Earlier this week, the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC) issued a new Risk Alert (available here) related to the use of outsourced chief compliance officers (CCOs) by SEC-registered investment advisers and investment companies (Registrants). The Risk Alert shares staff observations of Registrants who outsource their CCO functions to unaffiliated third-parties resulting from nearly 20 examinations under OCIE’s Outsourced CCO Initiative. The Risk Alert identified a number of key concepts that should be considered by Registrants.
First, Registrants with outsourced CCOs should review their business practices in light of the risks highlighted by the staff and the Registrant’s responsibilities under applicable compliance rules. The Risk Alert emphasizes that Registrants not only must assure that outside CCOs have the requisite knowledge and experience to carry out the responsibilities of a CCO, they should also have the authority and access to the organization needed to accomplish their duties.
Second, Registrants with outsourced CCOs retain responsibility for the adoption and implementation of an effective compliance program, and use of an outside CCO does not reduce that obligation. The Risk Alert noted that one size does not fit all, and outside CCOs should seek to adjust and tailor compliance programs to meet the specific needs and functions of each client, where standard checklists do not address unique factors.
The Risk Alert encouraged outsourced CCOs to maintain frequent and personal interaction with the employing Registrant’s staff, rather than just electronic communications. The staff also noted a positive correlation between accurate annual reviews and outsourced CCOs who were able to independently obtain records necessary for such reviews (rather than relying solely on the Registrant to do so), and cautioned that the staff observed more compliance-related issues arising with outsourced CCOs serving in that role for numerous unaffiliated firms, especially with a disparate and dispersed client base. The Risk Alert also provided detailed information related to exam findings concerning outsourced CCOs conducting meaningful risk assessments, following and tailoring compliance policies and procedures, and performing annual reviews of Registrant compliance programs.