In response to an increase in the number of registered investment advisers outsourcing their compliance function to unaffiliated third parties, the SEC’s Office of Compliance Inspections and Examinations (OCIE) created an Outsourced CCO Initiative and conducted 20 inspections of advisers specifically focused on identifying areas of concern and weakness in such arrangements. On November 9, 2015, OCIE issued a risk alert (the Alert) identifying areas of weakness it found in some outsourced compliance arrangements. The guidance provided in the Alert is directed at SEC-registered investment advisers, but provides equally important considerations for state-registered advisers.
Based on the Alert, an adviser that outsources its compliance function, including the role of the CCO, should ask itself:
- Does the outsourced CCO understand the key risks applicable to the adviser in light of the adviser’s business models, practices, strategies, operations, conflicts, and other compliance factors? According to the SEC staff, if the outsourced CCO does not understand the adviser’s business and does not approach its compliance role in light of key risk factors specific to the adviser, it may not be able to formulate and implement an effective compliance policy.
- Do the adviser’s policies and procedures adequately address the practices of and compliance risks applicable to the adviser? The SEC staff expressed concern that an off-the-shelf set of compliance policies and procedures provided by an outsourced compliance service provider that is not customized to address the practices and risks discussed above might not suffice, and might fail to address key areas of concern. Even if the adviser takes steps to address specific risks it faces, any disconnect between a firm’s policies and procedures and actual firm practice could lead to significant problems and undermine the efficacy of the firm’s compliance program.
- Does the outsourced CCO actively communicate and have a strong relationship with the adviser and its management? Outsourced CCOs who frequently and personally interacted with an adviser’s management and employees (in contrast with impersonal interaction, such as electronic communication) appeared to have a better understanding of the registrants’ businesses, operations, and risks. In such instances, OCIE noted fewer inconsistencies between the compliance policies and procedures and the registrants’ actual business practices. In contrast, outsourced CCOs were less effective if they infrequently visited the adviser’s offices and conducted only limited reviews of documents or training on compliance-related matters. In such cases, the outsourced CCO often had less visibility and less sway over management, resulting in a limited ability to, among other things, improve adherence to the adviser’s policies and implement important changes when needed. A strong relationship and regular interaction between an outsourced CCO and an adviser’s management are critical in creating the type of culture of compliance and evidencing the “tone at the top” that the SEC staff looks for in evaluating a firm’s compliance program.
- Does the outsourced CCO devote sufficient time and resources to creating, implementing and testing the adviser’s compliance program? OCIE found that outsourced CCOs that served as the outsourced CCO for numerous unaffiliated firms often did not have sufficient time and resources to perform compliance duties, especially given the varying operations and activities of the advisers that the CCO serviced. Overstretched outsourced CCOs are often unavailable to properly and timely address compliance issues that arise at an advisory firm on a day-to-day basis.
- Does the outsourced CCO conduct and document a thorough annual review of the adviser’s compliance program? An outsourced CCO should have the ability to view and request all records and documents he or she deems necessary to perform the required annual review of the adviser’s compliance program. OCIE found that, in some instances, an adviser’s employees had discretion to determine the documents provided to the outsourced CCO. This ability to selectively provide documents to the outsourced CCO can affect the accuracy and efficacy of an adviser’s annual reviews and prevent the outsourced CCO from evaluating and implementing needed changes. OCIE also noted that outsourced CCOs often did not sufficiently document the annual review process, which is imperative both to properly evaluate the compliance program and to document the appropriate focus on a culture of compliance to the SEC staff.