← Glossary

Qualified Custodian

The bank, broker-dealer, or trust company an investment adviser must engage to hold client assets under SEC Rule 206(4)-2 — subject to annual surprise examination and direct quarterly reporting to clients.

Definition

What is a qualified custodian?

A qualified custodian is the financial institution an investment adviser registered under the Investment Advisers Act of 1940 must engage to hold client funds and securities whenever the adviser has custody of those assets. SEC Rule 206(4)-2 — the Custody Rule — defines the entity types that qualify, the account structure required, and the examination and reporting obligations the adviser must satisfy on an ongoing basis. The rule treats an investment adviser holding client assets as a structural conflict: the adviser has access, and potentially incentive, to misuse those assets. The qualified custodian requirement interposes an independent, regulated entity between the adviser and the client's assets, with that entity subject to its own regulatory oversight and independent annual verification.

The qualified custodian requirement is not waivable by client agreement. An adviser cannot contract around Rule 206(4)-2 or obtain client consent to hold assets in a non-qualifying structure. The SEC treats failures to use a qualified custodian as violations subject to enforcement regardless of client awareness or absence of client harm.

Who qualifies — and who does not

Rule 206(4)-2(d)(6) defines four qualifying entity types. A bank as defined in Advisers Act §202(a)(2) — this includes federally chartered banks, state-chartered banking institutions, savings associations, and trust companies that exercise fiduciary powers similar to national banks, are supervised by state or federal banking authorities, and are not operated for the purpose of evading the Advisers Act. Critically, the §202(a)(2) definition does not require FDIC insurance as a precondition: a state-chartered trust company that meets the statutory definition and is supervised by a state banking regulator qualifies as a bank for Custody Rule purposes, even without FDIC deposit insurance coverage. The test is whether the entity meets the statutory bank definition and is under appropriate regulatory supervision — not whether its deposits are federally insured.

A registered broker-dealer subject to Rule 15c3-3 qualifies because that rule independently requires the broker-dealer to segregate customer securities from its own property. A CFTC-registered futures commission merchant qualifies within the scope of derivatives and commodity products. A foreign financial institution that customarily holds financial assets for customers and is regulated as a financial institution in its home jurisdiction qualifies for non-US holdings.

State-chartered trust companies require careful analysis. They can qualify if they meet the Advisers Act §202(a)(2) bank definition — which many do, because they exercise fiduciary powers and are examined by state banking regulators. For digital assets specifically, the analysis must extend to whether the trust company's custody structure ensures that client assets are held in a manner segregated from the trust company's own estate in insolvency. A state trust charter alone is not dispositive: the structure of the custody arrangement — how assets are titled, how they would be treated in a SIPA-type proceeding, and whether client assets would be reachable by the custodian's general creditors — determines whether the safeguarding obligation is genuinely satisfied.

Most cryptocurrency exchanges do not qualify as qualified custodians because they are not banks, broker-dealers, or trust companies under the applicable regulatory definitions. An exchange that obtained a qualifying bank or trust charter could theoretically qualify, but few do. The FTX collapse illustrated the consequence of exchange custody without a qualifying structure: customer assets held on the exchange's internal ledger were treated as assets of the bankruptcy estate rather than as segregated client property recoverable outside the insolvency proceeding.

When an adviser has custody

Rule 206(4)-2(d)(2) defines custody broadly: an adviser has custody whenever it holds, directly or indirectly, client funds or securities, or has any authority to obtain possession of them. Direct custody is straightforward. Deemed custody arises in situations that advisers frequently fail to recognize.

A general power of attorney over a client account — even if never exercised — constitutes custody. Authority to deduct advisory fees directly from a client account constitutes custody, though the rule provides a limited exception for fee-deduction-only arrangements when the qualified custodian is not a related person of the adviser. Serving as a general partner, managing member, or trustee of a pooled investment vehicle that holds client assets makes the adviser deemed to have custody of the entire pool. When a related person of the adviser holds client assets without being operationally independent, the adviser is deemed to have custody through that related person. SEC enforcement actions have cited advisers for unrecognized deemed custody arising from standing letters of authorization that gave the adviser authority to direct client fund movements — a commonly missed trigger.

The five Rule 206(4)-2 compliance obligations

When an adviser has custody, five operational requirements attach.

Maintain assets at a qualified custodian. Client assets must be held in a separately identified account for each client in the client's name, or in an account under the adviser's name as agent or trustee for clients. The structure determines how assets are titled and how they would be identified in an insolvency proceeding if the custodian failed.

