SEC Proposes Custody Rule Overhaul: Will More Obligations and Higher Costs Ensure More Security for Client Assets?

March 1, 2023

On February 15, 2023, the U.S. Securities and Exchange Commission (“SEC”) proposed significant revisions to the “Custody Rule” under the Investment Advisers Act of 1940 (the “Advisers Act”) applicable to registered investment advisers (“RIAs”). 

The proposal would replace Rule 206(4)-2 with a more comprehensive set of requirements in proposed Rule 223-1 (the “Safeguarding Rule”), and amend the recordkeeping rule and Form ADV to require additional records and information from RIAs (collectively, the “Proposal”).  The Proposal would dramatically increase the scope of client accounts and assets that are subject to the requirements, the burden of compliance for RIAs and their qualified custodians, and the cost that clients and investors will ultimately bear.  If adopted as proposed, the Safeguarding Rule would present significant challenges for a host of products and markets, including digital assets and derivatives.  The Commission hopes the Proposal will strengthen and clarify existing custody protections, in recognition of the evolution in products and services RIAs offer to their clients.  Whether there is real value to the strengthening in the face of these challenges and costs is a topic on which we expect significant comments. 

Similar to other recent compliance-related rules,[1] the Proposal would not apply to Exempt Reporting Advisers (“ERAs”), Foreign Private Advisers, the non‑U.S. clients of offshore advisers, Family Office advisers or clients for whom RIAs do not provide “investment advice.”  Accordingly, we expect many ERAs and Foreign Private Advisers to resist the reputational gains of SEC‑registration and investor suggestions to register, given that the burdens and costs of becoming an RIA have increased substantially under Chair Gensler’s SEC. 

Below is a summary of our headline observations and notable points from the Proposal, along with key interpretive issues that the industry will want to consider during the comment period.  The comment period will remain open for 60 days after publication in the Federal Register. 

Headline Observations

All client assets would be subject to the Safeguarding Rule and, with limited exceptions, be required to be kept with a qualified custodian.  Whereas the Custody Rule only applies to cash and securities of advisory clients over which an adviser has custody, the Safeguarding Rule would apply to all client assets, such as real estate, crypto and derivatives.  The exception for “privately offered securities” would be maintained and apply to all assets, but narrowed, requiring the adviser to document in writing that a qualified custodian cannot record and maintain the assets and that the adviser will reasonably safeguard the assets.

Discretionary authority, even without access to client funds and securities, would be deemed “custody” for RIAs.  RIAs would no longer be able to limit their ability to direct custodians to disburse or transfer cash and securities to avoid triggering the Safeguarding Rule.  The Proposal expressly captures advisers whose only authority over client assets is discretionary authority limited to instructing custodians to transact in assets that settle exclusively on a delivery versus payment basis.  This would create significant practical challenges for prime brokerage, swaps and other trading activities of RIAs for clients.

The Proposal provides no flexibility for crypto assets, which would be captured and, in many cases, not have compliant custody solutions available.  Crypto assets would be treated like any other asset and fully subject to the Safeguarding Rule, including using qualified custodians that have “possession or control” of the crypto assets.  As Commissioner Uyeda said in his statement accompanying the Proposal, “[t]his approach to custody appears to mask a policy decision to block access to crypto as an asset class.”  While there are some crypto assets and some custodians who offer compliant solutions, the new requirements for custodial arrangements as applied to crypto would present significant practical challenges at a minimum.

Many fewer Foreign Financial Institutions could serve as qualified custodians.  The Custody Rule permits Foreign Financial Institutions (“FFIs”) to serve as qualified custodians if they are the type of entity that customarily holds assets for customers and segregates client assets from proprietary assets.  The Proposal would impose much stricter requirements on FFIs to be more consistent with the requirements for U.S. entities, including requiring that the adviser and Commission be able to enforce judgments against the FFI and requiring the FFI to comply with anti-money laundering regulations similar to those of the Bank Secrecy Act.

