Investment Advisor Held Away Account Access Advisory

The Corporations, Securities, and Commercial Licensing Bureau (“Bureau”) within the State of Michigan Department of Licensing and Regulatory Affairs recommends that state registered investment advisers carefully review their use of third-party platforms that provide access to view and trade held-away client assets. The Bureau is aware that some state-registered investment advisers are engaging unregistered, third-party digital platforms to actively view, manage, trade, and sometimes bill on assets in held-away accounts.

The Bureau believes an adviser’s use of such platforms may cause the adviser to have custody of client funds or securities, to create cybersecurity risks to client data and information, and to violate the adviser’s fiduciary duties to clients. This advisory document is intended to address regulatory concerns of the Bureau and to identify various compliance matters for advisers to consider before using these platforms in the provision of advisory services to clients.

Traditionally, investment advisers who manage client assets enter into agreements with the custodian of the clients’ accounts. These agreements may give the adviser the ability to place trades in the client’s account through the custodial broker-dealer. If an adviser does not have an agreement with the custodian, the adviser is typically not able to place trades in the client’s accounts. In these cases, the adviser would review the client’s account statements and make recommendations on how to allocate assets within the account; then, the client could choose to follow the adviser’s advice and execute those transactions on the held-away account’s platform. 

The agreement and understanding among the client, the custodian, and the adviser ensures that each party involved is aware of their rights and obligations with respect to the arrangement. It also permits the custodian of the client’s held-away assets to appropriately manage private client data and to make and keep accurate required records related to client log-ins and transactions.

There has been a recent increase in state-registered advisers entering into agreements with third parties that provide the adviser with access to the client’s held-away accounts without the adviser or the third party entering into an agreement with the custodian. These third parties allow the adviser such direct access to the held-away accounts without the adviser directly possessing the client’s unique log-in information. The service providers enter into an agreement with an investment adviser to collect client log-in information without the adviser having access to it; to bypass multi-factor authentication protocols put in place by the custodian; and, to provide a portal through which the adviser can view and to make trades within the held-away account.

Unlike account aggregator platforms, which enable read-only access to an account, investment advisers using these services are also able to order trades in client accounts through a third-party portal. These portals to held-away accounts do not appear to allow an adviser to
withdraw client funds, and rebalancing of client accounts appears to be the most common use by advisers.

Advisers that utilize third party services to access held-away client assets should carefully consider the risks associated with such use, including but not limited to inadvertent custody of client funds or securities; violation of the adviser’s fiduciary duty to clients by failing to disclose material cybersecurity and personal data risks associated with the use of such platforms; and potential overcharging of fees to clients.

At least one of the unregistered third-party platforms has marketed its service as allowing advisers to manage held-away accounts without custody. The Bureau reminds advisers that marketing statements are not determinative about whether custody in fact exists. An adviser has custody if it holds client funds or securities, directly or indirectly, or has authority to obtain possession of such assets. Advisers should independently review and understand their ability and authorization to access client funds or securities. Such a review should examine the powers of attorney, agreements between the customer and the third-party platform, and any agreements between the customer and the custodian of each held away account that is accessed by the third-party platform. Advisers should ensure that none of the agreements confer upon the adviser or the third-party platform the authority to access or withdraw client funds or securities from a held away account.

In addition, it appears that some platforms might add the investment adviser or investment adviser representative as a supplemental or authorized user on the customer’s custodial account to navigate account authentication procedures during log-in. In that circumstance, it would be important to know what rights the supplemental or authorized users are given by each custodian, most notably whether supplemental or authorized users have the ability (whether used or not) to withdraw funds or securities from the account. Investment advisers with custody of customer assets must affirmatively disclose this and are subject to heightened safeguarding requirements.

Platforms that provide access to held-away accounts without the custodian’s knowledge rely on the client providing its log-in credentials to the platform. At least one of these service providers encourages the client to replace their own phone number used for multi-factor
authentication with a “fake” number that will forward the relevant multi-factor authentication code to the adviser and to the client when a log-in is attempted.

Log-ins to the client account by the adviser are done without the knowledge or consent or the custodian, who is resultingly unaware of who is accessing the client’s account. This raises cybersecurity, Anti-Money Laundering, Bank Secrecy Act, and recordkeeping concerns. The
client providing their log-in credentials to a third party may put the client’s assets and personal financial information at risk if the security of the third party is compromised. Third party entities that are not registered as investment advisers or broker dealers are not subject to securities regulations regarding policies and procedures, recordkeeping, and net capital requirements. If the third party, rather than the client, receives the multi-factor authentication messages from the custodian, it also may take longer for the client to become aware of unauthorized access.

Third-party access services also may cause clients to violate their agreements with custodians of held-away assets. Agreements differ among custodians, but some contain limitations of the client’s permission to share their log-in credentials, and many waive the liability of the
custodians in circumstances in which the client has shared their log-in credentials. A client’s sharing of the passwords with a third party may cause the client to lose protections relating to their custodial account. Further, an adviser’s recommendation that the client use the third-party service may be a violation of the adviser’s fiduciary duty to their client, particularly in the absence of a disclosure to the clients about the various risks described within this guidance document.

Advisers should also consider the reasonableness of fees charged on held-away client assets. For example, many 401(k) plans have a limited menu of mutual funds available, none of which are chosen by the adviser, and many of which will automatically rebalance based upon the
client’s stated risk tolerance and investment objectives. Advisers should carefully weigh how to charge fees on held-away assets, particularly when there are limited investment options available. This includes whether it is appropriate to charge a fee to a client at all depending on the available investment choices in the held-away account. Advisers should also consider the adverse impact that their fees may have on clients in the form eroded returns, particularly in light of the broad availability of target date funds that will rebalance automatically for the client. Advisers, as fiduciaries, are required to act in the best interests of their clients, including with respect to held-away assets.

An adviser’s use of this type of third-party service may or may not violate the Michigan Uniform Securities Act and the rules thereunder depending on the specifics of the adviser’s arrangement with the third party. Investment advisers and investors are encouraged to consider the noted issues and conduct the appropriate inquiry necessary to address these concerns prior to engaging a third party to access investment accounts.