Notice to clients. When an account is opened at a qualified custodian on a client's behalf, the adviser must promptly notify the client in writing of the custodian's name, address, and manner of asset maintenance. If the adviser also sends its own account statements, those statements must include a legend urging the client to compare them against the custodian's direct statements.

Quarterly account statements directly to clients. The adviser must have a reasonable basis, after due inquiry, for believing the qualified custodian sends statements at least quarterly directly to each client — not routed through the adviser. Statements must identify the balance of each asset at period end and all transactions during the period. The direct-delivery requirement is an anti-fraud mechanism: routing custodian statements through the adviser creates the opportunity for alteration before delivery.

Annual surprise examination. Unless an exception applies, the adviser engages a PCAOB-registered independent public accountant under a written agreement to verify client assets at an unannounced time, irregular year to year. Within 120 days, the accountant files Form ADV-E with the SEC. Material discrepancies require SEC notification within one business day. Exceptions apply for: advisers whose only custody is fee-deduction authority at a non-related custodian; mutual fund clients for whom a transfer agent holds assets; and advisers to pooled investment vehicles subject to annual audit by a PCAOB accountant with audited financial statements distributed to investors within 120 days of fiscal year end — those pools are deemed to have satisfied the surprise examination requirement.

Internal control report when adviser or related person is the custodian. If the adviser or a related person serves as the qualified custodian in connection with advisory services, an annual written internal control report from a PCAOB-registered accountant is required — an evaluation of whether custody controls are suitably designed and operating effectively to safeguard client assets. This is functionally equivalent to a SOC 1 Type II report.

Digital asset custody — exclusive control and independent verification

For traditional securities, the possession and control standard is established through DTC book entries, physical certificates, and custodian account records. For digital assets, the applicable standard — as established through SEC enforcement positions and the agency's 2023 proposed custody rule update — is exclusive control of private key material. A custodian claiming to satisfy the safeguarding requirement for digital assets must be able to demonstrate that it can initiate a transaction from the custodied wallet while preventing any other party — including the adviser, the client, and the custodian's own personnel without proper multi-person authorization — from doing so independently.

The technical mechanism for satisfying the exclusive control standard in institutional custody is Multi-Party Computation (MPC): threshold key shares — mathematically related secret values — are distributed across multiple parties or hardware enclaves, with no single share capable of authorizing a transaction alone. Signing requires a threshold of shares to participate in distributed computation, so the private key material is never reconstructed in a single location. Hardware Security Modules (HSMs) provide tamper-resistant hardware storage with a cryptographic audit trail for every signing event.

For a PCAOB-registered accountant conducting a surprise examination of digital assets, verification of the custodied positions typically relies on custodian attestations, SOC 1 Type II reports covering key management controls, and wallet ownership proofs — cryptographic confirmations that the custodian controls the relevant wallet addresses. This may be supplemented by on-chain balance verification through custodian-provided APIs or public blockchain data, though standardized audit procedures for digital asset examinations have not yet been codified by the PCAOB. Advisers should confirm with their accountant how the surprise examination will be conducted for digital asset positions before engagement, and ensure the written agreement specifies the verification methodology.

The 2023 SEC proposed safeguarding rule — which would have expanded Rule 206(4)-2 to cover all client assets including crypto and would have imposed additional exclusive control requirements on qualified custodians — was not finalized before the change in SEC leadership, but it signals the direction of regulatory expectation. Advisers building digital asset custody infrastructure should design to those higher standards even in the absence of a final rule.

SAB 122 and the new economics of bank custody

SEC Staff Accounting Bulletin 121, issued in March 2022, required any entity safeguarding digital assets for customers to record a corresponding safeguarding liability and an offsetting safeguarding asset on its own balance sheet. The capital impact was indirect but severe: recognizing this additional balance sheet exposure increased total assets, which flowed through leverage ratios, risk-weighted asset calculations, and supplementary leverage ratio requirements under Basel III. For large banks, the additional capital required to support even a modest digital asset custody book made the business economically prohibitive. The practical result was that most federally chartered banks — the most creditworthy and structurally sound qualified custodians — declined the digital asset custody market.

SAB 122, issued in January 2025, rescinded SAB 121 and allows custodians to apply existing accounting frameworks instead. Entities holding digital assets in custody for clients no longer recognize a balance sheet liability for those assets. The accounting treatment of digital asset custody is now equivalent to traditional securities or cash custody: custodied assets appear on the client's balance sheet, not the custodian's.