New requirements for custodial arrangements.  Qualified custodians would be required to have “possession or control” over the client assets, and advisers would be required to enter into written agreements with, and obtain reasonable assurances from qualified custodians.  These agreements would have to impose a variety of new requirements and restrictions on the custodians, including that custodians indemnify clients for losses due to the custodian’s mere negligence, which would be a significant change to current market practice.  We expect challenges in negotiating such arrangements with custodians, who are not subject to the rule, and anticipate that fees associated with custodial arrangements will increase substantially as a result with clients and investors ultimately bearing them.

New custodial arrangements could be required for a range of existing markets.  Because the Proposal would apply to more than just funds and securities and narrow current exceptions and arrangements on which RIAs rely to avoid the practical challenges and costs of the Custody Rule, the Safeguarding Rule would have significant implications for a variety of markets and products, including those markets currently subject to comprehensive CFTC regulation.  If adopted, the Proposal could lead many RIAs to implement custodial arrangements similar to those required for registered investment companies under the Investment Company Act of 1940.

Expansion of Assets Triggering Application of the Rule

The Custody Rule only applies where an RIA has or is deemed to have custody of the “funds” or “securities” of an advisory client.  The Safeguarding Rule, on the other hand, would apply to advisory clients’ “assets,” defined as “funds, securities, or other positions held in a client’s account.”  The term “other positions held in a client’s account” is broad, encompassing assets like crypto assets, financial contracts held for investment purposes, swaps, futures, and other derivatives, and physical assets, like artwork, or commodities, like lumber and precious metals.  The term also encompasses holdings that may not be recorded on a balance sheet as an “asset” for accounting purposes, such as short positions and written options. 

While we anticipated there would be some expansion in scope, the Proposal goes well beyond assets that have gotten attention in recent years.  The Commission states the expansion to assets is designed to remain “evergreen,” including new investment types as they evolve to highlight that the protections should not depend on which type of assets the client entrusts with the adviser.  RIAs with deemed custody would be required to move these newly-covered assets, including real property deeds and private keys held in a crypto asset wallet, to a qualified custodian.  The proposing release acknowledged that custodians may not currently be able to receive and hold such assets, meaning that it may be difficult to find qualified custodians that would allow RIAs to comply with the rule.

Discretionary Authority Would Constitute “Custody”

The Safeguarding Rule would significantly expand the group of RIAs who would be deemed to have custody by including advisers with “discretionary authority” to trade client accounts.  This captures advisers whose only control over the assets comes through the trading authority to instruct a broker-dealer or other custodian to effect or settle trades, including settling on a “delivery versus payment” or “DVP” basis where the Commission previously was comfortable that this presents only minimal risk of misappropriation by advisers.  The Commission believes this change will ensure that when client assets are at risk of loss, advisers with discretion over the assets remain accountable.

While advisers who have “custody” only as a result of discretionary authority limited to DVP settlement would not be required to comply with the surprise examination requirement of the Safeguarding Rule described below, they would still be required to comply with the other provisions of the Proposal.

Crypto Assets

In the Commission’s latest step to aggressively regulate crypto assets, the Proposal treats crypto assets like any other asset without exception.  The proposing release explicitly states that crypto assets would not be eligible for the privately offered securities exception, and are not physical assets eligible to be exempt from the qualified custodian requirement.  The result would be that RIAs with crypto assets must custody those assets with a qualified custodian.  While the Commission is engaged in ongoing litigation over when a crypto asset meets the definition of a “security,” the Proposal neatly sidesteps that debate by subjecting all assets, including but not limited to crypto assets that are not “securities,” to the same obligations if an RIA is deemed to have custody.

