The SEC’s Office of Compliance Inspections and Examinations, or OCIE, recently issued a risk alert titled “Examinations of Advisers and Funds That Outsource Their Chief Compliance Officers.” According to the alert, OCIE staff have noted a growing trend in the investment management industry: outsourcing compliance activities to third parties, such as consultants or law firms. Some investment advisers and funds have outsourced all compliance activities to unaffiliated third parties, including the role of their chief compliance officers, or CCOs.
OCIE staff conducted nearly 20 examinations as part of an Outsourced CCO Initiative that focused on SEC-registered investment advisers and investment companies that outsource their CCOs to unaffiliated third parties. The purpose of the risk alert was to share the staff’s observations from these examinations and raise awareness of the compliance issues observed by the staff.
During these examinations, the staff observed instances in which the outsourced CCO was generally effective in administering the registrant’s compliance program, as well as fulfilling his/her other responsibilities as CCO.
However, the staff also observed that certain outsourced CCOs could not articulate the business or compliance risks of the registrant or, to the extent the risks were identified, whether the registrant had adopted written policies and procedures to mitigate or address those risks. In some instances, the risks described to the staff by the registrant’s principals were different than the risks described by the outsourced CCO.
Although the SEC’s rules do not expressly require compliance policies and procedures to contain specific elements, OCIE believes the Commission has made clear that it expects an adviser’s policies and procedures, at a minimum, to address ten core areas to the extent that they are relevant to the adviser’s business. The staff observed certain instances where the registrants did not appear to have adopted, implemented, and/or adhered to policies and procedures that were reasonably designed to prevent the violation of applicable regulations or that were relevant in light of the registrant’s business and operations.
OCIE believes that certain outsourced CCOs infrequently visited registrants’ offices and conducted only limited reviews of documents or training on compliance-related matters while on-site. According to OCIE, such CCOs had limited visibility and prominence within the registrants’ organization, which appeared to result in the CCOs also having limited authority within the organization to, among other things, improve adherence to the registrants’ compliance policies and procedures. Limited authority also appeared to affect the outsourced CCOs’ ability to implement important changes in disclosure regarding key areas of client interest, such as advisory fees.
OCIE believes that advisers and funds with outsourced CCOs should review their business practices in light of the risks noted in the risk alert to determine whether these practices comport with their responsibilities as set forth in the SEC’s compliance rules. The staff anticipates that, by sharing these examination observations, it will assist registrants in assessing whether their compliance programs have weaknesses, particularly with respect to identifying applicable risks and ensuring that the firm’s compliance program encompasses all relevant business activities.