Outsourced CCOs: New Risk Alert Warns of Compliance Weaknesses
Advisers and fund managers beware: The SEC’s Office of Compliance Inspections and Examinations on November 9 issued a risk alert about advisory firm and fund use of outsourced chief compliance officers. Know that if you employ an outsourced CCO, you may draw agency attention.
OCIE issued the risk alert, "Examinations of Advisers and Funds That Outsource Their Chief Compliance Officers," after conducting "nearly 20" examinations under its Outsourced CCO Initiative. The initiative is the result of OCIE staff noticing "a growing trend in the investment management industry: outsourcing compliance activities to third parties, such as consultants and law firms," OCIE said.
"During these examinations, the staff observed certain compliance weaknesses associated with registrants that outsourced their CCOs," the risk alert said.
"Advisers and funds with outsourced CCOs should review their business practices in light of the risks noted in this risk alert to determine whether these practices comport with their responsibilities as set forth in the compliance rules," OCIE said. Advisers Act Rule 206(4)-7, the Compliance Program Rule, and Investment Company Act Rule 38a-1, its counterpart for registered funds, are the two rules that the initiative measured compliance against.
One thing a bit unusual about this risk alert: It does not state when the exams were conducted – and the SEC, when asked, declined an opportunity to provide the time frame.
What it means
"The risk alert offers a balanced discussion of the issues that arise when an adviser outsources its compliance functions," said Stroock partner and former SEC Division of Investment Management deputy director Robert Plaze. "Outsourcing makes sense sometimes, but it also presents risk. The risk alert will be useful to help advisers better understand what it takes to make outsourcing work."
"It’s consistent with other statements we’ve heard from the SEC about how the CCO should have sufficient authority within the organization to compel people to adhere to the firm’s compliance policies and procedures," noted Day Pitney counsel Eliza Fromberg. "It’s extremely difficult for a CCO to have the requisite authority when he/she is in an outsourced role. While not every firm may be able to afford its own CCO, this risk alert should be a wake-up call to firms that seek to cut corners and spend as little as possible on compliance."
Fromberg also noted a different kind of risk involving outsourced CCOs. That risk is tied to the SEC’s recent proposed rules to enhance the information it gets from advisers on Form ADV (ACA Insight, 7/20/15). "One of the proposed amendments to Form ADV Part 1 would require an adviser to report whether its CCO is employed as a CCO by any other person or entity," she said. "If so, the firm would need to report the name of the other entity(ies) for which the CCO serves in the CCO capacity. If the amendment is adopted, the SEC will be able to identify which CCOs are employed by multiple firms, and examine those firms for the types of deficiencies it has identified in this risk alert."
"Firms that use outsourced CCOs should carefully consider this alert in conjunction with SEC Division of Enforcement director Andrew Ceresney’s November 4 speech at the National Society of Compliance Professionals conference (ACA Insight, 11/9/15)," said Sidley Austin partner Mark Borrelli. "The alert talks about the importance of providing the CCO with sufficient authority and resources, and having a strong compliance culture, and in the speech, Ceresney highlighted a couple of enforcement actions in which CCOs were not provided with sufficient resources or were misled by other personnel."
Strengths and weaknesses
The risk alert places the observations made by examiners into three broad categories: meaningful risk assessments, compliance policies and procedures, and annual reviews of compliance programs.
Advisers and funds, "particularly those that use outsourced CCOs, may want to consider the issues identified in this risk alert to evaluate whether their business and compliance risks have been appropriately identified, that their policies and procedures are appropriately tailored in light of their business and associated risks, and that their CCO is sufficiently empowered within the organization to effectively perform his/her responsibilities," OCIE said.
Meaningful risk assessments
"The staff observed that certain outsourced CCOs could not articulate the business or compliance risks of the registrant (adviser or fund) or, to the extent the risks were identified, whether the registrant had adopted written policies and procedures to mitigate or address those risks," OCIE said. "In some instances, the risks described to the staff by the registrant’s principals were different than the risks described by the outsourced CCO."
The risk alert attributes these risk assessment problems to the following:
Use of standardized checklists. Not all such uses are problematic, the staff said, as "use of questionnaires or standardized checklists may be a helpful guide to identify conflicts and assess risks." Nonetheless, the risk alert noted that some standardized checklists used by outsourced CCOs "were generic and did not appear to fully capture the business models, practices, strategies and compliance risks that were applicable to the registrant." In addition, some of the responses to the standardized questionnaires included "incorrect information about the firms’ business practices. The outsourced CCOs did not appear sufficiently knowledgeable about the registrant to identify or follow up with the registrant to resolve such discrepancies."