The Commission addresses the “possession or control” requirement (discussed further below) in depth as it applies to crypto assets.  In explaining the point that a qualified custodian does not need to have exclusive possession or control of an asset so long as it is required to participate in a change in beneficial ownership, the Commission highlights the example of an advisory client and the qualified custodian simultaneously holding copies of a client’s private key.  The Commission explains that this would be permitted so long as the adviser cannot change beneficial ownership of the crypto asset without the custodian’s involvement.  However, as a practical matter, to execute a trade on a digital asset exchange, cash and crypto generally need to leave the possession or control of the Qualified Custodian.  In order to execute a trade, the Qualified Custodian will not have possession or control.  The Commission acknowledges this challenge when it warns that where a crypto trading platform requires investors to pre-fund trades by transferring the funds or assets to the exchange prior to execution, and the exchange is not a qualified custodian, an adviser with custody over client assets would not be able to trade on such an exchange in compliance with the Safeguarding Rule.  The practice of pre-funding trades on a crypto exchange is very common and the Proposal would require RIAs to solely use exchanges that do not require pre-funding, or to avoid using crypto exchanges entirely.  Additionally, because advisers may find it difficult to be certain that a private key arrangement does not allow the transfer of crypto assets without the custodian’s involvement, and there are still relatively few qualified custodians (including exchanges) for crypto assets,[2] this aspect of the Proposal raises the risks for advisers investing in crypto.  As Commissioner Peirce notes in her dissenting statement, “by insisting on an asset neutral approach to custody we could leave investors in crypto assets more vulnerable to theft or fraud, not less,” by driving the assets away from entities that have “developed innovative safeguarding procedures for those assets.”

Categories of Qualified Custodians

The Custody Rule contains four categories of “qualified custodians:”  (1) banks and savings associations that have deposits insured by the FDIC, (2) broker-dealers, (3) futures commission merchants (“FCMs”), and (4) FFIs that customarily hold financial assets for customers, provided the FFIs segregate customer assets from proprietary assets.

The Safeguarding Rule would impose an additional requirement for banks and savings associations—that they must hold the client assets in an account “designed to protect such assets from creditors of the bank or savings association in the event of insolvency or failure” of the custodian.  As applied to cash, this standard seems in tension with the manner in which banks and savings institutions generally hold customer cash.  Cash deposits at most of these institutions are held in general deposit accounts.  Banks do not segregate cash credited to general deposit accounts but instead reuse that cash in their business, e.g., to make loans.  Although depositors of FDIC-insured banks may have priority to other unsecured creditors in the event the bank becomes insolvent, the cash they deposit is arguably not “protected from the bank’s creditors.”  We expect comments on this aspect of the proposal and anticipate that, at least for cash, this could change in the final rule.

FFIs would face numerous additional requirements, similar to those applicable to “Eligible Foreign Custodians” under Rule 17a-5 of the Investment Company Act of 1940.  To be a qualified custodian under the Safeguarding Rule, FFIs would be required to:

  • Be regulated by a foreign government, agency, or regulatory authority as a banking institution, trust company, or other financial institution that customarily holds financial assets for customers;
  • Be incorporated or organized under the laws of a country or jurisdiction other than the United States, provided that the adviser and the Commission are able to enforce judgments, including civil monetary penalties, against the FFIs;
  • Be required by law to comply with anti-money laundering and related provisions similar to those of the Bank Secrecy Act and regulations thereunder;
  • Hold financial assets for customers in an account designed to protect such assets from the FFI’s creditors in the event of the insolvency or failure of the FFI;
  • Have the requisite financial strength to provide due care for client assets;
  • Be required by law to implement practices, procedures, and internal controls designed to ensure the exercise of due care with respect to the safekeeping of client assets; and
  • Not be operated for the purpose of evading the provisions of the Safeguarding Rule.

