Understanding SEC Custody Rules: From SLOAs to Login Credentials
How RIAs Can Stay Compliant and Avoid Unintended Triggers
Subscribe to our original industry insights
For Registered Investment Advisors (RIAs), compliance with the SEC’s custody rule is an ongoing challenge—especially when custody is unintentionally triggered by day-to-day activities. Most advisors use qualified custodians, but certain actions—even those made in the name of client service—can result in a firm being deemed to have custody of client assets. The consequences can be significant, including surprise audits, amended filings, and enhanced policies and procedures.
What Triggers Custody?
The SEC defines custody broadly. An RIA is deemed to have custody not just when it holds client funds or securities, but also when it has the authority to withdraw them or access client accounts.
Some of the most common triggers include:
Fee Deduction Authorization
Automatically deducting advisory fees from client accounts constitutes custody. While this form of custody does not require a surprise verification audit, it still must be disclosed properly.
Physical Possession of Assets
Accepting checks or securities—especially if made payable to the advisory firm—can trigger custody. Simply returning a check made payable to the advisory firm to the client is not sufficient to avoid custody. The check must be returned to the original sender. If improperly handled, even briefly possessing these items can create compliance issues.
Control Over Client Accounts
This includes situations where advisors or associated persons are named as trustees, executors, or have power of attorney. These roles allow access to client funds and therefore fall under the custody rule.
Standing Letters of Authorization (SLOAs)
These authorize custodians to transfer assets to third parties. While the SEC issued a no-action letter in 2017 providing a safe harbor, RIAs must meet all seven outlined conditions.
- The client provides an instruction to the qualified custodian, in writing, that includes the client’s signature, the third party’s name, and either the third party’s address or the third party’s account number at a custodian to which the transfer should be directed.
- The client authorizes the investment adviser, in writing, either on the qualified custodian’s form or separately, to direct transfers to the third party either on a specified schedule or from time to time.
- The client’s qualified custodian performs appropriate verification of the instruction, such as a signature review or other method to verify the client’s authorization, and provides a transfer of funds notice to the client promptly after each transfer.
- The client has the ability to terminate or change the instruction to the client’s qualified custodian.
- The investment adviser has no authority or ability to designate or change the identity of the third party, the address, or any other information about the third party contained in the client’s instruction.
- The investment adviser maintains records showing that the third party is not a related party of the investment adviser or located at the same address as the investment adviser.
- The client’s qualified custodian sends the client, in writing, an initial notice confirming the instruction and an annual notice reconfirming the instruction.
Many custodians take responsibility for only part of the framework—leaving the remainder to the advisor.
Login Credentials
Holding a client’s credentials to access their 401(k) or other accounts—even with the client’s consent—can be deemed custody if it provides the ability to move funds.
Many of these actions arise from a desire to provide excellent service. However, well-intentioned activities can create significant regulatory exposure if custody is inadvertently triggered.
What Happens When Custody Is Triggered?
Once custody is established, firms must:
- Amend Their Form ADV. Item 9 of Form ADV Part 1A must be updated to reflect the number of accounts and total assets under custody. ADV Part 2A must also be amended to disclose custody practices.
- Engage a PCAOB-Registered Accountant. For custody that extends beyond fee deduction, RIAs must engage an independent public accountant to conduct a surprise verification audit within six months of discovery.
- Update Policies and Procedures. Firms must build or revise their compliance framework to include ongoing supervision, internal controls, and documentation for all accounts subject to custody requirements.
- Enhance Training and Oversight. Staff must be educated on custody triggers and proper handling procedures—especially those in client-facing or operational roles.
It is critical that firms understand their responsibilities and maintain clear oversight. Firms must know these nuances to remain in compliance.
The Importance of Ongoing Monitoring
Custody risk is not a one-time evaluation. Regular assessments of custodial relationships, third-party access, and operational processes are essential to maintaining compliance. Activities that were permissible at one point may evolve into custody triggers due to changes in custodial agreements or internal processes.
Oyster recommends including custody evaluations as part of:
- Annual Compliance Reviews
- Testing under Rule 206(4)-7
- Operational Risk Assessments
- New Account and Service Offerings
Unintentional custody can be discovered during SEC examinations or internal reviews. Regardless of how it is uncovered, the SEC expects prompt action and full compliance once custody is established.
RIA Custody Rule Compliance Support
Oyster Consulting’s regulatory compliance consultants help RIAs identify and manage custody risks before they become regulatory problems. Our experts work with firms to evaluate operations, review custodial agreements, and implement strong internal controls. We guide clients through the steps required when custody is triggered, including amending ADV filings, engaging auditors, and enhancing compliance programs.
Whether you’re responding to a surprise discovery or proactively strengthening your compliance framework, Oyster provides the insight and support your firm needs to stay aligned with regulatory expectations and protect your clients’ assets, our regulatory compliance experts have the experience and perspective registered investment advisors need to comply with the SEC’s custody requirements. From Books and Records to Form ADV disclosures, our consultants ensure that your compliance program will meet regulatory expectations.