Section 3 Customer Conduct, Communications, and Ethics

Custody, vulnerable adults, and cybersecurity

19 min read · Lesson 7 of 8

About This Lesson

The ethics arc closes with the protective machinery — the rules about who can touch client assets and who watches out for clients who can't watch out for themselves. The centerpiece is a three-rung ladder the Series 63 tests constantly: trading authorization → discretion → custody, each rung carrying more authority and more obligation. Around it: agency cross transactions, NASAA's vulnerable-adult framework with its temporary-hold mechanics, and the cybersecurity and continuity duties that modern rulemaking bolted onto the fiduciary chassis.

What you'll cover

  • the authority ladder — and the one-question diagnostic (can they withdraw funds?) that sorts every fact pattern
  • custody triggers, the qualified-custodian rules, surprise exams, and the $35,000 / $10,000 net-worth minimums
  • soft dollars inside the Section 28(e) safe harbor — research yes, rent no
  • agency cross transactions under 102(f)-1 and the one condition no consent can waive
  • vulnerable adults: the trusted contact, temporary holds on disbursements, red flags, and reporting
  • cybersecurity, privacy, business continuity, and succession planning

This finishes the Ethical Practices function's teaching chapters — the recap and module test follow, and the vulnerable-adult scenario is one of the most reliably tested items on the modern exam.

Custody — the federal and state framework

An adviser has custody whenever they hold, directly or indirectly, client funds or securities, or have any authority to obtain possession of them. The Series 63 tests the triggers, the operational requirements, and the financial-eligibility rules as separate questions — so learn them as separate lists.

But first, the ladder. Three authorities, three different things — do not let the exam blur them:

  • Trading authorization — permission to place specific trades the customer has directed. No authority to decide what or how much; no authority to withdraw funds. Not discretion, not custody.
  • Discretionary authority — the ability to choose which securities and how much within a customer's brokerage account without first contacting the customer. Granted in writing. Not custody.
  • Custody — the authority to obtain possession of client funds or securities, including the ability to withdraw funds from the account. The highest rung — and the one that triggers the qualified custodian rules below.

One question sorts every fact pattern: can the professional withdraw funds from the account? Yes → custody. No, but they choose what to buy or sell → discretion. No, and they only execute what the customer specifies → trading authorization. That diagnostic alone wins several exam questions.

Custody triggers include:

  • Physical possession of client funds or securities
  • Authority to withdraw funds from a client's account (even to deduct advisory fees)
  • Acting as general partner of a limited partnership where the adviser has access to fund assets
  • Having access to client login credentials sufficient to transfer funds

Federal custody requirements (SEC Rule 206(4)-2):

  • Hold client assets with a qualified custodian — a bank, broker-dealer, futures commission merchant, or foreign financial institution
  • Custodian sends account statements directly to clients at least quarterly
  • Annual surprise examination by an independent public accountant
  • Notice on Form ADV that the adviser has custody

State custody requirements — the parallel NASAA Custody Requirements for Investment Advisers Model Rule 102(e)(1)-1 imposes the same core obligations on state-registered advisers, plus additional notice and bonding requirements that vary by jurisdiction.

And the money rules — minimum financial requirements under NASAA Model Rule 202(d)-1, keyed to the authority held:

  • Custody: minimum net worth of $35,000
  • Discretion without custody: minimum net worth of $10,000
  • An adviser whose net worth falls below the applicable minimum must notify the administrator by the close of the next business day and file additional financial reports thereafter

Advisers who do not meet the net worth requirement may post a bond in the amount of the deficiency, where state law permits. Higher authority, higher balance sheet — that's the pattern to remember.

Discretion vs. Custody — know the difference

Discretion means authority to decide what to buy or sell and how much — but the client's custodian still holds the assets. Custody means the adviser can access or possess client funds. An adviser with discretion does NOT automatically have custody — but an adviser with the authority to withdraw funds from a client account (even just to deduct fees) DOES have custody. The Series 63 tests these as separate concepts, and the fee-deduction detail is its favorite way in.

