The Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a risk alert on November 9, 2015 regarding SEC-registered investment advisers and investment companies (collectively, registrants) that outsource their chief compliance officer (CCO) function to a third party. OCIE noted that registered investment advisers and investment companies have been relying more on unaffiliated third parties to serve as CCOs. The OCIE staff examined nearly 20 advisers and investment companies as a basis for its observations.

Background

Rule 206(4)-7 under the Investment Advisers Act of 1940 (Advisers Act) and Rule 38a-1 under the Investment Company Act of 1940 (Investment Company Act) require registrants to adopt compliance programs. These programs include: (i) implementing written policies and procedures that are reasonably designed to prevent violations of the federal securities laws and the rules under those laws; (ii) designating an individual as CCO to be responsible for administering the policies and procedures; and (iii) reviewing the policies and procedures at least annually for their adequacy and the effectiveness of their implementation (fund CCOs must also prepare a written report for the fund’s board of directors).

Examinations

OCIE reviewed various factors regarding the compliance programs of the registrants it examined. Specifically, the staff focused on whether: (i) the CCO was appropriately identifying, mitigating and managing compliance risks; (ii) the compliance program was reasonably designed to prevent, detect and address violations of the Advisers Act, Investment Company Act and other federal securities laws, as applicable; (iii) the compliance program supported open communication between service providers and those with compliance oversight responsibilities; (iv) the compliance program appeared to be proactive rather than reactive; (v) the CCO appeared to have sufficient authority to influence adherence with the registrant’s compliance policies and procedures, as adopted, and was allocated sufficient resources to perform his or her responsibilities; and (vi) compliance appeared to be an important part of the registrant’s culture.

Findings

Based on OCIE’s findings, we have identified the following do’s and don’ts for outsourced CCOs and the registrants that hire them.

Do’s – CCOs should:

  • engage in frequent in-person interactions with the registrant, including making regular visits to the registrant’s offices and conducting onsite training on compliance matters. (These types of activities add to the outsourced CCO’s visibility and prominence within the registrant and help ensure the CCO has the authority to improve adherence to policies and to implement changes.)
  • understand the registrant’s business and identify compliance risks. (An effective compliance program relies on correct identification of a registrant’s risks in light of its business, operations, conflicts and other factors.)
  • make sure the registrant has policies and procedures in place to mitigate or address identified risks.
  • use tailored compliance manuals and checklists that are not generic and cover all aspects of a registrant’s business (e.g., if an adviser registrant uses sub-advisers, there should be policies to cover oversight and other relevant topics).
  • ensure all conflicts of interest have been adequately identified and that policies and procedures have been developed and implemented to address them.
  • obtain records independently for conducting annual reviews, as opposed to relying on the registrant to select records for review.
  • ensure that annual reviews, which include testing for compliance with existing policies and procedures, are well documented.
  • use a calendar, checklist or other means of monitoring to ensure that all reviews noted in the compliance manual are actually being performed in a timely manner (g., quarterly reviews of employees’ emails, reviews required for the payment of cash for solicitation activities, reviews required for personal securities transactions, etc.).

Don’ts – CCOs should not:

  • use email or other impersonal means of communicating with registrants in place of onsite visits.
  • use preset compliance checklists that have not been tailored to the business of the registrant.
  • use template compliance manuals that include policies and procedures that don’t apply to the business of the registrant.
  • rely on registrants to choose the records that are subject to the CCO’s annual review.
  • act as CCO for multiple unaffiliated firms if the CCO does not have sufficient resources to do so effectively.

As the OCIE staff observed, registrants bear ultimate responsibility for adopting and implementing effective compliance programs, and as such, they (particularly those registrants using outsourced CCOs) should evaluate whether: (i) their business and compliance risks have been appropriately identified, (ii) their policies and procedures are tailored to their business and associated risks, and (iii) their CCO has the necessary resources and is sufficiently empowered within the organization to effectively perform his or her responsibilities.