These requirements would significantly raise the bar on qualifications for FFIs compared to the relatively flexible requirements for FFIs under the Custody Rule.  RIAs that use FFIs as qualified custodians should consider whether alternative arrangements will be needed if the Proposal is adopted.[3] 

Requirements and Obligations for Qualified Custodians

“Possession or Control” Requirement

The Proposal would require that a qualified custodian have “possession or control” over the client assets.  “Possession or control” of assets would mean that (1) the custodian is required to participate in any change in beneficial ownership of those assets, (2) the custodian’s participation would effectuate the transaction involved in the change in beneficial ownership, and (3) the custodian’s involvement is a condition precedent to the change in beneficial ownership.  The Commission notes that the definition is consistent with the authority most qualified custodians already have over the client assets they hold, and the Proposal would formalize that understanding in order to help ensure that the custodian would be involved in any change of ownership.  The proposing release specifically highlights the practice of “accommodation reporting”—custodians listing assets on account statements for which they do not accept custodial liability—which would not meet the “possession or control” standard.  The “possession or control” requirement would not, however, require “exclusive” possession or control, and can be satisfied so long as the custodian is required to participate in a change of beneficial ownership. 

Written Agreement and Oversight by RIAs

In a stark change from the Custody Rule, the Proposal would require that RIAs—and not only clients—enter into a written agreement with each qualified custodian.  The adviser would need to reasonably believe that the written agreement:

  • Requires the qualified custodian to, upon request, provide client asset records to the Commission or an independent public accountant; 
  • Requires the qualified custodian to send account statements at least quarterly to the client and the investment adviser, unless the client is an entity which relies on the audit exception from the surprise examination requirement;
  • Requires the qualified custodian to provide the adviser, at least annually, a written internal control report that includes an opinion of an independent public accountant; and
  • Specifies the adviser’s agreed-upon level of authority to effect transactions in the custodial account, as well as any applicable terms or limitations.

When the Commission proposed new rules for private fund advisers (the “PE Proposal”) in February of 2022, we noted overlap and inconsistencies with the Custody Rule.[4]  The Proposal resolves some of those issues in a way that defaults to the higher obligation.  For example, the PE Proposal would require a quarterly statement for private funds to be distributed within 45 days of the end of each calendar quarter.  We expect that many RIAs will look to satisfy that requirement with the quarterly reports required under the Proposal.  That means, however, that the exception in the Proposal from the quarterly account statement requirement for client accounts that receive audited financials pursuant to the audit exception is unlikely to be widely used by those RIAs.

Reasonable Assurances Obtained by Adviser

The Safeguarding Rule would also require the adviser to obtain “reasonable assurances in writing” that the custodian will comply with certain requirements.  Critically, these requirements include that the custodian indemnifies the client (and has insurance arrangements in place that will adequately protect the client) against the risk of loss—not only for recklessness and willful misconduct, but also for simple negligence—and that the custodian will not be excused from its obligations to the client as a result of any sub-custodial or other similar arrangements.  The PE Proposal also would prohibit advisers from seeking indemnification or limitation of liability from a private fund or investors for simple negligence, meaning that custodians would be held to the same standard as advisers if both rules are adopted as proposed.  If, as expected, the final private fund adviser rule is adopted before the Proposal, the market will get some insight into the Commission’s landing point on this issue.  The Safeguarding Rule, as with the PE Proposal, signals a willingness to ban practices the Commission does not like, even when such practices are highly negotiated by sophisticated parties.

The reasonable assurances requirement also captures ensuring that the custodian will: (1) exercise due care and implement appropriate safeguarding measures, (2) not subject client assets, unless the client agrees in writing, to security interests, liens and the like in favor of the custodian or its related persons or creditors, (3) segregate client assets from the custodian’s assets and liabilities, and (4) create an account structure that protects client assets from the qualified custodian’s insolvency or bankruptcy.  The Safeguarding Rule would still allow for an omnibus client account, rather than segregating assets by each individual client account.  Furthermore, the Proposal recognizes that custodied assets may be subject to security interests or liens where authorized by the client, such as in cases of securities lending or margin account arrangements. 

