News Analysis: The Real Story Behind The SEC Warning That It Has Found “Widespread” Violations By RIAs Of The Custody Rule

Tuesday, March 05, 2013 19:32

Tags: Dodd-Frank | RIA compliance | sec

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations today warned RIAs that it is finding “widespread” non-compliance with the custody rule under the Investment Advisers Act of 1940. But the real story is that the SEC is flexing its muscle and enforcing the custody rule because it never paid much attention to this issue before.



“The NEP (National Examination Program) reviewed recent examinations that contained significant deficiencies,” says the alert issued by OCIE. “Approximately one-third of them (over 140) included custody related issues.”



At the same time it issued the warning to RIAs, the SEC issued an “investor bulletin” explaining the custody rule to consumers.

The deficiencies NEP staff are finding can be grouped into four categories:

  • failure to comply with the rule’s “surprise exam” requirement
  • failure by an adviser to recognize that it has “custody” as defined under the custody rule
  • failure to comply with the “qualified custodian” requirement
  • failure to comply with the audit approach for pooled investment vehicles

As a reporter who has covered the RIA business for over 25 years, here’s my assessment of what’s happening.

About 90% or 95% of RIAs do not take custody of client assets. They outsource the job to escape the onerous requirements of serving as a custodian. If an RIA does not outsource the job of the custodian, the RIA must comply with rules that protect investors but cost the RIA a lot of money and are an enormous hassle.

Requirements Of RIAs Taking Custody
RIAs in custody of client assets can elect to hold the assets at a “qualified custodian,” a broker-dealer or bank. The custody rule requires these RIAs to provide clients prompt written notification of the QC’s name and address and information about how their assets are being held. The RIA must also have an assurance from the QC that it will send the RIA’s clients their account statements at least quarterly.

In addition, RIAs taking custody of client assets and holding the assets at a qualified custodian must hire an independent accountant to conduct a surprise exam of the custodial arrangement at least annually to verify that client assets are indeed where they’re supposed to be.

Moreover, if the custodian is related to the RIA, the accounting firm that conducts your surprise audit must be registered with the Public Accounting Oversight Board, an accounting industry self-regulatory organization overseeing CPAs that audit public companies, and the RIA also must annually get a report from its auditor saying controls are in place to verify client assets are accounted for properly.

RIAs acting as a general partner in a pool of client assets face even stiffer requirements, including the expensive task of annually providing clients with an audited financial statement. Obtaining an independent audit excuses an RIA from the surprise audit and QC statement requirements, however.

The Accidental Custodian
Of course, the vast majority of RIAs want to avoid all of the requirements associated with the custody rule and don’t take custody of client assets—at least not intentionally. They let qualified custodians (QCs) like Charles Schwab or TD Ameritrade serve as custodian of client assets under their management.

Apparently, however, RIAs are taking custody of client assets inadvertently. They’re accidental custodians, guilty of being sloppy or ignorant of the custody rule requirements. How can an RIA be an accidental custodian? Let’s count the ways.

1. Your client gives you the password and user ID for his 401(k) or other accounts. It’s not uncommon for an RIA to ask clients for their passwords to their 401(k)s and other accounts. RIAs want to manage the 401(k) assets one day and have an incentive to monitor held-away assets. But if you gain access to an online account where you can trade, you’re a custodian of those assets.
2. You pay bills for your clients.
3. You have power of attorney over a client’s assets.
4. You have the client’s checkbook and he has told you to feel free to write checks and sign his name.
5. You are a successor trustee on a client’s account and after the client’s death become a trustee and are understandably deemed to be a custodian.

Intentional Custodians
Then there’s the small number of RIAs that are intentionally acting as custodians. The 5% to 10% of RIAs intentionally acting as custodians are running pooled investment accounts or acting as general partners in a privately-held venture.

