Custody: Qualified Custodian (SEC 206(4)-2)

If your advisory firm has custody of client funds or securities, you must ensure those assets are maintained with a “qualified custodian” (generally a bank, registered broker-dealer, registered futures commission merchant, or certain qualifying foreign financial institutions) and be able to prove it in an exam. This is the operational heart of the custody: qualified custodian (sec 206(4)-2) requirement. (17 CFR 275.206(4)-2(a)(1))

Key takeaways:

• Treat “qualified custodian” as a gating control: no account, no assets, no exceptions until qualification is documented. (17 CFR 275.206(4)-2(a)(1))
• You own the determination, even where a client “chooses” the custodian; exam teams will still ask for your due diligence file. (17 CFR 275.206(4)-2(a)(1))
• Crypto custody is a recurring exam focus and a recent enforcement area; unregistered trading platforms are a known failure mode. (IA-6835) (2024-exam-priorities)

This requirement is simple to state and easy to fail in practice: if your firm has custody, client assets must sit at a qualified custodian, not “wherever it’s operationally convenient.” The compliance work is less about the definition and more about building a repeatable approval process that survives edge cases: crypto arrangements, foreign custody, client-directed custodians, unusual asset types, and “temporary” holding patterns that become permanent.

Examiners usually test this two ways. First, they trace assets from your books and records to custody locations and ask you to explain why each location is a qualified custodian. Second, they stress-test governance: who can approve a new custodian, what evidence is required, and whether you re-check status over time. The SEC’s sweep actions on custody violations show they will bring cases where policies exist but aren’t implemented consistently. (2023-168) (2022-156)

This page gives requirement-level implementation guidance you can operationalize quickly: applicability, step-by-step actions, artifacts to retain, common exam questions, avoidable mistakes, and an execution plan you can assign to owners.

Requirement: custody: qualified custodian (sec 206(4)-2) requirement

Plain-English interpretation

• If you (as an investment adviser) have custody of client funds or securities, you must ensure those assets are held at a financial institution that meets the SEC’s “qualified custodian” definition, and you must be able to document that determination. (17 CFR 275.206(4)-2(a)(1))
• “Qualified custodian” generally means: (1) a federal or state-chartered bank or savings association, (2) a registered broker-dealer, (3) a registered futures commission merchant (FCM), or (4) certain foreign financial institutions that meet specified criteria. (17 CFR 275.206(4)-2(a)(1))

Why operators get tripped up

• Business teams often treat custody as an operations choice (“we use Platform X”), while the rule treats it as a regulatory constraint (“Platform X must qualify”).
• New asset classes (notably crypto) introduce custody arrangements that look like custody but don’t satisfy the qualified custodian definition. (IA-6835) (2024-exam-priorities)

Regulatory text

Regulatory excerpt (operator-relevant)

• The custody rule provides that an investment adviser registered (or required to be registered) under Section 203 of the Advisers Act shall maintain client funds and securities with a qualified custodian, and it describes the types of institutions that generally meet the definition. (17 CFR 275.206(4)-2(a)(1))

What the operator must do with that text

1. Identify all client funds/securities for which the firm has custody (including any “constructive custody” scenarios).
2. Identify where each asset is maintained (custody mapping).
3. Confirm each custody location is a qualified custodian under the rule’s definition and document the basis for the conclusion. (17 CFR 275.206(4)-2(a)(1))
4. Block or remediate any arrangement where assets are maintained at a non-qualified custodian (including “temporary” parking arrangements).

Who it applies to

Entity scope

• Registered investment advisers (RIAs) and advisers required to be registered that have custody of client funds or securities. (17 CFR 275.206(4)-2(a)(1))

Operational contexts that commonly trigger this requirement

• The firm (or a related person) can move client money or securities (e.g., standing letters, authority, or access).
• The firm holds client private keys/credentials for digital assets treated as funds or securities in a way that constitutes custody.
• The firm uses third-party platforms to hold assets on behalf of funds or separately managed accounts, and the platform is not clearly a bank/broker-dealer/FCM. (17 CFR 275.206(4)-2(a)(1))

Special attention: crypto

• The SEC has stated exam focus on whether advisers comply with the Custody Rule for crypto assets the SEC believes are funds or securities. (2024-exam-priorities)
• A concrete enforcement risk is relying on a crypto trading platform that does not meet the qualified custodian definition. (IA-6835)

What you actually need to do (step-by-step)

Step 1: Build a “custody map” inventory (control objective: completeness)

Create a single register that ties together:

• Legal entity (adviser and any related persons)
• Client type (fund, SMA, pooled vehicle, other)
• Asset type (cash, securities, crypto considered securities, etc.)
• Where the asset is held (institution + account type)
• Access model (who can move assets; how; approvals)
• Qualified custodian determination status (approved / pending / rejected) This inventory becomes the backbone for exams because it answers “what assets, held where, under whose control.”

