Investment advisers’ use of clients’ usernames and passwords to access their clients’ accounts to observe the accounts’ performance has come under scrutiny in recent years. In February 2017, the SEC Office of Compliance Inspections and Examinations (“OCIE”) disclosed in a Risk Alert that investment advisers’ use of client usernames and passwords can create compliance issues with the Custody Rule. According to OCIE, an investment adviser’s “online access to client accounts may meet the definition of custody when such access provides the adviser with the ability to withdraw funds and securities from the client accounts.” Accessing a client’s account using a client’s username and password often results in an investment adviser being able to withdraw funds and securities.
The North American Securities Administrators Association (“NASAA”) has also observed in recent years that if an investment adviser logs into a client’s account using the client’s personal information, “the investment adviser is in effect impersonating this client and has the same access to the account as the client.” As a result, a number of issues arise when investment advisers use their clients’ personal information to gain access to online accounts, including custody, recordkeeping obligations, and potential violations of user agreements. Continue reading