SEC Risk Alert-Outsourcing CCO

December 14, 2015

The Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC) recently issued a risk alert regarding outsourcing compliance activities to third parties. The SEC’s OCIE conducted nearly 20 examinations focusing on SEC-registered investment adviser firms that outsource the position of the Chief Compliance Officer (CCO) to third parties. The risk alert shares SEC staff’s observations and identifies areas of risk associated with an investment adviser firm outsourcing the role of CCO. This SEC Risk Alert comes on the heels of a new rule the SEC proposed in May of 2015, which would require investment advisers to disclose if they outsource the role of CCO. These two actions indicate that the SEC is seriously scrutinizing the effectiveness of an investment adviser firm’s outsourced CCO.

Pursuant to Rule 206(4)-7(c) under the Investment Advisers Act of 1940, an investment adviser firm must designate an individual as CCO to be responsible for administering its policies and procedures. There are no rules prohibiting an investment adviser outsourcing the role of a CCO to a third party, however the SEC staff evaluated the effectiveness of the outsourced CCOs by considering whether;

  • The CCO was administering a compliance environment that addressed and supported the goals of the Investment Advisers Act, Investment Company Act, and other federal securities laws, as applicable (i.e., compliance risks were appropriately identified, mitigated, and managed);
  • The investment adviser’s compliance program was reasonably designed to prevent, detect, and address violations of the Investment Advisers Act, Investment Company Act, and other federal securities laws, as applicable;
  • The investment adviser’s compliance program supported open communication between service providers and those with investment adviser compliance oversight responsibilities;
  • The investment adviser’s compliance program appeared to be proactive rather than reactive;
  • The CCO appeared to have sufficient authority to influence adherence with the investment adviser’s compliance policies and procedures, as adopted, and was allocated sufficient resources to perform his or her responsibilities;
  • Compliance appeared to be an important part of the investment adviser’s culture

The examination found that outsourced CCOs were generally effective in administering the investment adviser’s compliance program when they frequently interacted with the firm and its employees and were able to obtain independently the records they deemed necessary for conducting such reviews.

The SEC staff identified areas of risk associated with outsourcing the role of CCO including the misidentification of the firm’s risks. Other areas of risk are:

  • Standardized checklists, which the outsourced CCO would use to gather information about the investment adviser firm. Some of these checklists were found to be generic and did not capture the business models or strategies of the investment adviser firms.
  • Compliance policies and procedures were not tailored to investment adviser’s businesses or practices.
  • A general lack of documentation evidencing the compliance annual review testing.

If your investment adviser firm outsources the role of CCO to a third party, RIA Compliance Consultants strongly encourages you to review your business practices specifically scrutinizing the the risks highlighted in this SEC Risk Alert.

Posted by Bryan Hill
Labels: CCO, Chief Compliance Officer, SEC