When someone dies or loses capacity, a fiduciary still has to reach their accounts. The question is not whether the family knows the password. It is whether the law gives the executor, trustee, agent, or guardian authority a custodian must honor. In New York that authority comes from a statute, and from the documents the person signed before it was needed.
A boutique practice sees the same problem from two directions. A family principal asks how their executor will handle the email, the photo archive, the domain names, and the exchange account after they are gone. A daughter holding a power of attorney for an incapacitated parent cannot get a bank to discuss an online-only account, and cannot get a provider to release anything at all. In both cases the instinct is to hand over a password and assume the matter is solved. It is not, because password-sharing is neither lawful authority nor a plan a custodian is required to recognize.
This article explains the legal authority framework for fiduciary access to digital assets in New York. It is about who may lawfully reach the account, on what basis, and within what limits — not about how to custody crypto for inheritance, which is a structuring question, and not about holding digital assets in a trust, which is a succession question. Those have their own counsel; this piece sits underneath both. Whatever structure a family builds, a fiduciary will eventually need authority a provider must honor, and that authority is governed by the Revised Uniform Fiduciary Access to Digital Assets Act as New York adopted it.
It is general information, not legal advice. The authority a given fiduciary holds depends on the instrument that appointed them, the settings the account holder used, the provider's own terms, and the law in force, and an access plan should be drafted with counsel rather than assembled from logins. One point recurs throughout: the strongest digital-asset access plan is written into the will, the trust, and the power of attorney while the account holder is alive and able to grant it, not reconstructed by a family after the fact.
Why a password is not lawful access
The common assumption is that whoever holds the credentials controls the account. In law the two are separate. A fiduciary — an executor or administrator of an estate, a trustee, an agent under a power of attorney, or a court-appointed guardian — derives authority from the instrument or order that created the role, not from possession of a username and a password. A provider that lets an account be used by someone holding the login has not granted that person any right to the account, and a fiduciary who logs in with a decedent's credentials may be acting without authority even when the family fully intends it.
Two bodies of law sit behind that distinction, and password-sharing runs against both. Federal computer-fraud and stored-communications statutes restrict accessing an account or compelling disclosure of its contents without proper authorization, and a provider reads its own terms of service against that backdrop. A surviving spouse who signs in as the decedent, or an agent who uses a parent's password, is relying on the provider not to notice rather than on a right the provider must recognize. When an account is frozen, an estate is contested, or a provider asks who is acting and on what basis, the password proves nothing about authority.
This is why fiduciary access to digital assets needs a statutory and documentary basis rather than a shared credential. The point of the framework that follows is to give a fiduciary a lawful path to the account — one a custodian is obligated to honor, that survives a dispute, and that does not depend on guessing or inheriting a password. The credential is a convenience and a risk. The authority is the thing that matters, and it has to come from somewhere the law respects.
A fiduciary's authority comes from the instrument that appointed them, not from possession of a username and a password.
RUFADAA as New York adopted it
New York answered the problem by enacting the Revised Uniform Fiduciary Access to Digital Assets Act, codified in Article 13-A of the Estates, Powers and Trusts Law. RUFADAA is a model act that most states have adopted in some form, and New York's version gives four kinds of fiduciary a defined route to a decedent's or principal's digital assets: the executor or administrator of an estate, the trustee of a trust, an agent acting under a power of attorney, and a guardian appointed for an incapacitated person. The statute treats a digital asset broadly — electronic records in which a person has a right or interest — which reaches email, documents, photographs, social and messaging accounts, domain names, loyalty balances, and cryptocurrency and exchange holdings alike.
The act works by balancing three interests that had been colliding before it existed: the account holder's wishes, the fiduciary's need to administer the estate or the affairs of an incapacitated person, and the provider's obligations to its users and under federal privacy law. It does not hand a fiduciary the keys to everything. It sets out what a fiduciary may request, what a custodian — the provider that holds the asset — may require before releasing anything, and how the account holder's own choices govern the result. Article 13-A is, in effect, the New York rulebook that tells a custodian when it must respond to a fiduciary and tells the fiduciary what they are entitled to ask for.
Two structural features of the statute do most of the work, and the rest of this article takes them in turn. The first is an order of priority that decides which expression of the account holder's intent controls when more than one exists. The second is a distinction between the existence of a person's electronic communications and the actual content of those communications, with a higher bar of consent required to reach the content. A fiduciary who understands those two features understands most of what RUFADAA gives and withholds in New York.
The three-tier priority that decides what controls
RUFADAA resolves competing instructions through a fixed order of priority, and knowing the order is how a fiduciary knows what governs. At the top sits any online tool the provider offers for directing what happens to an account — a legacy-contact or inactive-account setting that lets the user name who may access or close the account after death or incapacity. If the account holder used such a tool, that choice controls, and it overrides a contrary instruction in a will, a trust, or a power of attorney. The provider's own mechanism, when the user took the trouble to set it, sits at the top of the hierarchy.
The second tier is the estate planning instrument. If the account holder did not use an online tool, or the provider offers none, the user's direction in a will, a trust, a power of attorney, or another record governs — including a direction that permits or forbids a fiduciary's access. This is the tier a drafting lawyer can actually reach, and it is the reason express digital-asset authority belongs in the documents: in the absence of an online tool, the will, the trust, and the power of attorney are where the account holder's enforceable instructions live. A digital assets executor whose authority is spelled out in the will stands on this tier; one whose will is silent does not.
The third and lowest tier is the provider's terms-of-service agreement. Only when neither an online tool nor an estate planning instrument has spoken does the click-through contract the account holder accepted on signup govern access. That ordering is the heart of the act, and it carries a lesson the rest of this article builds on: an account holder who sets an online tool or grants authority in their documents displaces the terms of service, while an account holder who does neither leaves a fiduciary at the mercy of a contract written for the living. The priority rewards the person who decided in advance and penalizes the person who left it to a boilerplate agreement.
An online tool beats the will; the will beats the terms of service. The account holder who decides in advance displaces the boilerplate written for the living.
A catalogue is not the content
RUFADAA draws a second line that surprises families, and it is the one that most often limits what a fiduciary actually receives. The statute distinguishes between a catalogue of electronic communications and the content of those communications. A catalogue is the record that a message existed — the addresses of the sender and recipient and the date and time — without the substance of what was written. The content is the message itself: the words in the email, the body of the chat. The two are treated differently because the content of a person's communications carries privacy protection that the bare fact of a communication does not.
The practical consequence is a difference in what it takes to obtain each. A fiduciary can more readily reach the catalogue and the other, non-communication digital assets — the files, the photographs, the account records, the holdings — which is usually enough to identify property, locate accounts, and administer the estate. Reaching the content of the decedent's or principal's private communications requires more: a clearer expression of consent from the account holder, whether through an online tool that authorizes content disclosure or specific language in the will, trust, or power of attorney directing it. Silence on content is generally read against disclosure, so a fiduciary who needs the messages themselves needs the account holder to have said so.
For drafting, the lesson is precise rather than general. A document that grants a fiduciary authority over digital assets without separately addressing the content of electronic communications may secure the catalogue and the assets while leaving the actual emails and messages out of reach. Where access to the substance of communications matters — and for some estates it does, for locating instructions, contacts, or records that live only in correspondence — the instrument has to say so in terms, because the heightened consent the statute requires for content is exactly the thing a careful clause supplies.
What custodians require, and the drafting that grants authority
When a fiduciary asks a custodian for access, the provider is entitled to satisfy itself that the request is legitimate, and RUFADAA lets it require proof before it releases anything. A custodian may ask for the documents that establish the role — letters testamentary or letters of administration for an estate, the relevant pages of a trust, the executed power of attorney, or the guardianship order — together with identifying information sufficient to link the account to the decedent or principal, and in some cases a court order. The provider is also given latitude in how it complies: it may grant full access, partial access limited to what the fiduciary reasonably needs, or a copy of the relevant records, and it has a defined period within which to act once a complete request is made. A fiduciary should expect to document the appointment, not merely assert it, and should expect the response to take time rather than arrive on demand.
This is the point at which password-sharing and the terms of service reveal themselves as the wrong foundation. A shared password gives a fiduciary no standing to make a RUFADAA request and no answer when the custodian asks for proof of authority; it is access without right, and it disappears the moment an account is locked or a credential changes. The terms of service are no better as a plan, because they sit at the bottom of the priority order and are written to govern the living account holder, not to deliver an estate's assets to a fiduciary. Neither a password nor a click-through agreement is an access plan. They are the things a real plan is built to replace.
The drafting fix is the same in every New York instrument, and it is the practical conclusion of this article. A will should name the executor's authority over digital assets, including, where it is wanted, the content of electronic communications. A revocable or testamentary trust should give the trustee the same authority over the digital assets it holds. A power of attorney should grant the agent express digital-asset authority so an online-only account does not become unreachable during incapacity — power of attorney digital assets are otherwise among the first things a bank or provider will refuse to discuss. And where a provider offers an online tool, the account holder should use it, because it sits above all of those documents in the order of priority. Granting the authority while the account holder is alive and able is the whole of the work; reconstructing it afterward is the expense the work avoids.
Neither a password nor a click-through agreement is an access plan. They are the things a real plan is built to replace.