Don’t Get Snared by the SEC’s Custody Rule

A Securities and Exchange Commission rule older than many of today’s registered investment advisers is rising swiftly on the SEC’s hit parade. After a few years of moderate enforcement and minimal fines, the SEC is putting a major emphasis on compliance with the Custody Rule. High-profile enforcement actions, with large penalties for relatively small violations, seem to be the current operating model.

The SEC is bearing down hard on chief compliance officers. CCOs need to be vigilant about their firms’ regulatory compliance to keep their companies out of hot water, but it doesn’t end there. Personal liability for firm compliance failures, instituted to make sure those CCOs had skin in the game, is real and damaging.

Why does this rule exist, and who does it cover?

The SEC’s Custody Rule 17 CFR 275.206(4)-2 under the Investment Advisers Act of 1940 was first adopted in 1962 and had major revisions in 2003 and 2009 after the discovery of the Bernard Madoff fraud. The rule’s objective is protection of customer assets which an adviser possesses or controls either directly or indirectly — or custody. It mandates that advisers adopt and implement policies and procedures to ensure compliance.

The rule covers all investment advisers registered under the Act, as well as many state registered advisers, since many states have adopted the SEC’s rule as their own.

How can investment advisers comply?

Managed account advisers must jump through several hoops to comply. Among other things, they must ensure that client assets are maintained under the client’s name with a qualified custodian, such as an SEC registered broker-dealer or bank, and that the client receives quarterly statements of all transactions directly from that custodian. The adviser may also need to undergo an annual surprise examination of all accounts in its custody, by an independent Public Company Accounting Oversight Board-registered and inspected accounting firm. The adviser may also need to receive an internal control report of any related qualified custodian; that report must also be prepared by an independent PCAOB-registered and inspected accountant.

Advisers for pooled investment vehicles, or PIVs, are automatically deemed to have custody of the client assets invested, as they have direct asset control. The rule makes it a little easier for them, providing relief from the surprise exam and other aspects of compliance if the PIV is audited by a PCAOB-registered and inspected firm, in accordance with GAAP, with an unqualified audit opinion. The audit must be distributed to investors within 120 days of the PIV’s fiscal year-end or 180 days for a fund-of-funds. PIVs must have a liquidating audit at their termination. This audit exemption provides the easiest method of compliance; after all, most PIV’s are audited. If you’re not, compliance is similar to the managed account regimen: a surprise exam, all privately owned securities held by a qualified custodian and quarterly customer statement delivery of all PIV transactions, which is not so easy. Investor privacy issues related to that transaction data can only be overcome by engaging an Independent Representative to stand in the shoes of the investors.

What can go wrong?

Some advisers unknowingly find themselves in the custody cross-hairs for innocuous issues like having client passwords, providing bill-pay services from client accounts, having power of attorney over client assets or serving as trustee on client accounts. These are often identified by routine SEC examination. There is no retroactive remedy to such a failure; correction happens prospectively by eliminating the issues that gave rise to the inadvertent custody and possibly having a surprise exam. A more troubling cause of noncompliance would be if an adviser was found to have comingled firm and client assets.

For PIV advisers, noncompliance is typically failure to comply with the audit exemption: having a qualified opinion, not being prepared in accordance with generally accepted accounting principles, the auditor lacking independence or qualifications, or simply missing the mandated delivery timeframe.

The SEC has brought high-profile rule enforcement actions of late, like the Sands Brothers Asset Management LLC cases from 2010 and 2015. The first penalty, $60,000 for the late delivery of PIV audits, was relatively painless compared to the $1 million fine for the second violation. The scary part about these fines was that they did not involve fraud, only late distribution of audits. Wise CCOs would do well to review their own procedures, with qualified professionals as appropriate, to avoid nasty surprises.