Custody, vulnerable adults, and cybersecurity
About This Lesson
The ethics arc closes with the protective machinery — the rules about who can touch client assets and who watches out for clients who can't watch out for themselves. The centerpiece is a three-rung ladder the Series 63 tests constantly: trading authorization → discretion → custody, each rung carrying more authority and more obligation. Around it: agency cross transactions, NASAA's vulnerable-adult framework with its temporary-hold mechanics, and the cybersecurity and continuity duties that modern rulemaking bolted onto the fiduciary chassis.
What you'll cover
- the authority ladder — and the one-question diagnostic (can they withdraw funds?) that sorts every fact pattern
- custody triggers, the qualified-custodian rules, surprise exams, and the $35,000 / $10,000 net-worth minimums
- soft dollars inside the Section 28(e) safe harbor — research yes, rent no
- agency cross transactions under 102(f)-1 and the one condition no consent can waive
- vulnerable adults: the trusted contact, temporary holds on disbursements, red flags, and reporting
- cybersecurity, privacy, business continuity, and succession planning
This finishes the Ethical Practices function's teaching chapters — the recap and module test follow, and the vulnerable-adult scenario is one of the most reliably tested items on the modern exam.
Custody — the federal and state framework
An adviser has custody whenever they hold, directly or indirectly, client funds or securities, or have any authority to obtain possession of them. The Series 63 tests the triggers, the operational requirements, and the financial-eligibility rules as separate questions — so learn them as separate lists.
But first, the ladder. Three authorities, three different things — do not let the exam blur them:
- Trading authorization — permission to place specific trades the customer has directed. No authority to decide what or how much; no authority to withdraw funds. Not discretion, not custody.
- Discretionary authority — the ability to choose which securities and how much within a customer's brokerage account without first contacting the customer. Granted in writing. Not custody.
- Custody — the authority to obtain possession of client funds or securities, including the ability to withdraw funds from the account. The highest rung — and the one that triggers the qualified custodian rules below.
One question sorts every fact pattern: can the professional withdraw funds from the account? Yes → custody. No, but they choose what to buy or sell → discretion. No, and they only execute what the customer specifies → trading authorization. That diagnostic alone wins several exam questions.
Custody triggers include:
- Physical possession of client funds or securities
- Authority to withdraw funds from a client's account (even to deduct advisory fees)
- Acting as general partner of a limited partnership where the adviser has access to fund assets
- Having access to client login credentials sufficient to transfer funds
Federal custody requirements (SEC Rule 206(4)-2):
- Hold client assets with a qualified custodian — a bank, broker-dealer, futures commission merchant, or foreign financial institution
- Custodian sends account statements directly to clients at least quarterly
- Annual surprise examination by an independent public accountant
- Notice on Form ADV that the adviser has custody
State custody requirements — the parallel NASAA Custody Requirements for Investment Advisers Model Rule 102(e)(1)-1 imposes the same core obligations on state-registered advisers, plus additional notice and bonding requirements that vary by jurisdiction.
And the money rules — minimum financial requirements under NASAA Model Rule 202(d)-1, keyed to the authority held:
- Custody: minimum net worth of $35,000
- Discretion without custody: minimum net worth of $10,000
- An adviser whose net worth falls below the applicable minimum must notify the administrator by the close of the next business day and file additional financial reports thereafter
Advisers who do not meet the net worth requirement may post a bond in the amount of the deficiency, where state law permits. Higher authority, higher balance sheet — that's the pattern to remember.
Discretion vs. Custody — know the difference
Discretion means authority to decide what to buy or sell and how much — but the client's custodian still holds the assets. Custody means the adviser can access or possess client funds. An adviser with discretion does NOT automatically have custody — but an adviser with the authority to withdraw funds from a client account (even just to deduct fees) DOES have custody. The Series 63 tests these as separate concepts, and the fee-deduction detail is its favorite way in.
