Advisor Transitions Leave Ghost Access

Why changing lawyers, bankers, accountants or technology providers leaves hidden access—and the day 0, 30 and 90 controls that close it.

The answer

An adviser can stop working for you and remain embedded in your institution for years. The engagement ends. The account does not. A former lawyer still appears in a deal room. An old accountant remains a recovery contact.

An adviser can stop working for you and remain embedded in your institution for years. The engagement ends. The account does not. A former lawyer still appears in a deal room. An old accountant remains a recovery contact. A technology provider retains administrator access because nobody knows whether removing it will break something. A banker’s personal mobile number remains the trusted route for urgent instructions. A shared mailbox continues forwarding. Copies of identity documents sit in an abandoned portal. This is ghost access: authority, information or trust that survives the relationship that justified it.

Offboarding an adviser is not offboarding an employee

Employees are at least visible to internal systems. Professional advisers operate across organisational boundaries. They use their own devices, their own staff, subcontractors, specialist platforms and regulated archives. They also become part of the institution’s human trust graph. That makes the transition broader than disabling an account. You must transfer records, knowledge, authority, relationships, recovery paths and the right to represent the client.

Map five forms of residue

  • Technical residue: accounts, API keys, administrator roles, shared drives, forwarding rules, device enrolments and remote support tools.
  • Informational residue: working papers, identity documents, correspondence, exports, backups and local copies.
  • Authority residue: mandates, powers, signing permissions, approval roles and the practical ability to persuade a counterparty.
  • Relational residue: a former adviser still recognised by banks, registrars, insurers, family members, assistants or vendors.
  • Knowledge residue: undocumented decisions and context that the successor needs but the outgoing adviser alone holds.

Removing only the technical account leaves the other four intact. Removing everything immediately may destroy records the institution must retain or knowledge it must transfer. The work is controlled separation, not indiscriminate deletion.

Day 0: stop authority from drifting

The first phase begins when the transition is decided, not when the farewell email is sent.

  • Name an internal owner for the transition and an authorised point of contact at both firms.
  • Freeze creation of new privileged access unless the transition owner approves it.
  • Inventory live mandates, accounts, repositories, credentials, devices, data exchanges and recurring tasks.
  • Identify imminent deadlines, transactions, filings and renewal dates.
  • Establish the effective time at which the outgoing adviser may no longer issue or approve instructions.
  • Notify critical counterparties through a verified route and state exactly what has changed.

Do not write “X is no longer our adviser” and assume every recipient understands the control implication. State who is authorised now, which prior instructions remain valid and how a new instruction must be verified.

Day 30: complete the transfer

By the end of the first month, the successor should not merely possess files. They should be able to operate.

  • Transfer authoritative records in usable formats with an index and provenance.
  • Rotate shared secrets and recovery factors; do not only change the visible password.
  • Remove legacy delegates from identity, finance, document, communications and vendor systems.
  • Review forwarding rules, integrations and service accounts that may continue moving data.
  • Reconcile the outgoing adviser’s inventory against the successor’s receipt.
  • Record any material gap, dispute or retention restriction.

For personal data, deletion is not a magic instruction. Determine what the former adviser must retain, may retain and must return or erase under the engagement terms and applicable law. Separate the firm’s regulated or defensible archive from live operational access.

Day 90: hunt the ghosts

Residual access is easiest to find after normal activity has resumed. At roughly ninety days, run a second review based on actual logs and relationships.

  • Search authentication and sharing records for former domains, named users and service accounts.
  • Ask key counterparties whom they currently recognise as authorised.
  • Check whether any old contact is still receiving statements, alerts, codes or meeting invitations.
  • Review new invoices and vendor support interactions for reliance on the outgoing adviser.
  • Confirm that data exports and backups created for transfer have a retention owner and destruction date.
  • Test a recovery event to ensure the former adviser is not still part of the path.

Demand evidence, not reassurance

“Access removed” is not a useful completion statement. Ask for evidence appropriate to the system: role export, access log, mandate confirmation, credential rotation record, delivery receipt or signed transition schedule. The standard is not absolute proof that no copy exists anywhere. The standard is a defensible chain of custody and a documented disposition for each material class of access, authority and information.

A transition is a security event

Treating adviser change as procurement administration misses the moment of highest risk. Relationships are strained. Staff are distracted. Two operating teams overlap. Each assumes the other owns the gap. The outgoing adviser still knows the language of trust, while the incoming adviser does not yet know where the institution is brittle. Handled well, the transition is also an unusual opportunity. It reveals undocumented authority, duplicate systems and inherited permissions that ordinary reviews never surface. Do not waste it. Close the relationship with the same precision used to open it.

Sources

  1. Swiss FDPIC: Data securitySwiss FDPIC: Data security

    Primary authority

  2. NIST Digital Identity GuidelinesNIST Digital Identity Guidelines

    Primary authority

  3. FINMA: Revised circular on operational risks and resilienceFINMA: Revised circular on operational risks and resilience

    Primary authority

Jonathan P. De CollibusFounding Partner, Svperior / Cyber
Adam J. De CollibusFounding Partner, Svperior / Systems Engineering

Ross Belhomme

Ross leads Legal within Svperior GmbH. His work draws on more than two decades across international fiduciary, wealth-structuring, and private-client environments, combining legal, financial, and technical judgment around governance, privacy, assets, authority, and cross-border operating conditions.

Legal strategy / Governance / Private-client structuring / Digital assets

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry