In a Risk Alert dated November 9, 2015, the SEC’s Office of Compliance Inspections and Examinations (OCIE) said it found that outsourced compliance programs are generally effective, but some of these arrangements leave room for improvement.

As part of its Outsourced CCO Initiative, OCIE examined 20 registered advisers and funds (“registrants”) that outsource their compliance activities to assess the effectiveness of outsourced compliance programs and CCOs.  The Risk Alert summarized its findings.

While OCIE stopped short of criticizing outsourced compliance activities, it called attention to its concern that registrants should not be complacent with “off-the-shelf” compliance programs and monitoring.

Based on the results of the 20 examinations, OCIE observed that an effectively outsourced CCO generally involved:

Regular, often in-person, communications between CCOs and registrants (rather than, for example, reliance on pre-defined checklists); Strong relationships established between CCOs and registrants; Sufficient resources for the CCO, particularly in cases where a CCO serves in that capacity for multiple unaffiliated firms; Sufficient, independent CCO access to documents and information necessary to conduct annual reviews; and CCO knowledge about regulatory requirements and the registrant’s business.

OCIE said that “an effective compliance program generally relies upon, among other things, the correct identification of a registrant’s risks in light of its business, operations, conflicts and other compliance factors.”  OCIE cited examples of certain outsourced CCOs who “could not articulate the business or compliance risks” of a registrant or, to the extent the risks were identified, whether the registrant “had adopted written policies and procedures to mitigate or address those risks.”  OCIE discouraged use of standardized compliance checklists, which sometimes do not address risks specific to particular registrants.  In addition, the examiners found that in some instances:

registrants “did not appear to have the policies, procedures, or disclosures in place necessary to address all of the conflicts of interest identified” by the examiners; compliance policies and procedures were not followed or actual practices diverged from the procedures in the compliance manual in some critical areas (e.g., personal trading and payment for solicitation activities); off-the-shelf compliance policies and procedures were not tailored to a registrant’s actual business practices; and there was a “general lack of documentation evidencing the testing” of compliance procedures.

Our take.  OCIE is focused on compliance officers and their responsibilities, and wants to ensure that CCOs are effective and receive adequate support.  OCIE published the risk alert shortly after the SEC announced it settled enforcement charges against certain CCOs.  In addition, in the face of allegations that the SEC was unfairly targeting CCOs, SEC officials publicly reassured compliance officers that this was not the case.  This alert is a gentler way for the SEC to convey its message that registrants that outsource compliance activities are still responsible for ensuring that the CCO is doing its job and that compliance programs are regularly tested and effective.