Custody: Comprehensive Compliance (SEC 206(4)-2)
To meet the custody requirement of SEC Rule 206(4)-2, you must first determine whether your adviser has “custody,” then ensure client assets are held with a qualified custodian, deliver required client notices, confirm custodial statements go directly to clients, and complete either an annual surprise exam or timely audited financials for pooled vehicles. (17 CFR 275.206(4)-2)
Key takeaways:
- Start with a written custody determination per client, account, and fund; most downstream obligations depend on it.
- Build two compliance tracks: (1) qualified custodian + notices + statement oversight, and (2) surprise exam or pooled vehicle audit delivery.
- Expect SEC exams to test Form ADV custody accuracy and audit/surprise exam execution based on stated priorities. (2024-exam-priorities)
Custody compliance fails in predictable ways: the firm underestimates what creates “custody,” misses a surprise examination cycle, delivers private fund audited financials late, or cannot prove that clients received custodian notices and statements. SEC exam staff repeatedly focuses on these basics, including accurate reporting and the timeliness of private fund audits and distribution of audited financial statements. (2024-exam-priorities)
This page is requirement-level implementation guidance for a CCO, Compliance Officer, or GRC lead who needs to operationalize Rule 206(4)-2 quickly and defensibly. The operating goal is simple: if you have custody, client assets must sit with a qualified custodian, clients must be informed, the custodian must send statements to clients, and an independent verification mechanism must run on schedule (surprise exam or pooled vehicle audit delivery). (17 CFR 275.206(4)-2)
Use this as a build sheet for policies, calendars, third-party oversight (custodians and auditors), evidence retention, and exam readiness. Where enforcement context matters, this page points to recent administrative orders and SEC sweep releases to show how technical “process” gaps turn into findings and penalties. (2022-156) (2023-168)
Plain-English interpretation (what the rule requires)
If your SEC-registered investment adviser has custody of client funds or securities, you must:
- keep those assets with a qualified custodian;
- notify clients about the custodian and your custody;
- have a reasonable belief the qualified custodian sends account statements to clients; and
- complete an independent verification step: an annual surprise exam by an independent public accountant, or for pooled investment vehicles, distribute audited financial statements to investors. (17 CFR 275.206(4)-2)
Two practical implications drive your operating model:
- You cannot “paper over” custody with disclosures. The rule is operational: where assets sit, who controls movement, and what independent checks occur. (17 CFR 275.206(4)-2)
- Your compliance evidence must match your Form ADV custody answers and the actual custody mechanics in client agreements, fund documents, and custodian/auditor contracts. Sweep actions highlight custody rule and Form ADV failures charged together. (2022-156) (2023-168)
Who it applies to (entity + operational context)
In scope
- SEC-registered investment advisers (and those required to be registered) that have custody of client funds or securities. (17 CFR 275.206(4)-2)
Common operational situations that trigger custody workstreams
- You can move client money or securities (for example, debit authority or similar authority arrangements).
- You serve as trustee or in another role that gives you possession or control of client assets.
- You advise pooled investment vehicles (private funds) where the audit distribution pathway can substitute for delivering custodian statements to each investor, but only if executed correctly and on time. (17 CFR 275.206(4)-2)
Special focus areas the SEC has called out
- Private fund advisers: exam staff focuses on accurate reporting, timely completion of private fund audits by a qualified auditor, and distribution of audited financial statements. (2024-exam-priorities)
- Crypto assets that are funds or securities: exam staff will consider whether advisers comply with the custody rule for those assets. (2024-exam-priorities)
Regulatory text
Rule 206(4)-2 requires registered investment advisers with custody of client funds or securities to: (1) maintain those assets with a qualified custodian; (2) provide notice to clients about the custodian and the adviser’s custody; (3) have a reasonable belief that the qualified custodian sends account statements to clients; and (4) be subject to an annual surprise examination by an independent public accountant or, for advisers to pooled investment vehicles, distribute audited financial statements to investors. (17 CFR 275.206(4)-2)
Operator translation (what you must implement)
- A custody determination process that is repeatable and documented.
- A qualified custodian selection and oversight process (including for harder-to-custody assets).
- A client communication workflow (initial notice + updates).
- A statement oversight control that you can evidence.
- An audit/surprise exam program run by an independent public accountant, with contracts, timing discipline, and delivery evidence. (17 CFR 275.206(4)-2)
What you actually need to do (step-by-step)
Step 1: Run a custody determination and document it
- Inventory all account types and asset types you touch: separately managed accounts, advisory-only accounts, private funds, and any side vehicles.
- For each, document whether you have custody and why (possession/control, authority to withdraw, trustee role, pooled vehicle structure).
- Map each custody determination to your Form ADV custody reporting fields and owners for updates. Sweep actions show the SEC charges Form ADV issues alongside custody failures. (2022-156) (2023-168)
Deliverable: a written “custody analysis” memo per business line or per client/fund, with a control owner and a refresh trigger (new custodian, new authority language, new fund launch).
