1. One April 26, 2023, the SEC issued a Risk Alert regarding safeguarding customer records and information at branch (remote) offices. Individuals in branch offices often have access to information technology systems that contain customer records and information. While many advisers have implemented safeguarding policies and procedures at their main office, some firms did not adopt or implement written policies and procedures that address safeguards for their branch offices despite the existence of the same or similar risks. In particular, staff observed the following:
Firms use vendors to provide services such as cybersecurity, technology operations, and business applications. In many instances firms did not appear to reasonably ensure that their branch offices performed proper due diligence and oversight of their vendors as required by the firms’ own policies and procedures. In some of these instances, firms did not provide any guidance or recommendations to assist branch offices in the selection of vendors. This resulted in weak or misconfigured security settings on systems and applications at some firms, which could result in unauthorized access to customer records or information.
Firms often use vendors to provide email services. Staff observed that in many instances, these services are managed from the main office where staff or vendors provide accounts for branches. However, in some instances, firms did not manage email accounts for branch offices. Moreover, some firms lacked policies and procedures addressing branch office email configurations and allowed branch office staff to obtain their own email services from vendors without specifying the technical requirements adequate to secure the branch offices’ email solution. In some instances, weak email configuration resulted in account takeover or business email compromise. In other instances, default email configuration failed to capture all account activity, resulting in the inability to perform adequate incident response.
Staff observed that while firms often maintained data classification written policies and procedures to identify where customer records and information were stored electronically, firms did not always apply these policies and procedures to branch offices. We observed that this lack of data classification policies and procedures resulted in a failure to identify and control customer records and information in some instances.
Staff observed that firms often maintain policies and procedures requiring password complexity and multi-factor authentication for remote access to firm systems. Although some firms required these controls for the main office, they did not require similar controls for branch offices. As a result many branch offices did not apply any such controls and became victims of breaches. In these cases, multi-factor authentication, password complexity requirements, and other controls used at the main office may have prevented the breach.
Staff observed that many firms focus on technology risk by implementing written policies and procedures for inventory management, patch management, and vulnerability management. In some instances, however, though the firms maintained reasonable technology policies and procedures for their main office, they did not apply any such policies and procedures in connection with their branch offices. As a result, multiple branch offices were not up to date with system patching. Some firms were not aware of the systems running on the branch office networks, and some branch offices were running end of life operating systems. As a result, branch office systems were more prone to compromises.
In response to these observations, many of the firms modified their written policies and procedures to mitigate the issues identified by EXAMS staff. Firms should consider their entire organization, including branch offices, when implementing written policies and procedures for the safeguarding of customer records and information to ensure they are compliant with Regulation S-P.
2. On April 26, 2023, the SEC announced that the Division of Investment Management will host virtually an inaugural Conference on Emerging Trends in Asset Management on Friday, May 19, 2023. The conference will bring together a variety of asset management industry participants and academics to discuss emerging trends in asset management. Registration for the event will be open until May 17 and will be replayed on the SEC’s website. To register, see https://surveys.sec.gov/jfe/form/SV_0VrPnSrVPMVGz54
3. On April 24, 2023, the SEC instituted administrative proceedings against Joshua Nicholas, former head trader at Empires Consulting Corp. (dba “EmpiresX”) and a registered representative and investment adviser representative. Nicholas and others fraudulently raised at least $40 million of investor funds in EmpiresX investments by falsely claiming that EmpiresX would earn an expected investment return through a proprietary trading “bot” or by manual trading performed by Nicholas. The bot was fake, Nicholas and others traded only a fraction of the funds they took from investors, and that limited trading failed to earn the purported return. Nicholas and others further lied to investors to provide assurances of the safety of their investment, including by falsely telling investors that EmpiresX had filed SEC registration paperwork. Nicholas and others misappropriated that investor money for personal uses such as cars, real estate, and travel. Nicholas and others sold unregistered securities. Nicholas was barred. https://www.sec.gov/litigation/admin/2023/ia-6291.pdf
