practices that withstand regulatory scrutiny.
Unpacking The Regulatory Requirements For RIAs With Custody
Once an RIA is deemed to have custody, the Custody Rule imposes a series of obligations designed to provide independent checks and safeguards. These requirements aim to assure clients and regulators alike that RIAs are handling client funds and securities with integrity and transparency. While the steps may seem straightforward, they're a frequent source of compliance failures, often due to subtle operational missteps or overlooked details.
Core Custody Rule Requirements For RIAs
- Assets Must Be Held By A Qualified Custodian. At the heart of the Custody Rule is the requirement that client assets be held by a qualified custodian. RIAs cannot hold client funds in their own firm's accounts, nor can they rely on informal arrangements or operational shortcuts. Qualified custodians, which are defined precisely by the SEC, include FDIC-insured banks or savings associations, registered broker-dealers, futures commission merchants registered with the Commodity Futures Trading Commission (CFTC), and certain foreign financial institutions that customarily hold financial assets.
Client assets must be held either in the client's name or in the RIA's name as agent or trustee. Compliance issues often arise when assets are inadvertently held outside these channels – such as when an affiliated entity handles client cash, or when private securities are not maintained according to the exception for privately offered securities (described later).
- Clients Must Be Notified Of Custodial Arrangements. In addition to securing assets with a qualified custodian, RIAs must notify clients in writing whenever a custodial account is opened on their behalf. This notice must include the custodian's name, address, and how the assets are being held. If there is any change in the custodian or how the account is registered, the client must be notified promptly in writing.
This obligation is often overlooked when firms onboard clients quickly and fail to document that the required notices were sent, or when custodial arrangements change (such as moving to a new custodian platform) and no follow-up notice is provided. The SEC's FAQs remind RIAs that even if the custodian sends its own welcome letter or documentation, the RIA still has an independent duty to provide this written notice.
- Clients Must Receive Direct Custodian Statements. RIAs must have a reasonable belief that qualified custodians send account statements directly to clients at least quarterly. These statements must detail all holdings and transactions to provide clients with an independent record of their assets.
The SEC expects RIAs to take reasonable steps to verify this process and to explicitly encourage clients to compare custodian statements to any performance or consolidated reports received from the adviser. Failure to do so can raise red flags, especially if it appears that the RIA is substituting its own reporting for the independent custodian's statements.
- Surprise Exams Are Required If No Exemption Applies. RIAs with custody – and without a valid exemption – must arrange for a surprise examination by an independent public accountant registered with and subject to inspection by the Public Company Accounting Oversight Board (PCAOB). The exam must be conducted each calendar year at a time chosen by the accountant without prior notice to the RIA, with the accountant verifying client funds and securities and filing Form ADV-E with the SEC within 120 days of starting the exam. If material discrepancies are found, the accountant is obligated to notify the SEC within one business day of discovery.
This requirement is often the most burdensome and costly aspect of the Custody Rule, with the cost generally ranging from $15,000 to $50,000 depending on the scope of the RIA's business and the number and types of accounts over which the RIA is deemed to have custody. RIAs that fail to comply with any of these requirements can be sanctioned.
- Custody Status Must Be Accurately Reported in Form ADV. Finally, although not specifically delineated in the Custody Rule, RIAs must accurately disclose their custody status in Form ADV, particularly in Part 1A, Item 9. This section requires firms to report whether they or any related person have custody and to specify the amount of client assets involved.
Although this might seem like a simple administrative task, errors here are common and carry significant risk. Firms sometimes overlook the need to update their ADV after operational changes – such as adopting SLOAs or beginning to serve as a private fund's general partner – and may mistakenly report "no" to custody questions. Examiners routinely cross-check custody disclosures against firm operations, and discrepancies can lead to deficiency letters or formal sanctions.
Navigating The Surprise Examination Requirement
For RIAs subject to the Custody Rule's annual surprise examination requirement, preparing for the surprise examination is about more than simply hiring a PCAOB-registered firm and waiting for the exam to take place. The quality of the accountant, the clarity of the engagement, and the RIA's internal readiness can make the difference between a smooth exam that satisfies regulatory requirements and a deficiency that draws scrutiny from the SEC. There are several practical considerations RIAs should evaluate when vetting accountants and facilitating the surprise exam process to reduce risk and demonstrate strong compliance practices.