Step 2: Confirm qualified custodian status and contractual setup
- Identify the qualified custodian(s) holding client assets and collect custody agreements.
- Validate account titling/segregation is consistent with client ownership and advisory authority.
- For non-traditional assets (including crypto assets that are securities), document how custody is maintained with a qualified custodian or why the asset is outside the scope of custody rule treatment. The SEC has explicitly stated it will look at custody rule compliance for crypto assets it believes are funds or securities. (2024-exam-priorities)
Deliverable: qualified custodian due diligence file and an account listing tied to each custodian relationship.
Step 3: Implement client notice and statement oversight controls
- Prepare the required client notice content: identify the custodian and describe your custody status/arrangement.
- Send the notice at onboarding and resend when the custodian changes or custody status changes.
- Establish a “reasonable belief” control that the custodian sends account statements to clients (examples: sample client statement confirmations, client attestations, or periodic checks with the custodian and documented results). (17 CFR 275.206(4)-2)
Deliverable: notice templates, distribution logs, and a statement oversight checklist with sampling notes.
Step 4: Choose the correct independent verification path (and run it on a calendar)
Create a decision point for each custody scenario:
| Scenario | Verification requirement | What “done” looks like |
|---|---|---|
| Adviser has custody of client assets (non-pooled context) | Annual surprise exam by an independent public accountant | Engagement letter + exam completion evidence retained (17 CFR 275.206(4)-2) |
| Adviser to pooled investment vehicle | Distribute audited financial statements to investors | Audit completed by qualified auditor + distribution evidence retained (17 CFR 275.206(4)-2) |
Execution controls
- Maintain a compliance calendar for surprise examinations and pooled vehicle audit delivery. Enforcement actions repeatedly cite failures to complete surprise exams or deliver audited financials timely. (IA-6688) (IA-6438) (IA-6676) (IA-6663)
- Engage the independent public accountant early enough that scheduling does not become the reason you miss a cycle; multi-year failures have resulted in enforcement. (IA-6688)
Step 5: Align policies, procedures, and Form ADV updates
- Update your written compliance policies and procedures to match your custody operating model: custody determinations, custodian onboarding/monitoring, notices, statement oversight, surprise exam/audit workflow, and exception handling. (17 CFR 275.206(4)-2)
- Reconcile custody-related disclosures in Form ADV to your evidence set and your actual operations. Sweep actions show the SEC brings Form ADV violations with custody rule cases. (2022-156) (2023-168)
Deliverable: custody policy section, procedure runbooks, and an ADV tie-out worksheet.
Required evidence and artifacts to retain (exam-ready checklist)
Maintain these artifacts in a single “Custody Rule” exam folder with clear naming:
Custody determination
- Custody analysis memo(s) and update history
- Client/fund agreements showing authority language and roles (for example, trustee roles)
- Inventory of accounts/assets in scope
Qualified custodian
- Custodian agreements and account lists by custodian
- Due diligence file supporting qualified custodian status
- Controls proving segregation/titling review occurred
Client notice + statements
- Notice templates and proof of delivery (email logs, mail records, portal posting logs)
- Evidence supporting “reasonable belief” that custodial statements go to clients (sampling results, confirmations, or custodian attestations)
- Samples of custodian statements showing the custodian identity
Surprise exam / pooled vehicle audit track
- Engagement letters with the independent public accountant
- Surprise exam completion evidence and correspondence
- Audited financial statements for each pooled vehicle
- Distribution proof to investors (date-stamped email, portal records, mailing lists)
Reporting
- Form ADV custody disclosures and amendment history tied to custody analysis (2022-156) (2023-168)
Common exam/audit questions and hangups (what exam staff will press on)
Expect requests and follow-ups in these areas:
- “Show me your custody determination.” If you cannot explain why you do or do not have custody for each product, you will spend the exam backfilling analysis.
- “Which qualified custodians hold which assets?” Examiners will ask for custodian agreements and an account list. (17 CFR 275.206(4)-2)
- “How do you know clients receive statements from the custodian?” “Reasonable belief” must be more than informal comfort. (17 CFR 275.206(4)-2)
- “Where is your surprise exam report or proof it occurred?” Long gaps have driven enforcement actions. (IA-6688) (IA-6491)
- Private fund focus: “When were audited financials distributed?” The SEC exam priorities explicitly call out timely completion and distribution. (2024-exam-priorities)
Frequent implementation mistakes (and how to avoid them)
Mistake 1: Treating custody as a one-time legal conclusion
Fix: re-run custody analysis on triggers: new custodian, new withdrawal authority, new trustee role, new fund, new asset type.
Mistake 2: Missing the surprise exam/audit delivery calendar
Failures to obtain surprise exams or distribute audited financials have led to enforcement actions. (IA-6688) (IA-6438) (IA-6676) (IA-6663)
Fix: put deadlines on a firm-wide compliance calendar with a named owner, backups, and escalation rules.
