Firms that use third-party CCOs or that rely on financial intermediaries that have outsourced their compliance functions should consider taking a fresh look at their compliance structure in the wake of this guidance.

On November 9, the US Securities and Exchange Commission’s (SEC’s) Office of Compliance, Inspections, and Examinations (OCIE)[1] released a Risk Alert detailing its observations from nearly 20 examinations focused on investment advisers that outsource their chief compliance officer (CCO) function. The Alert follows other indications that the SEC and its staff are considering the sufficiency of outsourcing the compliance function at registered funds and investment advisers,[2] and comes at a time when the CCO role in general has been receiving heightened attention from the SEC and its staff.[3]

As part of the exams, OCIE staff interviewed CCOs and senior employees to evaluate the effectiveness of the investment advisers’ and investment companies’ compliance programs.[4] The examiners focused on whether the outsourced CCO had sufficient authority and resources to enforce the firm’s compliance policies and procedures. OCIE staff also evaluated whether the firms’ compliance programs were reasonably designed to prevent, detect, and address securities law violations; supported open communication; appeared proactive rather than merely reactive; and appeared to be an important part of each firm’s culture.

Throughout the Alert, OCIE reiterated guidance from a 2003 SEC release that first required registered funds and investment advisers to implement a compliance program. The 2003 release stated that a CCO should be competent and knowledgeable regarding the federal securities laws, empowered with the authority to develop and enforce appropriate policies and procedures, and proactive in understanding the particular risks faced by the firm.[5]

OCIE Findings

Based on its findings from the exams, the SEC staff expressed numerous concerns regarding the use of outsourced CCOs. At certain firms, OCIE noted that a lack of communication between the outsourced CCO and firm management resulted in particular risks posed by the firm’s business being overlooked and, consequently, failure to develop policies to address such risks. OCIE staff stressed the importance of frequent and personal interaction with advisory and fund employees in order for an outsourced CCO to be effective, noting that firms where the CCO has regular, in-person contact with the business persons they oversee tended to have stronger relationships between the CCO and employees, more knowledgeable CCOs, and better compliance environments.

OCIE staff also warned about over-reliance on standardized checklists and questionnaires in the compliance role, noting that without tailoring a generic checklist to the particular firm’s business, certain risks relevant to the firm’s actual business practices were overlooked and other aspects of the compliance program were included that were not relevant. This was particularly the case when outsourced CCOs did not appear sufficiently knowledgeable about a firm’s practices to identify discrepancies contained in the questionnaires.

The SEC staff also noted that when an individual is an outsourced CCO for a number of different firms, the CCO may have insufficient resources, particularly when the firms serviced by the CCO have very different businesses and are located far apart from each other.

Along with its general observations, OCIE staff recommended that firms using outsourced CCOs should reevaluate their programs in light of the following observations:

  • Meaningful Risk Assessment. OCIE staff noted that outsourced CCOs should work with firm management to identify the particular risks faced by the firm in light of its business, operations, conflicts, and other compliance factors. This relationship should involve regular communication between the CCOs and advisory and fund employees, and should often occur in person. Involving the outsourced CCO in the firm’s business at the early stages of a project or business initiative can help foster a culture of compliance within the firm, particularly where there is a “tone at the top” that supports the compliance function.
  • Tailoring and Following Compliance Policies and Procedures.  Although checklists and questionnaires may be used as a starting point, they should be tailored to reflect the firm’s business model, including removing items that are not applicable to the firm. For example, OCIE noted that one firm had procedures to monitor the use of composite performance presentations, but the firm did not advertise performance. Policies and procedures also should be refreshed when necessary to reflect changes in the firm’s business and personnel. Finally, the Alert is a good reminder that policies and procedures must actually be followed. OCIE staff noted that in many instances policies and procedures were not followed or the actual practices were not consistent with the compliance manual. In our experience, a firm’s failure to do what it says it will do is one of the easiest deficiencies for OCIE to note on an examination.
  • Annual Review of the Compliance Programs. Although the Alert notes that there is no specific requirement to document the annual review of an adviser’s or fund’s compliance program, OCIE noted that it observed a general lack of documentation evidencing annual reviews. Accordingly, outsourced CCOs conducting annual reviews should consider documenting their evaluations of existing policies and procedures and maintaining a record of that documentation. OCIE staff also noted that CCOs should be empowered to independently request and obtain the records they deem necessary for their review instead of relying on the firm to determine which records are relevant. OCIE also noted that certain CCOs conducted only limited trainings on compliance matters during on-site visits. Accordingly, outsourced CCOs may also want to assess the adequacy of their current employee training initiatives.

Applying OCIE’s Guidance to Your Firm

It is worth noting that, although OCIE’s Alert focuses on firms that use outsourced CCOs, the issues raised in the Alert generally apply to any compliance program. The SEC did not say whether it will conduct more exams as part of this initiative, but noted that the Alert should prompt firms with outsourced CCOs to reevaluate their compliance programs. OCIE’s publication of the Alert, however, can be viewed as an indication that the use of outsourced CCOs is an area of substantial concern for the SEC staff that will almost certainly arise on upcoming examinations.

Accordingly, firms that use an outsourced CCO should consider the sufficiency of their current programs in light of the issues identified in the Alert. In particular, firms should consider whether their current policies and procedures are appropriately tailored to the current business of the firm. This is particularly true where a template was used to design the firm’s compliance policies and procedures. For example, advisers to private funds, which are a common user of an outsourced CCO model, would not need to include many elements of the Investment Company Act in their compliance programs if they do not manage registered funds.

In addition, firms using an outsourced CCO should consider the frequency with which in-person meetings occur on the firm’s premises, whether the CCO is knowledgeable about the particular business of the firm, and whether firm management has given the CCO sufficient authority and access to the documents and information he or she deems necessary to conduct compliance reviews. Firms may even consider holding a documented training session for the benefit of the third-party CCO that outlines the specific attributes of the firm’s business. Outsourced CCOs should consider whether any template materials (such as checklists, questionnaires, and annual assessments) have been appropriately customized to the firm’s business. Firms may also want to consider periodically evaluating the third-party CCO’s capacity in the wake of obligations owed to other firms.

Firms that do not use an outsourced CCO but that have substantial business dealings with firms that use an outsourced model may also want to consider the sufficiency of their due diligence regarding those firms in the wake of the Alert. For example, advisers that employ sub-advisers to manage a portion of their client accounts or provide some specialized advisory service may want to determine whether any of the sub-advisory firms use an outsourced CCO. Similarly, in the wake of the Alert, managed account programs or retirement plans that invest in third-party funds may want to consider whether those funds use an outsourced CCO model.