4. On April 18, 2023, the SEC entered final consent judgments against Amin Majidi, a portfolio manager for a private fund advised by now-defunct New York-based investment adviser Premium Point Investments LP, and Ashish Dole, a Premium Point trader. Premium Point engaged in a fraudulent valuation scheme that resulted in the inflation of the value of private funds Premium Point advised by hundreds of millions of dollars. The scheme relied on a secret deal where in exchange for sending trades to a broker-dealer, Premium Point received inflated broker quotes for mortgage-backed securities, as well as the use of “imputed” mid-point valuations, which were applied in a manner that further inflated the value of securities. This practice boosted the value of many of Premium Point’s holdings and further exaggerated returns in order to conceal poor fund performance and attract and retain investors. Premium Point and Ahuja from violating the antifraud and other provisions of the federal securities laws and ordering Ahuja to pay a civil penalty of $450,000. https://www.sec.gov/litigation/litreleases/2023/lr25698.htm
5. On April 18, 2023, the SEC charged investment advisory firm Betterment LLC for material misstatements and omissions related to its automated tax loss harvesting service (TLH), failing to provide clients with notice of changes to contracts, and failing to maintain certain required books and records. Betterment misstated or omitted several material facts concerning TLH, a service that scans clients’ accounts for opportunities to reduce their tax burden. Betterment failed to disclose a change in the software related to its scanning frequency, failed to disclose a programming constraint affecting certain clients, and had two computer coding errors that prevented TLH from harvesting losses for some clients. These issues adversely impacted more than 25,000 client accounts, resulting in those clients losing approximately $4 million in potential tax benefits. Betterment agreed to pay a $9 million penalty and to distribute funds to affected clients. https://www.sec.gov/news/press-release/2023-80
6. On April 17, 2023, the SEC charged crypto asset trading platform Bittrex, Inc. and its co-founder and former CEO William Shihara for operating an unregistered national securities exchange, broker, and clearing agency. The SEC also charged Bittrex, Inc.’s foreign affiliate, Bittrex Global GmbH, for failing to register as a national securities exchange in connection with its operation of a single shared order book along with Bittrex. The matter is being litigated. https://www.sec.gov/news/press-release/2023-78
7. On April 17, 2023, the SEC entered final judgments against defendants Jonah Engler and Barbara Desiderio and two other defendants. Engler, Desiderio, Joshua Turney, and Hector Perez conducted a fraudulent, unauthorized trading scheme through hundreds of retail customer accounts at New York broker-dealer Global Arena Capital Corp. Engler, Desiderio, Joshua Turney, and Hector Perez engaged in illicit trading in over 360 retail customer accounts as Global Arena was going out of business, which resulted in over $4 million in net losses for their customers and generated over $2.4 million in unlawful markups, markdowns, and commissions for their firm. Engler with violating the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934, and charged Desiderio with aiding and abetting her co-defendants’ violations. Engler was ordered to disgorge $1,440,683 in ill-gotten gains plus prejudgment interest of $420,561 and to pay a civil penalty of $2,295,977. Desiderio was ordered to pay $391,000 in disgorgement, $114,140 in prejudgment interest, and a civil penalty of $391,000. https://www.sec.gov/litigation/litreleases/2023/lr25693.htm
8. On April 14, 2023, the SEC instituted administrative proceedings against Corvex Management LP, a registered investment adviser, in connection with the firm’s activities related to certain special purpose acquisition companies (“SPACs”). Corvex failed to make timely disclosure of conflicts of interest and failed to adopt and implement reasonably designed written policies and procedures regarding Corvex personnel’s ownership interests in SPAC sponsors and Corvex’s practice of investing client assets in private placement in public equity (“PIPE”) transactions in connection with the business combinations of affiliated SPACs. As a result, Corvex violated Sections 206(2) and 206(4) of the Advisers Act and Rule 206(4)-7 thereunder. Corvex was ordered to pay a civil money penalty in the amount of $1 million. https://www.sec.gov/litigation/admin/2023/ia-6284.pdf
