What SEC Custody Rule 206(4)-2 Means for Securities
Dec 8, 2025
The SEC Custody Rule is one of the most important regulations governing how investment advisors handle client assets. For fintech companies and registered investment advisers (RIAs), this rule defines what it means to have “custody” of client funds or securities and sets the standards for how they must protect those assets.
In practice, Rule 206(4)-2 is about safeguarding investor assets through clear custody arrangements, independent verification, and transparent reporting.
But as fintech platforms innovate, combining securities with crypto, embedding trading into mobile apps, or introducing new account structures, the boundaries of what counts as “custody” have become increasingly complex.
This article breaks down what the SEC Custody Rule requires, how it applies to modern fintech models, and where firms often get tripped up.

Understanding the SEC Custody Rule
The SEC Custody Rule (Rule 206(4)-2) is a core part of the Investment Advisers Act of 1940 and was designed to prevent misuse or misappropriation of client assets. It sets the framework for how investment advisors safeguard client funds and securities.
The rule makes it unlawful for an advisor to have custody of client assets unless specific safekeeping procedures are followed. These include:
Having a qualified custodian maintain the funds and securities
Maintaining transparent account records
Ensuring the custodian provides regular statements to clients
Undergoing periodic independent verification
The rule’s primary purpose is investor protection. Clients can feel confident that their assets are held safely and separately from an advisor’s own accounts. This protection applies whether assets are traditional securities, cash, or newer products like tokenized investments and digital assets (categories that increasingly overlap with fintech business models).
Who Must Comply: RIAs, Fintechs, and Other Advisors
The Custody Rule applies primarily to SEC-registered investment advisors (RIAs), though many states have parallel versions for state-registered advisors.

Even if a fintech does not think of itself as an “investment advisor,” activities like discretionary portfolio management, or combining securities with other assets, can trigger RIA registration and, with it, the Custody Rule.
Role of the SEC and Other Regulators
The U.S. Securities and Exchange Commission (SEC) enforces Rule 206(4)-2 and provides interpretive guidance through FAQs, risk alerts, and enforcement actions. The SEC’s Division of Examinations regularly reviews how firms apply the rule and identifies deficiencies during exams.
Other regulators may have overlapping jurisdiction depending on the asset type or entity structure:
FINRA oversees broker-dealers who act as custodians.
State securities regulators may apply similar custody rules for advisors under state oversight.
The CFTC (Commodity Futures Trading Commission) regulates custodial arrangements involving futures or commodity interests.
Understanding how these regulators intersect is crucial for fintech platforms that operate across multiple categories, e.g., firms offering both securities and payment or crypto products.
Core Requirements of the Custody Rule
The SEC Custody Rule establishes specific operational and procedural requirements for advisors with custody of client assets.
These requirements aim to create a transparent chain of control and verification so clients always know where their funds and securities are held:
Maintain Client Assets with a Qualified Custodian
Advisors with custody must maintain client funds and securities with a qualified custodian (typically a bank, registered broker-dealer, or futures commission merchant). The custodian holds the assets in either the client’s name or in an account clearly identified as belonging to the client.
The purpose is segregation. Client assets must stay separate from the advisor’s operational funds or proprietary holdings. In fintech, this usually means partnering with a regulated custodian or broker-dealer that can securely hold securities or cash while the fintech provides the technology layer.
Advisors should also confirm the custodian’s qualifications, internal controls, and audit practices. If an advisor uses an affiliated entity as a custodian, independent verification is critical to avoid conflicts of interest.
Provide Account Statements and Client Notifications
Whenever a custodial account is opened, the advisor must notify the client in writing with details about the custodian and where assets are held. Clients must also receive account statements directly from the custodian at least quarterly.
These statements list holdings and all transactions during the period. Advisors are expected to encourage clients to review and compare these statements with any internal reports or dashboards the advisor provides.
For fintech platforms, this requirement extends to digital interfaces. Client statements must remain accessible and reflect data consistent with custodial records, even if users interact solely through an app or web platform.
Conduct Annual Surprise Examinations and Fund Audits
If an advisor has custody, the SEC requires an annual surprise examination by an independent public accountant. The accountant verifies the existence of client funds and securities and files Form ADV-E after the examination.
For advisors managing pooled investment vehicles, a fund-level audit performed annually by a PCAOB-registered auditor may substitute for the surprise exam, provided audited financial statements are delivered to investors within 120 days of year-end.
Missing or delaying these filings is one of the most common custody-related enforcement findings. Startups often underestimate how much coordination this process requires: scheduling, documentation, and auditor independence checks all take time.
Segregation of Client and Firm Assets
Client assets must be held separately from the advisor’s own accounts. This prevents commingling and provides a clear line of ownership if the advisor encounters financial or operational issues.
In digital environments, fintech firms must carefully map how money and securities flow through their systems to confirm segregation holds at every step. For instance, client deposits that briefly pass through the firm’s account, even for routing or settlement, could create a custody issue.
