Adviser Alert: IAs Should Avoid Using Third-Party Platforms That Ask Clients to Share Credentials in Violation of Colorado Rules

Denver - September 19, 2025 - The Examination Staff (the "Staff") of the Colorado Division of Securities is aware that some state licensed investment advisers ("advisers") are using an online third-party platform ("platform") to access and manage clients' held-away accounts by having clients share their unique login credentials - username and password of their custodial account - with the platform. In many cases, the platform has no agreement with the relevant custodian.

In the Staff's view, advisers' use of platforms that require clients to share their login credentials with the platform, without an agreement with the custodian, is likely a dishonest and unethical business practice under Colorado state investment adviser rules. The applicable provisions and a discussion of them are set out below.

The Staff reminds advisers who are using, or considering using, these types of platforms that the adviser has a responsibility to understand how the platforms operate, the associated risks to clients, and the regulatory compliance issues. (See: Know Before You Share: Be Mindful of Data Aggregation Risks, FINRA, January 12, 2024; SIFMA Data Aggregation Principles.)

Notably, advisers should determine whether third party platforms access the clients' held-away assets by using the clients' login credentials, and whether access occurs without the permission of the custodian.

Statutes and Rules

3 CCR 704-1, Rule 51-4.8(IA). Dishonest and Unethical Conduct.

A person who is an investment adviser, an investment adviser representative or a federal covered adviser is a fiduciary and has a duty to act primarily for the benefit of its clients. The provisions of this subsection apply to federal covered advisers to the extent that the conduct alleged is fraudulent, deceptive, or as otherwise permitted by the National Securities Markets Improvement Act of 1996 (Pub. L. No. 104-290). While the extent and nature of this duty varies according to the nature of the relationship between an investment adviser or an investment adviser representative and its clients and the circumstances of each case, an investment adviser, an investment adviser representative or a federal covered adviser shall not engage in unethical business practices, including the following:

• (U) Engaging in conduct or any act, indirectly through or by another person,
  which would be unlawful for such person to do directly under the provisions of
  this act or any Rule thereunder.
• (X) Accessing a client's account by using the client's own unique identifying
  information (such as username and password).

Discussion

The Staff is aware that some state licensed advisers are using an online third-party platform that enables the adviser to access and manage held-away accounts. For the adviser to gain access to the accounts through the third-party platform, the adviser instructs their clients to provide their usernames and passwords to the third-party platform. Clients must also agree to allow any multi-factor authentication codes related to the login to be sent to a phone number or email controlled by the platform.
In many cases, it appears that custodians have not agreed to and are unaware that the third-party platform is accessing accounts using the clients' custodial usernames, passwords, and multi-factor authentication codes. In other instances, the custodian has attempted to restrict access to its site by the third-party platform.

Use of Clients' Username and Password - Dishonest and Unethical Behavior under the Rules:
An adviser who uses such a platform may be violating Colorado rules. An adviser engages in dishonest and unethical behavior as defined by 3 CCR 704-1, Rule 51-4.8(IA)(X) when they use their clients' unique usernames and passwords to access their clients' accounts. While the adviser does not necessarily control the clients' usernames and passwords when utilizing a third-party platform, it is a dishonest and unethical business practice as defined by 3 CCR 704-1, Rule 51-4.8(IA)(U) for an adviser to engage in conduct through another person that would be unlawful for the adviser to engage in.

Additional Risks to Clients:
It should be further noted that advisers who recommend their clients share their login credentials may cause clients to violate their agreements with custodians. This could cause the clients to lose fraud protections that may be waived if they share credentials. (See eg: Empower Security Guarantee; Fidelity Customer Protection Guarantee; Schwab Security Guarantee).

In addition, custodians have an interest in understanding who is accessing accounts and communicating trades on the clients' behalf. A platform that obscures the custodian's visibility of who is actually accessing clients' accounts creates risks for the custodian that increases risks to the clients.

Advisers should also be aware that the platforms are not subject to the same regulations as broker dealers or licensed, chartered or registered financial institutions, particularly in areas of data privacy and security and may not be held to the same rigorous regulatory standards of consumer protection and care.

Conclusion

This Adviser Alert has discussed when an adviser's use of a third-party platform to access their clients' held-away accounts may be a dishonest and unethical business practice. Advisers are responsible for understanding any third-party platform they use to access and manage clients' accounts, the risks to clients, and the regulatory compliance issues.

To address the client's login credential issues discussed above, the Staff recommends that advisers consider obtaining the necessary entitlements for each account from each custodian or use a platform authorized by the custodian to access clients' accounts.

If the login credential issues are not satisfactorily resolved, an adviser using such a platform will likely violate 3 CCR 704-1, Rule 51-4.8(IA). In such cases, the Staff recommends advisers avoid using such a platform.