Lack of certain policies, procedures and disclosures. Some advisers and funds did not have policies, procedures and disclosures in place in critical areas, among them compensation practices, portfolio valuation, brokerage and execution, and personal trading by access persons.
Compliance policies and procedures
OCIE staff reported that it found instances in which compliance policies and procedures were not followed, or where the registrants’ actual practices differed from those listed in their compliance manuals.
These practices, the staff said, "were observed in areas that are required to be reviewed by regulations," such as reviews required for the payment of cash for solicitation activities and personal securities transactions, "and in areas that registrants included in their policies and procedures, but that are not expressly required to be reviewed by regulations," such as quarterly reviews of employee emails.
"In many instances," according to the risk alert, "the outsourced CCOs were designated as the individuals responsible for conducting the reviews."
The staff also observed that, in some cases, compliance policies and procedures were not tailored to businesses or practices. "Several of the compliance manuals that the staff reviewed were created using outsourced CCO-provided templates," the risk alert says. As a result of some of these templates not being tailored to registrants’ businesses and practices, the resulting compliance manuals also contained inappropriate policies and procedures. Examples of this listed in the risk alert include:
Critical areas were not identified, "and thus certain compliance policies and procedures were not adopted, such as reviewing third-party managers hired to manage client money, or safeguarding client information."
Policies were adopted, but were not applicable to the adviser’s business and operations. Examples included monitoring of account performance composites (in practice, the adviser did not monitor composites because it did not advertise performance), and collecting quarterly management fees in advance (in practice, clients were billed monthly in arrears).
Critical control procedures were either not performed or not performed as described. These included oversight of private fund fee and expense allocations, reviews of solicitation activities for compliance with the Advisers Act, and trade allocation reviews for fairness of side-by-side management of client accounts with proprietary accounts.
Annual review of compliance programs
Outsourced CCOs were typically responsible for conducting and documenting registrants’ annual reviews, which included testing for compliance with existing policies and procedures. "The staff … observed a general lack of documentation evidencing the testing," the risk alert says.
The staff also noted that "certain outsourced CCOs infrequently visited registrants’ offices and conducted only limited reviews of documents or training on compliance-related matters while on site. Such CCOs had limited visibility and prominence within the registrants’ organization, which appeared to result in the CCOs also having limited authority within the organization to, among other things, improve adherence to the registrants’ compliance policies and procedures. Limited authority also appeared to affect the outsourced CCOs’ ability to implement important changes in disclosure regarding key areas of client interest, such as advisory fees."
Not all the staff observations were negative. During the examinations, the risk alert says, "the staff observed instances where the outsourced CCO was generally effective in administering the registrant’s compliance program, as well as fulfilling his/her other responsibilities as CCO."
Staff observations regarding effective outsourced CCOs, according to the risk alert, generally involved the following:
Regular, in-person communication between the CCOs and the registrants;
Strong relationships established between the CCOs and the registrants;
Sufficient registrant support of the CCOs;
Sufficient CCO access to registrants’ documents and information; and
CCO knowledge about the regulatory requirements and the registrants’ business.
"Many smaller advisors may think that an outsourced CCO represents the best or even the only possible approach, and they can take some comfort from the risk alert because the Commission staff said that there are some instances in which outsourced CCOs were ‘generally effective,’" said Borrelli.
"However, there clearly is also a fair amount of skepticism from the SEC surrounding these arrangements," he said. "One of the biggest risks involves the use of a CCO that is stretched too thin and therefore doesn’t spend enough time on the compliance program for a particular firm. A related point is that the CCO should have a regular physical presence at the adviser. That type of presence is extremely important. It’s not surprising that the staff found that CCOs that frequently interacted with adviser personnel in person were more effective.
"The other big risk is the use of off-the-shelf manuals and other materials without customization," Borrelli continued. "Even firms without significant internal compliance expertise – which may be the reason for the reliance on an outsourced CCO in the first place – should be able to evaluate whether the CCO is customizing the compliance program to its business."
What OCIE staff looked for
Under the Outsourced CCO Initiative, according to the risk alert, OCIE staff focused on whether:
The CCO was administering "a compliance environment that addressed and supported the goals of the Advisers Act, Investment Company Act, and other federal securities laws, as applicable;"
The compliance program was reasonably designed to prevent, detect and address violations;
The compliance program "supported open communication between service providers and those with compliance oversight responsibilities;"
The compliance program appeared to be proactive rather than reactive;
The CCO appeared to have sufficient authority to "influence adherence with the registrant’s compliance policies and procedures, as adopted, and was allocated sufficient resources to perform his or her responsibilities;" and
Compliance appeared to be an important part of the registrant’s culture.