For RIAs, the SAB 122 consequence is significant. A bank custodian holding client USDC in a segregated trust account now provides Segregated Asset Safeguarding: the client's USDC sits off the bank's balance sheet, is not part of the bank's deposit base, and is not reachable by the bank's general creditors in insolvency. This is a materially stronger structure than cash held in a broker-dealer sweep account — at a broker-dealer, client cash remains subject to the reserve formula and the rehypothecation mechanics of Rule 15c3-3, whereas USDC at a bank QC is segregated from the institution's own liabilities from day one. The combined effect of SAB 122 and the GENIUS Act's payment stablecoin framework has made bank custody of stablecoin-denominated client assets operationally and economically viable at institutional scale for the first time since digital assets emerged as an institutional asset class.

How it works

How qualified custodian compliance works — step by step

1. Custody assessment. The adviser determines whether it has custody — directly or through deemed custody — of any client funds or securities. The analysis covers: whether the adviser physically holds assets; whether it has authority to withdraw from client accounts for any purpose including fee deduction; whether it or a related person serves as a general partner, managing member, or trustee; whether standing letters of authorization or similar authority give the adviser the ability to direct client fund movements; and whether any related person holds client assets without being operationally independent. Advisers that are uncertain whether a particular arrangement constitutes deemed custody should seek regulatory guidance — unrecognized custody is a common examination finding and does not require fraudulent intent to constitute a violation.

2. Qualified custodian selection and engagement. The adviser selects a qualified custodian that meets the regulatory definition under Rule 206(4)-2(d)(6): a bank under Advisers Act §202(a)(2), a registered broker-dealer subject to Rule 15c3-3, a CFTC-registered futures commission merchant, or a qualifying foreign financial institution. For digital asset holdings, selection includes verifying regulatory status, demonstrating custodial segregation from the custodian's estate, confirming exclusive control capability, and reviewing available SOC 1 Type II reporting. The engagement is documented in a custody agreement that specifies account structure, statement delivery, and the custodian's reporting obligations.

3. Account structure — separate or agent/trustee. Client assets must be held either in a separate account for each client in the client's name, or in an account in the adviser's name as agent or trustee for clients. A separate account provides the clearest client identification in an insolvency; an omnibus account under the adviser as agent or trustee requires robust sub-accounting to identify each beneficial owner's interest. The chosen structure determines how assets appear on the custodian's books and how they are treated if the custodian becomes insolvent.

4. Client notice. Promptly upon opening a custodial account on behalf of a client, the adviser provides written notice of the custodian's name, address, and manner in which funds and securities are maintained. This notice must be updated whenever the information changes. If the adviser provides its own account statements to the client, those statements must include a legend urging comparison against the custodian's direct statements — a structural safeguard against adviser-altered account reporting.

5. Quarterly statement confirmation. The adviser must have a reasonable basis — after due inquiry — for believing the qualified custodian sends account statements at least quarterly directly to each client, not through the adviser. Statements must show the balance of each asset at period end and all transactions during the period. Advisers should affirmatively confirm this delivery is occurring, not assume it.

6. Annual surprise examination and Form ADV-E. The adviser engages a PCAOB-registered accountant under a written agreement meeting Rule 206(4)-2(a)(4). The accountant schedules the examination at an irregular, unannounced date; verifies client assets through procedures that include custodian attestations, SOC reports, and applicable on-chain verification; and files Form ADV-E with the SEC within 120 days. Both the 120-day filing obligation and the material discrepancy notification requirement must appear in the written agreement. For pooled vehicles subject to annual PCAOB audit with timely distribution of audited financial statements, the audit satisfies the surprise examination requirement and Form ADV-E is not required.

7. Material discrepancy protocol. If the accountant's examination reveals a discrepancy that cannot be reconciled — missing positions, unauthorized transfers, or valuation inconsistencies — the accountant notifies the SEC by email within one business day, directed to the Director of the Office of Compliance Inspections and Examinations, followed by first-class mail. The adviser's CCO is simultaneously notified. The affected positions are flagged, the adviser engages legal counsel, and the incident is documented in the written supervisory procedures escalation workflow for regulatory response.

In Devancore™

Qualified custodian compliance in Devancore

Devancore functions as the verification and reconciliation layer between an investment adviser and its qualified custodians — connecting the on-chain state of digital assets to the accounting ledger and generating the documentation required for Rule 206(4)-2 examinations. For advisers holding portfolios that span traditional securities at a bank or broker-dealer qualified custodian and digital assets at a trust company or digital asset custodian, Devancore provides a unified compliance view across all qualified custodian relationships.

Custodian-to-ledger reconciliation. Devancore ingests statement and position feeds from qualified custodians on both rails: SWIFT or custody file feeds from traditional bank and broker-dealer custodians, and on-chain balance queries from digital asset custodians. The reconciliation engine matches each custodian-reported holding against the corresponding position in the Devancore ledger — quantity, asset, account identity, and settlement date. Positions that appear in the custodian's statement but not in the ledger, or that differ in quantity, are flagged as discrepancies with the source instruction and expected custodian reference. This continuous match replaces the manual end-of-day reconciliation process and produces a persistent audit log of custodian agreement across every settlement cycle.