Soft Dollar Arrangements — Section 28(e) Safe Harbor
Soft dollars are client money buying things for the adviser — which is why the rules police them. The arrangement: an adviser directs client brokerage commissions to a broker in exchange for research and services. The test is what those services are:
- Section 28(e) of the Securities Exchange Act provides a safe harbor if the research benefits the clients whose commissions are being used
- Eligible uses: Research reports, financial databases, analytical tools, market data, portfolio management software
- NOT eligible: Office rent, furniture, travel expenses, telephone bills, employee salaries — these are overhead, not research. If it would exist without the investment process, it's overhead.
- The adviser must seek best execution even when using soft dollars — they cannot direct trades to a broker solely for the soft dollar benefit if it means worse execution for the client
- Disclosure: Soft dollar arrangements must be disclosed in Form ADV Part 2A
Agency cross transactions — NASAA Model Rule 102(f)-1
An agency cross transaction puts the adviser on both sides of the table: acting as agent for both buyer and seller in the same transaction, matching one advisory client's order with another's. A fiduciary owing loyalty to both sides is a built-in conflict — so the rule permits it only under a strict script.
NASAA Model Rule 102(f)-1 (paralleling federal SEC Rule 206(3)-2) permits agency cross transactions only if all of the following conditions are satisfied:
- Prior written disclosure and consent — the client must consent in writing before the cross transaction, after receiving a written disclosure describing the conflict, the compensation the adviser will receive, and the right to revoke consent at any time.
- Confirmation at each transaction — the adviser must send a written confirmation at or before completion stating the nature of the transaction and the compensation received from any party.
- Annual itemized report — the adviser must furnish each consenting client with an annual itemization of all agency cross transactions and the total compensation received.
- Not the source of the recommendation — the adviser must not have recommended the transaction to both the buyer and the seller.
That last condition is the exam's favorite, because no paperwork waives it: even with full disclosure and written consent, an adviser cannot cross two clients where the adviser recommended the trade to both. Consent cures the conflict of executing; nothing cures the conflict of instigating both sides.
Detect
NASAA Model Act §3
Reasonable belief of financial exploitation of a person 65+ or impaired adult
Place temporary hold
NASAA Model Act §4
Hold disbursement or transaction — trading is not held
Notify
NASAA Model Act §5
Internal compliance and the client's designated trusted contact person
Report
NASAA Model Act §6 · Safe harbor §7
State securities administrator and Adult Protective Services
Financial Exploitation of Vulnerable Adults
Now the framework built for the exam's most human fact patterns. NASAA model rules impose specific obligations on IAs, IARs, BDs, and agents when dealing with vulnerable adults — generally defined as individuals aged 65+ or adults with mental or physical impairments that limit their ability to protect their own interests.
Trusted Contact Person — Firms are required to request that clients designate a trusted contact when opening an account. Keep the boundary crisp: the trusted contact has no authority over the account — they are an information resource the firm can reach out to if it suspects exploitation, diminished capacity, or cannot reach the client. The client may decline to provide one, but the firm must make a reasonable effort to ask.
Temporary Holds on Disbursements — Under NASAA model rules, firms may place a temporary hold on a disbursement if they reasonably believe exploitation is occurring or has been attempted:
- Hold lasts up to 15 business days (extendable to 25 in some jurisdictions)
- Applies to disbursements only — not to purchases or sales within the account
- Firm must immediately notify the trusted contact person (if designated) and the state securities regulator
- Firm must conduct an internal review during the hold period
Red Flags — Sudden changes in financial patterns, a new "friend" or caregiver directing transactions, client appearing confused or under duress, unusual wire transfers to unfamiliar parties, and unexplained changes to beneficiary designations or POA documents.
Reporting — IARs and agents who suspect exploitation must report to their firm's compliance department. Depending on state law, reports to Adult Protective Services (APS) or the state securities administrator may also be required. Many states provide safe harbor from liability for good-faith reports — the rules are built to make speaking up the safe choice.