Soft Dollar Arrangements — Section 28(e) Safe Harbor

Soft dollars are client money buying things for the adviser — which is why the rules police them. The arrangement: an adviser directs client brokerage commissions to a broker in exchange for research and services. The test is what those services are:

  • Section 28(e) of the Securities Exchange Act provides a safe harbor if the research benefits the clients whose commissions are being used
  • Eligible uses: Research reports, financial databases, analytical tools, market data, portfolio management software
  • NOT eligible: Office rent, furniture, travel expenses, telephone bills, employee salaries — these are overhead, not research. If it would exist without the investment process, it's overhead.
  • The adviser must seek best execution even when using soft dollars — they cannot direct trades to a broker solely for the soft dollar benefit if it means worse execution for the client
  • Disclosure: Soft dollar arrangements must be disclosed in Form ADV Part 2A

Agency cross transactions — NASAA Model Rule 102(f)-1

An agency cross transaction puts the adviser on both sides of the table: acting as agent for both buyer and seller in the same transaction, matching one advisory client's order with another's. A fiduciary owing loyalty to both sides is a built-in conflict — so the rule permits it only under a strict script.

NASAA Model Rule 102(f)-1 (paralleling federal SEC Rule 206(3)-2) permits agency cross transactions only if all of the following conditions are satisfied:

  • Prior written disclosure and consent — the client must consent in writing before the cross transaction, after receiving a written disclosure describing the conflict, the compensation the adviser will receive, and the right to revoke consent at any time.
  • Confirmation at each transaction — the adviser must send a written confirmation at or before completion stating the nature of the transaction and the compensation received from any party.
  • Annual itemized report — the adviser must furnish each consenting client with an annual itemization of all agency cross transactions and the total compensation received.
  • Not the source of the recommendation — the adviser must not have recommended the transaction to both the buyer and the seller.

That last condition is the exam's favorite, because no paperwork waives it: even with full disclosure and written consent, an adviser cannot cross two clients where the adviser recommended the trade to both. Consent cures the conflict of executing; nothing cures the conflict of instigating both sides.

1

Detect

NASAA Model Act §3

Reasonable belief of financial exploitation of a person 65+ or impaired adult

Sudden urgency Caregiver pressure Unusual transactions Cognitive decline
2

Place temporary hold

NASAA Model Act §4

Hold disbursement or transaction — trading is not held

Up to 15 business days Extendable to 25 Court order can extend further
3

Notify

NASAA Model Act §5

Internal compliance and the client's designated trusted contact person

Within 2 business days Document the basis Maintain records
4

Report

NASAA Model Act §6 · Safe harbor §7

State securities administrator and Adult Protective Services

State administrator APS Civil immunity if in good faith

Financial Exploitation of Vulnerable Adults

Now the framework built for the exam's most human fact patterns. NASAA model rules impose specific obligations on IAs, IARs, BDs, and agents when dealing with vulnerable adults — generally defined as individuals aged 65+ or adults with mental or physical impairments that limit their ability to protect their own interests.

Trusted Contact Person — Firms are required to request that clients designate a trusted contact when opening an account. Keep the boundary crisp: the trusted contact has no authority over the account — they are an information resource the firm can reach out to if it suspects exploitation, diminished capacity, or cannot reach the client. The client may decline to provide one, but the firm must make a reasonable effort to ask.

Temporary Holds on Disbursements — Under NASAA model rules, firms may place a temporary hold on a disbursement if they reasonably believe exploitation is occurring or has been attempted:

  • Hold lasts up to 15 business days (extendable to 25 in some jurisdictions)
  • Applies to disbursements only — not to purchases or sales within the account
  • Firm must immediately notify the trusted contact person (if designated) and the state securities regulator
  • Firm must conduct an internal review during the hold period

Red Flags — Sudden changes in financial patterns, a new "friend" or caregiver directing transactions, client appearing confused or under duress, unusual wire transfers to unfamiliar parties, and unexplained changes to beneficiary designations or POA documents.

Reporting — IARs and agents who suspect exploitation must report to their firm's compliance department. Depending on state law, reports to Adult Protective Services (APS) or the state securities administrator may also be required. Many states provide safe harbor from liability for good-faith reports — the rules are built to make speaking up the safe choice.

