RIA Compliance Blog
Investment advisers’ use of clients’ usernames and passwords to access their clients’ accounts to observe the accounts’ performance has come under scrutiny in recent years. In February 2017, the SEC Office of Compliance Inspections and Examinations (“OCIE”) disclosed in a Risk Alert that investment advisers’ use of client usernames and passwords can create compliance issues with the Custody Rule. According to OCIE, an investment adviser’s “online access to client accounts may meet the definition of custody when such access provides the adviser with the ability to withdraw funds and securities from the client accounts.” Accessing a client’s account using a client’s username and password often results in an investment adviser being able to withdraw funds and securities.
The North American Securities Administrators Association (“NASAA”) has also observed in recent years that if an investment adviser logs into a client’s account using the client’s personal information, “the investment adviser is in effect impersonating this client and has the same access to the account as the client.” As a result, a number of issues arise when investment advisers use their clients’ personal information to gain access to online accounts, including custody, recordkeeping obligations, and potential violations of user agreements.
According to NASAA, custody issues arise when investment advisers use their clients’ personal information to access client accounts because investment advisers, by logging into their clients’ online accounts, may have the ability to acquire possession of their clients’ securities. As for recordkeeping, it is difficult to differentiate between log-ins begun by the investment adviser and the client when both parties use the same username and password. Finally, NASAA has noted that companies often provide in user agreements that clients cannot give another person their usernames or passwords, as a cybersecurity measure. If an account is compromised, and a client has shared his or her username and password with his or her investment adviser, the company operating the account could cite the shared access in an attempt to disclaim liability.
Based on the risks outlined above, NASAA proposed an amendment in July 2017 to its model rule on unethical business practices. The proposed amendment will make it so that an investment adviser or investment adviser representative “[a]ccessing a client’s account by using the client’s own unique identifying information (such as username or password)” is an unethical business practice.
In light of these concerns involving investment adviser use of client usernames and passwords, investment advisers have been advised to use alternative methods to observe the performance of their clients’ accounts. For example, investment advisers could request that their clients provide them with copies of their account statements. There are also various account aggregation platforms that permit investment advisers to observe client accounts without obtaining the ability to withdraw funds or securities from a client’s account. Some accounts also permit clients to give their advisers limited access to their accounts so that the advisers can see the account performance but not actively manage the accounts.
Parker MacIntyre provides legal and compliance services to investment advisers, broker-dealers, registered representatives, hedge funds, and issuers of securities, among others. Our regulatory practice group assists financial service providers with complex issues that arise in the course of their business, including compliance with federal and state laws and rules. Please visit our website for more information.