These investment advisors are making a deliberate decision to be dealmakers in private ventures or are essentially running their own private mutual funds. Because the activities of these RIAs are far more opaque than the business of the vast majority of RIAs, the custody rule imposes special requirements on them. These RIAs must either outsource to a qualified custodian or hire an independent CPA firm to audit the pooled assets or partnership deals and provide a financial statement opining on the condition of each investment entity.

The Real Story Behind Today’s SEC Alert
Many, if not most, of the RIAs regulated by the SEC—all of which are firms with more than $100 million AUM—are small businesses run by one or two principals and a few support staffers. They’re mom and pop shops. They’re not run by professional managers and the director of operations is often an office manager who gets promoted when the firm gets successful.

While it is obvious that holding a client’s physical assets—stock certificates, bonds, deeds, partnership agreements, and other valuables—would make you a custodian and trigger the custody rule and all its requirements, the less obvious ways enumerated above can make an RIA a custodian accidentally, and that’s where RIAs are probably falling short.

In a way, this is good news. The deficiencies highlighted in the SEC warning to RIAs are mistakes and not criminal violations. There’s no pattern of fraud that the SEC is saying it is concerned about.

But the real story here is that the SEC is proactively doing something about the custody rule. The SEC for as long as I’ve been covering this business has always tolerated widespread deficiencies in RIA compliance with the custody rule.

Fraud by RIAs was probably not enough of a problem to merit enforcement of the custody rule. The SEC had bigger fish to fry. That all changed after the market crash of 2008 revealed a small number of RIAs as Ponzi schemes, including the Bernie Madoff fraud.

The custody rule has been in place since 1962, according to the SEC’s alert today. While the details of the rule have been updated, including some changes made as recently as 2010, the rule has been on the books for over 50 years. The real story is that the SEC is actually doing something to enforce it now.


Related reading:

SEC Staff Responses to Questions About the Custody Rule



Comments (6)

Good and balanced editorial. This is an extremely important issue. The notion of qualified custodians is typically overlooked. Your last article lumped RIA firms with investment company firms.
brentb843 , March 06, 2013
A compliance guru who spoke at a Schwab gathering last summer said that having log-in credentials to 401k is specifically NOT custody. Advisor may not disperse funds as paperwork is required with client signature - FYI.
chance , March 06, 2013
I called a compliance attorney before posting to check that fact. I confirmed that, if an advisor has a client's password and user ID and can, thus, trade the account, he was a custodian.

But you are saying that, as long as the advisor cannot sell an investment and pull cash from the account, he would not be deemed to have taken custody. Since the intent of the custody rule is centered on an RIA's ability to pull cash from the account, you may be right.

I will get a compliance expert to answer us to confirm you are correct. Thanks for that! Interesting.
agluck , March 06, 2013
From a link at the bottom of your own post, from the SEC.

Q: If an adviser has the ID number and password to a client's pension fund account to rebalance and adjust investments in the account, does the adviser have custody?

A: The adviser has custody if password access provides the adviser with the ability to withdraw funds or securities or transfer them to an account not in the client's name at a qualified custodian. (Posted May 20, 2010)

Additionally, my compliance consultants (who are attorneys) have also confirmed that we don't have custody just because we have passwords. Of course the key is that we can't withdraw money by using the password.
tonyp781 , March 07, 2013
Andy - one thing that I think is getting lost here is what is an RIA. An RIA is a firm registered under the 1940 Act, or State.

I may be wrong, but your articles seem geared towards RIA being a couple of independent advisors' office. If you look at the firms that were examined, they were the big ones Merrill, Smith Barney, etc that HAD custody of clients assets. These firms also operate RIAs.
brentb843 , March 11, 2013
Maybe this is better. An RIA is not somebody that does not work at the wirehouse. It's a firm, by registration.

I had a wholesaler from Jackson National call me a few weeks ago. His pitch was 'he worked with RIAs and fee only advisors.' I asked, aren't all RIAs by regulation fee only?

His response - "RIAs are guys that hang out their own shingle." The SEC examines very few 'mom and pop' RIAs.
brentb843 , March 11, 2013