Vulnerable-adult questions — the answer framework

The Series 63 loves the scenario version: "Your 82-year-old client's caregiver requests a $50,000 wire transfer. The client seems confused. What should you do?"

The answer is always the same four beats: (1) do not process the suspicious transaction, (2) notify your compliance department, (3) contact the trusted contact person, (4) report to the appropriate authority.

Two distinctions decide the trickier versions: temporary holds apply to disbursements only (trading inside the account continues), and the trusted contact has no account authority — any answer that has the trusted contact approving or directing anything is wrong.

Cybersecurity, Privacy, and Data Protection

Protecting client data is an extension of the firm's safeguarding obligations — and breathe easy: the NASAA outline tests your understanding of the regulatory framework, not technical security knowledge. No firewalls on the exam, just rules.

Regulation S-P (Privacy of Consumer Financial Information) applies to BDs, SEC-registered IAs, and investment companies:

  • Initial privacy notice: Delivered at the start of the customer relationship, describing what nonpublic personal information (NPI) is collected and how it is shared
  • Annual privacy notice: Provided each year (unless the firm qualifies for the FAST Act exception)
  • Opt-out right: Customers must be given the opportunity to opt out of having NPI shared with non-affiliated third parties
  • Safeguard Rule: Firms must adopt written policies to protect customer information against unauthorized access — including administrative, technical, and physical safeguards

SEC Cybersecurity Rules require IAs to adopt written cybersecurity policies, report significant incidents to the SEC, disclose risks and incidents to clients, and maintain records related to cybersecurity.

State-Level Requirements — Many states have data breach notification laws requiring prompt notification to affected clients and the state attorney general or securities administrator when breaches occur.

Business Continuity and Succession Planning

Serving clients includes still being there tomorrow. Maintaining a business continuity plan (BCP) is part of the firm's duty of care, and both IAs and BDs are expected to ensure they can continue to operate and serve clients during significant disruptions.

What a BCP Must Address:

  • Data backup and recovery: How client records and essential documents are backed up and can be restored
  • Alternate communications: How the firm will reach clients, employees, and regulators if primary systems are unavailable
  • Alternate physical location: Where employees will work if the primary office is inaccessible
  • Financial and operational assessment: How the firm will assess its ability to continue operations
  • Customer access to funds and securities: How clients can access their assets during a disruption

Succession Planning — The SEC and state regulators increasingly expect IAs — especially small firms with a single principal — to address succession as part of their fiduciary duty. Without a plan, a principal's death or incapacity could leave clients unable to access accounts or receive advice. Key questions: Is there a designated successor adviser? Are client agreements structured for orderly transition? Who manages client assets during the interim?

Disclosure — and a tested asymmetry: BDs must disclose their BCP to customers at account opening and post it on their website. IAs are not required to deliver the plan itself, but must have it documented in writing and available for regulatory examination. Same duty, different paperwork.

Concept Check

A state-registered investment adviser maintains discretionary authority over client accounts but does not have custody. Under NASAA Model Rule 202(d)-1, the adviser must maintain:

NASAA Model Rule 202(d)-1 sets minimum financial requirements for state-registered advisers. An adviser with discretion but not custody must maintain $10,000 in net worth. An adviser with custody must maintain $35,000 in net worth and is subject to the surprise audit and qualified custodian requirements. Net capital ratios apply to broker-dealers under SEC Rule 15c3-1, not to investment advisers. A bond may be posted by some states in lieu of the net worth requirement. <!-- CC:s63-ethics-min-financial-requirements-202d1 -->
Concept Check

An adviser uses client brokerage commissions to pay for a new Bloomberg terminal subscription. Under Section 28(e), this is:

Soft dollar arrangements — where an adviser directs client brokerage to a particular broker-dealer in exchange for research or other services — are permitted ONLY within the Section 28(e) safe harbor of the Securities Exchange Act. The safe harbor permits client commissions to pay for (a) research providing lawful assistance in investment decision-making, and (b) brokerage services related to execution. OUTSIDE the safe harbor: office furniture, salaries, computer hardware not used primarily for research, travel, entertainment. A Bloomberg terminal used primarily for research is within; office furniture is not. <!-- CC:s63-ethics-soft-dollars -->
Concept Check