Step 2: Define qualified custodian eligibility criteria in your procedures

Your written procedures should:

• Enumerate acceptable custodian categories: bank/savings association, registered broker-dealer, registered FCM, certain foreign financial institutions. (17 CFR 275.206(4)-2(a)(1))
• State explicit exclusions you will treat as non-qualified unless proven otherwise, such as: insurance companies (not in the rule’s general definition), unregistered trading platforms, and “custody tech providers” without the required regulatory status. (17 CFR 275.206(4)-2(a)(1))

Step 3: Implement an approval workflow (control objective: no unapproved custodian goes live)

Minimum workflow:

1. Business request intake: new custodian or new product at existing custodian.
2. Compliance review: determine which category the custodian claims to fit.
3. Evidence collection: capture proof of status (see “Evidence and artifacts”).
4. Risk review for edge cases:
   • Crypto: confirm the custodian meets the rule’s definition; do not assume trading venue equals qualified custodian. (IA-6835)
   • Foreign custody: document how the institution meets the rule’s criteria for foreign financial institutions. (17 CFR 275.206(4)-2(a)(1))
5. Formal approval: documented sign-off by Compliance/CCO (and Operations as co-owner).
6. System gating: operations cannot open accounts or transfer assets until approval is complete.

Practical tip: put the approved list into the same tooling your onboarding team uses. If it’s in a PDF nobody reads, it will fail under real workload.

Step 4: Contract and operational alignment (control objective: custody reality matches the memo)

Confirm your operational setup matches your determination:

• The account is titled correctly (client name / fund name, not adviser name unless structure requires).
• Statements and reporting lines support transparency to the client/investors (even though this page focuses on qualified custodian status, mismatches here often reveal custody weaknesses during exams).
• Your access controls (who can instruct movements) are documented and consistent with policies.

Step 5: Ongoing monitoring (control objective: custodian stays qualified)

At least annually (or upon trigger events), re-perform and document:

• The custodian’s regulatory status (e.g., broker-dealer registration status for a crypto custody provider that claims broker-dealer standing). (17 CFR 275.206(4)-2(a)(1))
• Material changes: M&A, regulatory actions, loss of registration, service-model changes.
• Inventory reconciliation: every custody location in the books remains on the approved list.

This is where a system like Daydream fits naturally: tracking third parties (custodians) as regulated entities, attaching evidence, and generating an exam-ready package without rebuilding it from email threads.

Required evidence and artifacts to retain

Keep these artifacts in a dedicated “Qualified Custodian Due Diligence” file per custodian (and link to each client/fund using it):

Core determination

• Qualified custodian determination memo (one per custodian) stating which category applies and why. (17 CFR 275.206(4)-2(a)(1))
• Approved qualified custodian list (current version + version history).

Status evidence (examples; tailor to custodian type)

• For banks/savings associations: documentation supporting chartered status. (17 CFR 275.206(4)-2(a)(1))
• For broker-dealers: evidence of broker-dealer registration. (17 CFR 275.206(4)-2(a)(1))
• For FCMs: evidence of FCM registration. (17 CFR 275.206(4)-2(a)(1))
• For foreign financial institutions: documentation package addressing the rule’s criteria. (17 CFR 275.206(4)-2(a)(1))

Operational evidence

• Custodian agreements and account opening documentation.
• Custody map register (current) and periodic reconciliation sign-offs.
• Annual re-certification checklist and results (including exceptions and remediation tickets).

Common exam/audit questions and hangups

Expect examiners to ask questions like:

• “List all custodians where client assets are held and show why each is a qualified custodian.” (17 CFR 275.206(4)-2(a)(1))
• “Show the approval process for adding a new custodian, and provide the file for the most recent one.”
• “Do you use any crypto trading platforms? If so, why do you believe they qualify?” (IA-6835) (2024-exam-priorities)
• “Do clients ever select the custodian? Show how you assessed qualified custodian status anyway.” (17 CFR 275.206(4)-2(a)(1))
• “Show evidence of ongoing monitoring. How do you learn about changes in custodian status?”

Hangup to plan for: teams can describe the process verbally but cannot produce a dated determination memo and supporting evidence quickly. That often becomes an exam deficiency even if the custodian is, in fact, qualified.

Frequent implementation mistakes (and how to avoid them)

Mistake	Why it fails	How to avoid
Treating “name brand” as proof of qualification	Market reputation is not the rule’s definition.	Require a determination memo + status evidence before first funding. (17 CFR 275.206(4)-2(a)(1))
Approving a trading platform as a custodian for crypto securities	Recent SEC enforcement shows this can be non-qualified.	For crypto assets, confirm the entity fits the qualified custodian definition; do not assume the platform qualifies. (IA-6835)
Letting clients “choose” a custodian without your diligence	The obligation remains with the adviser.	Create a client-directed custodian intake with the same evidence requirements. (17 CFR 275.206(4)-2(a)(1))
No re-check after onboarding	Registrations and business models change.	Set a periodic re-certification and trigger-based review.
Evidence scattered across email	Exams reward speed and completeness.	Centralize files per custodian in a system of record (e.g., Daydream) or a controlled repository.