We expect these provisions to receive a cool reaction from qualified custodians.  Whether or not custodians submit comments, advisers should expect difficult negotiations with custodians, in particular around what constitutes “reasonable assurances” that the custodian is complying with the requirements, and significantly higher custody costs if the simple negligence indemnity is adopted.  This struggle—with advisers attempting to comply with a new rule from the Commission while facing resistance from counterparties indirectly affected by the rule—has already occurred in the wake of the implementation of the new Rule 206(4)-1 (the “Marketing Rule”), which contains a similar oversight requirement for advisers.[5] 

If adopted, the Proposal’s requirements regarding qualified custodians will result in substantial additional costs for custodians and advisers, which will likely be passed along to advisory clients.  While the PE Proposal would limit an adviser’s ability to pass certain costs onto the clients, costs relating to custody were not among those included.

More Limited “Privately Offered” Asset Exception

The Custody Rule provides an exception from the requirement to maintain securities with a qualified custodian for certain privately offered securities, defined to mean securities that (1) were not acquired in a public offering, (2) are uncertificated, with ownership recorded only on the books of the issuer or its transfer agent in the name of the adviser’s client, and (3) are transferable only with prior consent of the issuer or holders of the outstanding securities of the issuer.  The Custody Rule also provides that privately offered securities of a pooled investment vehicle are only exempt if the pooled investment vehicle is subject to a surprise examination (or annual audit exception). 

The Safeguarding Rule would contain an exception for privately offered assets, not only securities, but would significantly narrow this exception by requiring that the RIA reasonably determine and document that the relevant assets cannot be maintained with a qualified custodian.  In addition, the exception would not be available under any circumstances for crypto assets, which would have to be maintained with a qualified custodian.

The other conditions to rely on the exception would be: the adviser takes reasonable steps to safeguard the assets; the assets are subject to the surprise examination or annual audit; the adviser notifies the independent public accountant within one business day of any purchase, sale, or transfer of the assets; and the accountant verifies any such purchase, sale or transfer and notifies the Commission within one day if any material discrepancy is found.

The proposing release notes that this was designed to be a limited exception, reserved for “circumstances that truly warrant it,” given the Commission’s belief that “the bulk of advisory client assets are able to be maintained by qualified custodians.”  The Commission seems convinced that the exception has been over-used by advisers and so decided to tighten it, and impose more stringent obligations on RIAs that use it, including stating that the required frequency of the adviser’s determination would depend on the type of asset and the market, and that “it would likely be unreasonable for an adviser to annually assess the custodial market for an asset for which developing custodial services are well publicized as imminent.”

Surprise Examination Modification

Under the Custody Rule, investment advisers must hire an independent public accountant to perform an annual “surprise examination” over funds and securities in the custody of the adviser.  Many advisers currently rely on the “annual audit” exception from this requirement, which provides an exception where the client account is subject to an annual audit by an accountant that is registered with, and subject to regular inspection by, the Public Company Accounting Oversight Board (“PCAOB”), and the audited financial statements are distributed to the beneficial owners within 120 days of the end of the client account’s fiscal year (or 180 days in the case of a fund of funds or 260 days in the case of a fund of funds of funds).  This exception to the surprise examination requirement is currently only available where the client account is a limited partnership, limited liability company, or other pooled investment vehicle. 

The Safeguarding Rule would revise the audit exception in a few ways: the exception would be available for all types of client accounts—not only pooled investment vehicles; the adviser or client must have a written agreement with the auditor that requires the auditor to notify the Commission within four business days of the auditor’s termination or within one business day of issuing a report with a modified opinion; and the adviser must “reasonably believe” that the written agreement between the adviser and the accountant has been implemented—i.e., that the accountant has completed the surprise examination and has filed with the Commission a certificate on Form ADV-E. 

Self-Executing Exceptions

The Safeguarding Rule would add two new exceptions to the surprise examination requirement, which do not require an annual audit: an adviser deemed to have custody solely because (1) it has discretionary authority that is limited to instructing the custodian to transact in assets that settle exclusively on a DVP basis, or (2) a standing letter of authorization (“SLOA”) authorizes the adviser to direct the custodian to transfer assets to a third-party recipient on a specified schedule. 