Mistake 3: Weak proof of investor distribution for pooled vehicles
Enforcement orders cite failures involving delivery of audited financial statements. (IA-6438) (IA-6676) (IA-6663)
Fix: require distribution evidence at the time of sending (portal export, email confirmation, mailing vendor report). Do not rely on “we posted it somewhere” without logs.
Mistake 4: Form ADV custody answers drift from reality
SEC sweep releases show custody rule violations often pair with Form ADV issues. (2022-156) (2023-168)
Fix: implement an ADV tie-out control: custody analysis → ADV items → evidence folder → sign-off.
Public enforcement cases
Recent public actions show the SEC will bring cases for process failures (not only misappropriation), with penalties across multiple advisers and fact patterns:
- In the Matter of FPA Real Estate Advisers Group, LLC (IA-6663) — custody-related failures tied to pooled vehicles and audited financial statement delivery. (IA-6663)
- In the Matter of Arcis Capital Investment Advisors LLC (IA-6676) — custody rule violations involving pooled vehicles and audited financial statements. (IA-6676)
- In the Matter of Forepont Capital LLC (IA-6438) — custody rule violations tied to failure to deliver audited financials for funds. (IA-6438)
- In the Matter of Eagan Capital Management, LLC (IA-6491) — custody-related failures including surprise examination issues for private real estate funds. (IA-6491)
- In the Matter of Farnham Fisher Collins d/b/a Collins Capital Management (IA-6688) — extended failure to obtain surprise examinations cited in the order. (IA-6688)
- SEC sweep announcements: Custody Rule and Form ADV cases announced across multiple firms in September 2022 and September 2023. (2022-156) (2023-168)
Risk implication for operators: custody findings can escalate from exam deficiencies to enforcement when failures are repeated, prolonged, or combined with inaccurate disclosures. The sweep pattern shows the SEC can pursue multiple firms on similar control breakdowns. (2022-156) (2023-168)
Practical 30/60/90-day execution plan
First 30 days (stabilize and define scope)
- Complete inventory of all client account types, pooled vehicles, and asset types; identify where custody could exist.
- Draft and approve custody determination memo(s); identify owners for each custody pathway.
- Centralize custodian agreements, account lists, and existing audit/surprise exam artifacts.
- Stand up a custody compliance calendar (surprise exam and audited financial statement distribution tracking). (17 CFR 275.206(4)-2)
Days 31–60 (implement controls and evidence)
- Implement qualified custodian due diligence checklist and re-paper any unclear custody arrangements.
- Finalize client notice templates and a delivery log process.
- Implement “reasonable belief” statement oversight control with documented testing steps. (17 CFR 275.206(4)-2)
- Engage or reconfirm independent public accountant coverage for the correct pathway (surprise exam or fund audit). (17 CFR 275.206(4)-2)
Days 61–90 (lock exam readiness and reporting alignment)
- Run a mock exam request: produce the full custody evidence package within a short internal deadline.
- Tie Form ADV custody reporting to custody determinations and evidence; remediate mismatches and document sign-off. (2022-156) (2023-168)
- For private funds, test audited financial statement distribution evidence collection end-to-end and fix gaps before the next cycle. (2024-exam-priorities)
Where Daydream fits naturally
If you struggle with repeatable evidence and deadline discipline, Daydream can function as the system of record for custody determinations, third-party (custodian and auditor) document collection, and an exam-ready calendar that ties tasks to artifacts and Form ADV support. Use it to prevent “we did it, but can’t prove it” failures.
Frequently Asked Questions
How do I know if we have “custody” if we never physically hold client assets?
Custody can exist through authority or control, not only physical possession. Treat this as a documented analysis per client, account type, and pooled vehicle, then tie the conclusion to your controls and Form ADV reporting. (17 CFR 275.206(4)-2)
Do we always need a surprise examination if we have custody?
The rule requires a surprise examination by an independent public accountant unless you are in a pooled investment vehicle pathway where distributing audited financial statements to investors satisfies the independent verification requirement. Confirm which pathway applies per product and document it. (17 CFR 275.206(4)-2)
What evidence satisfies “reasonable belief” that the custodian sends statements to clients?
Keep written procedures plus periodic documented checks, such as sampling client statements or obtaining confirmations/attestations through the custodian relationship. The key is a repeatable control you can show an examiner. (17 CFR 275.206(4)-2)
Our private fund audit is done, but investors access financials through a portal. What should we retain?
Retain the audited financial statements and portal distribution logs that show who had access and when the statements were made available. If you cannot produce time-stamped distribution evidence, fix that workflow before the next delivery cycle. (17 CFR 275.206(4)-2)
Why does Form ADV accuracy keep coming up in custody rule enforcement?
SEC sweep releases reflect cases where custody rule failures were charged alongside Form ADV violations. Build an ADV tie-out control that reconciles custody determinations, operational reality, and filed disclosures. (2022-156) (2023-168)
Does the custody rule apply to crypto assets?
SEC exam priorities state that for crypto assets the SEC believes are funds or securities, exam staff will consider whether advisers are complying with the Custody Rule for those assets. Document your asset classification rationale and custody approach. (2024-exam-priorities)