Custody of Funds or Securities of Clients by Investment Advisers
SEC Rule 206-4-2, codified at 17 C.F.R. § 275.206(4)-2 under the Investment Advisers Act of 1940, establishes the comprehensive framework governing the safekeeping of client funds and securities by registered investment advisers that have custody of such assets — requiring that those assets be maintained with qualified custodians, that clients receive account statements directly from those custodians at least quarterly, that advisers having custody undergo annual surprise examinations by independent public accountants, and that advisers acting as their own custodians obtain internal control reports from accountants registered with the Public Company Accounting Oversight Board.
The rule is the foundational investor protection standard for the custody of client assets in the registered investment advisory industry — the regulatory mechanism whose purpose is to ensure that the funds and securities that clients entrust to their investment advisers are physically segregated from the adviser's own assets, maintained by entities with the financial strength and regulatory oversight necessary to safeguard those assets, independently verified at least annually, and continuously monitored through a combination of custodian-generated statements and periodic surprise examinations that make fraudulent misappropriation of client assets significantly more difficult to conceal.
The December 2009 amendments — adopted in the immediate aftermath of the Bernard Madoff scandal, in which billions of dollars of client assets were misappropriated over decades without detection — substantially strengthened the rule's safeguards by eliminating exemptions from the qualified custodian requirement, mandating universal surprise examinations for advisers with custody, and requiring an internal control report from accountants where advisers or their related persons act as their own qualified custodians.
The December 2025 no-action relief confirming that certain state-chartered trust companies qualify as banks for digital asset custody purposes represents the most recent significant regulatory development in the rule's interpretation, reflecting the Commission's ongoing engagement with the emerging digital asset custody landscape and its implications for the Custody Rule's qualified custodian framework.
Overview and Regulatory Purpose
The registered investment adviser's relationship with client assets creates one of the most acute fiduciary conflicts in the financial services industry: the same professional who makes investment decisions on behalf of clients — and who benefits commercially from the management fees those assets generate — may also have the ability to access, transfer, and spend those same assets without immediate detection.
The history of investment adviser fraud is replete with cases in which advisers who had both custody of client assets and unmonitored control over those assets exploited that combination to misappropriate client funds — sometimes for years or decades before discovery, and often causing catastrophic and unrecoverable losses for clients whose savings had been entrusted to the adviser based on a relationship of professional trust.
Rule 206(4)-2 addresses this structural vulnerability through a layered framework of controls whose cumulative effect is to interpose multiple independent parties between the adviser and unfettered access to client assets. By requiring that client assets be maintained by qualified custodians — banks, broker-dealers, and other regulated entities whose own obligations to clients provide an additional protective layer — the rule ensures that the adviser cannot simply transfer or spend client assets at will.
By requiring that clients receive statements directly from the custodian rather than solely from the adviser, the rule creates an independent verification channel that enables clients to monitor whether their assets are accurately reported and safely held. By requiring surprise examinations by independent accountants, the rule creates a periodic, unannounced verification of whether the assets the adviser claims to hold on behalf of clients actually exist and are held in the manner required by the rule.
The Madoff fraud — in which an SEC-registered investment adviser used a fraudulent investment strategy to misappropriate billions of dollars from thousands of clients over more than a decade — exposed the consequences of the pre-2009 Custody Rule's inadequacy in stark and historic terms.
The pre-2009 rule had permitted advisers to avoid surprise examinations if client statements were sent quarterly by the adviser itself rather than by a qualified custodian, creating a surveillance gap that Madoff exploited by serving as his own custodian through an affiliated broker-dealer and sending fabricated account statements that bore no relationship to the actual state of client assets.
The 2009 amendments closed this gap by eliminating the self-reporting exemption and mandating surprise examinations for essentially all advisers with custody.
Statutory Authority and Rulemaking History
Rule 206(4)-2 derives its statutory authority from Section 206(4) of the Investment Advisers Act of 1940, which makes it unlawful for any investment adviser to engage in any act, practice, or course of business that is fraudulent, deceptive, or manipulative, and authorises the Commission to define and prescribe means reasonably designed to prevent such acts, practices, or courses of business.
Section 206(4)'s broad anti-fraud authority is the foundational basis for the rule's characterisation of custody-related violations as fraudulent, deceptive, or manipulative acts, practices, or courses of business — a characterisation that has significant implications for enforcement, since Section 206(4) violations can be pursued without the intent element that some other antifraud standards require.