Notably, these new exceptions to the surprise examination requirement would not exempt the adviser from the other requirements in the Proposal, including maintaining the assets with a qualified custodian.  However, in these situations the adviser is often not heavily involved with the custodian and the Proposal could lead to violations of the Safeguarding Rule by advisers who may not be aware they have deemed custody.  For example, if an adviser limits its activities to making recommendations to a client, and that client keeps assets with a custodian, if the client directs the custodian to grant the adviser discretionary authority over the assets, the adviser would be deemed to have “custody” over the assets, regardless of whether the adviser ever uses this authority (or indeed, even knows it has such authority).  We expect comments on this aspect of the Proposal.

Continuing Tension with PE Proposal over non-GAAP financial statements

The PE Proposal discussed above would require RIAs to obtain an annual GAAP audit of private funds that they advise.  The PE Proposal noted that the requirement is based on the current Custody Rule requirement, but that compliance with one rule does not automatically satisfy the requirements of the other.  As we noted in our Firm’s Alert Memorandum on the PE Proposal, the Custody Rule can be satisfied by annual surprise examinations instead of annual audits, an option that is often chosen by advisers who produce non-GAAP financial statements that cannot be easily reconciled to GAAP.  Under the PE Proposal, those advisers would still need to obtain a GAAP audit, regardless of the financial statements that are most appropriate for the relevant fund’s investors or that may be required by overseas regulators.

The Safeguarding Rule would not remedy this gap.  Advisers to private funds would be required under the PE Proposal to obtain the annual GAAP audit regardless of whether they choose to satisfy the Safeguarding Rule with a surprise examination.  Furthermore, an adviser to a private fund relying on another exception from the surprise examination requirement (e.g., advisers with custody solely because of its discretionary trading authority on a DVP basis), would still be required to obtain an annual GAAP audit under the PE Proposal, even though under the Safeguarding Rule, the adviser would not be required to obtain either an audit or a surprise examination. 

Recordkeeping Requirements and Form ADV Updates

The Proposal would expand the Advisers Act recordkeeping rule, including by requiring more detailed records of trade and transaction activity as well as position information for each client account over which an RIA has custody.  The Proposal would also amend Form ADV to bring the reporting requirements in line with the various aspects of the Proposal, as well as to eliminate confusion over certain existing items in the Form related to reporting of custody.  Among other things, reporting would be required on the type of authority the adviser has over a client’s assets, any exception the adviser is relying on from the Safeguarding Rule, and details about the qualified custodian used for each client’s assets.

[1] See our Firm’s prior Alert Memoranda on the February 2022 PE and Cybersecurity Proposals, the May 2022 ESG Proposal, the August 2022 Form PF Proposal, and the October 2022 Outsourcing Proposal.

[2] The categories of allowable qualified custodians are not necessarily entities that are capable of holding crypto assets, or even allowed to hold such assets.  For example, the Commission’s longstanding position has been that broker-dealers cannot hold customer assets other than securities or cash.  The Commission has even extended this view to crypto securities, with the exception of special purpose broker-dealers as described in the Commission’s 2021 Release, which allows such special purpose broker-dealers to hold crypto securities (though not securities other than crypto).  Furthermore, FCMs would be prohibited from investing customer funds in crypto assets under Rule 1.25 and would need to consider CFTC guidance and caution around holding such assets for customers at all.  Given these restrictions, U.S. broker-dealers would not be able to serve as qualified custodians for non-security crypto assets, and U.S. FCMs, while technically allowed to serve as qualified custodians for crypto assets, would face serious regulatory hurdles.  This would leave advisers that wish to use U.S.-based custodians limited, in most cases, to banks or savings associations.

[3] On the other hand, FFIs are not subject to the same limitations related to crypto holdings as U.S. banks and bank affiliates are.  Unless changed in the final rule, this could provide an opportunity for FFIs to grow market share in the crypto space.

[4] See our Firm’s Alert Memorandum on the February 2022 PE and Cybersecurity Proposals

[5] See Marketing Rule Adopting Release, December 22, 2020, and our Firm’s Alert Memorandum on the December 2020 Marketing Rule.