Custody Rule Requirements
If your advisory firm has “custody” of client funds or securities, the Custody Rule requires you to keep those assets with a qualified custodian, notify clients about the custodian, ensure clients get quarterly statements, and (in many custody scenarios) complete an annual surprise exam by an independent public accountant. Build a custody determination, map each custody trigger to controls, and retain exam-ready evidence. (17 CFR § 275.206(4)-2)
Key takeaways:
- Start by deciding, account-by-account, whether you have custody and why; that decision drives every downstream obligation. (17 CFR § 275.206(4)-2)
- Operationalize the rule with a qualified custodian oversight file, client notice workflow, statement-delivery verification, and accountant surprise exam readiness. (17 CFR § 275.206(4)-2)
- Exams fail on evidence: document custody triggers, custodian selection, notices, statement checks, and the accountant engagement and outputs. (17 CFR § 275.206(4)-2)
“Custody” is one of the fastest ways an SEC exam turns from routine to high-risk. The reason is simple: once an adviser can access client cash or securities (or appears able to), the rule expects specific safeguards that reduce misappropriation risk and improve client transparency. The Custody Rule is not a principles-only standard; it has concrete operational outputs: qualified custodian holding, client notifications, periodic statements, and an independent surprise examination in applicable scenarios. (17 CFR § 275.206(4)-2)
For a CCO or GRC lead, the work is less about drafting a policy and more about running a custody program that holds up under sampling. You need a repeatable method to (1) identify custody triggers (including indirect custody through authority or third parties), (2) route each trigger to the right control set, and (3) maintain proof that those controls operated throughout the period. That means clear ownership across compliance, operations, finance, and any third parties involved in client asset movement.
This page translates custody rule requirements into an execution checklist you can implement quickly, then sustain with audit-ready artifacts and a cadence of monitoring. (17 CFR § 275.206(4)-2)
Regulatory text
Operator requirement (what the rule demands): Investment advisers that have custody of client funds or securities must maintain those assets with a qualified custodian and comply with specific safeguarding, notice, and examination requirements. (17 CFR § 275.206(4)-2)
Regulatory excerpt (provided): “Investment advisers that have custody of client funds or securities must maintain those assets with a qualified custodian.” (17 CFR § 275.206(4)-2)
Practical reading for operators: Once your firm has custody, you must ensure client assets are held at a qualified custodian (for example, a bank, broker-dealer, or futures commission merchant), clients are promptly notified of the custodian and changes, clients receive quarterly account statements from the custodian, and an independent public accountant conducts an annual surprise examination in the custody scenarios that require it. (17 CFR § 275.206(4)-2)
Plain-English interpretation (what “good” looks like)
You are compliant when you can show, with evidence:
- Custody is identified and scoped: you can explain which accounts/relationships create custody and why. (17 CFR § 275.206(4)-2)
- Assets sit with a qualified custodian: client funds/securities are not held in-house, and you can prove who the custodian is for each account. (17 CFR § 275.206(4)-2)
- Clients are informed: clients are notified about the custodian and any changes promptly, using a controlled, repeatable workflow. (17 CFR § 275.206(4)-2)
- Statements are delivered: clients receive quarterly statements from the custodian (not solely from the adviser), and you can evidence your reasonable steps to ensure that happens. (17 CFR § 275.206(4)-2)
- Independent check exists where required: an independent public accountant performs a surprise exam annually in custody contexts that require it, and you retain the engagement and outcomes. (17 CFR § 275.206(4)-2)
Who it applies to (entity and operational context)
Entity types (from provided applicability):
- Investment companies
- Portfolio managers
Operationally, it applies when your advisory business has custody of client funds or securities, which commonly arises through:
- Authority to move money or securities (standing letters/instructions, fee deduction authority, or other arrangements that allow disbursement). Your legal analysis should map the specific authority you have to the custody definition under the rule. (17 CFR § 275.206(4)-2)
- Physical possession of client securities/certificates or client checks made out in a way that puts you in the chain of control. (17 CFR § 275.206(4)-2)
- Access through third parties acting on your instructions (for example, administrators, platforms, or other outsourced providers that can effect movement based on adviser direction). Treat these as third-party risk items inside the custody program. (17 CFR § 275.206(4)-2)
If you are uncertain whether a specific arrangement is “custody,” treat that uncertainty as a control failure until resolved: freeze the movement pathway, document the analysis, and escalate to counsel/compliance leadership for a determination aligned to the rule text. (17 CFR § 275.206(4)-2)
What you actually need to do (step-by-step)
Step 1: Build a custody determination and inventory
Create a custody inventory that lists, for each product/account/vehicle:
- Client/entity name and account identifier
- Custodian name and custodian type (bank/broker-dealer/FCM)
- Adviser authorities (fee deduction, disbursement authority, trading authority)
- Third parties with payment/transfer roles (administrator, prime broker, platform, etc.)