Rule 206(4)-2 was originally adopted November 9, 1961 — Advisers Act Release No. IA-166 — establishing the initial safekeeping framework. The rule underwent several amendments in the decades following its adoption, most significantly in 2003 — Advisers Act Release No. IA-2176 — when the Commission modernised the qualified custodian framework and introduced the pooled investment vehicle annual audit exception.
The most consequential amendment in the rule's history was adopted December 30, 2009 — Advisers Act Release No. IA-2968, published at 75 FR 1456, January 11, 2010 — directly following the discovery and indictment of Bernard Madoff in December 2008.
The 2009 amendments eliminated the exemption from the qualified custodian requirement that had permitted advisers to maintain client assets in their own or affiliated custody without independent oversight, mandated universal surprise examinations for advisers with custody subject to limited exceptions, required advisers acting as qualified custodians to obtain internal control reports from PCAOB-registered accountants, and strengthened the account statement delivery requirements to ensure that client statements originated from the qualified custodian rather than from the adviser itself.
The Commission proposed comprehensive amendments to Rule 206(4)-2 on August 9, 2023 — Advisers Act Release No. IA-6240 — which would have substantially expanded the rule's scope to address digital asset custody, tightened the qualified custodian definition, and modified several of the rule's existing exceptions. That proposal was withdrawn without adoption under the Atkins Commission, leaving the 2009 framework operative.
The most recent significant interpretive development is the December 2025 no-action relief from the Division of Investment Management confirming that certain state-chartered trust companies qualify as banks under Rule 206(4)-2 for digital asset custody purposes — a development that provides the registered investment adviser industry with additional qualified custodian options for digital asset portfolios under the rule's existing framework. No changes have been made to Rule 206(4)-2's operative provisions up to the present time.
Key Provisions and Operative Requirements
Rule 206(4)-2(a) establishes that it is a fraudulent, deceptive, or manipulative act, practice, or course of business for a registered investment adviser to have custody of client funds or securities unless the adviser satisfies the rule's four specified conditions.
The first condition — the qualified custodian requirement — provides that a qualified custodian must maintain those funds and securities in a separate account for each client under that client's name, or in accounts that contain only the funds and securities of the adviser's clients under the adviser's name as agent or trustee for clients.
The qualified custodian definition encompasses four categories of institution: banks as defined in Section 202(a)(2) of the Advisers Act, including federally chartered banks and state-chartered banks supervised by a federal banking regulator; registered broker-dealers subject to Rule 15c3-3 under the Exchange Act, the customer protection rule that requires broker-dealers to maintain customer assets in a specific reserve account; futures commission merchants registered under the Commodity Exchange Act with respect to the futures and options on futures managed for clients; and foreign financial institutions that customarily hold financial assets for their customers, provided they are regulated as such by a foreign financial regulatory authority under a system of laws comparable to the regulatory framework applicable to domestic qualified custodians.
The December 2025 no-action relief's confirmation that certain state-chartered trust companies qualify as banks under Rule 206(4)-2 is significant for the digital asset custody landscape because state-chartered trust companies have emerged as primary custodians for digital assets in jurisdictions such as Wyoming, South Dakota, and New York — states that have enacted specific trust company licensing frameworks for digital asset custody.
The Division's confirmation that these entities can serve as qualified custodians for digital asset holdings under Rule 206(4)-2 provides advisers managing digital asset portfolios with an additional set of regulated institutions through which to satisfy the qualified custodian requirement, extending the rule's protective framework to a new and rapidly growing asset class.
The second condition — account statement delivery — requires the adviser to have a reasonable basis, after due inquiry, for believing that the qualified custodian maintaining client funds and securities sends account statements at least quarterly to each client for whom it maintains funds or securities, identifying the amount of funds and of each security in the account at the end of the period and setting forth all transactions in the account during that period.
The after due inquiry standard requires active verification — the adviser cannot simply assume that the custodian is sending statements but must take reasonable steps to confirm that clients are actually receiving the custodian-generated statements that the rule requires.
If the adviser also sends account statements to clients, the adviser must include a legend in those statements urging clients to compare the account statements received from the custodian with those from the adviser — an investor protection measure designed to alert clients to the existence of independent custodian statements and to encourage them to use those statements as a verification tool.
The third condition — notice to clients — requires the adviser to promptly notify clients of the name, address, and the manner in which the funds or securities are maintained, when opening an account with a qualified custodian on behalf of the client and following any changes in that information.
This notification requirement ensures that clients know where their assets are held and are in a position to independently verify their account status with the custodian, exercise their direct rights against the custodian as the account holder, and monitor whether the qualified custodian information reported by the adviser is accurate and current.
The fourth condition — the annual surprise examination — is the rule's most commercially distinctive and operationally burdensome requirement. An adviser having custody of client funds or securities must engage an independent public accountant to conduct a surprise examination of those funds and securities at least annually, with the timing of the examination unannounced in advance to the adviser.
The accountant must file a certificate on Form ADV-E with the Commission within 120 days of the time chosen by the accountant to conduct the examination, stating that it has examined the funds and securities and describing the nature and extent of the examination.
Critically, upon discovering any material discrepancy during the examination, the accountant must notify the Commission within one business day of the finding by means of facsimile transmission or electronic mail, followed by first-class mail — a near-immediate notification requirement that enables the Commission's examination programme to respond rapidly to signals that client assets may be at risk.
Where the adviser or a related person maintains client funds or securities in its own capacity as a qualified custodian — making the adviser itself the custodian of client assets rather than relying on an independent third-party custodian — the adviser must obtain from an independent public accountant registered with the PCAOB an internal control report meeting the requirements of the rule.
The internal control report requirement addresses the specific additional risk that arises when the entity maintaining client assets is the same entity managing those assets — the adviser as custodian has a structurally greater ability to misappropriate client assets without detection than an independent custodian, making an internal control assessment of the custody infrastructure an important additional safeguard.
Scope of Application and the Custody Definition
Rule 206(4)-2 defines custody broadly to capture the full range of arrangements through which an investment adviser may have sufficient access to or control over client assets to misappropriate them — extending the rule's safeguards beyond the straightforward case of an adviser physically holding client securities or funds to encompass constructive custody arising through legal authority or relationship.
An investment adviser has custody under Rule 206(4)-2(d)(2) when it holds, directly or indirectly, client funds or securities; has authority to obtain possession of them; or has the ability to appropriate them — including where the adviser serves as a general partner, managing member, or comparable position for a limited partnership, LLC, or other pooled investment vehicle, since that position gives the adviser practical authority over the vehicle's assets.
The rule confirms that an adviser has custody when it directly holds client funds or securities, when it has authority to withdraw client assets from a custodian account upon its own instruction to the custodian, or when it receives client funds or securities — even inadvertently — and must return them to the client or a qualified custodian within three business days.
The three-business-day return requirement for inadvertently received assets reflects the Commission's recognition that certain client assets — certificates, physical securities, distributions, and similar instruments — may reach the adviser in the ordinary course of the advisory relationship without the adviser intending to take custody, and that prompt return of those assets within the rule's safe harbour period prevents the inadvertent receipt from triggering the full custody rule compliance infrastructure.
Exceptions and Alternative Compliance Pathways
Rule 206(4)-2(b) establishes four exceptions from the rule's general requirements, each calibrated to a specific category of custody situation that presents a different risk profile from the standard case of an adviser maintaining discretionary control over individually managed client accounts.
The registered investment company exception confirms that the rule does not apply with respect to registered investment company client accounts — open-end mutual funds, ETFs, closed-end funds, and other Investment Company Act-registered vehicles — whose custody is governed by the specialised framework of Section 17(f) of the Investment Company Act and the rules thereunder, particularly the custody rules applicable to registered investment companies' assets and the Rule 17f-2 safekeeping requirements applicable to registered funds' own securities.
The pooled investment vehicle annual audit exception — Rule 206(4)-2(b)(4) — is the most commercially significant exception, providing that an adviser need not comply with the account statement delivery requirements and is deemed to comply with the surprise examination requirement with respect to any limited partnership, LLC, or other pooled investment vehicle that it advises, provided the vehicle is subject to an annual audit satisfying the Regulation S-X definition, the audited financial statements are prepared in accordance with generally accepted accounting principles, audited financial statements are distributed to all limited partners, members, or other beneficial owners within 120 days of the end of the fiscal year, and the audit is performed by an independent public accountant registered with the PCAOB.
This exception is relied upon by the substantial majority of private fund advisers — hedge fund managers, private equity managers, and venture capital managers — for whom maintaining separate qualified custodians and conducting individual client surprise examinations for each limited partner account would be operationally impossible given the pooled ownership structure of the funds they manage.
For these advisers, the annual PCAOB-audited financial statements distributed to investors serve as the functional equivalent of the surprise examination and account statement requirements, providing investors with independent verification of the fund's assets and financial condition at least once annually.
The fee deduction exception provides that an adviser need not comply with the surprise examination requirement solely because it has the authority to deduct advisory fees from client accounts maintained with a qualified custodian — recognising that fee deduction authority, standing alone, does not provide the adviser with the ability to misappropriate client assets in the manner that full custody contemplates.
This exception applies only where the qualified custodian provides account statements directly to clients, preserving the independent monitoring channel even where the surprise examination requirement is relieved.
The operationally independent related person exception provides that an adviser need not comply with the surprise examination requirement when custody arises solely because a related person maintains client assets or has authority to obtain possession of them, provided the related person is operationally independent of the adviser — meaning that the personnel of the related person who maintain client assets operate under policies and procedures that are independent of the adviser's advisory functions.
Relationship to Related Rules and Regulations
Rule 206(4)-2's qualified custodian requirement connects directly to the registered investment company custody framework under the Investment Company Act's Section 17(f), particularly the requirements applicable to ETF and mutual fund custody administered through qualified custodians — creating a parallel but distinct regulatory framework in which the same financial institutions that serve as qualified custodians under Rule 206(4)-2 for separately managed account assets simultaneously serve as custodians under the Investment Company Act's framework for registered fund assets.
Understanding the relationship between these two frameworks — and the points at which they diverge, particularly regarding the role of broker-dealer custodians — is essential for advisers managing both separately managed account and registered fund client assets.
Rule 206(4)-2's surprise examination requirement and the independent accountant's obligation to notify the Commission within one business day of discovering any material discrepancy creates an enforcement referral mechanism that directly supplements the Commission's own examination programme.
This one-business-day notification requirement is one of the most rapid investor protection reporting obligations in the federal securities regulatory framework, reflecting the Commission's determination that potential misappropriation of client assets is sufficiently urgent that the Commission must be able to act immediately upon receiving warning signals rather than waiting for the next scheduled examination cycle.
Rule 204-2's recordkeeping framework — which requires registered investment advisers to maintain books and records of all transactions in client accounts, all communications relating to client accounts, and all other records relevant to the adviser's compliance with applicable securities laws — intersects with Rule 206(4)-2's requirements through the adviser's obligation to maintain records demonstrating compliance with the qualified custodian requirement, the account statement delivery and comparison procedures, and the surprise examination process.
The combination of Rule 204-2's recordkeeping standards and Rule 206(4)-2's substantive custody requirements creates a comprehensive documentation framework that enables the Commission's examination programme to assess both the existence of required custody compliance procedures and the quality of their implementation.
Rule 38a-1's compliance programme framework under the Investment Company Act — the companion compliance rule for registered investment companies that this dictionary has previously addressed — creates parallel governance obligations for the registered fund context where a registered fund's investment adviser is subject to both Rule 206(4)-7's Investment Advisers Act compliance programme requirements and Rule 38a-1's Investment Company Act compliance programme requirements simultaneously.
The adviser's compliance with Rule 206(4)-2 for its separately managed account clients must be addressed in the Rule 206(4)-7 compliance programme, while its compliance with the Investment Company Act's custody framework for registered fund clients must be addressed in the Rule 38a-1 compliance programme.
The Marketing Rule — Rule 206(4)-1 — intersects with Rule 206(4)-2 in the context of advisers managing private funds that use the pooled investment vehicle annual audit exception: the same PCAOB-audited financial statements that satisfy Rule 206(4)-2's audit exception must be prepared with sufficient accuracy and completeness to satisfy both the custody compliance function and the performance records substantiation requirements that Rule 204-2(a)(10) and Rule 206(4)-1's performance advertising provisions impose.
Amendment History and Regulatory Evolution
Rule 206(4)-2's most consequential amendment — the 2009 overhaul — was adopted in direct response to the largest investment adviser fraud in the history of the federal securities regulatory framework, and its substantive provisions have remained operative without change since that time.
The Commission's most significant post-2009 regulatory action affecting the rule was the August 2023 proposed amendments — which would have substantially expanded the qualified custodian definition, modified the surprise examination and audit exception frameworks, and addressed the novel custody issues presented by digital assets and other alternative assets — but that proposal was withdrawn under the Atkins Commission, leaving the 2009 framework as the operative standard.
The December 2025 no-action relief addressing state-chartered trust companies as qualified custodians for digital asset custody purposes represents the most recent substantive regulatory development within the existing framework, reflecting the Commission's recognition that the digital asset custody landscape has evolved significantly since the 2009 amendments and that the framework's application to digital assets requires interpretive guidance even in the absence of formal rule amendments.
This no-action relief — and the broader regulatory engagement with digital asset custody questions that prompted it — signals the Commission's awareness that the rule's current framework requires progressive interpretive development to remain effective as investment advisers increasingly manage portfolios that include digital assets alongside traditional securities.
Enforcement Context and SEC Action Patterns
Rule 206(4)-2 enforcement has concentrated on two dominant categories. The first — and the category of greatest historical investor harm — involves advisers who misappropriated client assets under cover of false statements and inadequate custody controls.
The Madoff case is the archetype, but subsequent enforcement actions have addressed numerous additional cases in which registered advisers used custody arrangements — including self-custody and affiliated custodians — to conceal the misappropriation of client funds over extended periods.
The second category — far more prevalent in volume — involves technical violations of the rule's operational requirements without underlying misappropriation: failure to conduct required surprise examinations, failure to have the qualified custodian send account statements directly to clients, failure to send required notices to clients about custodian identity and account location, and failure to obtain required internal control reports where the adviser or a related person serves as custodian.
These operational violations are significant not because they directly harm clients but because they undermine the monitoring and detection infrastructure that protects clients against the more serious category of misappropriation-based harm.
The Commission's Off-Channel Communications enforcement programme — which this dictionary has previously addressed in connection with Rule 204-2 — intersects with Rule 206(4)-2 enforcement in cases where the communications through which advisers directed custodians to transfer client assets were not preserved in accordance with Rule 204-2's recordkeeping requirements, making it impossible to reconstruct the authorisation trail for potentially suspicious asset transfers and thereby impairing the Commission's ability to determine whether custody-related fraud had occurred.
Examination Relevance and Key Takeaways
Rule 206(4)-2 is examined at the Series 65 and Series 66 levels as the foundational custody standard for registered investment advisers.
The definition of custody — encompassing physical possession, legal authority to withdraw, and control through general partner or managing member status in pooled vehicles — is the primary conceptual examination content, since the definition's breadth means that many advisers have custody without having physically held client assets.
The four conditions for advisers having custody — qualified custodian maintenance, account statement delivery by the custodian, client notification, and annual surprise examination — are consistently examined as the operative compliance requirements.
The pooled investment vehicle annual audit exception — excusing compliance with account statement delivery and surprise examination requirements where the fund is annually audited by a PCAOB-registered accountant and distributes audited financial statements to investors within 120 days of fiscal year-end — is examined as the primary alternative compliance pathway applicable to private fund advisers.
The key points to retain are these. Rule 206(4)-2 requires that any registered investment adviser having custody of client funds or securities maintain those assets with a qualified custodian — bank, registered broker-dealer, futures commission merchant, or qualifying foreign financial institution — in accounts under the client's name or under the adviser's name as agent.
The adviser must have a reasonable basis, after due inquiry, for believing the custodian sends account statements directly to clients at least quarterly. Advisers must provide clients with notice of the qualified custodian's identity and location.
An independent public accountant must conduct an annual surprise examination with Form ADV-E filed within 120 days and one-business-day Commission notification of any material discrepancy. Advisers acting as their own qualified custodians must obtain PCAOB-accountant internal control reports.
The pooled investment vehicle annual audit exception relieves private fund advisers from account statement delivery and surprise examination requirements where annual PCAOB-audited financial statements are distributed to investors within 120 days of fiscal year-end.
December 2025 no-action relief confirmed certain state-chartered trust companies qualify as banks for digital asset custody purposes. Rule 206(4)-2 was last amended December 30, 2009; the proposed 2023 comprehensive amendments were withdrawn without adoption. No changes have been made to the rule's operative provisions up to the present time.