Public enforcement cases

Use these cases as calibration for what the SEC actually charges and what facts they focus on.

• In the Matter of Galois Capital Management LLC (IA-6835): The SEC brought an action involving custody rule issues tied to crypto assets held at FTX Trading Ltd., which was not a qualified custodian; the press release notes a a material amount penalty. (IA-6835)
  Practical lesson: document qualified custodian status for crypto custody arrangements; “platform custody” can create a direct Rule 206(4)-2 exposure.

• SEC Charges Two Advisory Firms for Custody Rule Violations, One for Form ADV Violations, and Six for Both (2022-156): A sweep action that signals the SEC’s willingness to charge custody rule compliance failures where procedures did not match actual practice. (2022-156)

• SEC Charges Five Advisory Firms for Custody Rule Violations (2023-168): Another sweep action reinforcing that custody violations remain exam and enforcement priorities. (2023-168)

Enforcement context and risk implications

Two risk vectors matter operationally:

1. Investor harm risk: custody failures are often coupled with loss scenarios, particularly when assets are held at entities that are not regulated as qualified custodians. (IA-6835)
2. Process risk: even without a loss, the SEC has brought actions in sweeps where firms failed to comply with custody requirements and/or failed to implement written procedures in day-to-day operations. (2023-168) (2022-156)

If your firm touches crypto (directly or through fund investments), assume examiners will ask for your custody analysis and evidence package. The SEC explicitly called out crypto asset custody rule compliance as an exam consideration. (2024-exam-priorities)

Practical execution plan (30/60/90-day)

Use this as an operator checklist; adjust sequencing to your business cycle.

First a defined days (stabilize and stop new exposure)

• Freeze onboarding of any new custodian until a documented qualified custodian determination exists. (17 CFR 275.206(4)-2(a)(1))
• Build the first version of the custody map register (all clients/funds, all custody locations).
• Identify any custody locations that are not clearly banks, broker-dealers, or FCMs and flag for escalation. (17 CFR 275.206(4)-2(a)(1))
• For crypto exposure, compile every wallet/platform/exchange used and route through an immediate qualified custodian analysis. (2024-exam-priorities)

Days 31–60 (institutionalize the workflow)

• Publish a written qualified custodian approval SOP and require it for any account opening. (17 CFR 275.206(4)-2(a)(1))
• Create an approved qualified custodian list, map each client to approved custodians, and document exceptions with remediation owners.
• Centralize evidence files per custodian (repository or Daydream) and require attachments before approval.

Days 61–90 (prove it works; get exam-ready)

• Re-perform determinations for all existing custodians and close evidence gaps.
• Run an internal “mock exam” request: produce the custody map + custodian files on short notice.
• Stand up an ongoing monitoring calendar and trigger events (e.g., service-model change, regulatory status change).

Ongoing

• Periodically re-check qualified custodian status and reconcile the custody map against accounts and statements. (17 CFR 275.206(4)-2(a)(1))

Frequently Asked Questions

Does a client-directed custodian relieve the adviser of responsibility?

No. The rule places the obligation on the adviser to ensure client funds and securities are maintained with a qualified custodian, even if the client prefers a specific institution. (17 CFR 275.206(4)-2(a)(1))

Are insurance companies qualified custodians under the custody rule?

Not under the general qualified custodian categories described in the provided rule excerpt. Treat insurance companies as non-qualified unless counsel provides a specific, documented basis tied to the rule’s definition. (17 CFR 275.206(4)-2(a)(1))

Can we treat a crypto exchange as a qualified custodian if it “offers custody”?

Do not assume that. The SEC’s Galois Capital matter involved crypto assets held at FTX Trading Ltd., which was not a qualified custodian. You need a documented analysis that the entity meets the qualified custodian definition. (IA-6835)

What evidence will an examiner expect for qualified custodian status?

Expect to produce a determination memo plus documentary proof tied to the custodian’s category (bank charter, broker-dealer registration, FCM registration, or foreign financial institution criteria package). (17 CFR 275.206(4)-2(a)(1))

How often should we re-verify that a custodian remains qualified?

The rule requires the assets be maintained with a qualified custodian; operationally, you should re-verify on a periodic schedule and upon trigger events like M&A or service-model changes. Keep the re-verification evidence with the original determination. (17 CFR 275.206(4)-2(a)(1))

What’s the fastest way to become exam-ready on this requirement?

Build a custody map, create a short qualified custodian determination memo for each custodian with supporting evidence, and implement a hard approval gate so new accounts cannot be opened without compliance sign-off. (17 CFR 275.206(4)-2(a)(1))