- “Custody: Yes/No” conclusion and rationale tied back to the rule requirements
Output: “Custody Determination Memo + Custody Inventory” stored as a controlled compliance record. (17 CFR § 275.206(4)-2)
Step 2: Confirm qualified custodian status and account titling
For each in-scope relationship:
- Obtain onboarding documentation and custodian agreements.
- Confirm accounts are opened in the correct client name/structure and held at the custodian.
- Confirm your firm does not inadvertently become the holder of record for client assets outside permitted arrangements.
Control test: sample accounts and verify custodian holding and correct titling based on account documentation and custodian statements. (17 CFR § 275.206(4)-2)
Step 3: Implement a controlled client notice process
Create a notice workflow that triggers when:
- A new custodian relationship starts
- A custodian changes
- Material custody-related arrangements change (for example, new account structures or service model changes that affect custody obligations)
The workflow should include:
- Approved notice template(s)
- Defined owner (usually compliance/operations)
- Distribution method and proof of delivery (mail log, email receipt, portal confirmation)
- A change-management trigger from operations so compliance is not surprised
Evidence standard: retain the notice, date sent, population list, and delivery proof. (17 CFR § 275.206(4)-2)
Step 4: Ensure quarterly statements from the custodian (and verify)
You need operational comfort that clients receive custodian-issued statements quarterly. (17 CFR § 275.206(4)-2)
Practical controls:
- Contractually require statement delivery in your custodian relationship where possible.
- For omnibus/platform structures, confirm who sends statements (custodian vs. administrator) and retain documentation.
- Run periodic checks: obtain example statements, confirm statement frequency, and confirm client delivery channels are active (paperless enrollment status, returned mail handling, etc.).
Common exam-ready approach: maintain a quarterly “statement verification” log with samples and exceptions tracked to closure. (17 CFR § 275.206(4)-2)
Step 5: Determine whether an annual surprise exam is required, then operationalize it
The rule summary provided expects an annual surprise examination by an independent public accountant for advisers with custody in applicable scenarios. (17 CFR § 275.206(4)-2)
Operationalize it as a program:
- Engage an independent public accountant with a written engagement letter that covers the surprise exam.
- Create a readiness package: custody inventory, list of custodians, account lists, authority lists, and internal procedures.
- Define internal points of contact for rapid document production.
- Track delivery of accountant outputs and management responses to any findings.
Tip from practice: treat the surprise exam as a standing readiness state, not a calendar event. Your biggest risk is not being able to produce complete population data quickly. (17 CFR § 275.206(4)-2)
Step 6: Tie custody controls to third-party risk management (TPRM)
Custody programs fail when the firm assumes the custodian “covers it.” The custodian holds assets, but you still need evidence your firm met notice, statement, and exam obligations. (17 CFR § 275.206(4)-2)
Minimum TPRM actions for custodians and custody-adjacent third parties:
- Due diligence file: services, roles in asset movement, and statement delivery responsibilities
- Contract review for statement delivery, reporting, and change notification
- Operational contacts and escalation paths
- Incident response alignment if an error causes misdirection of funds
Tools like Daydream can help you keep the custody inventory, third-party due diligence artifacts, and control evidence in one place so you can answer exam requests with a single source of truth rather than a scramble across operations, finance, and email archives.
Required evidence and artifacts to retain
Maintain an exam-ready folder structure (by custodian and by period) with:
- Custody determination memo and custody inventory (current and historical versions) (17 CFR § 275.206(4)-2)
- Custodian agreements, account opening docs, and proof of qualified custodian relationship (17 CFR § 275.206(4)-2)
- Client custodian notices, change notices, recipient lists, and delivery proof (17 CFR § 275.206(4)-2)
- Quarterly statement verification logs and representative samples of custodian statements (redacted as needed) (17 CFR § 275.206(4)-2)
- Surprise exam engagement letter, document request lists, deliverables, and remediation tracking (17 CFR § 275.206(4)-2)
- Written procedures: custody identification, movement authority governance, exception handling, and escalation (17 CFR § 275.206(4)-2)
- Exception register: any statement delivery issues, returned mail, custodian changes, or authority deviations and how they were resolved (17 CFR § 275.206(4)-2)
Common exam/audit questions and hangups
Expect requests framed like:
- “Show us your custody determination for each product/account and the supporting rationale.” (17 CFR § 275.206(4)-2)
- “List all qualified custodians used, and show client notifications for each and for any changes.” (17 CFR § 275.206(4)-2)
- “Prove clients receive quarterly statements from the custodian; show your monitoring.” (17 CFR § 275.206(4)-2)
- “Do you have any authority to transfer client funds? Provide procedures and evidence of controls over disbursements.” (17 CFR § 275.206(4)-2)
- “Provide surprise exam documentation from the independent public accountant.” (17 CFR § 275.206(4)-2)
Hangups that slow teams down:
- No complete population list (accounts, authorities, custodians).