Choosing An Experienced Custody Rule Examiner
Not every PCAOB-registered accounting firm has a deep understanding of how to conduct Custody Rule surprise exams. RIAs benefit from selecting an accountant who has meaningful experience with Custody Rule examinations and understands the SEC's expectations. Asking for references from other RIAs or compliance consultants can help identify accounting firms with a strong track record of conducting surprise exams that have withstood regulatory review. Familiarity with the nuances of custody compliance and documentation standards is often just as important as technical qualifications.
Clarifying The Scope In The Engagement Letter
The engagement letter with the accountant should clearly define the scope of work and specify that the exam will be conducted on a surprise basis, as required by the Custody Rule. It's important to confirm that the engagement letter does not unintentionally limit the scope of the exam in a way that could lead to an incomplete review. RIAs may also find it helpful to review the engagement letter with legal counsel or compliance professionals familiar with the Custody Rule to ensure the terms align with regulatory requirements.
Maintaining Internal Readiness
Even though the exam itself will be unannounced, RIAs should prepare in advance by ensuring custodial records, internal logs, fee billing records, SLOA documentation, and any other relevant materials are complete, current, well-organized, and accessible. Delays in providing the required records at the start of a surprise custody examination can make it difficult for the accountant to complete the exam within the mandated 120-day period.
If records are not readily available, the accountant is obligated to note these deficiencies in the report filed with the SEC, which could draw regulatory scrutiny. Regular periodic reviews can help ensure the firm is prepared to respond promptly to surprise examination requests.
Coordinating Communications And Access
Clear communication protocols with the accountant are essential. RIAs may wish to identify a point person or small internal team to serve as the primary contact for the accountant. This person or group should be prepared to provide timely access to necessary information. Having a communication plan in place can avoid unnecessary confusion or delays once the process is underway.
Documenting The Exam Process
Finally, RIAs should track and document the entire surprise exam process, from engagement through completion. This includes retaining the engagement letter, communications with the accountant, any checklists or materials provided during the exam, and a copy of Form ADV-E, which is filed with the SEC at the conclusion of the exam. In the event of follow-up questions from regulators or future examinations, this documentation demonstrates that the RIA took its obligations seriously and managed the process with care.
Custody Compliance Requires Ongoing Vigilance
Each of these requirements – from understanding when custody is triggered to preparing for the surprise examination – reflects the SEC's broader goal of ensuring that client funds and securities are protected by independent controls and operational transparency. The mistakes that commonly arise underscore why custody compliance demands more than simply understanding the Custody Rule itself. It requires ongoing awareness and operational discipline to ensure that no inadvertent custody scenarios are overlooked.
Custody Rule Requirements For State-Registered RIAs
While SEC-registered RIAs are subject to the Federal Custody Rule, state-registered RIAs face their own custody obligations as each state sets its own custody rules. While many states model their rules on the SEC's framework, they often impose additional requirements that differ in scope or emphasis, with the goal of enhancing client protection. These state rules are enforced alongside – or sometimes, in place of – the Federal standards.
Net Capital And Surety Bond Requirements
One of the most common state-level variations involves financial safeguards such as net capital minimums and surety bond requirements. Many states mandate that RIAs with custody maintain a minimum level of net worth as a safeguard against insolvency that could jeopardize client assets. These thresholds are often expressed as a fixed dollar amount – commonly between $10,000 and $35,000, though rules vary significantly. Importantly, not all assets count toward meeting this threshold – states typically exclude intangible assets like goodwill or deferred tax assets from the calculation.
RIAs that fall below the required net capital threshold may be required to post a surety bond as an alternative safeguard. In some states, bonding is required regardless of net capital levels. These bonds act as a financial backstop to protect clients by providing restitution if client funds or securities are misused.
