NASAA Model Rule on Custody of Client Funds and Securities

The NASAA Model Rule on Custody of Client Funds and Securities requires state-registered investment advisers with “custody” to keep client assets with a qualified custodian, promptly notify clients of the custodian, ensure clients receive at least quarterly statements, and complete an annual surprise exam by an independent public accountant. Build your program around a precise custody determination and tight operational controls. (NASAA Model Rule 102(e)(1)-1)

Key takeaways:

• Start with a custody classification that covers both direct possession and “authority to obtain possession,” including fee deduction authority. (NASAA Model Rule 102(e)(1)-1)
• Operationalize custody through: qualified custodian selection, client notifications, statement delivery verification, and annual surprise exams where required. (NASAA Model Rule 102(e)(1)-1)
• Exams focus on evidence: custodian contracts, notices, statement cadence, and surprise exam engagement/results, plus proof your practices match disclosures. (NASAA Model Rule 102(e)(1)-1)

If you are a state-registered investment adviser, the custody rule is one of the fastest ways to end up in an exam deficiency because it blends legal definitions with day-to-day operations. The NASAA Model Rule is also commonly adopted at the state level, so you must confirm how your specific state implements it and whether there are state-specific variations. (NASAA Model Rule 102(e)(1)-1)

Operationally, “custody” is broader than physically holding checks or securities certificates. It can be triggered by authority, access, or arrangements that allow you to obtain client funds or securities. A frequent example is advisory fee deduction authority from client accounts, which may still be treated as custody depending on the state’s adoption and interpretation. (NASAA Model Rule 102(e)(1)-1)

To implement this quickly, treat custody as a control system with four pillars: (1) keep client assets with a qualified custodian, (2) notify clients about the custodian, (3) make sure clients receive account statements at least quarterly, and (4) complete an annual surprise examination by an independent public accountant when custody applies. Then make evidence retention part of the workflow so you can answer exam requests without reconstructing history. (NASAA Model Rule 102(e)(1)-1)

Regulatory text

Regulatory excerpt (provided): “An investment adviser shall comply with custody requirements for client funds and securities, including maintaining client assets with a qualified custodian and undergoing annual surprise examinations.” (NASAA Model Rule 102(e)(1)-1)

What this means for an operator You must be able to show, in a repeatable way, that client assets are held at a qualified custodian (for example, a bank, broker-dealer, or trust company), that clients are told where their assets are held, that statements are delivered at least quarterly by the custodian, and that an independent public accountant performs an annual surprise examination when your firm has custody. (NASAA Model Rule 102(e)(1)-1)

The practical exam question behind the text is simple: “Do your processes prevent you from misdirecting, withdrawing, or obscuring client assets, and can you prove it with records?” The rule’s mechanism is custody determination plus controls that reduce the opportunity for misuse and increase detectability via custodian reporting and independent verification. (NASAA Model Rule 102(e)(1)-1)

Plain-English interpretation of the requirement

If you can touch client money or securities, or have the authority to get them, you have custody and must put guardrails around how client assets are held and verified. Those guardrails include keeping assets at a qualified custodian, telling clients the custodian’s identity and location promptly, confirming clients receive statements at least quarterly, and (when applicable) paying for an independent accountant to show up unannounced to verify client assets. (NASAA Model Rule 102(e)(1)-1)

Treat this as both a compliance and operations requirement. Your trading, billing, onboarding, and client service teams will each own pieces of the evidence chain. If any team “works around” the process (for example, accepting checks payable to the adviser, redirecting statements, or using shared credentials to a custodian portal), your custody posture can change overnight.

Who it applies to (entity and operational context)

Applies to

• Investment advisers registered or required to be registered under state securities laws that have custody of client funds or securities. (NASAA Model Rule 102(e)(1)-1)

Operational situations that commonly trigger custody

• Physical possession of client cash, checks, or securities.
• Authority to obtain possession, which is broadly defined and can include fee deduction authority depending on state adoption and interpretation. (NASAA Model Rule 102(e)(1)-1)
• Standing instructions, account access, or control arrangements where your firm or supervised persons can move client funds or securities.

What’s “in scope” operationally

• Client onboarding and account opening workflows
• Billing and fee debiting
• Trading and settlement operations
• Client money movement requests (wires, ACH, journals)
• Use of third parties (qualified custodians, accountants) and the contracts that govern them

What you actually need to do (step-by-step)

Step 1: Make a formal custody determination (and keep it current)

1. Inventory all ways your firm or supervised persons can receive, access, or direct client funds/securities (include billing, money movement, and any trustee/POA roles). (NASAA Model Rule 102(e)(1)-1)
2. Map each workflow to a custody posture: “no custody,” “custody via authority,” or “custody via possession.”
3. Document the conclusion, the rationale, and the specific triggers. Update the analysis when business practices change (new custodian, new billing method, new client portal, new affiliate service).

Execution tip: Treat “custody determination” like a control gate in change management. Any new product feature that touches billing or money movement should force a re-evaluation.

Step 2: Confirm assets are maintained with a qualified custodian

1. Identify the qualified custodian(s) holding client assets (bank, broker-dealer, trust company). (NASAA Model Rule 102(e)(1)-1)
2. Review agreements with the custodian and your internal procedures to confirm:
   • Client assets are titled/held at the custodian (not at the adviser).
   • Money movement controls are consistent with your custody posture (who can initiate, who can approve, what authentication is required).
3. Restrict internal access:
   • No shared credentials.
   • Role-based access for operations staff.
   • Clear separation between those who calculate fees and those who can initiate money movement, where feasible.

Step 3: Provide prompt written notice to clients about the custodian

1. Build a standard “custodian notice” template that includes the custodian’s identity and location. (NASAA Model Rule 102(e)(1)-1)
2. Trigger the notice:
   • At account opening.
   • When the custodian changes.
   • When a client account is moved to a different custodian location or platform.
3. Record evidence of delivery (mail log, client portal delivery receipt, signed acknowledgment, or equivalent).

Step 4: Ensure clients receive account statements at least quarterly from the custodian

1. Confirm the custodian’s statement frequency and delivery method for each account (paper vs. electronic). (NASAA Model Rule 102(e)(1)-1)
2. Put a verification control in place:
   • Periodic spot checks of statement availability.
   • Exception handling for returned mail or failed e-delivery.
3. Align your advisory reports with custodian statements:
   • If you provide performance reports, ensure they do not conflict with custodian records.
   • Train client service to direct clients to custodian statements as the official record of holdings.

Step 5: Arrange the annual surprise examination (if custody applies)

1. Engage an independent public accountant to perform an annual surprise exam to verify client assets when required by your custody status. (NASAA Model Rule 102(e)(1)-1)
2. Define the scope clearly:
   • Accounts in scope and out of scope
   • Evidence you will provide (custodian statements, client lists, reconciliation reports)
3. Operationalize readiness:
   • Maintain an always-current client asset listing and custodian account roster.
   • Be able to reconcile advisory billing files to custodian data.

Third-party risk tie-in: The surprise exam is a third party dependency. Treat the accountant as a critical third party: validate independence, define deliverables, and set timelines that align with your compliance calendar.

Required evidence and artifacts to retain

Keep evidence in a format you can produce quickly during an exam.

Core artifacts

• Custody determination memo (dated, approved, and updated as practices change). (NASAA Model Rule 102(e)(1)-1)
• Qualified custodian contracts/agreements and a list of custodians used. (NASAA Model Rule 102(e)(1)-1)
• Client notifications: templates plus proof of delivery for each client (or a defensible delivery log). (NASAA Model Rule 102(e)(1)-1)
• Statement verification records: documentation that clients receive statements at least quarterly from the custodian (spot checks, exception logs). (NASAA Model Rule 102(e)(1)-1)
• Surprise exam package: engagement letter, independence confirmation, exam reports/communications, and your remediation records for any findings. (NASAA Model Rule 102(e)(1)-1)
• Procedures: written supervisory procedures (WSPs) or equivalent operational procedures that match actual practice.

Optional but practical

• Money movement procedure with dual control steps and escalation paths
• Fee calculation worksheets and a tie-out showing billed amounts align to agreed fee schedules

Common exam/audit questions and hangups

• “Explain why you do or do not have custody. Show the analysis.” Expect follow-ups on fee deduction, standing letters of authorization, and any trustee/POA roles. (NASAA Model Rule 102(e)(1)-1)
• “Where are client assets held? Provide custodian details and client notices.” (NASAA Model Rule 102(e)(1)-1)
• “How do you know clients get quarterly statements from the custodian?” “We assume they do” tends to fail. Bring a verification method. (NASAA Model Rule 102(e)(1)-1)
• “If you have custody, show your annual surprise exam engagement and results.” Missing documentation is usually treated as noncompliance. (NASAA Model Rule 102(e)(1)-1)
• “Do your disclosures match operations?” Any mismatch between ADV/brochure language and real workflows becomes a credibility problem fast.

Frequent implementation mistakes (and how to avoid them)

1. Treating custody as a one-time legal conclusion. Fix: add custody review triggers to onboarding, billing changes, new custodians, and new client authorization forms. (NASAA Model Rule 102(e)(1)-1)
2. No proof of “prompt notification.” Fix: automate notice delivery in your CRM/workflow tool and retain delivery evidence. (NASAA Model Rule 102(e)(1)-1)
3. Relying on the custodian without verification. Fix: implement quarterly statement spot checks and track exceptions to closure. (NASAA Model Rule 102(e)(1)-1)
4. Surprise exam readiness is reactive. Fix: maintain an audit-ready asset roster and reconciliation approach so the accountant can test without a scramble. (NASAA Model Rule 102(e)(1)-1)
5. Money movement controls are informal. Fix: document who can initiate requests, how identity is verified, and when second approval is required, then train staff and test adherence.

Enforcement context and risk implications

Custody failures are treated as high-impact because they involve direct client assets: regulators focus on whether your structure prevents misappropriation and whether independent and custodian reporting would detect issues quickly. The operational risk is not limited to fraud; it includes errors, unauthorized withdrawals, misdirected wires, and client harm from confusing or missing statements. Your mitigation strategy should center on reducing discretion, increasing independent visibility through custodians, and maintaining a clean evidentiary record. (NASAA Model Rule 102(e)(1)-1)

A practical 30/60/90-day execution plan

First 30 days: Stabilize and document

• Complete the custody determination and get it approved by compliance leadership. (NASAA Model Rule 102(e)(1)-1)
• Identify all qualified custodians in use and centralize agreements and key contacts.
• Implement (or tighten) client custodian notice workflow and a delivery evidence method. (NASAA Model Rule 102(e)(1)-1)
• Confirm statement delivery settings with custodians and define your verification approach. (NASAA Model Rule 102(e)(1)-1)

Next 60 days: Operationalize controls and evidence

• Publish/update written procedures for custody-related workflows: onboarding, billing, money movement, statement checks, and exception handling. (NASAA Model Rule 102(e)(1)-1)
• Train advisory ops and client service teams on “custody triggers” and escalation.
• Build an evidence repository (shared drive or GRC system) with a consistent naming convention for notices, statement checks, and custodian communications.

Where Daydream fits: If you track third party dependencies and compliance evidence in Daydream, set up a custody control register mapped to your custodians and independent accountant, then attach artifacts (notices, statement checks, exam deliverables) to each control for exam-ready retrieval.

Next 90 days: Validate, test, and close gaps

• Run an internal custody tabletop: simulate an exam request for notices, statement verification, and (if applicable) surprise exam documents.
• Test money movement controls (sample requests, approval evidence, identity verification).
• If custody applies, confirm engagement planning with the independent public accountant and ensure your client asset roster and reconciliation approach are ready. (NASAA Model Rule 102(e)(1)-1)
• Review disclosures to confirm they match actual custody-related operations.

Frequently Asked Questions

Does fee deduction authority automatically mean we have custody?

Custody is broadly defined to include authority to obtain possession of client funds or securities, and the provided summary explicitly includes fee deduction authority as an example. (NASAA Model Rule 102(e)(1)-1) Confirm how your state adopts and interprets the model rule, then document your conclusion and controls.

What counts as a “qualified custodian” under the NASAA model rule?

The model rule framework describes qualified custodians as including a bank, broker-dealer, or trust company. (NASAA Model Rule 102(e)(1)-1) Document which custodian you use and why it qualifies.

How do we prove clients receive quarterly statements from the custodian?

Keep a defined verification process and its outputs, such as periodic spot checks and an exception log for delivery failures. The requirement is that clients receive account statements at least quarterly from the custodian. (NASAA Model Rule 102(e)(1)-1)

If we send our own performance reports, do they replace custodian statements?

No. The model rule framework expects statements from the qualified custodian at least quarterly. (NASAA Model Rule 102(e)(1)-1) If you also send reports, align them to custodian data and train staff to treat custodian statements as the official source of holdings.

What should we have ready for an annual surprise exam?

Maintain a current list of client accounts and assets held at the qualified custodian, plus reconciliations that explain differences between internal records and custodian records. The model rule includes an annual surprise examination by an independent public accountant as a custody control. (NASAA Model Rule 102(e)(1)-1)

We changed custodians. What operational steps are non-negotiable?

Provide prompt written notice to clients with the custodian’s identity and location, confirm statement delivery settings, and update your custody determination and procedures. These steps tie directly to the notification and quarterly statement expectations. (NASAA Model Rule 102(e)(1)-1)