On November 9, 2015, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert to share its observations and raise awareness of the compliance issues noted by the staff in its examinations of nearly 20 SEC-registered investment advisers and investment companies (collectively, the “registrants”) that outsource the role of their chief compliance officers (“CCOs”) to unaffiliated third parties.

In conducting these examinations, the staff evaluated the effectiveness of the registrants’ compliance programs and outsourced CCOs by considering, among other things, whether: (1) the CCO was administering a compliance environment that addressed and supported the goals of the federal securities laws (i.e., whether compliance risks were appropriately identified, mitigated and managed); (2) the compliance program was reasonably designed to prevent, detect and address violations of the federal securities laws; (3) the compliance program supported open communication between service providers and those with compliance oversight responsibilities; (4) the compliance program appeared to be proactive rather than reactive; (5) the CCO appeared to have sufficient authority to influence adherence to compliance policies and procedures and sufficient resources to perform his or her responsibilities; and (6) compliance appeared to be an important part of the registrants’ culture.

The staff noted that an effective outsourced CCO generally: (1) had regular—often in-person— communication with the registrants; (2) had a strong relationship established with the registrants; (3) had sufficient registrant support; (4) had sufficient access to registrants’ documents and information; and (5) had knowledge about the regulatory requirements and the registrants’ business.

The staff also offered a number of specific observations based on the examinations:

  • Meaningful Risk Assessments: The staff noted that certain outsourced CCOs used questionnaires or standardized checklists that failed to fully capture the business models, practices, strategies and compliance risks that were applicable to the registrants. In addition, the staff observed that some outsourced CCOs did not appear sufficiently knowledgeable to identify or pursue incorrect or inconsistent information about the registrants’ business practices found in questionnaire responses. Finally, the staff noted that several registrants did not appear to have sufficient policies and procedures to address conflicts of interest in critical areas such as compensation, valuation, brokerage/execution and personal securities transactions.
  • Compliance Policies and Procedures: The staff observeual Review of the Compliance Programs: The staff obserd certain instances in which compliance policies and procedures were not followed or the registrants’ actual practices were not consistent with the description in the registrants’ compliance manuals. These practices were observed in areas that are required by regulations to be reviewed as well as in areas that registrants included in their policies and procedures but that are not expressly required by regulations to be reviewed. The Risk Alert states that in many instances the outsourced CCOs were designated as the individuals responsible for conducting the reviews. The staff also observed that several of the compliance manuals reviewed during the course of the examinations were created using outsourced CCO-provided templates, not tailored to the registrants’ businesses and practices and containing policies and procedures not appropriate or applicable to the registrants’ businesses or practices.
  • Annual Review of the Compliance Programs: The staff observed a general lack of documentation evidencing the outsourced CCOs’ annual reviews, including testing for compliance with existing policies and procedures. The staff also noted that certain outsourced CCOs infrequently visited registrants’ offices and conducted only limited reviews of documents or training on compliance-related matters while on-site, leading to limited visibility and prominence and resulting in limited authority to improve adherence to the registrants’ compliance policies and procedures or implement important changes in disclosure.

The staff concluded the Risk Alert with a suggestion to registrants with outsourced compliance functions to review their business practices in light of the risks noted to determine whether these practices comport with the registrants’ responsibilities as set forth in Rule 206(4)-7 under the Advisers Act and Rule 38a-1 under the 1940 Act.

The Risk Alert is available at https://www.sec.gov/ocie/announcement/ocie-2015-risk-alert-ccooutsourcing.pdf.