In a recent National Exam Program Risk Alert (dated November 9, 2015) the U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) reported on the results of examinations conducted on about 20 investment advisers and investment companies that have outsourced compliance activities to outside parties, including the role of their chief compliance officer (CCO).
The purpose of the Risk Alert was to present the results of the examinations and the staff’s concerns about the outsourcing of compliance responsibilities.
According to recent surveys, it is estimated that about 38 percent of registered investment advisory firms in 2014 outsourced at least some of their compliance activities (up from about 27 percent for the previous year). It is reasonable to believe that the percentage of firms engaging outside third parties for compliance activities will continue to grow.
Under the Investment Advisers Act of 1940 and the Investment Company Act of 1940, registrants are required to:
- Adopt and implement written policies and procedures reasonably designed to prevent and detect violations of the applicable federal securities laws and regulations
- Designate an individual to be the registrant’s CCO who will be responsible for administering the registrant’s supervisory policies and procedures
- Review those policies and procedures on at least an annual basis to determine their adequacy and effectiveness and maintain a written record of the review and steps taken to address deficiencies
The SEC has provided guidance to registrants from time-to-time concerning what attributes the designated CCO should have (i.e., being competent and knowledgeable about the applicable federal securities laws) and that such person needs to be sufficiently senior in authority within the registrant’s organization in order to be effective.
During the examinations conducted by the SEC, the staff evaluated generally the effectiveness of the registrant’s overall compliance program and specifically the effectiveness of the outsourced CCOs. The key observations from the examinations include:
- Those outsourced CCOs who had frequent and personal contact with the registrant’s advisory and fund personnel had a better understanding of the registrant’s business and risks. By being in personal contact versus contact by e-mail or telephone only, those CCOs were better prepared to react to changes in the advisory business and additional risks.
- Those registrants who engaged outsourced CCOs who served numerous advisory firms generally were found to have more deficiencies.
- Outsourced CCOs who had the authority to independently review the registrant’s books and records and compliance procedures were found to be more effective than those outsourced CCOs who relied solely on what the registrant requested them to review.
The important takeaways from the results of the SEC’s examination of advisory firms and funds that outsourced compliance activities and CCOs are:
- Outsourced CCOs need to have personal contact with personnel of the registrant and not have an extensive list of advisory firms they serve as the CCO
- Outsourced CCOs needs to have authority to determine the books, records and advisory practices for review and have sufficient knowledge and experience within the industry to be effective
While the OCIE is not saying that registrants should not outsource their compliance activities including their CCO, they are reminding registrants to carefully vet the candidates to take on those activities because the person ultimately responsible for compliance with the Investment Advisers Act of 1940, is the registrant itself.