Maintaining transparent account structures and reconciliations is a core control area that compliance teams should document and review regularly.
Required Form ADV Disclosures
Advisors with custody must disclose it in Form ADV, Item 9, along with details about qualified custodians, audits, and surprise examinations. For advisors to private funds, related disclosures also appear in Schedule D, Section 7.B.
These disclosures help regulators and clients identify which firms have custody and what controls they use.
Failing to update Form ADV after an audit or structural change, such as when a new custodian is added, is a common compliance deficiency cited in SEC examinations.
When Does an Advisor Have “Custody”?
For fintechs and investment advisors, custody often arises in specific operational scenarios rather than by intent. A fintech may be considered to have custody when its systems or agreements give it access to client funds or securities.

Possession of Client Funds or Securities
If an advisor or one of its employees physically holds client funds or securities, that constitutes custody. The only exception is if the advisor accidentally receives a check made out to a third party and forwards it promptly, usually within three business days.
Physical possession is rare in fintech settings, but digital equivalents matter. If client assets move into a company-controlled account, even temporarily, that’s considered custody.
Authority to Withdraw or Transfer Assets
An advisor also has custody if they can withdraw or transfer a client’s funds or securities at will. This could be through a power of attorney, a transfer authority, or a standing instruction that allows money to move without the client’s direct action.
For fintech firms, automated transfers between linked accounts, or features that move assets between investment products, can trigger this kind of custody. A compliance review should confirm whether the platform’s processes give the advisor, or its affiliates, custody over client assets.
Standing Letters of Authorization (SLOAs)
A Standing Letter of Authorization allows an advisor to transfer assets on behalf of a client to a designated third party. The SEC considers this custody because it provides withdrawal authority.
However, in 2017, the SEC staff issued a limited no-action position: advisors may avoid the annual surprise exam if the SLOA meets certain conditions. These include written client instructions, transfers only to named recipients, and the custodian sending transaction confirmations directly to the client.
Even with that relief, advisors must document SLOAs carefully. They are a common area where well-intentioned client service practices overlap with custody obligations.
Discretionary Authority and Its Limits
Having discretionary trading authority (permission to make investment decisions and place trades in client accounts) does not automatically create custody. It becomes custody only when that authority includes the ability to move or withdraw funds.
Fintech advisors offering automated portfolio management should confirm that their discretion is limited to investment actions within custodial accounts, not withdrawals or payments. Many compliance issues arise from unclear client agreements that blur these boundaries.
Related Persons and Affiliates Holding Assets
If a related person of the advisor (e.g., an affiliated broker-dealer, fund, or technology partner) has custody of client assets, the advisor is also considered to have custody. This concept prevents firms from shifting control to affiliates to avoid direct responsibility.
Advisors must document and monitor these relationships carefully. If custody is held through an affiliate, an independent internal control report from a qualified auditor is typically required.
Custody via Login Credentials or Trustee Roles
Holding client login credentials, even for convenience or account aggregation, can create custody if those credentials allow fund transfers or asset movements. Advisors should avoid storing or using client passwords in ways that provide account access beyond viewing.
Similarly, if an advisor or its principal serves as a trustee or executor for a client account, that position gives control over assets and qualifies as custody. These roles are acceptable but must be disclosed and monitored under the Custody Rule.
Compliance Challenges and Common Misconceptions
Even experienced compliance teams can misinterpret the SEC Custody Rule (Rule 206(4)-2). For fintechs, the mix of innovative business models, automation, and nontraditional asset types often introduces custody risks that are not obvious at first.
The most common challenges and misconceptions include:
Inadvertent Custody Triggers in Fintech Models: Many fintech firms assume they do not have custody because they never physically touch client money. In reality, custody can arise through system design, including when funds briefly pass through a platform account or when a firm can redirect assets between products.
Confusion Over Qualified Custodians: The rule requires client assets to be held by a qualified custodian, like a bank or registered broker-dealer. But for digital assets, identifying who qualifies can be complex. Some fintechs use state-chartered trust companies for crypto custody, which the SEC has only recently acknowledged as “banks” under certain conditions. Using unqualified custodians can leave a firm exposed to regulatory action, even if the assets are secure in practice.
Misunderstanding Discretionary Authority vs. Custody: Having discretion to trade within a client’s account is allowed under the rule. Custody only arises if that authority extends to withdrawing or transferring assets. Many fintech advisors blur this line unintentionally when, for example, algorithms execute trades and also move cash between accounts. Reviewing client agreements and API permissions is essential to confirm where discretion ends and custody begins.
Execution Gaps: Firms that recognize they have custody must complete either an annual surprise examination or, for pooled funds, a yearly audit. Missing these deadlines or using auditors who aren’t properly independent is a recurring enforcement theme. These lapses often stem from underestimating the coordination and lead time required for the audit process.