Surprise examination readiness. For Rule 206(4)-2(a)(4) surprise examinations, an independent public accountant requires point-in-time snapshots of client holdings — the exact position of each asset at each custodian at a specific moment in time, the format needed to complete Form ADV-E within the 120-day window. Devancore generates these snapshots on demand, timestamped and immutable in the audit log, for any historical date within the retention period. For digital assets, the snapshot includes the wallet address, on-chain balance at the relevant block height, and the blockchain transaction hash of the most recent confirmed settlement event — the supporting documentation the accountant uses to verify holdings against the client statement through custodian attestations or wallet ownership proofs. Devancore also monitors for the one-business-day notification trigger: if the custodian-to-ledger reconciliation produces a discrepancy that cannot be resolved within the same settlement session, Devancore surfaces it as a potential material discrepancy requiring CCO review before the one-day SEC notification window expires.

Fee Logic Audit for deemed custody. For RIAs whose deemed custody arises solely from fee-deduction authority — where the adviser is permitted to withdraw fees from client accounts at the qualified custodian — Devancore maps every withdrawal instruction to the custodian's corresponding record, confirming that the amount withdrawn matches the contractual advisory fee calculation and that no withdrawals occurred outside the fee-deduction mandate. This audit trail satisfies the independent verification expectation for deemed-custody-by-fee-deduction arrangements, demonstrating that the adviser's authority to access client accounts was used only for its permitted purpose and in amounts reconciling to the fee schedule. Each fee deduction event is logged with the instruction timestamp, fee calculation basis, and custodian confirmation, providing a complete record available for SEC examination on demand.

Multi-QC unified custody dashboard. Advisers using multiple qualified custodians — a traditional securities bank custodian, a digital asset trust company, and a broker-dealer custodian for margin-eligible positions — face the operational challenge of consolidating fragmented custody views into a single compliant picture. Devancore's unified custody dashboard aggregates all qualified custodian relationships: total assets under custody by custodian and asset class, reconciliation status for each relationship, open discrepancies by age, and the data required for Form ADV Part 1A Item 9 disclosure — each custodian's name, address, and the amount of client assets held. This export reduces the manual quarterly compilation that advisers currently perform before filing updated Form ADV data.

On-chain exclusive control verification. For digital assets held at a qualified custodian, Devancore performs wallet verification: querying the on-chain balance of each custodian-assigned wallet address and confirming it matches the custodian's reported position. This verification confirms that the custodian actually controls the on-chain assets it claims to hold, consistent with the SEC's exclusive control expectation. If a wallet address shows a lower on-chain balance than the custodian's statement, Devancore flags the discrepancy immediately, alerting the operations team and logging the event in the maker-checker workflow for CCO review. Position changes confirmed on-chain — transfers in or out of custodian wallets — are mirrored to the IBOR in real time, ensuring the investment book of record reflects the verified on-chain state rather than a day-old custody statement. See digital asset recordkeeping for the full books-and-records obligations that run in parallel with the qualified custodian requirement.

Related terms

Rule 15c3-3 Customer Protection Rule

SEC rule requiring broker-dealers to hold customer securities in possession or control and fund the Special Reserve Bank Account through the reserve formula.

Digital Asset Recordkeeping Broker Dealer

The requirement for broker-dealers to apply Rules 17a-3 and 17a-4 to digital asset securities, linking on-chain transaction data to the account-level records regulators require.

Written Supervisory Procedures

The compliance policies a broker-dealer must establish, maintain, and enforce under FINRA Rule 3110 to supervise all business lines and associated persons.

Custody Reconciliation

The daily comparison of a firm's internal position records against the custodian's statement of holdings, identifying breaks for investigation and regulatory documentation.

Payment Stablecoin Reserve Requirements

Payment stablecoin reserve requirements mandate 1:1 backing of outstanding tokens with high-quality liquid assets — short-duration Treasuries, insured deposits, and central bank balances.

Broker-Dealer Compliance Technology

The software layer that enables broker-dealers to meet SEC and FINRA regulatory obligations — books and records, net capital, supervisory controls, and audit trail — through automation rather than manual processes.

Operational Risk Management Securities

The identification and mitigation of risks from failed processes, human errors, technology failures, and external events that disrupt securities operations or cause financial loss.

Maker-Checker Workflow

A two-person segregation of duties control requiring that any action entered by one operator must be reviewed and approved by a second before it takes effect.