9. On April 11, 2023, the SEC instituted administrative proceedings against Marcus Beam, and investment adviser with Chase Private Equity a/k/a New World Capital. Beam illegally solicited and received funds from individuals in connection with CPE and promised to invest the funds in pre-IPO shares and other securities. Beam instead misappropriated a significant portion of the funds for his own benefit. Beam then concealed the misappropriation by fabricating periodic account statements and other documents falsely showing the funds had been invested as he represented and that investors were earning returns. When investors sought to redeem their investments, Beam failed to return the funds. The matter is being litigated. https://www.sec.gov/litigation/admin/2023/ia-6279.pdf and https://www.justice.gov/usao-ndil/pr/chicago-investment-manager-detained-indonesia-and-returned-chicago-face-federal-fraud
10. On April 4, 2023, the SEC instituted administrative proceedings against Roberto Mejill-Tellado a consultant and financial adviser through his company Premier Investment and Financial Services Group LLC. Roberto acted as an unregistered investment adviser within the meaning of the Advisers Act by, among other things, providing investment advice regarding investments in securities to the City and Mayagüez Economic Development, Inc. (“MEDI”) a Puerto Rico Municipal Enterprise. Roberto has never been registered with the Commission in any capacity. Roberto conspired with others to defraud the Municipality of Mayagüez, Puerto Rico (the “City”) and its municipal enterprise, Mayagüez Economic Development, Inc. (“MEDI”), and to obtain money and property by means of materially false and misleading statements involving the City’s funds. Roberto was a contractor providing financial, including investment advisory, services to the City. Roberto made and caused to be made materially false statements to the City, through electronic messages, asserting that the City’s $9 million in principal was invested at a high rate of return. Roberto caused financial transactions that depleted the City’s funds and converted a portion of the City’s funds to Respondent’s own personal use. Roberto also transferred funds, said funds having been derived from his unlawful activity in connection with the scheme to defraud the City. Roberto was barred. https://www.sec.gov/litigation/admin/2023/ia-6272.pdf
11. On April 3, 2023, the SEC charged New Jersey-based Chatham Asset Management LLC and its founder, Anthony Melchiorre, in connection with improper trading of certain fixed income securities. One Chatham-advised client sold certain American Media, Inc. (AMI) bonds while a different Chatham-advised client purchased the same bonds through various broker-dealers. Chatham engaged in these trades to address portfolio constraints such as industry or issuer fund concentration limits, meet investor redemptions, and allocate capital inflows and outflows. These trades were executed at prices Chatham and Melchiorre proposed and had the effect of increasing the price of the AMI bonds at a significantly higher rate than the prices of similar securities. Chatham’s and Melchiorre’s trading in the AMI bonds accounted for the vast majority of trading in those securities and therefore over time had a material effect on their pricing. Chatham and Melchiorre calculated the net asset values, or NAVs, of their client funds’ holdings using pricing data that was based, in part, on the trading prices of the securities. As a result, during the relevant period, the NAVs of Chatham’s clients were higher than they would have been if the subject trades were removed from the market for the AMI bonds, which, in turn, resulted in higher fees being charged to the clients. Chatham and Melchiorre agreed to pay more than $19.3 million in combined disgorgement, prejudgment interest, and civil penalties to settle the charges. https://www.sec.gov/news/press-release/2023-72
12. On April 3, 2023, the SEC charged Merrill Lynch, Pierce, Fenner & Smith Incorporated for charging advisory clients more than $4 million in undisclosed foreign exchange fees for transfers to or from their accounts. Merrill Lynch offered programs to advisory clients in which the clients paid Merrill a fee in exchange for a range of investment advisory services, including foreign currency exchanges. Merrill Lynch disclosed that it charged a markup or markdown on foreign currency exchanges, but it did not disclose an additional fee it referred to as a production credit, which, in more than 80 percent of the transactions, was equal to or greater than the disclosed markup or markdown. Merrill Lynch paid a percentage of these production credits to its financial advisors and referred to this charge as a commission in internal documents. Merrill Lynch failed to adopt and implement policies and procedures reasonably designed to prevent its disclosures from being misleading about the fees it charged on foreign currency exchanges. Merrill Lynch has agreed to pay disgorgement, prejudgment interest, and a civil penalty totaling more than $9.5 million and has agreed to distribute funds to harmed clients. https://www.sec.gov/news/press-release/2023-73
Q1 2023 was a busy quarter. In case you missed it, here are some noteworthy regulatory matters:
13. On March 27, 2023, the SEC’s Division of Examinations published a Risk Alert discussing the typical focus areas reviewed during examinations of newly-registered advisers and shares staff observations regarding compliance policies and procedures, disclosures, and marketing practices. The full risk alert can be found here: https://www.sec.gov/files/risk-alert-newly-registered-ias-032723.pdf.