Bond amounts vary widely depending on the jurisdiction. Some states set a flat dollar figure, while others scale the bond amount based on the value of client assets over which the RIA has custody. These requirements can become especially relevant following major business changes – such as distributions, large expenses, or ownership transitions – that affect the firm's balance sheet and could impact net capital standing.
Practical Considerations For State-Registered RIAs
For state-registered RIAs, one of the first practical steps is to research and confirm the specific bond and net capital requirements in each state where the firm is registered. State rules vary widely, and firms can benefit from consulting regulator websites, compliance counsel, or experienced compliance consultants to compile and maintain a clear summary of all applicable requirements.
To stay in compliance, RIAs should implement a system that tracks the firm's net capital on an ongoing basis – not just at periodic reviews at quarter- or year-end. This means maintaining internal financial records that clearly distinguish liquid assets from excluded categories like intangible assets or unsecured receivables. Working with their financial team or accountant to build reports aligned with state requirements can help avoid last-minute surprises even as the business evolves.
For RIAs required to obtain a surety bond, selecting a reputable provider familiar with RIA regulatory obligations can help streamline the underwriting process. RIAs should be prepared to provide financial statements, organizational documents, and other information required by the bonding company. Comparing terms from multiple providers can help ensure competitive pricing and appropriate coverage.
Documentation is also critical in demonstrating compliance. RIAs should retain proof of surety bonds and related correspondence in a well-organized compliance file. This includes the bond certificate itself, any renewal confirmations, and communications with the bonding company. Similarly, records of net capital calculations, internal reports, and financial statements submitted to regulators should be maintained in a format that can be easily provided during a regulatory exam.
Finally, it's helpful to build net capital and bonding deadlines into the firm's compliance calendar and assign responsibility for monitoring them to a specific team member or officer. This ensures timely bond renewals, accurate tracking of net capital, and awareness of any business changes that could affect custody status or financial requirements.
Key Exemptions Under The Custody Rule
The SEC recognizes that not every custody situation presents the same level of risk to client assets. To balance investor protection with practical realities, the Custody Rule provides several forms of exemptive relief designed to ease the compliance burden for RIAs with limited or low-risk custody situations. These exemptions can significantly reduce compliance burdens, but they are subject to specific technical requirements that are often misunderstood or overlooked, leading to deficiencies and, in some cases, enforcement actions.
Deduction Of Advisory Fees
One of the most common exemptions applies when an RIA has custody solely because of its authority to deduct fees directly from a client's custodial account. This still constitutes custody under the rule, but the SEC waives the surprise examination requirement if fee deduction is the only basis for the RIA having custody of client funds and securities and the other requirements of the Custody Rule have been satisfied.
RIAs often (incorrectly) assume that merely having fee deduction authority qualifies them for the exemption. But the SEC's FAQs emphasize that RIAs must have a reasonable belief that clients are receiving account statements – and that belief must be demonstrable to examiners. Failure to verify that custodians are consistently sending account statements is a common compliance gap.
Standing Letters Of Authorization (SLOAs)
Because Standing Letters Of Authorization (SLOAs) give RIAs the authority to withdraw client funds, they create custody under the Custody Rule. Recognizing the widespread use of SLOAs, the SEC offered relief through a 2017 no-action letter, eliminating the need for a surprise exam if all seven of the following conditions are satisfied:
- Detailed written instructions. The client must provide written authorization that clearly designates the recipient of the funds, the account number, or other specific information that identifies where the custodian is to send the money.
This is not satisfied by vague or open-ended instructions. The SEC has emphasized that the instructions must be sufficiently detailed so that the RIA does not have discretion to choose the recipient or account on behalf of the client.
- Custodian confirmation. Before executing the transfer, the custodian must confirm the RIA's directions to disburse funds in accordance with the client's instructions.
This confirmation provides an independent check that the RIA is not initiating unauthorized transfers. RIAs often assume that simply providing the custodian with the SLOA is enough, but the relief hinges on the custodian verifying each disbursement before it occurs.
- Client notifications. The custodian must promptly notify the client each time a transfer is made pursuant to the SLOA.
This ensures the client is immediately aware of every disbursement and can identify unauthorized activity. The SEC's FAQs point out that this notice is a critical safeguard and that RIAs must have a reasonable belief that the custodian consistently provides it.
