Introduction
Denver, CO – May 28, 2025 – The Examination Staff (the “Staff”) of the Colorado Division of Securities recommends that state-licensed investment advisers carefully review their use of third-party platforms that provide access to view and trade held-away client assets. The Staff has identified one such platform, Pontera, that some state-licensed investment advisers are engaging to actively view, manage, and place trades. There may be others. The use of such platforms may cause the adviser to violate the adviser’s fiduciary duties to clients and violate various rules applicable to Colorado investment advisers. This advisory document is intended to address the Staff’s regulatory concerns and to identify various compliance matters for advisers to consider before using these platforms.
Custodial Assets Versus Held-Away Assets
Traditionally, investment advisers who manage client assets enter into agreements with the custodian of the clients’ accounts. These agreements may give the adviser the ability to place trades in the client’s account through the custodial broker-dealer. The agreement and understanding among the client, the custodian, and the adviser ensures that each party involved is aware of their rights and obligations with respect to the arrangement. It also permits the custodian of the client’s assets to appropriately manage private client data and to make and keep accurate required records related to client log-ins and transactions.
In contrast, some third-party platforms provide the adviser with access to the client’s held-away accounts without the adviser or the third party entering into an agreement with the custodian. The third-party platform enters into an agreement with an investment adviser to collect client log-in information; to bypass multi-factor authentication protocols put in place by the custodian; and to provide a portal through which the adviser can view and make trades within the held-away account without the custodian having knowledge of who is placing the trade, by creating the deception that the client is the one placing the trade when in fact the client is not.
The third-party platform is not registered as an investment adviser or broker-dealer and is therefore not compliant with important and protective securities regulations regarding policies and procedures, recordkeeping, and net capital requirements.
Regulatory Compliance Issues
Advisers should independently review and understand their ability and authorization when using third-party platforms to access client accounts. Advisers should ensure that none of the agreements confer upon the adviser or the third-party platform the authority to access accounts in a manner prohibited by the custodian.
An adviser’s use of this type of third-party service may violate the Colorado Securities Act and the rules thereunder depending on the specifics of the adviser’s arrangement with the third party. Advisers should consider the following relevant rules:
- Rule 51-4.8(IA) states that a person who is an investment adviser, an investment adviser representative or a federal covered adviser is a fiduciary and has a duty to act primarily for the benefit of its clients.
- Rule 51-4.8(IA)(X) prohibits accessing a client’s account by using the client’s own unique identifying information (such as username and password).
- Rule 51.4.8(IA)(U) prohibits engaging in any conduct or any act, indirectly or through or by any other person, which would be unlawful for such person to do directly under the provisions of this act or any Rule thereunder. The rule includes that manipulative or deceptive practices, or aiding or abetting any unethical practice, shall be deemed an unethical business practice and shall be grounds for denial, suspension or revocation of a license.
- Rule 51-4.10(IA)(A)(1) states that “Custody” means holding directly or indirectly, client funds or securities, or having any authority to obtain possession of them or has the ability to appropriate them.
Using Client Log-In Credentials
The Staff recommends against advisers using client log-in information to access client accounts, even when the access is indirect through a third party. The Staff warns that doing so, and recommending that clients do so, creates serious risks for the client and may violate the adviser’s fiduciary duties and other regulations under state securities laws. Platforms that provide access to held-away accounts without the custodian’s knowledge rely on the client providing their log-in credentials to the platform so that it can impersonate the client and therefore gain access to trade in the account. The client may even be encouraged to replace their own phone number used for multi-factor authentication with a “fake” number that will forward the relevant multi-factor authentication code to the adviser or to the client when a log-in is attempted. If the third party, rather than the client, receives multi-factor authentication messages from the custodian, it also may take longer for the client to become aware of unauthorized access.
On these platforms, log-ins to the client account by the adviser are done without the knowledge or consent of the custodian, who as a result is unaware of who is accessing the client’s account and who is placing trades. The client providing their log-in credentials to a third party may put the client’s assets and personal financial information at risk.
Violation of Custodian Agreements
Third-party access services that rely on impersonating the client also may cause clients to violate their agreements with custodians. This could be considered deception. Agreements differ among custodians, but some expressly prohibit the use of these third-party platforms unless approved in writing, authorized, or made available by the custodian. They also contain limitations of the client’s permission to share their log-in credentials, and may waive the liability of the custodian in circumstances in which the client has shared their log-in credentials.
A client’s sharing of the passwords with a third party may cause the client to lose protection relating to their custodian account. Staff recommend that advisers avoid recommending such platforms, particularly when expressly prohibited by the custodian or in the absence of a disclosure to the clients about the various risks described within this guidance document.
Violation of Custody Rules
An adviser has custody if it holds client funds or securities, directly or indirectly, or has authority to obtain possession of such assets. Advisers should independently review and understand their ability and authorization to access client funds or securities. The Staff is equally concerned when the adviser authorizes this ability for a third party. Such a review should examine the powers of attorney, agreements between the customer and the third-party platform, and any agreements between the customer and the custodian of each held-away account that is accessed by the third-party platform. Some platforms might add the investment adviser or investment adviser representative as a supplemental or authorized user on the customer’s custodial account to navigate account authentication procedures during log-in.
Advisers should ensure that none of the agreements give the adviser the ability or the authority to access or withdraw client funds or securities from a held-away account.
Investment advisers with custody of customer assets must affirmatively disclose this and are subject to heightened safeguarding requirements under state securities laws.
Conclusion
Investment advisers and investors are encouraged to consider the noted issues and conduct the appropriate inquiry necessary to address these concerns prior to engaging a third party to access investment accounts. The fiduciary duty of an adviser would require, at a minimum, clear disclosure of each risk to the client. The Staff believes the best practice would be to avoid platforms that implicate the risks above.
This alert along with other investment adviser compliance resources can be found on the Division’s website at IA Guides and Resources. The Staff welcomes advisers’ feedback on its recommendations. Please submit any feedback by email to DORA_SecuritiesWebsite@state.co.us.
The views expressed herein are those of the Examination Staff of the Colorado Division of Securities and are intended to be informational. Each firm is responsible for and must comply with all required rules and regulations. This guidance does not supersede any part of the Colorado Revised Statutes, the Colorado Securities Act, or rules. The contents of this guidance do not constitute legal advice.