- Examination Scope
The Division has prioritized examining newly-registered advisers within a reasonable period of time after the adviser’s SEC registration has become effective.
- General information to provide the staff with an understanding of the adviser’s business and operations, such as: (1) organizational charts; (2) documentation to support eligibility for SEC registration; (3) information about ownership and control of the adviser and its affiliates; (4) information about current and former advisory personnel, such as the reasons for departure for former personnel (if available), and the roles, responsibilities, physical locations for current personnel; (5) financial information, including the balance sheet, trial balance, and income statement; and (6) information about any threatened, pending, or settled litigation or arbitration involving the adviser or any of its supervised persons.
- Demographic and other specific data regarding each advisory client account, including information about: (1) advisory services provided, such as portfolio management, financial planning, and/or bundled wrap fee arrangements; (2) types of client accounts serviced, such as individual, defined benefit retirement plan, registered fund, or private fund; (3) advisory authority to trade in the account, such as whether it has discretionary authority; (4) advisory personnel servicing and overseeing the account; (5) assets under management advised by the firm; (6) third-party service providers, such as custodians, administrators, and auditors; and (7) investment strategies, such as global equity, high-yield, aggressive growth, long-short, or statistical arbitrage. In addition, the staff often requests documents supporting the adviser’s representations, such as copies of select contracts, agreements, or third-party account statements.
- Information regarding the adviser’s compliance program, risk management practices and framework, and internal controls, including written compliance policies and procedures and the adviser’s code of ethics.
- Information to facilitate the staff testing for regulatory compliance in certain areas, including portfolio management and trading activities, such as a record of specific information for all advisory clients’ securities holdings and transactions.
- Communication used by the adviser to inform or solicit new and existing clients, including disclosure documents and advertising, such as pamphlets, social media, mass mailings, websites, and blogs.
- Staff Observations From Recent Newly-Registered Adviser Examinations
The staff’s review of recent newly-registered adviser examinations identified issues in the following three areas, among others: (1) compliance policies and procedures; (2) disclosure documents and filings; and (3) marketing.
- Compliance Policies and Procedures. The staff observed compliance policies and procedures that: (1) did not adequately address certain risk areas applicable to the firm, such as portfolio management and fee billing; (2) omitted procedures to enforce stated policies, such as stating the advisers’ policy is to seek best execution, but not having any procedures to evaluate periodically and systematically the execution quality of the broker-dealers executing their clients’ transactions; and/or (3) were not followed by advisory personnel, typically because the personnel were not aware of the policies or procedures or the policies or procedures were not consistent with their businesses or operations. Additionally, the staff observed advisers’ annual compliance reviews that did not address the adequacy of the advisers’ policies and procedures and the effectiveness of their implementation. For example, the staff observed advisers that:
- Used off-the-shelf compliance manuals that were not tailored for consistency with the advisers’ operations and business lines.
- May not have devoted sufficient resources to comply with regulatory requirements and their own policies and procedures (e.g., advisers may have assigned additional and unrelated responsibilities to the chief compliance officer (“CCO”), resulting in limited time for the CCO to dedicate to compliance), or to ensure compliance personnel understood actual business practices.
- Had undisclosed conflicts of interest created by the multiple roles and responsibilities of advisory personnel carrying out the assigned duties, and these conflicts were not mitigated.
- Outsourced certain business and compliance functions without assessing how these outsourced responsibilities were being performed or whether they were consistent with the advisers’ compliance policies and procedures.
- Did not have adequate business continuity plans, including succession plans.
- Disclosure Documents and Filings. The staff observed required disclosure documents that contained omissions or inaccurate information and untimely filings (i.e., material or annual form updates were not made within prescribed timeframes or at all). The disclosure omissions and inaccuracies were related to advisers’: (1) fees and compensation; (2) business or operations (including affiliates, other relationships, number of clients, and assets under management); (3) services offered to clients, such as disclosure regarding advisers’ investment strategy (including the use of models), aggregate trading, and account reviews; (4) disciplinary information; (5) websites and social media accounts; and (6) conflicts of interest.
- Marketing. The staff observed adviser marketing materials that appeared to contain false or misleading information, including inaccurate information about advisory personnel professional experience or credentials, third-party rankings, and performance. Advisers were also unable to substantiate certain factual claims.
14. On March 15, 2023, the SEC reopened the comment period on proposed rules and amendments related to cybersecurity risk management and cybersecurity-related disclosure for registered investment advisers, registered investment companies, and business development companies that were proposed by the Commission on February 9, 2022. The initial comment period ended on April 11, 2022. Tthe SEC proposed new Rule 206(4)-9 related to cybersecurity risk management for investment advisers as well as amendments to certain rules that govern investment adviser. The proposed rule is intended to address the SEC’s concerns for client and investor protection and transparency of information about cybersecurity incidents and would define a “cybersecurity risk” as the “financial, operational, legal, reputational, and other adverse consequences that could stem from cybersecurity incidents, threats, and vulnerabilities.
The proposed rule would require advisers to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks that could harm advisory clients and investors. The proposed rule also would require advisers to report significant cybersecurity incidents affecting the adviser or private fund clients to the Commission on a new confidential form. To further help protect investors in connection with cybersecurity incidents, the proposal would require advisers and funds to publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years in their SEC Form ADV. Additionally, the proposal would set forth new recordkeeping requirements for advisers and funds that are designed to improve the availability of cybersecurity-related information and help facilitate the Commission’s inspection and enforcement capabilities.
In sum, the proposed rule would require:
- Policies and Procedures – Advisers would be required to adopt and implement written policies and procedures, including specific enumerated elements, reasonably designed to address cybersecurity risks.
- Reporting – Advisers to report certain cybersecurity incidents to the SEC on new Form ADV-C within 48 hours, including on behalf of any registered funds or private funds that experience such incidents; and
- Disclosure – Advisers to disclose cybersecurity risks and incidents in their SEC Form ADV.
In addition, the SEC proposed corresponding amendments to certain recordkeeping rules that would obligate advisers to maintain for five years copies of cybersecurity policies, reports of annual reviews, Form ADV-C filings, incident records, and risk assessments.
15. On February 15, 2023, the SEC proposed sweeping revisions to the rule under the Investment Advisers Act of 1940, as amended (the Advisers Act) that addresses custody of client assets by registered investment advisers. If adopted as proposed, the rule will affect safeguarding of client assets, including digital assets, real estate, loans, and other emerging asset classes as well as physical assets. As proposed, the new rule also would affect the services offered by qualified custodians to advisers.
The proposed amendments to the Custody Rule would expand the scope beyond client funds and securities to include all client assets of which an advisor has custody, as well as include discretionary authority for the advisor to trade client assets in the definition of ‘custody’.
New Rule 223-1 (the Proposed Rule) would amend and redesignate Rule 206(4)-2, the current custody rule. The Proposed Rule would, among other things,
- expand the custody rule to apply to all client assets held in advisory accounts, not just client “funds and securities,” and explicitly include crypto assets (regardless of whether they are funds or securities);
- require advisers with custody of client assets to maintain them with a qualified custodian. To meet the “maintain” standard, the qualified custodian must have “possession or control” of client assets and must participate in any change of beneficial ownership of the client’s assets;
- require advisers to enter into written agreements with qualified custodians and obtain “reasonable assurances” concerning nine enumerated provisions that address safeguarding of client assets, including a requirement that the qualified custodian indemnify the client for losses resulting from the custodian’s own negligence;
- require qualified custodians to maintain client assets in bankruptcy-remote accounts that are clearly identified and segregated from the adviser’s proprietary assets;
- revise the exception for “privately offered securities” and create a new exception from the requirement to maintain certain assets with a qualified custodian, provided that the adviser meets certain conditions; and
- explicitly include in the definition of custody an adviser’s discretionary authority to trade client assets. The Proposed Rule, however, would exempt assets for which an adviser has custody from the surprise audit requirement if the adviser’s sole basis for being deemed to have custody is the adviser’s discretionary authority that is limited to instructing the client’s qualified custodian to transact in assets that settle on a delivery-versus-payment basis.
