The Custody Rule: What RIAs Get Wrong and Why It Matters

The custody rule — Rule 206(4)-2 under the Investment Advisers Act of 1940 — is one of the most consistently misunderstood provisions in investment adviser regulation. Examiners find custody deficiencies with remarkable frequency, and not just at unsophisticated firms. The rule is broader than most advisers expect, the trigger points are not always obvious, and the consequences of getting it wrong range from costly remediation to enforcement action.

This post covers what custody actually means, how advisers inadvertently trigger it, what the rule requires once custody is triggered, the fund audit exception that most private fund managers rely on, the current regulatory environment, and the deficiencies the SEC finds most often.

What Custody Means Under the Advisers Act

Under Rule 206(4)-2, an investment adviser has custody if it holds, directly or indirectly, client funds or securities, or has any authority to obtain possession of them. That last phrase — "authority to obtain possession" — is where most advisers get tripped up, because it extends well beyond physically holding a client's assets.

The rule identifies three specific circumstances in which an adviser is deemed to have custody:

• Physical possession. The adviser actually holds client funds or securities — for example, holding a client's stock certificates or receiving a check made payable to a client.
• Legal ownership or access. The adviser serves in a capacity that gives it legal access to client assets. The most common example: serving as the general partner (or managing member) of a private fund. Because the GP has authority to access the fund's assets, the adviser is deemed to have custody of those assets. This is true even if the assets are held at a qualified custodian and the adviser never physically touches them.
• Authority to deduct fees directly from client accounts. When an adviser has standing authorization to instruct a custodian to transfer funds from a client's account to pay the adviser's fees, the adviser has custody. This is the inadvertent custody trap that catches a large percentage of retail and separately managed account advisers.

There is also a fourth category that the SEC has addressed through guidance rather than the rule text: an adviser that receives written authorization from a client to transfer funds to a third party on the client's behalf — for example, to pay a client's bills or to transfer money between the client's own accounts — may be deemed to have custody even if the adviser never physically receives the funds.

The Qualified Custodian Requirement

Once an adviser has custody, the rule requires that client funds and securities be maintained with a "qualified custodian." The rule defines qualified custodians as: banks, registered broker-dealers holding client assets in customer accounts, futures commission merchants holding client assets in futures accounts, and certain foreign financial institutions that hold client assets in the ordinary course of their business. Advisers themselves are not qualified custodians, with a narrow exception for advisers to certain limited types of pooled vehicles.

The qualified custodian must hold the assets in an account under the client's name or under the adviser's name as agent for its clients. The custodian must send account statements directly to the client — not through the adviser — at least quarterly. This direct delivery requirement exists precisely to protect clients from advisers who might falsify account information. An adviser that intercepts account statements, or that uses a custodian that sends statements only to the adviser, violates this requirement regardless of whether any misappropriation occurs.

The Surprise Examination Requirement

When an adviser has custody, it must engage an independent public accountant to conduct a surprise examination at least annually. The examination verifies that the client assets the adviser claims to hold actually exist and are properly accounted for. It must be genuinely unannounced — the accountant selects the timing without prior notice to the adviser, so that the adviser cannot temporarily move assets into place for the examination and then move them out afterward.

The accountant must be registered with and subject to regular inspection by the Public Company Accounting Oversight Board (PCAOB), except for advisers to limited partnerships and other pooled investment vehicles that meet the fund audit exception described below. The adviser must file Form ADV-E with the SEC within 120 days after the examination, and the accountant must file a certificate attesting to the results. If the accountant finds material discrepancies, it must notify the SEC within one business day of finding them.

The surprise examination requirement is the most operationally burdensome aspect of the custody rule for advisers with individual client accounts. It is also the requirement that many advisers fail to satisfy, either because they do not recognize that they have custody or because they do not engage the accountant properly.

The Fund Audit Exception

For advisers to pooled investment vehicles — limited partnerships, LLCs structured as private funds, and similar entities — the rule provides an important alternative to the surprise examination. If the pooled vehicle has its financial statements audited annually by an independent public accountant registered with and subject to regular inspection by the PCAOB, and if those audited financial statements are distributed to all investors (limited partners, members, or other beneficial owners) within 120 days after the fiscal year end, the adviser is not required to conduct a surprise examination with respect to the pooled vehicle's assets.

This is how virtually every registered private fund manager satisfies the custody rule with respect to its fund assets. It is a well-established compliance framework. But it requires strict adherence to the conditions.

The 120-day deadline is not aspirational — it is a hard regulatory requirement. Advisers that routinely deliver audited financials at 150 or 180 days are not in compliance with the fund audit exception, even if the audit itself is substantively rigorous. When the exception is not met, the adviser must fall back on the surprise examination requirement, which it likely has not arranged for. The SEC has cited advisers specifically for late delivery of audited financials, and the consequences include both the Rule 206(4)-2 violation and potential disclosure failures on Form ADV.