- Notices sent, but no delivery proof or no change-trigger record.
- Statement “assumptions” without verification artifacts.
- Surprise exam readiness depends on one person’s inbox.
Frequent implementation mistakes and how to avoid them
- Treating custody as a one-time legal conclusion.
  Fix: operationalize a custody review trigger tied to onboarding, product launches, custodian changes, and authority changes. Keep dated versions. (17 CFR § 275.206(4)-2)
- Relying on adviser-generated performance reports as “statements.”
  Fix: document that custodian-issued statements go to clients quarterly and evidence your checks. (17 CFR § 275.206(4)-2)
- Client notice process lives outside change management.
  Fix: require operations to open a compliance ticket for any custodian-related change; close the ticket only when notice evidence is stored. (17 CFR § 275.206(4)-2)
- Surprise exam is under-scoped.
  Fix: maintain a standing engagement and a readiness binder keyed to the custody inventory; test your ability to produce complete populations on demand. (17 CFR § 275.206(4)-2)
Enforcement context and risk implications
No specific public enforcement cases were provided in the approved sources for this page. The risk logic is still operationally clear from the rule’s structure: custody creates direct client harm exposure if assets can be misdirected or if clients are not getting independent visibility through custodian statements and independent examination. Your control objective is to prevent unauthorized movement, detect errors quickly, and prove independent holding and reporting. (17 CFR § 275.206(4)-2)
Practical execution plan (30/60/90-day)
Time-boxed plans depend on firm size and complexity. Use phases to avoid false precision.
Immediate (stabilize and scope)
- Assign a single owner for the custody inventory and evidence repository. (17 CFR § 275.206(4)-2)
- Build/refresh the custody inventory and document custody triggers and conclusions. (17 CFR § 275.206(4)-2)
- Identify every qualified custodian and collect agreements and statement samples. (17 CFR § 275.206(4)-2)
- Document the current client notice process and locate prior notices and proof of delivery. (17 CFR § 275.206(4)-2)
Near-term (implement control routines)
- Implement a formal client notice workflow tied to custodian onboarding/changes. (17 CFR § 275.206(4)-2)
- Stand up quarterly statement verification with defined sampling, exception handling, and recordkeeping. (17 CFR § 275.206(4)-2)
- If surprise exam applies to your custody posture, engage the independent public accountant and assemble the readiness binder. (17 CFR § 275.206(4)-2)
- Add third-party due diligence expectations for custodians and custody-adjacent providers to your TPRM program, and centralize artifacts in Daydream or your system of record.
Ongoing (monitor and prove)
- Revalidate custody triggers as part of onboarding, product changes, and authority changes. (17 CFR § 275.206(4)-2)
- Track custodian changes and prove notices went out promptly. (17 CFR § 275.206(4)-2)
- Maintain statement verification evidence and resolve exceptions quickly. (17 CFR § 275.206(4)-2)
- Keep surprise exam readiness current with updated account populations and authority lists. (17 CFR § 275.206(4)-2)
Frequently Asked Questions
What counts as a “qualified custodian” under the custody rule requirements?
The rule summary identifies banks, broker-dealers, and futures commission merchants as examples of qualified custodians. Your operational file should show which category your custodian fits and document the relationship. (17 CFR § 275.206(4)-2)
If a custodian sends statements, do we still need to do anything?
Yes. You need evidence that clients receive quarterly account statements from the custodian and that you took reasonable steps to confirm delivery. Keep statement samples and a verification log with exceptions tracked. (17 CFR § 275.206(4)-2)
Do we have to notify clients every time we change custodians?
Yes. The rule summary calls for prompt notification to clients of the custodian’s identity and any changes. Build a change trigger so compliance is alerted before operational switches occur. (17 CFR § 275.206(4)-2)
How do we prepare for a surprise exam without disrupting operations?
Maintain a standing readiness binder: custody inventory, account populations, custodian contacts, authority documentation, and a document production plan. Run internal “mock pulls” so you can produce complete data fast. (17 CFR § 275.206(4)-2)
What evidence do examiners usually want first?
Start with your custody determination and inventory, proof of qualified custodians, client notices, and proof of quarterly custodian statements. If applicable, provide the independent public accountant surprise exam engagement and outputs. (17 CFR § 275.206(4)-2)
How should we handle third parties that can move money at our direction?
Treat them as custody-adjacent third parties in your TPRM process. Document their role in asset movement, confirm contractual responsibilities for statements/notifications, and retain due diligence and monitoring evidence. (17 CFR § 275.206(4)-2)