- Client control. The client must have the ability to terminate or change the SLOA at any time.
This condition reinforces the client's control over the arrangement and provides a means to stop disbursements if concerns arise. RIAs sometimes overlook the importance of confirming that the custodian will honor a client's termination or modification of the letter promptly.
- No RIA discretion. The RIA must have no authority or ability to designate or change the identity of or information about the third-party recipient. The RIA's role is purely ministerial – limited to submitting instructions that align exactly with the client's written authorization.
This condition prevents RIAs from using SLOAs as a tool for discretionary transfers and is often misunderstood. Some RIAs inadvertently violate this condition by allowing their staff or systems to alter recipient details or by relying on overly flexible SLOA language.
- Annual notice. The custodian must send the client, at least annually, a written notice confirming the instructions under the SLOA.
This annual notice gives clients a recurring opportunity to review and reaffirm the arrangement. A frequent oversight is failing to ensure that the custodian actually sends this notice, as RIAs sometimes assume it occurs automatically without verification.
- No related recipients. The third-party recipient of the funds must not be a related person of the RIA.
This prevents the potential for misappropriation through the SLOA. RIAs occasionally miss this requirement by directing funds to entities controlled by the RIA's owners or affiliates without recognizing that this disqualifies the arrangement from exemptive relief.
Each of these conditions must be satisfied to claim relief from the surprise examination requirement. The SEC emphasizes that RIAs must take reasonable steps to confirm that both their internal procedures and their custodians' procedures align with these safeguards.
Firms often fall short of these requirements by focusing on their own controls without verifying that custodians are fulfilling their critical role in the SLOA process. That's why a detailed review of both RIA and custodian practices is essential before relying on this relief.
Pooled Investment Vehicles
RIAs who are general partners or managing members of pooled investment vehicles can avoid the surprise examination requirement by relying on the audit exemption. To qualify:
- The fund is audited annually by an independent public accountant registered with the PCAOB;
- Financial statements are prepared in accordance with US Generally Accepted Accounting Principles (GAAP); and
- Audited financials are distributed to investors within 120 days of the fund's fiscal year-end, or 180 days in the case of a fund-of-funds.
Despite its popularity, RIAs frequently misapply this exception by selecting unqualified auditors, missing the delivery deadlines, or using non-GAAP financials, leading to sanctions for such violations.
Another common error occurs when RIAs assume that engaging an auditor alone is sufficient, overlooking the need to actually distribute the audited financials to investors on time. The SEC has underscored in its FAQs that missing these deadlines negates the exception and results in a Custody Rule violation.
The Custody Rule applies when RIAs have custody of client funds or securities held at any time during the pooled investment vehicle's fiscal year. This means that a pooled investment vehicle launched late in the fiscal year still requires an audit for this ‘stump’ period. Likewise, a final liquidation audit is required when a pooled vehicle winds down.
Privately Offered Securities
The Custody Rule also provides limited relief for RIAs whose custody arises solely from holding or having access to privately offered securities such as interests in private funds, limited partnerships, or other private entities. Because they are not freely transferable (and may not have physical certificates that can easily be deposited with a custodian), these securities are often impractical to hold with a qualified custodian.
This relief focuses specifically on exempting RIAs from the qualified custodian requirement, which means that RIAs are not required to maintain these securities with a qualified custodian. To qualify for this relief, several strict conditions must be met:
- The securities must be acquired directly from the issuer in a transaction not involving a public offering, as defined under the Securities Act of 1933. In other words, these are securities obtained in a private placement that were not available to the general public.
- The securities must be uncertificated, meaning no physical certificate exists, and they must be recorded only on the books of the issuer or its transfer agent in the client's name.
- If the securities are certificated, they must be held in a secure location under the RIA's or a related person's control and be subject to verification during a surprise examination by an independent public accountant.
- The securities must be transferable only with prior consent from the issuer or other security holders to reduce the risk that the securities could be improperly sold or transferred without the oversight or agreement of other parties.
