How to Audit Advisor Actions on Held-Away Retirement Plans: Checklist Tool

To audit advisor actions on held-away retirement plans, review the advisor's recommendation logs, compare them with the 401(k) or plan statements, verify the client's own execution records, check who holds what access permissions, and confirm timestamps and compliance documentation so that every action can be traced end to end.

Held-away retirement accounts introduce both opportunity and complexity. They allow advisors to deliver more comprehensive advice, but also expose firms to heightened regulatory scrutiny, particularly around custody.

Quick Takeaways

  • Held-away accounts, such as a 401(k) or IRA, sit outside the advisor's custody but are still advised on and monitored
  • The biggest risk is unintentionally triggering custody under U.S. Securities and Exchange Commission rules
  • View-only access is the safest option
  • Advisors should never store client passwords
  • Written client consent is essential
  • Regular audits should review trades, withdrawals, logins, and account changes

The objective is not just compliance, but ensuring that all client assets, regardless of location, are managed with consistency, transparency, and fiduciary care.

Checklist Tool

Held-Away Retirement Plans & Advisor Auditing

Compact review for 401(k), 403(b), 457, IRA, and other held-away accounts.


1. Scope

  • Account types in scope: 401(k), 403(b), 457, IRA, brokerage, HSA, 529.
  • Keep plan name, recordkeeper, and account identifiers handy.
  • Record the access method: read-only, aggregator, portal, SDBA, or platform.
  • Confirm client consent exists in written or secure electronic form.

2. Access & custody risk

  • No stored client passwords: avoid vaults, spreadsheets, or shared logins.
  • Client keeps control of authentication.
  • Watch for custody triggers.
  • Trading only if firm policy and client consent allow it.
  • Common custody triggers: held credentials, POA, bill pay, auto-debits, or screen-scraping.

3. Statements & records

  • Use official recordkeeper records, not advisor-only data.
  • Pull the advisor's record of each recommendation from the portfolio system, platform log, or blotter.
  • Locate evidence of client approval: emails, notes, forms, or trade tickets.
  • Fees: check rate, basis, and source of payment.
  • Retain statements, confirmations, logs, and disclosures.

4. Activity review

  • Review rebalances, buys, sells, and allocation changes.
  • Review fund movements: loans, rollovers, distributions, or transfers.
  • Watch for odd dates, frequent rebalances, or allocation drift.
  • Confirm statement values line up with firm records.
  • Confirm no surprises, confusion, or missing approvals on the client side.

5. Compliance follow-up

  • Update the firm's custody determination if credentials or authority create custody.
  • No password storage, clear approvals, clean logs.
  • Escalate red flags: unauthorized access, missing logs, odd fees, or client confusion.
  • Monthly or quarterly review scheduled.

What Does “Held-Away Retirement Plan” Mean?

In the U.S. advisory context, held-away retirement plans refer to client accounts that sit outside an advisor’s direct custody or management platform.

These are most commonly employer-sponsored plans maintained with a plan recordkeeper rather than the advisor's custodian, but also include other accounts the advisor does not actively manage:

  • 401(k)
  • 403(b)
  • 457 plans
  • IRAs and brokerage accounts
  • HSAs
  • 529 plans

The advisor may advise on or view these assets, but they are not held at the advisor’s custodian, nor fully governed by the advisor’s trading authority.

Why Auditing Advisor Actions on Held-Away Accounts Matters

These accounts often represent a substantial share of client wealth, especially given the scale of U.S. defined-contribution retirement assets (now exceeding $13 trillion).

Auditing serves several critical functions:

What Counts as “Advisor Actions” in Held-Away Accounts

“Advisor actions” means any activity that influences or interacts with a held-away account, whether directly or indirectly.

This includes:

Regulatory Framework: The SEC Custody Rule

Under Rule 206(4)-2 of the Investment Advisers Act, an advisor is deemed to have custody if they:

  • Hold client funds or securities directly or indirectly
  • Have authority to withdraw or transfer client assets
  • Possess client login credentials or other access that would let them withdraw or transfer assets

This definition is intentionally broad. Even indirect mechanisms, such as holding client login credentials or using a screen-scraping tool that logs in with them, may constitute custody when that access would allow the advisor to move assets, not merely view them.

When custody is triggered, the advisor must:

The Biggest Risk: Unintentional Custody

The most common compliance failure is triggering custody without realizing it, and then failing to meet the obligations that custody brings.

This often occurs when:

  • Advisors store or use client login credentials
  • Automated systems allow transaction execution
  • Standing authorizations permit fund movement
  • Third-party tools blur the line between access and control

How Advisors Typically Access Held-Away Plans

Advisors rely on a mix of traditional and technology-enabled methods to incorporate held-away assets into their process:

Step-by-Step Framework to Audit Advisor Actions

A structured audit process ensures consistency and defensibility. At a high level:

This process should be performed regularly (monthly or quarterly), not just during formal audits.

Ongoing Audit Checklist (Periodic Review)

A practical audit cadence focuses on a few high-impact areas:

  • Ensure all trades match across systems
  • Confirm authorized users and permissions
  • Validate contributions, rollovers, and withdrawals
  • Ensure billing reflects agreed terms
  • Review access and activity trails
  • Confirm internal controls are followed
  • Flag unusual trading patterns or allocation shifts
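The reconciliation the checklist above describes (match trades across systems, confirm permissions, validate fund movements, flag unusual activity) is mechanical enough to script. The example below is added here and is not code from the original article or from any vendor platform; it runs over constructed sample data for one hypothetical 401(k) (the account identifier, dates, approval references and the "advisor-portal" / "stored-credentials" labels are all made up), and the match window and rebalance threshold are assumed policy values a firm would set for itself.

```python
"""Reconcile an advisor's recommendation log, the recordkeeper statement and the
access log for a held-away account, and return audit findings.

Added example with constructed data; MATCH_WINDOW and MAX_REBALANCES_PER_QUARTER
are assumed firm policy values, not regulatory thresholds."""
from collections import Counter
from datetime import date, timedelta

# Advisor-side record of each recommendation and whether client approval was documented.
RECOMMENDATIONS = [
    {"id": "R1", "date": date(2024, 3, 4), "account": "401k-ACME-1001",
     "action": "rebalance", "approval": "email-2024-03-04"},
    {"id": "R2", "date": date(2024, 3, 18), "account": "401k-ACME-1001",
     "action": "rebalance", "approval": "email-2024-03-18"},
    {"id": "R3", "date": date(2024, 6, 2), "account": "401k-ACME-1001",
     "action": "rebalance", "approval": None},   # advised, but no approval on file
]

# Transactions as they appear on the recordkeeper statement (the official record).
STATEMENT_TXNS = [
    {"date": date(2024, 3, 5), "account": "401k-ACME-1001", "action": "rebalance", "initiated_by": "participant"},
    {"date": date(2024, 3, 19), "account": "401k-ACME-1001", "action": "rebalance", "initiated_by": "participant"},
    {"date": date(2024, 3, 26), "account": "401k-ACME-1001", "action": "rebalance", "initiated_by": "participant"},
    {"date": date(2024, 6, 3), "account": "401k-ACME-1001", "action": "rebalance", "initiated_by": "participant"},
    {"date": date(2024, 6, 14), "account": "401k-ACME-1001", "action": "distribution", "initiated_by": "advisor-portal"},
]

# Access events from the aggregator / platform log.
ACCESS_EVENTS = [
    {"date": date(2024, 3, 1), "user": "client", "method": "aggregator", "permission": "view-only"},
    {"date": date(2024, 6, 14), "user": "advisor", "method": "stored-credentials", "permission": "full"},
]

CUSTODY_METHODS = {"stored-credentials", "screen-scraping", "poa", "bill-pay", "auto-debit"}
ADVICE_ACTIONS = {"rebalance", "buy", "sell", "allocation_change"}
FUND_MOVEMENTS = {"distribution", "loan", "rollover", "transfer", "withdrawal"}
MATCH_WINDOW = timedelta(days=5)          # assumed: a trade must follow its recommendation within 5 days
MAX_REBALANCES_PER_QUARTER = 2            # assumed: more than this per quarter is flagged for review


def quarter(d):
    """(year, quarter) key used to count rebalances per quarter."""
    return (d.year, (d.month - 1) // 3 + 1)


def reconcile(recs, txns, access):
    """Return a list of (finding, when, detail) tuples; empty means the account reconciles cleanly."""
    findings = []
    matched = set()

    for t in txns:
        # Fund movements must be initiated by the participant, never through advisor access.
        if t["action"] in FUND_MOVEMENTS and t["initiated_by"] != "participant":
            findings.append(("fund_movement_not_by_client", t["date"], t["action"]))
        # Match the statement transaction to a prior recommendation on the same account and action.
        candidates = [r for r in recs
                      if r["account"] == t["account"] and r["action"] == t["action"]
                      and timedelta(0) <= t["date"] - r["date"] <= MATCH_WINDOW]
        if not candidates:
            if t["action"] in ADVICE_ACTIONS:
                findings.append(("transaction_without_recommendation", t["date"], t["action"]))
            continue
        rec = candidates[0]
        matched.add(rec["id"])
        if not rec["approval"]:
            findings.append(("executed_without_documented_approval", t["date"], rec["id"]))

    # Recommendations with no matching statement transaction (informational, not a control failure).
    for r in recs:
        if r["id"] not in matched:
            findings.append(("recommendation_not_executed", r["date"], r["id"]))

    # Any advisor login, custody-type access method, or permission beyond view-only is a custody trigger.
    for e in access:
        if e["user"] != "client" or e["method"] in CUSTODY_METHODS or e["permission"] != "view-only":
            findings.append(("possible_custody_trigger", e["date"],
                             f'{e["user"]}/{e["method"]}/{e["permission"]}'))

    # Rebalance frequency per quarter, from the official record rather than the advisor log.
    per_quarter = Counter(quarter(t["date"]) for t in txns if t["action"] == "rebalance")
    for q, n in sorted(per_quarter.items()):
        if n > MAX_REBALANCES_PER_QUARTER:
            findings.append(("frequent_rebalancing", q, n))
    return findings


if __name__ == "__main__":
    for finding in reconcile(RECOMMENDATIONS, STATEMENT_TXNS, ACCESS_EVENTS):
        print(*finding)
```

On the sample data this produces five findings: a rebalance on the statement with no recommendation behind it, a rebalance executed against a recommendation that was never approved, a distribution initiated through advisor access rather than by the participant, an advisor login using stored credentials with full permissions (a custody trigger), and three rebalances in one quarter. Matching deliberately uses the recordkeeper statement as the anchor and the advisor log as the thing to be explained, which is the direction the checklist calls for: official records first, advisor-only data second.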

Red Flags in Advisor Activity on 401(k) and IRA Accounts

Certain patterns should immediately trigger deeper review:

These indicators often point to custody exposure, poor controls, or potential misconduct.

Data Sources Used for Auditing (Statements, Aggregators, Logs)

Effective audits rely on independent and overlapping data sources, including:

Cross-referencing these sources ensures that no single system becomes a point of failure.

Common Compliance Mistakes

Recurring issues in the industry include:

Most of these stem from underestimating the breadth of regulatory definitions.

Internal vs. External Audits

  • Internal audits are ongoing, process-driven reviews conducted by the firm itself to identify issues early and maintain operational discipline.
  • External audits (surprise exams) are independent examinations, performed by an independent public accountant, that the custody rule requires once an advisor has custody; they verify client assets directly with the custodian.

Both serve different purposes but are complementary: internal audits prepare and protect, while external audits validate and enforce.

FAQs

What triggers a surprise audit for held-away accounts?

A surprise audit applies only if the adviser has custody, meaning the adviser can move client money or holds logins that would allow it. Pure advice without control does not trigger one, and authority limited to placing trades in the account, without the ability to withdraw or transfer assets, generally does not create custody either.

Does an account aggregator count as custody?

No if it is strictly read-only. If the adviser can control access, store passwords, or go beyond viewing, regulators may treat it as custody.

Can advisers charge fees on held-away accounts?

Yes, if clearly disclosed and agreed in advance. Fees should align with the level of advice since the adviser is not directly managing the assets.

What records should be kept for held-away accounts?

Keep statements, authorizations, confirmations, emails, and platform logs. Anything that documents advice, approvals, or outcomes should be retained.

What if the client places trades themselves?

This usually avoids custody. Advisers should still review statements to confirm the client followed recommendations.

How can advisers avoid custody with 401(k)s?

Do not log into the account yourself: no shared logins, no saved passwords, and no ability to move funds. Use read-only aggregation where the client keeps full control of the credentials.

Do held-away accounts count as AUM or custody?

They usually do not count as custody. Some firms include them as assets under advisement, but custody requires actual control.

Can auditors review held-away accounts?

Only if custody exists. Otherwise, these accounts are generally outside the scope of a surprise exam, unless the firm chooses to include them for documentation or out of caution.

Sources:

  • https://www.michigan.gov/lara/bureau-list/cscl/securities/investment-adviser-held-away-account-access-advisory
  • https://www.sec.gov/files/litigation/admin/2022/ia-6137.pdf