The Proposed Rule would apply to all registered investment advisers (and advisers required to be registered) under the Advisers Act. Exempt Reporting Advisers (ERAs, both U.S. and non-U.S.) and the accounts of the non-US clients of registered offshore advisers, however, would continue to fall outside of the scope of Advisers Act custody rules. Registered investment companies also would not be required to comply with the Proposed Rule, as they are subject to separate custody requirements under the Investment Company Act of 1940.
Our Compliance Analysis. The Proposed Rule will introduce new challenges to advisers and qualified custodians, especially with respect to custody of digital assets.
Application of the rule: what is custody of client assets? The Proposed Rule generally would preserve the current rule’s definition of “custody.” That is, the Proposed Rule would apply when an adviser “holds, directly or indirectly, client assets, or has any authority to obtain possession of them.” In other words, the Proposed Rule would apply when an adviser has the ability or authority to access, control, or effect a change in beneficial ownership of a client’s assets.
Like the current custody rule, the Proposed Rule would define three categories that serve as examples of custody:
- physical possession of an asset;
- any arrangement (including a general power of attorney or discretionary authority) that authorizes or permits the adviser to instruct the client’s custodian to withdraw client assets; and
- any capacity that gives the adviser or affiliate legal ownership or access to securities (e.g., a general partner of a limited partnership).
The Proposed Rule specifically includes “discretionary authority” within the definition of custody. An adviser would also continue to be deemed to have custody of client assets if it is authorized to withdraw funds from client accounts to pay its advisory fee.
Scope of assets covered. The current rule applies only to “funds and securities” held in a client’s account of which the adviser has custody. The Proposed Rule would expand the definition of assets to all assets within the scope of an adviser’s fiduciary relationship with its client, including:
- crypto assets, commodities, and other real assets;
- assets not typically included on a balance sheet for accounting purposes, such as short positions and written options;2
- derivatives contracts held for investment purposes, such as swaps; and
- physical assets, including artwork, real estate, precious metals, and physical commodities, such as wheat, lumber and whisky.
Definition of a qualified custodian. In a departure from the current rule, institutions may serve as qualified custodians only if they have “possession or control” of client assets pursuant to a written agreement between the qualified custodian and the investment adviser.
Written contract. The Proposed Rule requires a qualified custodian to maintain possession or control of client assets pursuant to a written agreement between the adviser and the qualified custodian. The written agreement must contain at least four enumerated safeguards that the Commission believes are “critical to safeguarding client assets” and that the adviser must “reasonably believe” have been implemented. This requirement generally formalizes requirements under the existing rule, except as noted. Specifically, at a minimum, the written agreement must provide that the qualified custodian:
- promptly, upon request, provide records to the Commission or to an independent auditor conducting an annual audit;
- send an account statement to the client or its representative identifying each client asset held in the account and summarizing all transactions;
- at least annually, provide the adviser with a written internal control report (the current requirement requires an internal control report only when the adviser or its related person acts as the qualified custodian); and
- specify the adviser’s agreed-on authority to effect transactions in the custody account and any relevant limitations (designed to distinguish between broad authority permitted in custody agreements as compared to more limited authority in advisory agreements).
The Proposed Rule would require the adviser to obtain from each qualified custodian “reasonable assurances,” in writing, that the qualified custodian will provide certain client enumerated safeguards. Specifically:
- Standard of Care. The qualified custodian will exercise due care in accordance with reasonable standards in discharging its custodial duties and will implement appropriate measures to safeguard client assets;
- Indemnification. The qualified custodian will indemnify the client (and will have insurance arrangements in place that will adequately protect the client, which may be difficult to obtain for certain asset classes, such as crypto assets) against the risk of loss of the client’s assets maintained with the qualified custodian in the event of the qualified custodian’s negligence, recklessness, or willful misconduct;
- Sub-custody. The existence of any sub-custodial, securities depository or other similar arrangements with regard to client’s assets will not excuse any of the qualified custodian’s obligations to the client;
- Segregation of Client Assets. The qualified custodian will hold client assets in a custodial account, segregated from the qualified custodian’s proprietary assets and liabilities; and
- No Security Interest or Lien. The qualified custodian will not subject client assets to any right, charge, security interest, lien, or claim in favor of the qualified custodian or its related persons or creditors, except as agreed to by the client.
