
Unauthorized Fees and Misused Client Credentials: A Case Study in Basic Controls


The SEC’s 2025 enforcement action against a registered investment adviser highlights how routine administrative shortcuts, rather than intentional theft, can still lead to severe fiduciary violations. The Commission alleged that advisory personnel charged millions of dollars in unauthorized fees by directly accessing client brokerage accounts using client credentials and rerouting multi-factor authentication (“MFA”) codes to firm devices.

According to the complaint filed in federal court, firm staff “used client usernames and passwords to log into brokerage accounts and initiate withdrawals of advisory fees far in excess of those authorized.” The practice had evolved informally over several years. Operations employees initially asked clients for login access “to assist with billing or reconciliation,” and those credentials were retained indefinitely. When new fee files were uploaded, they were processed directly through client portals without the custodians’ standard authorization workflow.


The SEC described this conduct as “a pattern of deception carried out through omissions and misuse of access,” noting that firm personnel “failed to disclose to clients or custodians that the firm had taken control of client credentials” and “diverted multi-factor authentication codes to firm-owned devices.” Those actions, the Commission said, deprived clients of the ability to monitor or verify transactions in real time.


The complaint emphasized that the adviser’s compliance program “was ill-equipped to detect or prevent” these issues. The firm’s Code of Ethics specifically prohibited employees from using client passwords, and its written policies required that all fee withdrawals be supported by written authorization and cross-checked against custodial statements. Yet these controls existed only on paper. Supervisors did not review reconciliations, compliance staff had no independent billing reports, and custodians were not alerted that client credentials were being shared.


What made the matter particularly concerning to regulators was not a sophisticated scheme, but the erosion of basic governance. The SEC alleged violations of Advisers Act Sections 206(1) and 206(2), which prohibit fraudulent, deceptive, or manipulative conduct by investment advisers. The Commission underscored that intent is not required under Section 206(2); negligent breaches of fiduciary duty, such as failing to safeguard client assets or failing to implement adequate oversight, are enough to constitute violations.


The firm’s failures also extended into cybersecurity. The complaint detailed that “the adviser configured MFA codes to be delivered to a single firm-controlled device,” enabling multiple employees to access any client account without detection. When concerns surfaced, the firm could not produce an access log showing which employee had logged in or when. Regulators viewed this as a serious breakdown in internal control, particularly because the firm had certified to clients that its systems complied with industry cybersecurity standards.


When the conduct was discovered, the adviser refunded a portion of the overcharged fees but did not self-report to the SEC. The Commission noted that remediation after detection “does not negate prior violations of fiduciary duty,” especially when the underlying control environment remains unchanged. The case serves as a reminder that operational convenience can never justify practices that compromise client trust or account integrity.


Practical Steps for Advisory Firms

Advisers can use this case as a benchmark for assessing their own fee-billing and credential-management controls. Consider performing the following reviews:


Credential and Access Review: Verify that no employee or vendor possesses or uses client usernames, passwords, or authentication tokens. Custodial portals should be accessed only through firm-approved adviser channels.


Billing Authorization Audit: Confirm that every fee debit is supported by a current advisory agreement and a documented client consent. Test a sample of transactions each quarter to ensure accuracy.


Custodial Statement Reconciliation: Match billed fees against custodial records for a random set of accounts and verify that calculations conform to the ADV-disclosed methodology.


Cybersecurity and MFA Controls: MFA codes for a client's own brokerage login must reach only the client; the firm should never be the delivery target for a client's authentication factors. For the firm's own adviser-channel logins, bind MFA to each employee's individually assigned device rather than to a shared phone, mailbox, or token, so that every login is attributable to one person. Retain per-user access logs for the custodial platforms the firm uses and monitor them for unusual patterns, such as a single device or source address reaching many unrelated client accounts.


Exception and Remediation Tracking: Create a standing log for all billing or fee discrepancies, with assigned responsibility for follow-up and documentation of corrective actions.
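The two patterns the complaint describes, one MFA delivery target receiving codes for many client accounts and one source reaching many client accounts with client credentials, are detectable from custodial login records if a firm actually retains them. The following is an added example written for this article, not code from the SEC, any custodian, or the adviser involved. It assumes a hypothetical export format with one row per login (timestamp, account, whether the login used client credentials or the adviser channel, source IP, and a masked MFA destination), and it assumes a firm-owned network range; the log rows are constructed for illustration.

```python
"""Detections over constructed custodial-portal login records (example code).

Assumed, hypothetical export schema: one row per login with the account
reached, whether the login used the client's own credentials or the
firm's adviser channel, the source IP, and the masked MFA delivery target.
"""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Constructed sample rows; not real custodian data.
SAMPLE_LOG = """\
timestamp,account_id,login_type,source_ip,mfa_destination
2025-03-03T09:01:10Z,ACCT-1001,client_credential,203.0.113.10,+1***0042
2025-03-03T09:04:55Z,ACCT-1002,client_credential,203.0.113.10,+1***0042
2025-03-03T09:09:30Z,ACCT-1003,client_credential,203.0.113.10,+1***0042
2025-03-03T09:15:02Z,ACCT-1004,client_credential,203.0.113.10,+1***0042
2025-03-03T10:20:00Z,ACCT-2001,client_credential,198.51.100.7,+1***7781
2025-03-04T11:00:00Z,ACCT-1001,adviser_channel,203.0.113.10,
2025-03-04T11:02:00Z,ACCT-1002,adviser_channel,203.0.113.10,
2025-03-05T08:30:00Z,ACCT-2002,client_credential,198.51.100.9,+1***5530
"""

# Assumed firm address space (hypothetical); a real firm would list its own egress ranges.
FIRM_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_log(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def shared_mfa_destinations(rows, max_accounts=1):
    """Map each MFA destination to the client accounts whose codes it received,
    keeping only destinations that served more than max_accounts accounts.
    A client's own phone should map to that client's accounts and nothing else."""
    by_dest = defaultdict(set)
    for r in rows:
        if r["login_type"] == "client_credential" and r["mfa_destination"]:
            by_dest[r["mfa_destination"]].add(r["account_id"])
    return {d: sorted(a) for d, a in by_dest.items() if len(a) > max_accounts}


def multi_account_client_logins(rows, max_accounts=1):
    """Map each source IP to the accounts it entered with client credentials,
    keeping IPs that reached more than max_accounts accounts. Adviser-channel
    logins are excluded because one adviser legitimately serves many accounts."""
    by_ip = defaultdict(set)
    for r in rows:
        if r["login_type"] == "client_credential":
            by_ip[r["source_ip"]].add(r["account_id"])
    return {ip: sorted(a) for ip, a in by_ip.items() if len(a) > max_accounts}


def client_logins_from_firm_networks(rows, networks=FIRM_NETWORKS):
    """Return (timestamp, account_id, source_ip) for client-credential logins
    that originated inside the firm's own address space. A client should not
    be logging in from the adviser's office; these are the events to explain."""
    hits = []
    for r in rows:
        if r["login_type"] != "client_credential":
            continue
        ip = ipaddress.ip_address(r["source_ip"])
        if any(ip in net for net in networks):
            hits.append((r["timestamp"], r["account_id"], r["source_ip"]))
    return hits


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("MFA destinations shared across accounts:", shared_mfa_destinations(rows))
    print("IPs using client credentials on many accounts:", multi_account_client_logins(rows))
    print("Client-credential logins from firm networks:", client_logins_from_firm_networks(rows))
```

Each check keys on a field the firm in the case could not produce (who logged in, from where, and where the code went); if a custodian's export lacks one of them, that gap is itself the finding to raise with the custodian.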


For many firms, independent testing by an outside compliance professional can help validate these controls. A third-party review can identify weak points in billing oversight, credential governance, and cybersecurity policy implementation that may be overlooked internally. Even well-intentioned firms can drift toward informal shortcuts over time; an external perspective helps ensure that efficiency never compromises fiduciary care.




Coulter Strategic Services provides customized compliance and regulatory consulting designed to meet the specific needs of each investment advisory firm. Services are tailored to the firm’s structure, business model, and regulatory obligations to help maintain an effective and sustainable compliance program aligned with current expectations. Contact us today to discuss your firm’s compliance program needs. Learn more at https://www.coulterstrategicservices.com/


All information provided is for educational purposes and should not be construed as specific advice. The information does not reflect the view of any regulatory body, State or Federal Agency or Association. All efforts have been made to report true and accurate information. However, the information could become materially inaccurate without warning. Not all information from third-party sources can be thoroughly vetted. Coulter Strategic Services and its staff do NOT provide legal opinions or legal recommendations. Nothing in this material shall be considered as legal advice or opinion.




©2023 by Coulter Strategic Services.
