Using Client Usernames and Passwords
Custody.
Most advisers don’t think about how the custody rule can be triggered by a variety of different actions they take in their business. One such action? Keeping and using your client’s username and password. Many advisers keep track of this information so they can quickly and efficiently view statements and effect trades. Clients are happy because they receive excellent service and advisers don’t have to keep going back to their clients every time they need access to the client’s account. However, online access where the adviser has the ability to withdraw funds and securities from the client’s accounts meets the definition of custody. Advisers must obtain surprise examinations conducted by independent public accountants where they have custody of client funds and securities. SEC registered firms may maintain and utilize client login information so long as they meet custody requirements. However, some states do not agree with the SEC’s position.
On September 25, 2018, the State of Pennsylvania issued its position on the use of client login information to access client custodial accounts. The State found that using client usernames and passwords may meet the definition of custody. A Pennsylvania registered investment adviser with custody must be in compliance with all custody rules as outlined in the Pennsylvania Securities Act of 1972. This generally requires notification to the Pennsylvania Department of Banking and Securities (the “Department”), a net worth of $35,000, an annual audited balance sheet, completion of an internal control report that includes an opinion of an independent certified public accountant, and an annual surprise examination of client funds or securities by and independent certified public accountant.
However, the State of Pennsylvania has determined that the utilization of client usernames and passwords can potentially lead clients to violate their own custodial user agreements or void the custodian’s reimbursement policies for unauthorized withdrawals. By engaging in such practices, registered investment advisers are misrepresenting themselves as their clients to the custodian. Consequently, the State views the use of client usernames and passwords to access client custodial accounts as an unethical and dishonest practice. The State’s Bureau of Securities Compliance and Examinations will recommend administrative action unless the investment adviser takes remedial measures. The following remedial actions are required:
- Discontinue all use of client usernames and passwords to access client custodial accounts.
- Notify affected clients in writing to change their login information and security questions.
Most investment advisers prefer to avoid the added costs and complications associated with custody. So, what is the solution? There are several applications available that allow advisers to log in using their own credentials to view client accounts or consolidate client account information, even for accounts they are not actively managing. This enables advisers to access important information without needing to retain the client’s login details.
Do you have questions about whether you have custody? Give us a call today!
Author Bio
Leila Shaver is the Founder of My RIA Lawyer, a law firm that provides compliance and legal consulting for financial institutions. With extensive experience as a securities attorney and compliance expert, she has served as Chief Compliance Officer and General Counsel to RIAs, BDs, and TAMPs with billions in assets under management.
Leila understands the challenges RIAs face and is committed to helping RIAs streamline their processes, mitigate risks, and ensure compliance with regulatory requirements. She received her Juris Doctor from Atlanta’s John Marshall Law School and is a West Georgia Young Lawyers’ Association member. Leila has received numerous accolades for her work, including the Carroll County Bar Association’s Outstanding Young Lawyer Award in 2017.