On November 9, 2015, the Office of Compliance, Inspections and Examinations (OCIE) issued a Risk Alert regarding its findings with respect to the use of outsourced Chief Compliance Officers (CCOs). This latest Risk Alert came out of a series of examinations that OCIE conducted in its “Outsourced CCO Initiative,” in which the OCIE staff focused on registered investment advisers that use the outsourced CCO model to comply with Rule 206(4)-7 under the Investment Advisers Act and/or Rule 38a-1 under the Investment Company Act, pursuant to which registered funds must designate a CCO on behalf of the fund (collectively, Compliance Rules).
The outsourced CCO model has been controversial since the Securities and Exchange Commission (SEC) adopted the Compliance Rules in 2003 after the late trading and market timing scandals of that year, and it has created a dilemma for CCOs and the investment management firms that must appoint one. Because a CCO has “personal liability” under the Compliance Rules, many compliance professionals adopted the attitude that an outsourced CCO would have the liability, but may not have access to all of the relevant information, work flow, and personnel that would be necessary for doing the job properly. Therefore, the potential liability would be too great given the inability of an outsourced CCO to obtain and act on all of the information necessary to effectively execute the job. On the other hand, an internal CCO may find himself in a position of being marginalized or facing a “tone at the top” that is not helpful in implementing a robust compliance program that meets the requirements of the rules. In such cases, the internal CCO still has the potential liability and the possibility of facing fines and sanctions for matters that a CCO in an untenable situation may feel are totally out of his control. Indeed, one of the emerging trends we have seen over the past year or two is SEC enforcement going after CCOs for a variety of compliance missteps. Most of these cases have been against internal CCOs, not the outsourced variety.
Over the past few years, the outsourced CCO model has gained more of a following, particularly for smaller investment advisers that do not have a qualified internal compliance person. OCIE staff had obviously seen this configuration enough to embark on its own Outsourced CCO Initiative to determine whether this outsourced model is effective. This latest Risk Alert provides us with OCIE’s findings and impressions of the Initiative.
The good news is that OCIE found instances where the outsourced CCO was generally effective in administering the registrant’s compliance program, as well as fulfilling his other responsibilities as CCO. In these situations, effective outsourced CCOs maintained strong communications with their investment adviser clients, provided sufficient support to the adviser, and had a good working knowledge about the regulatory requirements and the adviser’s business.
But not all outsourced CCO arrangements passed the smell test. In other situations, risk assessments fell short of what OCIE expected to see. In certain instances, standardized or “off the shelf” documents were employed on behalf of the adviser, such as checklists, policies, and procedures, and certain risk disclosures had not been personalized for the particular adviser client. In other cases, policies and procedures were adopted that were not necessary for the particular adviser’s business or adopted and then ignored. OCIE also found cases of annual reviews not being conducted or a lack of testing of policies and procedures. Some outsourced CCOs lacked the authority to implement changes to procedures if deficiencies were found.
OCIE stopped short of condemning the outsourced CCO model, but the implications of the Risk Alert were clear. If an investment adviser decides to use the outsourced model, it must accomplish all of the compliance-related tasks that an in-house CCO would perform. Advisers are “encouraged” to re-examine their outsourced model in view of the findings in the Risk Alert and make a determination that the outsourced compliance program meets all of the regulatory requirements. Given the items specifically identified in the Risk Alert, registrants should expect to see enforcement actions in the near future against advisory firms that have outsourced and abdicated their compliance responsibilities.