Assets unable to be maintained by a qualified custodian. The Commission acknowledged that some assets – particularly physical assets and certain privately offered securities – may be difficult or impossible to maintain at a qualified custodian. The Proposed Rule provides an exception to the requirement to maintain client assets with a qualified custodian when an adviser has custody of privately offered securities or physical assets, provided that:
- the adviser reasonably determines and documents in writing that ownership cannot be recorded and maintained (book entry, digital, or otherwise) in a manner in which a qualified custodian can maintain possession or control transfers of beneficial ownership of such assets; and
- the adviser reasonably safeguards the assets from loss, theft, misuse, misappropriation, or the adviser’s financial reversals, including the adviser’s insolvency.
In addition, to rely on this exception, the adviser must enter into a written agreement with an independent public accountant and notify that accountant of any purchase, sale or transfer of beneficial ownership of any asset within one business day. The agreement would require the independent public accountant to notify the Commission within one business day of finding any discrepancies. In a departure from the current rule, each privately offered security or physical asset not maintained with a qualified custodian would have to be verified in either a surprise examination or audit.
Possession or control of client assets. In a change from the current rule, a custodian would be permitted to serve as a qualified custodian only if it has “possession or control” of client assets pursuant to a written contract with the adviser. Possession or control of client assets would depend, in part, on whether the qualified custodian is required to participate in a change in the beneficial ownership of a particular asset, and the qualified custodian’s involvement is a condition precedent to the change in beneficial ownership. (In the Release, the Commission acknowledges that other functional regulators have not defined “possession or control” in the custody context in exactly the same manner. The Commission said that, nonetheless, the proposed rule’s definition is designed to be consistent with the rules of other functional regulators that apply to the qualified custodians that they regulate, such as a broker-dealer’s possession and control requirements contained in Rule 15c3-3 under the Securities Exchange Act of 1934.)
The “possession or control” standard could affect broad categories of market participants who facilitate transactions in nontraditional assets—including, for example, floating rate and other loans and certain derivatives—when third parties effect a transfer of ownership or collect interest payments. The Proposed Rule, however, appears to target, among other things, crypto trading platforms that require investors to transfer digital assets and fiat currency to the exchange prior to executing a trade (see “Implications for all digital asset market participants” below). The Commission stated that these arrangements “would generally result in an adviser with custody of a crypto asset security” in violation of the Proposed Rule, because the asset is not maintained by a qualified custodian.
Discretionary authority. The Proposed Rule would explicitly identify an adviser’s discretionary trading authority as an arrangement that would trigger the application of the custody requirements. As such, the adviser would be subject to the requirement that client assets must be verified by an actual examination at least once during each calendar year by an independent public accountant (the so-called “surprise examination” requirement).
The Proposed Rule, however, would exempt advisers from the surprise audit requirement for certain assets under limited circumstances. For example, the exemption would apply when an adviser is deemed to have custody of client assets solely as a consequence of its authority to withdraw funds from client accounts to pay its advisory fee. Also, the exemption would apply when the sole basis for the adviser’s custody is discretionary authority with respect to those assets, and only with respect to “DVP,” or delivery-versus-payment, settled transactions (that is, the adviser’s authority is limited to authorizing a custodian to transfer securities out of a client’s account upon receipt of a corresponding transfer of assets into the account). On the other hand, in the case of assets settled on a basis other than DVP, advisers would be subject to the surprise audit requirements of the Proposed Rule.
Amendment to recordkeeping rule (Advisers Act Rule 204-2). The Proposed Rule would add new recordkeeping requirements, including, among others:
- retaining copies of required client notices;
- creating and retaining records and documenting certain client account information, including copies of all account opening records and whether the adviser has discretionary authority;
- creating and retaining records of certain custodian information, including required qualified custodian agreements and written assurances obtained from the qualified custodian;
- creating and retaining a record that indicates the basis of the adviser’s custody of client assets;
- retaining copies of all account statements;
- retaining copies of any standing letters of authorization; and
- keeping records relating to engagement of independent accountants.
Form ADV amendments. The Proposed Rule updates related recordkeeping requirements for advisers and amends Form ADV with respect to custody-related data available to the Commission, its staff and the public. The proposed new reporting requirements in Item 9 include additional details addressing the basis of custody of client assets, qualified custodians that maintain clients assets, and independent public accountants that have been engaged to provide either surprise examinations or financial statement audits of private funds.
