OCIE Issues Risk Alert Relating to Outsourced Chief Compliance Officers
November 12, 2015
On November 9, 2015, the Office of Compliance Inspections and Examinations (“OCIE”) released the findings of its Outsourced CCO Initiative, which examined nearly 20 investment advisers and investment companies that are registered with the SEC and that outsource their chief compliance officer (“CCO”) functions. Consistent with past SEC publications, OCIE emphasized that central to all compliance programs is a culture of proactive, client-focused policies and procedures that are appropriately tailored to the firm’s industry and that are closely monitored.
Based on its reviews of the firms’ compliance policies and programs administered by outsourced CCOs, the OCIE Staff noted the following as criteria for successful outsourcing of CCO responsibilities:
- Effective Communication. Outsourced CCOs that frequently and personally communicate with the firm’s employees tend to have a better grasp of the firm’s business, operations, and risks, which results in fewer inconsistencies between the firm’s compliance policies and procedures and the firm’s actual business practices.
- Sufficient Resources. Outsourced CCOs that did not devote enough time or energy to a firm’s compliance program or did not have enough resources to perform their compliance duties, such as those who served as CCO for a number of unaffiliated firms, had more compliance-related problems.
- Empowerment. Outsourced CCOs who were able to independently obtain records to conduct necessary annual compliance reviews were better able to accurately depict a firm’s actual practices than those CCOs who relied on the firm to provide records for their reviews.
The Staff likewise warned of the dangers of an outsourced CCO in a number of areas:
- Meaningful Risk Assessments. Staff observed that many outsourced CCOs were unable to articulate the firm’s business or compliance risks, and that these CCOs often use standardized checklists. Staff notes that many standardized checklists are generic, resulting in compliance programs that fail to capture the firm’s compliance risks and often contain inconsistent or inaccurate information. Further, Staff notes that many of these compliance programs were missing policies necessary to address the firm’s conflicts of interest in critical areas, such as compensation practices and portfolio valuation.
- Compliance Policies and Procedures. Many of the firms’ policies and procedures implemented by outsourced CCOs failed to address what the SEC has identified as ten core areas that should be part of every registered investment adviser’s or investment company’s compliance program.1 Staff further observed that many of these policies were not followed or that the firms’ actual practices differed from what was described in their own policies. Further, outsourced CCOs used policy templates but failed to tailor programs to the firms’ business and/or practices, which meant that critical areas remained unidentified, inappropriate policies were adopted, and critical control procedures were not performed.
- Annual Compliance Program Review. Many outsourced CCOs are required to conduct annual compliance reviews. However, many of these reviews were undocumented or inadequately documented. Further, outsourced CCOs had greater challenges implementing necessary changes to compliance programs because they either lacked or appeared to lack the necessary authority to require program adherence.
Based on this risk alert, investment advisory firms that seek to outsource some or all of their compliance monitoring functions, including engagement of an outsourced CCO, would be well advised to examine their relationships to determine whether they are in line with the SEC’s guidance. In particular, investment advisers should note that outsourcing compliance functions alone will not insulate their firm from regulatory scrutiny, and should work closely with their outside service providers and consultants to maintain an effective compliance program that is effectively tailored to their particular business.
The full text of the Outsourced CCO Risk Alert is available here.
1. These ten areas include portfolio management processes; accuracy of disclosures made to investors, clients, and regulators; proprietary trading; safeguarding of client assets; accurate creation and retention of records; safeguards for privacy protection of client records; trading practices; marketing advisory services; processes to value client holdings and assess fees based on those holdings; and business continuity plans.