For funds that are in wind-down or are otherwise unable to obtain an audit, the rule provides a further alternative: distribution of audited financials upon liquidation, within a reasonable time after liquidation. But this applies only when the fund is actually liquidating, not as a general escape from the annual audit requirement.

Additionally, any assets of a pooled vehicle that are not covered by the fund audit — for example, assets held outside the fund's regular custody arrangements — are not protected by the exception and may require separate compliance measures.

The Inadvertent Custody Trap: Fee Deduction Authority

The single most common custody trigger for retail-focused RIAs managing separately managed accounts is fee deduction authority. When a client signs an investment management agreement authorizing the adviser to instruct the custodian to debit the client's account for advisory fees, the adviser has custody. This is true even though the adviser never touches the money — the authority to direct transfers is itself custody under the rule.

The good news: the surprise examination requirement does not apply when the only basis for custody is fee deduction authority and the adviser satisfies two conditions: (1) a qualified custodian holds the client's assets and sends account statements directly to the client at least quarterly, and (2) the adviser sends its own account statement to the client at least quarterly, or the adviser instructs the qualified custodian to do so. Meeting this "account statement" safe harbor exempts the adviser from the surprise examination for those accounts.

Many advisers in this situation satisfy the first condition but fail the second — they rely entirely on the custodian's statements and do not send their own. Or they send statements that do not cover all required content. The SEC has found this deficiency repeatedly. The fix is straightforward once the adviser knows to look for it, but advisers who do not understand that fee deduction authority constitutes custody may not be looking.

The 2024 Safeguarding Rule Proposal: Where Things Stand

In February 2023, the SEC proposed a significant overhaul of the custody rule under the label "Safeguarding Advisory Client Assets." The proposal would have replaced Rule 206(4)-2 with a new Rule 223-1 with substantially broader scope — expanding coverage beyond "funds and securities" to include all client assets (including crypto assets, real estate, and other non-traditional assets), imposing enhanced written agreement requirements with qualified custodians, and creating new due diligence obligations for advisers selecting custodians.

As of this writing, the final safeguarding rule has not been adopted. The proposal was controversial, and the current SEC leadership has signaled a review of the prior administration's rulemaking agenda. Advisers should monitor developments, but existing Rule 206(4)-2 obligations remain fully in effect and are being actively enforced in examinations.

Common Deficiencies Found in SEC Examinations

The SEC's Division of Examinations has consistently identified custody rule compliance as one of its highest-priority examination areas. The deficiencies found most frequently fall into several categories:

• Failure to recognize custody triggers. Advisers that serve as GP or managing member of a fund and do not understand that this constitutes custody. Advisers with fee deduction authority that have never analyzed whether they have custody. Advisers with bill-payment or third-party transfer authority that have not addressed the custody implications. The threshold issue — whether custody exists — is where many programs fail.
• Inadequate documentation of the fund audit exception. Advisers that rely on the fund audit exception but cannot produce evidence that audited financials were timely delivered to all investors. Email records, investor correspondence, and delivery confirmations should be maintained as a matter of routine. An adviser that says "we always send them within 120 days" but has no documentation will not satisfy an examiner.
• Late delivery of audited financials. As noted above, the 120-day deadline is firm. Advisers that consistently miss it — even by a few weeks — are violating the rule every year, potentially without realizing it. Some advisers have incorrect understandings of when the clock starts (it is the end of the fund's fiscal year, not the date the audit is completed).
• Deficient account statement practices for SMA clients. RIAs relying on the fee deduction safe harbor who are not sending their own account statements or who are sending statements that omit required information.
• Qualified custodian issues. Using a custodian that does not meet the rule's definition, or maintaining assets at multiple institutions without recognizing that each requires separate analysis.

Enforcement Consequences

The SEC does not treat custody rule violations as technical matters. The custody rule exists to protect client assets from misappropriation, and the SEC's enforcement history reflects that seriousness. Advisers found to have violated the custody rule have faced civil penalties, disgorgement of fees received during the period of noncompliance, cease-and-desist orders, and, in cases involving individual principals, industry bars.

Importantly, the SEC has not limited enforcement to cases where client assets were actually harmed. The failure to have a surprise examination — even if all assets are exactly where they are supposed to be — is an independent violation that the SEC will charge. The prophylactic nature of the rule means that the absence of harm is not a defense to noncompliance.

The custody rule is also a frequent trigger for Form ADV disclosure issues. Advisers that have custody but do not disclose it accurately on Form ADV Part 1 face the additional charge of making materially false statements in a required filing. Getting custody right requires both operational compliance and accurate disclosure — neither alone is sufficient.