Form ADV Disclosure Errors: Advisors must disclose custody in Form ADV, Item 9. Many fail to update this form when circumstances change. Late or missing updates are common triggers for SEC penalties.
SEC’s 2023 Proposed Safeguarding Rule
In February 2023, the SEC proposed a new Safeguarding Rule that would replace and expand the current Custody Rule.
The proposal broadens the definition of “assets” to include not only funds and securities but also crypto assets, commodities, and other financial instruments. It would extend custody obligations across all asset types and require written agreements between advisors and qualified custodians, outlining each party’s safeguarding responsibilities.
The rule would also make custodians responsible for maintaining possession or control of client assets while strengthening audit and reporting requirements.
If adopted, this Safeguarding Rule would substantially increase compliance responsibilities, especially for fintech firms handling crypto or hybrid asset models.
Impact on Crypto, Digital Assets, and Alternative Investments
The SEC intends to close regulatory gaps that left many digital asset custodians outside the Custody Rule’s reach. Crypto advisors, tokenization platforms, and other fintechs working with digital assets would be required to use qualified custodians that meet stricter standards.
This development addresses one of the industry’s longest-standing uncertainties: how to treat digital assets under custody regulations. However, it also increases operational demands, requiring fintechs to reevaluate their custodial relationships, documentation, and independent audit processes.
Narrowed Exceptions and Conditional Relief
Under the proposed changes, certain exceptions would be narrowed. For example, advisors relying on exemptions for privately offered securities would need to show that no qualified custodian is available and that alternative safeguards are in place.
At the same time, some conditional relief may formalize long-standing no-action positions, such as when custody arises only through fee deductions or standing letters of authorization. These scenarios could remain exempt from the annual surprise exam if strict procedural controls are followed.
No-Action Relief for State Trust Companies
In late 2025, the SEC staff granted no-action relief confirming that certain state-chartered trust companies qualify as “banks” under the Investment Advisers Act. This means RIAs may use them as qualified custodians for digital assets, provided they meet the necessary operational and financial control requirements.
This clarification offers much-needed regulatory certainty for fintech firms that hold crypto assets through state-chartered entities. Still, the SEC expects firms to perform due diligence and verify that their chosen custodians operate within the approved framework.
Practical Takeaways for Fintechs and RIAs
The SEC Custody Rule defines how advisors safeguard client assets at every level: operational, technical, and strategic.
For fintechs, it’s not just a regulatory obligation but a design constraint that touches system architecture, data handling, and vendor oversight.
Questions to Ask When Assessing Custody Risk
When reviewing your business model, start with a few essential questions:
Do we or any of our affiliates have direct or indirect access to client assets?
Can our systems or integrations move funds without new client authorization?
Are all assets held with qualified custodians that meet SEC standards?
Do our client agreements or API permissions inadvertently grant custody rights?
Answering these questions early helps identify where compliance frameworks need to be strengthened.
Steps to Build Custody Compliance into Your Business Model
Building custody compliance into your business model starts with structure. These steps help translate regulatory requirements into clear operational controls that can scale with your firm:
Map all asset flows. Identify every point where client funds or securities enter, move within, or exit your platform.
Confirm custodian qualifications. Verify that custodial partners meet the SEC’s definition of a qualified custodian and maintain proper internal controls.
Document control boundaries. Clearly separate trading authority from fund transfer authority in both agreements and system permissions.
Plan annual reviews. Ensure surprise examinations or fund audits are scheduled well in advance to avoid timing and independence issues.
Keep disclosures current. Update Form ADV filings as soon as custody arrangements or auditors change.
These operational steps reduce regulatory uncertainty and prepare the firm for SEC or investor scrutiny.
How to Work with Custodians, Auditors, and Compliance Partners
Strong communication with custodians and auditors is vital. Custodians must send accurate statements directly to clients, while auditors confirm asset existence and test controls. Compliance teams should coordinate both processes to avoid duplication or gaps.
For fintech firms, this collaboration often extends into technology integrations, syncing data between custodial and platform systems for transparency.
That is where having a partner with fintech regulatory experience adds value. InnReg, for example, operates as an extension of a client’s compliance team, coordinating audits, managing filings, and maintaining operational readiness across complex fintech structures.
—
The SEC Custody Rule (Rule 206(4)-2) remains one of the most consequential regulations for investment advisors and fintech firms managing client assets. Its requirements touch every operational layer, from how custodians are selected to how audits are managed and disclosures are maintained.
For fintechs, where technology and regulation intersect daily, strong coordination between compliance, custodians, and auditors is critical. Transparent processes not only meet regulatory expectations but also strengthen investor trust.
How Can InnReg Help?
InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013.
We are especially effective at launching and scaling fintechs with innovative compliance strategies and delivering cost-effective managed services, assisted by proprietary regtech solutions.
If you need help with RIA compliance, reach out to our regulatory experts today:
Published on Dec 8, 2025
Last updated on Dec 8, 2025