The Problem With Having Client Passwords | Nerd's Eye View by Michael Kitces
The so-called “Custody Rule” under the Investment Advisers Act of 1940 was designed to ensure additional oversight of an RIA that has actual possession of client assets, including both additional reporting to clients, and the requirement of a “surprise” annual audit of the firm. Given the costs involved to comply, most RIAs will go out of their way to avoid having custody so that the rules aren’t triggered.
Yet a recent SEC “Risk Alert” warns that as many as 1/3rd of RIAs are failing to comply properly with the custody rule, most commonly because the RIA fails to realize it has custody in the first place! As the SEC notes, just using a third-party custodian like Schwab or Fidelity alone is not a safe harbor; there are many ways an RIA can indirectly trigger custody, from being a trustee on a client’s account, to providing bill-pay services, and even “just” having a client’s username and password for their 401(k) can sometimes be enough to trigger the rule!
Accordingly, as RIAs continue to expand their services to differentiate in today’s increasingly competitive environment, it is more crucial than ever for firms to be aware of where the line is when it comes to the custody rule. In some cases, firms may decide that having custody – and handling the additional compliance requirements – is worthwhile for the service that will be provided to clients. But if the goal is to not have custody, firms need to be more cautious than ever about how their services are executed – and some may need to step back from a line they’ve already crossed, when it comes to common situations like having client login details to rebalance their accounts!