Status of state-chartered trust companies and limited purposes banks. As mentioned above, the Proposed Rule would not change the types of financial institutions eligible to act as qualified custodians—which include “banks” (as defined in Section 202(a)(2) of the Advisers Act). The Proposed Rule, however, would require advisers to contract directly with, and obtain reasonable assurances from, qualified custodians relating to “minimum custodial protections” for client assets.
Implications for all digital asset market participants. The Release extensively discusses crypto assets (also referred to as digital assets), and the potential implications for advisers that transact in crypto assets could be significant.
- Crypto assets are in scope. First, the Release includes a policy statement, echoing public statements made by Chair Gary Gensler, that many (with very few exceptions) crypto assets are securities. The Release states that advisers asserting the Proposed Rule would not apply to crypto assets are incorrect “because most crypto assets are likely to be funds or crypto asset securities covered by the current rule.”
In a footnote, the Release attempts to clarify this point further and suggests that even crypto assets that are not securities would be considered “funds” within the scope of the current rule, but it does not elaborate or analyze why crypto assets would be considered “funds,” as opposed to other types of property. By expanding the scope of regulation to include all assets within the scope of a registered adviser’s fiduciary relationship with its client, the Proposed Rule would remove any doubts that it would apply to crypto assets.
- Possession or control of crypto assets. The Release notes that the requirement for qualified custodians to obtain and maintain “possession or control” of client assets may present unique challenges for crypto assets. The Release acknowledges that while it is possible for a custodian to implement processes that seek to create exclusive possession of control of crypto assets, it may be difficult to actually demonstrate that it has exclusive possession or control due to their specific characteristics (e.g., anyone with possession of the private key can transfer ownership of the asset).
Recognizing the difficulty for a custodian to prove that it has exclusive control over the private keys necessary to control crypto assets, the Release does not view exclusive possession or control as the only way a custodian could demonstrate it meets the definition of the “possession or control.” The definition of “possession or control” in the Proposed Rule provides flexibility by permitting for situations when the custodian is necessary to change the beneficial ownership of the asset, even if it could not affect the change in ownership acting alone. For example, “a qualified custodian would have possession or control of a crypto asset if it generates and maintains private keys for the wallets holding advisory client crypto assets in a manner such that the adviser is unable to change beneficial ownership of the crypto asset without the custodian’s involvement.”5 These arrangements may include multisignature, or “multisig,” technology solutions for crypto asset custody, among others.
The Release does not address how the functional regulators of different types of qualified custodians define possession or control—even when the functional regulator is the Commission, although the Release specifically cites the Special Purpose Broker-Dealer Custody Statement as applicable guidance for broker-dealers that intend to custody crypto asset securities.
- Crypto asset trading platforms. The Release notes that the requirement for a qualified custodian to maintain possession or control of client assets at all times when the investment adviser has custody means that advisers who trade on crypto asset platforms that require prefunding the platform would generally be in violation of both the current custody rule and Proposed Rule if the trading platform does not satisfy the definition of a qualified custodian. Interestingly, the Release notes that while the majority of crypto asset trading occurs on platforms requiring prefunding of trades, some trading of crypto assets occurs on a noncustodial basis through decentralized platforms and Alternative Trading Systems (ATSs).
- Status of crypto as “privately offered” securities. In the context of “privately offered securities” exception, the Release states that, as a result of “transactions and ownership involving crypto asset securities on public, permissionless blockchains [being] generally evidenced through public keys or wallet addresses,” the staff believes “that such crypto asset securities issued on public, permissionless blockchains would not satisfy the conditions of the privately offered securities” because under the Proposed Rule, for a security to be a “privately offered security,” it must be “uncertificated, and the ownership can only be recorded on the non-public books of the issuer or its transfer agent in the name of the client as it appears in the adviser’s required records. (Emphasis added.)7
Compliance transition. The Proposed Rule requires compliance within one year following the rule’s effective date for advisers with more than US$1 billion in regulatory assets under management (RAUM), and 18 months for advisers with less than US$1 billion in RAUM.