An investment adviser representative suspects that a 79-year-old client is being financially exploited by a family member. The firm places a temporary hold on a pending disbursement. This hold:

Under NASAA model rules, a temporary hold on a disbursement can be placed when there is a reasonable belief of financial exploitation of a vulnerable adult. The hold applies to disbursements only (not trading), lasts up to 15 business days (extendable to 25 in some jurisdictions), and does not require the client's consent or a court order. The firm must notify the trusted contact person and the state regulator. This is the NASAA Model Act framework tested on the Series 63; FINRA Rule 2165 separately permits member firms to place holds on securities transactions as well as disbursements. <!-- CC:s63-ethics-vulnerable-adult -->
Concept Check

Under Regulation S-P, which of the following is required of a registered investment adviser?

Regulation S-P requires firms to provide customers with a privacy notice describing information-sharing practices and to give customers the right to opt out of having their nonpublic personal information shared with non-affiliated third parties. The Safeguard Rule within Reg S-P also requires written policies to protect customer information, but the specific methods of protection are left to the firm's discretion. <!-- CC:s63-ethics-reg-s-p -->
Concept Check

A small investment advisory firm has a single managing partner and 200 client accounts. The state examiner asks about the firm's succession plan. Which of the following BEST describes why succession planning is important for this firm?

Succession planning is a fiduciary concern for advisory firms, especially small firms where a single principal handles all client relationships. If that person dies or becomes incapacitated without a plan, clients may be unable to access their accounts or receive investment advice. Regulators increasingly view succession planning as part of the adviser's ongoing fiduciary duty to clients. <!-- CC:s63-ethics-succession-plan -->
Concept Check

Under NASAA Model Rule 102(e)(1)-1 (custody), which of the following situations would cause an investment adviser to have CUSTODY of client assets?

Under NASAA Model Rule 102(e)(1)-1 (Custody), an investment adviser has CUSTODY when it holds, directly or indirectly, client funds or securities OR has authority to obtain possession of them. The most common form of indirect custody is AUTHORIZATION TO DEDUCT FEES directly from the client's qualified custodian account. Fee-deduction authority is custody because it lets the adviser remove client funds without specific authorization. Receiving checks payable to the qualified custodian (not the adviser) does not constitute custody and must be promptly forwarded. Custody triggers SURPRISE ANNUAL AUDIT requirements unless an exception applies (most commonly the fee-deduction exception). <!-- CC:s63-ethics-custody-fee-deduction-trigger -->
Concept Check

Under SEC Rule 206(3) and NASAA Model Rule 102(f)(1), an investment adviser may execute an "agency cross" transaction (matching one advisory client's order with another client's order, or with a brokerage customer order) only if:

Under SEC Advisers Act Rule 206(3) and NASAA Model Rule 102(f)(1), an agency cross transaction is permitted only if (1) the adviser obtains PRIOR WRITTEN CLIENT CONSENT to agency cross transactions generally, (2) provides specific DISCLOSURES about the conflict of interest, (3) sends an annual written report summarizing the agency cross transactions executed, and (4) ensures the price represents NORMAL MARKET CONDITIONS. The dual conflict (acting for both sides) creates inherent fiduciary concerns, which the rule mitigates through informed consent. The transaction need not occur on an exchange or through an affiliated BD; no state filing is required. <!-- CC:s63-ethics-agency-cross-consent -->
Concept Check

Under SEC Regulation S-ID (the Identity Theft Red Flags Rule), a broker-dealer must:

Under SEC Regulation S-ID (the IDENTITY THEFT RED FLAGS RULE, finalized 2013), broker-dealers and investment advisers maintaining "covered accounts" must adopt and implement a written IDENTITY THEFT PREVENTION PROGRAM. The program must (1) IDENTIFY relevant red flags, (2) DETECT them in operations, (3) RESPOND appropriately when detected, and (4) PERIODICALLY UPDATE. The rule does not impose a specific 24-hour breach-notification requirement; that timeline derives from state laws. The rule does not require monthly password rotation or WebCRD attestations. Identity theft red flags are typically integrated into broader cybersecurity and BCP programs. <!-- CC:s63-ethics-reg-s-id-prevention-program -->