Vulnerable-adult questions — the answer framework
The Series 63 loves the scenario version: "Your 82-year-old client's caregiver requests a $50,000 wire transfer. The client seems confused. What should you do?"
The answer is always the same four beats: (1) do not process the suspicious transaction, (2) notify your compliance department, (3) contact the trusted contact person, (4) report to the appropriate authority.
Two distinctions decide the trickier versions: temporary holds apply to disbursements only (trading inside the account continues), and the trusted contact has no account authority — any answer that has the trusted contact approving or directing anything is wrong.
Cybersecurity, Privacy, and Data Protection
Protecting client data is an extension of the firm's safeguarding obligations — and breathe easy: the NASAA outline tests your understanding of the regulatory framework, not technical security knowledge. No firewalls on the exam, just rules.
Regulation S-P (Privacy of Consumer Financial Information) applies to BDs, SEC-registered IAs, and investment companies:
- Initial privacy notice: Delivered at the start of the customer relationship, describing what nonpublic personal information (NPI) is collected and how it is shared
- Annual privacy notice: Provided each year (unless the firm qualifies for the FAST Act exception)
- Opt-out right: Customers must be given the opportunity to opt out of having NPI shared with non-affiliated third parties
- Safeguard Rule: Firms must adopt written policies to protect customer information against unauthorized access — including administrative, technical, and physical safeguards
SEC Cybersecurity Rules require IAs to adopt written cybersecurity policies, report significant incidents to the SEC, disclose risks and incidents to clients, and maintain records related to cybersecurity.
State-Level Requirements — Many states have data breach notification laws requiring prompt notification to affected clients and the state attorney general or securities administrator when breaches occur.
Business Continuity and Succession Planning
Serving clients includes still being there tomorrow. Maintaining a business continuity plan (BCP) is part of the firm's duty of care, and both IAs and BDs are expected to ensure they can continue to operate and serve clients during significant disruptions.
What a BCP Must Address:
- Data backup and recovery: How client records and essential documents are backed up and can be restored
- Alternate communications: How the firm will reach clients, employees, and regulators if primary systems are unavailable
- Alternate physical location: Where employees will work if the primary office is inaccessible
- Financial and operational assessment: How the firm will assess its ability to continue operations
- Customer access to funds and securities: How clients can access their assets during a disruption
Succession Planning — The SEC and state regulators increasingly expect IAs — especially small firms with a single principal — to address succession as part of their fiduciary duty. Without a plan, a principal's death or incapacity could leave clients unable to access accounts or receive advice. Key questions: Is there a designated successor adviser? Are client agreements structured for orderly transition? Who manages client assets during the interim?
Disclosure — and a tested asymmetry: BDs must disclose their BCP to customers at account opening and post it on their website. IAs are not required to deliver the plan itself, but must have it documented in writing and available for regulatory examination. Same duty, different paperwork.
A state-registered investment adviser maintains discretionary authority over client accounts but does not have custody. Under NASAA Model Rule 202(d)-1, the adviser must maintain:
An adviser uses client brokerage commissions to pay for a new Bloomberg terminal subscription. Under Section 28(e), this is:
An investment adviser representative suspects that a 79-year-old client is being financially exploited by a family member. The firm places a temporary hold on a pending disbursement. This hold:
Under Regulation S-P, which of the following is required of a registered investment adviser?
A small investment advisory firm has a single managing partner and 200 client accounts. The state examiner asks about the firm's succession plan. Which of the following BEST describes why succession planning is important for this firm?
Under NASAA Model Rule 102(e)(1)-1 (custody), which of the following situations would cause an investment adviser to have CUSTODY of client assets?
Under SEC Rule 206(3) and NASAA Model Rule 102(f)(1), an investment adviser may execute an "agency cross" transaction (matching one advisory client's order with another client's order, or with a brokerage customer order) only if:
Under SEC Regulation S-ID (the Identity Theft Red Flags Rule), a broker-dealer must: