Understanding SEC Custody Rules: From SLOAs to Login Credentials

How RIAs Can Stay Compliant and Avoid Unintended Triggers

By Oyster Consulting LLC

Suspension bridge tower in close-up silhouette at dusk

For Registered Investment Advisors (RIAs), compliance with the SEC’s custody rule is an ongoing challenge—especially when custody is unintentionally triggered by day-to-day activities. Most advisors use qualified custodians, but certain actions—even those made in the name of client service—can result in a firm being deemed to have custody of client assets. The consequences can be significant, including surprise audits, amended filings, and enhanced policies and procedures.

What Triggers Custody?

The SEC defines custody broadly. An RIA is deemed to have custody not just when it holds client funds or securities, but also when it has the authority to withdraw them or access client accounts.

Some of the most common triggers include:

Fee Deduction Authorization

Automatically deducting advisory fees from client accounts constitutes custody. While this form of custody does not require a surprise verification audit, it still must be disclosed properly.

Physical Possession of Assets

Accepting checks or securities—especially if made payable to the advisory firm—can trigger custody. Simply returning a check made payable to the advisory firm to the client is not sufficient to avoid custody. The check must be returned to the original sender. If improperly handled, even briefly possessing these items can create compliance issues.

Control Over Client Accounts

This includes situations where advisors or associated persons are named as trustees, executors, or have power of attorney. These roles allow access to client funds and therefore fall under the custody rule.

Standing Letters of Authorization (SLOAs)

These authorize custodians to transfer assets to third parties. While the SEC issued a no-action letter in 2017 providing a safe harbor, RIAs must meet all seven outlined conditions.

  • The client provides an instruction to the qualified custodian, in writing, that includes the client’s signature, the third party’s name, and either the third party’s address or the third party’s account number at a custodian to which the transfer should be directed.
  • The client authorizes the investment adviser, in writing, either on the qualified custodian’s form or separately, to direct transfers to the third party either on a specified schedule or from time to time.
  • The client’s qualified custodian performs appropriate verification of the instruction, such as a signature review or other method to verify the client’s authorization, and provides a transfer of funds notice to the client promptly after each transfer.
  • The client has the ability to terminate or change the instruction to the client’s qualified custodian.
  • The investment adviser has no authority or ability to designate or change the identity of the third party, the address, or any other information about the third party contained in the client’s instruction.
  • The investment adviser maintains records showing that the third party is not a related party of the investment adviser or located at the same address as the investment adviser.
  • The client’s qualified custodian sends the client, in writing, an initial notice confirming the instruction and an annual notice reconfirming the instruction.

Many custodians take responsibility for only part of the framework—leaving the remainder to the advisor.

Login Credentials

Holding a client’s credentials to access their 401(k) or other accounts—even with the client’s consent—can be deemed custody if it provides the ability to move funds.

Many of these actions arise from a desire to provide excellent service. However, well-intentioned activities can create significant regulatory exposure if custody is inadvertently triggered.

What Happens When Custody Is Triggered?

Once custody is established, firms must:

  • Amend Their Form ADV. Item 9 of Form ADV Part 1A must be updated to reflect the number of accounts and total assets under custody. ADV Part 2A must also be amended to disclose custody practices.
  • Engage a PCAOB-Registered Accountant. For custody that extends beyond fee deduction, RIAs must engage an independent public accountant to conduct a surprise verification audit within six months of discovery.
  • Update Policies and Procedures. Firms must build or revise their compliance framework to include ongoing supervision, internal controls, and documentation for all accounts subject to custody requirements.
  • Enhance Training and Oversight. Staff must be educated on custody triggers and proper handling procedures—especially those in client-facing or operational roles.

It is critical that firms understand their responsibilities and maintain clear oversight. Firms must know these nuances to remain in compliance.

The Importance of Ongoing Monitoring

Custody risk is not a one-time evaluation. Regular assessments of custodial relationships, third-party access, and operational processes are essential to maintaining compliance. Activities that were permissible at one point may evolve into custody triggers due to changes in custodial agreements or internal processes.

Oyster recommends including custody evaluations as part of:

Unintentional custody can be discovered during SEC examinations or internal reviews. Regardless of how it is uncovered, the SEC expects prompt action and full compliance once custody is established.

RIA Custody Rule Compliance Support

Oyster Consulting’s regulatory compliance consultants help RIAs identify and manage custody risks before they become regulatory problems. Our experts work with firms to evaluate operations, review custodial agreements, and implement strong internal controls. We guide clients through the steps required when custody is triggered, including amending ADV filings, engaging auditors, and enhancing compliance programs.

Whether you’re responding to a surprise discovery or proactively strengthening your compliance framework, Oyster provides the insight and support your firm needs to stay aligned with regulatory expectations and protect your clients’ assets, our regulatory compliance experts have the experience and perspective registered investment advisors need to comply with the SEC’s custody requirements. From Books and Records to Form ADV disclosures, our consultants ensure that your compliance program will meet regulatory expectations.

About The Author
Photo of Suspension bridge tower in close-up silhouette at dusk

Understanding SEC Custody Rules: From SLOAs to Login Credentials

More About

Related Content

Rippling water represents affects of unintentionally triggering custory

Podcast

Are You Unintentionally Triggering Custody?

Navigating the Complexities of the Custody Rule Navigating the Securities and Exchange Commission (SEC) Custody Rule 206(4)-2 remains one of the most challenging compliance areas for registered investment advisors. What seems like simple client service can unexpectedly trigger regulatory requirements with significant consequences. Financial advisors can unknowingly find themselves deemed to have custody of client […]

Learn More
female exec working at laptop represents AML risk assessment

Blog

Your AML Risk Assessment Is Not an Audit (and why it matters)

Regulators Are Watching—And Fines Are Steep Broker-dealers face steep consequences for anti-money laundering compliance failures. Regulators have imposed fines of up to $3 billion on some financial institutions for anti-money laundering (AML) failures, including failures that were the result of inadequate risk management. A common root cause? Many firms mistakenly equate their AML independent audits […]

Learn More
Close-up purple gemstone represents marketing review

Blog

Don’t Overlook Your Marketing Review Program

Simplifying Marketing Review Compliance In today’s content-driven environment, firms are producing more client-facing communications than ever. With that visibility comes regulatory scrutiny. Firms must ensure that each piece meets regulatory standards, including modernized SEC Rule 206(4)-1—and that their policies and procedures support consistent, documented compliance. While advertising and marketing review is one of those areas […]

Learn More
Get In Touch Scroll Up