Importantly, while this relief exempts RIAs from using a qualified custodian, it does not exempt them from other Custody Rule obligations. For example, RIAs may still be required to obtain a surprise examination unless they qualify for another exemption, such as the pooled investment vehicle audit exception. A common mistake is assuming this exemption eliminates all custody-related requirements. RIAs that do not satisfy the other Custody Rule requirements have been sanctioned for failing to maintain assets with a qualified custodian.
To rely on this relief, RIAs must carefully document and demonstrate compliance with each element of this exemption. Challenges can arise, for example, when certificated securities are held without proper safeguards, when securities don't fully meet the definition of privately offered securities, or when clear records are not maintained to show that the securities are recorded solely in the client's name on the issuer's books. Examiners have noted deficiencies in situations where RIAs relied on this exemption but were unable to produce sufficient evidence that the securities were uncertificated or subject to proper transfer restrictions.
In each of the above-described scenarios, the SEC's intent is to provide narrowly tailored relief that reflects the reduced risk posed by certain forms of custody, while still ensuring that client assets are protected through appropriate safeguards. Difficulties often stem from the assumption that partial compliance or good intentions are enough. In practice, the relief is highly technical, requiring RIAs to closely coordinate their internal practices, documentation, and third-party relationships – including those with custodians and auditors – to ensure that every condition is met. Even a minor oversight can inadvertently turn a well-meaning attempt at compliance into a regulatory concern.
Avoiding Pitfalls In Custody Rule Compliance
Because of the intricacies of the Custody Rule and ongoing changes in an RIA's business, custody compliance works best when approached proactively. Rather than reacting to a regulator's deficiency letter, RIAs can reduce risk by building firm-wide processes that identify custody triggers early and document how those situations are managed with care and diligence.
A good starting point is for RIAs to inventory all client accounts and relationships to examine how the firm interacts with client assets in every scenario. This includes determining whether the firm is ever listed on client accounts with withdrawal rights or power of attorney, directly deducts fees from client accounts, or serves in roles such as trustee, executor, general partner, or managing member for any client entities. Firms should also review whether they have any SLOAs in place and whether those arrangements are properly documented and monitored. Even operational practices like receiving client checks or stock certificates can inadvertently trigger custody if not managed carefully. Once potential custody situations are identified, documenting the firm's analysis in a compliance matrix or tracking sheet helps demonstrate a thoughtful, systematic approach that can be shown during an examination. Regulators expect to see not only what the RIA did but also how the RIA systematically evaluated and monitored custody exposure.
Training is another cornerstone of custody risk mitigation. Even well-designed policies can be undermined if frontline staff aren't aware of how everyday actions can create custody. Client service teams, operations personnel, and other staff who handle client requests or paperwork should receive regular training tailored to the firm's operations to illustrate how seemingly routine actions – like forwarding a check or processing a third-party payment request – can introduce compliance risk. Training sessions held at least annually that reinforce key points can help maintain vigilance across the team.
Finally, documentation is the linchpin of any successful custody compliance program. Regulators want to see clear, organized records that show how the firm is managing custody risk. Best practices include maintaining thorough records of fee deduction authorizations, check logs, SLOA documentation and related custodian confirmations, communications with auditors regarding surprise exams or fund audits, Form ADV amendment submissions and confirmations, and the results of internal custody reviews and compliance checklists. A well-organized custody file not only supports the firm's practices during a regulatory exam but also helps protect the firm's reputation and reduces the risk of costly and time-consuming enforcement inquiries.
The SEC's Custody Rule, along with state-level counterparts, is designed to ensure that clients' assets are handled with transparency and care. But the rules aren't always intuitive, and the compliance responsibilities don't always align with how RIAs perceive risk.
Ultimately, the key to strong custody compliance is not just understanding when custody arises, but building day-to-day operational controls that prevent accidental violations. Internal reviews, qualified service providers, consistent staff training, and accurate disclosures all help demonstrate that the firm takes its role seriously.
And when custody compliance is done well, the benefits go beyond regulatory peace of mind. It signals to clients, auditors, and prospective partners that the firm prioritizes trust – and backs that up with clear, well-executed safeguards!