THE CHIEF COMPLIANCE OFFICER’S ROLE & THE RISKS OF OUTSOURCING

May 10, 2017

The Chief Compliance Officer serves an important role in an investment adviser firm’s business. A role that requires expertise, independent judgment, and dedication, an increasing number of investment adviser firms are choosing to outsource the Chief Compliance Officer position to third party compliance professionals. Despite the potential cost-savings, outsourcing this vital role is generally not a wise business strategy and will likely increase the firm’s risk of exam by the U.S. Securities and Exchange Commission (“SEC”) or affect the depth of inquiry an investment adviser firm is subject to once an exam has begun.

Chief Compliance Officer Requirement

Rule 206(4)-7, adopted by the SEC in 2003, has three main requirements. Click here to read the rule. First, the rule requires investment adviser firms to adopt and implement written policies and procedures reasonably designed to prevent violation, by investment adviser firm and its supervised persons, of the Investment Advisers Act of 1940 and any rules adopted by the SEC under the Act. Second, Rule 206(4)-7 requires investment adviser firms to review, no less frequently than annually, the adequacy and effectiveness of the policies and procedures established pursuant to the rule. And third, the rule requires the investment adviser firm to designate a Chief Compliance Officer (“CCO”) who will be responsible for administering the firm’s policies and procedures.

In essence, Rule 206(4)-7 creates and delineates the role of the CCO. The CCO must administer the investment adviser firm’s policies and procedures, a task that may – but does not need to – involve direct responsibility for the implementation of specific policies and procedures. Unless the CCO adopts supervisory responsibility for a specific task, his or her role is limited to administering the firm’s policies and procedures.

Qualifications of a Chief Compliance Officer

The rule requires investment adviser firms to appoint a CCO, but does not specify the type of experience or education required of an individual serving as CCO. In its Final Rule Release for Compliance Programs of Investment Companies and Investment Advisers, the SEC has stated that a CCO should be:

  • Competent and knowledgeable regarding the Investment Advisers Act of 1940 (“Advisers Act”);
  • Empowered with full responsibility and authority to develop and enforce appropriate policies and procedures for the firm; and
  • In a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.

Click here to read the final rule release. The SEC requires that the CCO be a supervised person of the firm, a requirement interpreted to include outsourced CCOs.

SEC Risk Alert on Outsourced Chief Compliance Officers

Given the need for expertise and costs associated with carrying out a CCOs responsibilities, an increasing number of investment adviser firms have begun to use outsourced CCOs. Investment adviser firms interested in following this trend should be advised it is not without risk and should carefully weigh the costs and benefits of using an outsourced CCO versus an internal CCO.

On the one hand, third parties offering outsourced CCO services often advertise outsourced CCO services as a convenient and cost-effective alternative to hiring or designating an internal CCO. Admittedly, hiring an outsourced CCO can help investment adviser firms avoid the costs associated with hiring and ongoing employment of a CCO, as well as the cost involved in training inexperienced new hires. Furthermore, an internal CCO may lack the time or expertise to do the job properly. CCOs of investment adviser firms of all sizes can often benefit from assistance with both routine tasks and complex regulatory matters.

On the other hand, however, the all-important “culture of compliance” is something built, not purchased. As the SEC noted in its 2015 Risk Alert, “Examinations of Advisers and Funds that Outsource Their Compliance Officers,” choosing to use an outsourced CCOs comes with its own downsides and may expose an investment adviser firm to additional risk. Click here to read the 2015 Risk Alert. Over the course of 20 examinations, the SEC observed investment adviser firms experiencing varying degrees of success with outsourced CCOs. In cases where the outsourced CCO was generally effective in administering the firm’s compliance program, the SEC staff observed the following traits:

  • Regular, often in-person visits
  • Communication between CCOs and firms
  • Strong relationship established between CCOs and firms
  • Sufficient firm support of the CCO
  • Sufficient CCO access to firm’s documents and information
  • CCO knowledgeable about the regulatory requirements and the firm’s business

Too often, however, the SEC staff noted significant problems with the use of an outsourced CCO by investment adviser firms. In some cases, the outsourced CCO could not articulate business or compliance risks of the investment adviser firm or whether the investment adviser firm had adopted policies and procedures to mitigate identified risks. In other instances, the risks described to SEC staff by an investment adviser firm’s principals were different than those described by the outsourced CCO, leading the SEC staff to identify several areas where the firm did not have adequate policies and procedures or disclosures in place. The SEC also noted with disapproval the practice of some outsourced CCOs to use generic, standardized checklists in discharging the CCOs duties that did not capture the risks and practices specific to the investment adviser at hand. Although checklists can be a helpful tool, the CCO – whether outsourced or not – must be understand and be able to articulate the investment adviser’s business model and unique risks in order to discharge their duties as CCO under Rule 204(7)-4.

Furthermore, the SEC staff also noted that some investment advisers utilizing an outsourced CCO failed to have adequate policies and procedures to address conflicts or prevent violations of the law. In other cases, written policies and procedures were found present but not followed. In some instances, the outsourced CCO was named the responsible party for carrying out compliance tasks that would have been better suited for an internal supervisor.

A major weakness of the outsourced CCOs found deficient by the SEC in its Risk Alert is the lack of regular, on-site communication with investment adviser firm employees, managers, and directors. Outsourced CCOs also struggled to assert authority over the investment adviser firm to the degree necessary for the outsourced CCO to fulfill its compliance duties. In at least one recent enforcement action, the SEC held an outsourced CCO personally liable for his alleged negligence in relying on data given to him by the chief operating officer without independent verification. Click here to read this SEC enforcement action.

Ultimately, however, responsibility for compliance with the Investment Advisers Act of 1940 and its associated rules falls on the investment adviser firm, not on the outsourced CCO. RIA Compliance Consultants, Inc. believes the wisest solution is one that combines the best of both worlds –  the expertise of a dedicated compliance professional with the internal expertise and business familiarity of a firm insider. An internal CCO is familiar with the business, interacts with employees every day on a face to face basis, and has easier access to records yet can still have ready access to expert assistance from third-party consultants.

New Disclosure Regarding Outsourced Chief Compliance Officers in the ADV Part 1

Going forward, recent SEC guidance – from its 2015 Risk Alert, Rule Release 4509, and enforcement actions such as Aegis Capital – makes clear that a firm’s decision to employ an outsourced CCO can subject it to additional scrutiny by the SEC. Any new or amendment Form ADV filed after October 1, 2017 will require firms to provide the name and IRS Employer Identification Number of the outsourced CCO “[if the] Chief Compliance Officer is compensated or employed by any person other than you, a related person or an investment company registered under the Investment Company Act of 1940 that you advise for providing chief compliance officer services to you…”

Nurturing a culture of compliance throughout one’s organization can be challenging at the best of times; RIA Compliance Consultants, Inc. believes that having an outsourced CCO exposes investment adviser firms to unnecessary risk, increasing the firm’s risk of an SEC examination or expanding the depth of the SEC’s inquiry once an exam is underway. The ADV Part 1 Amendment Rule Release specifically notes that the SEC would like to use information about outsourced CCOs to identify CCO service providers, which would make it easier for the SEC to use service provider metrics as a risk factor for registered investment adviser firms.

If your investment adviser firm outsources the role of CCO to a third party, RIA Compliance Consultants strongly encourages you to review your business practices specifically scrutinizing the risks highlighted in the SEC Risk Alert and consider whether continuing in this practice exposes your investment adviser firm to unwanted and unnecessary risk.

Posted by Grant Parr
Labels: Outsourced CCO, Outsourced CCO