Use of Client User Names and Passwords by Investment Advisory Personnel
Division Interpretive Guidance
August 12, 2019
In administering the Connecticut Uniform Securities Act, the Securities and Business Investments Division (the "Division") of the State of Connecticut Department of Banking has received inquiries from investment advisory personnel concerning the extent to which they may access a client’s account by using the client’s own unique identifying information such as the client’s personal user name and password. This scenario is distinct from one in which advisory personnel access client electronic accounts through the adviser’s own unique log-in information following authorization from the client. While the latter situation may also raise issues regarding custody and recordkeeping, it is not the focus of this interpretive position.
Investment advisory personnel occupy a special fiduciary role insofar as their clients are concerned. Using a client’s own unique identifying information to access the client’s account presents both operational and regulatory risks. In addition, the practice makes it difficult to pinpoint exactly who is accessing the account. Advisers engaging in the practice are, in effect, "impersonating" the client, and, in extreme situations, this raises a red flag that more egregious conduct, such as misappropriation, may or could be occurring. In addition, the practice raises concerns relating to cybersecurity, custody, recordkeeping and potential violation of the client user agreement. Custody issues arise because the adviser has the ability to transfer monies or securities out of the account. Client user agreement violations may prompt the custodian to deny reimbursement for unauthorized withdrawals. Any convenience to the client is thus overshadowed by the risk of harm to the client, to the adviser’s operations and to the adviser’s reputation for integrity.
Consistent with the approach taken by other states and recommended by the North American Securities Administrators Association, Inc., the Division does not condone the practice and would consider the use of a client’s unique identifying information to access the client’s account a dishonest or unethical practice within the meaning of Section 36b-5(f) of the Connecticut Uniform Securities Act.
Section 36b-5(f) provides that: "No person who directly or indirectly receives compensation or other remuneration for: (1) Advising another person as to the value of securities or their purchase or sale, whether through the issuance of analyses or reports or otherwise; or (2) soliciting advisory business on behalf of a person subject to the prohibition contained in subsection (a) of this section shall engage in any dishonest or unethical practice in connection with the rendering of such advice or in connection with such solicitation."
Section 36b-5(f) covers any person who renders investment advice or solicits investment advisory business on a compensated basis. As such, it is not confined to state-registered firms and their agents. To the extent the provision applies to investment advisers subject to Securities and Exchange Commission oversight, it would be circumscribed by the National Securities Markets Improvement Act of 1996.
In addition, engaging in dishonest or unethical practices would support the initiation of suspension or revocation proceedings against registered firms and their investment adviser agents pursuant to Section 36b-15(a)(2)(H) of the Act.
In articulating this position, the Division acknowledges that it is not intended to apply to data aggregation software where the adviser does not know or have access to the client’s password; an agreement exists between the data aggregation software concern and the custodian or online platform permitting this back-door access; and the data is read-only, with the adviser being unable to change the client’s underlying account.
Going forward, the Division will be incorporating this position into its enforcement and examination programs. Investment advisory personnel who are currently out of compliance should immediately 1) notify affected clients in writing that the clients should change their custodial account user name, password and security questions; and 2) request that the custodian or platform provider provide the adviser with its own unique log-in information to use as a standard business practice.