SEC Risk Alert: Outsourced Chief Compliance Officers
The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released a “Risk Alert” on November 9, 2015, the purpose of which is to raise awareness of compliance issues observed in connection with the examination of registered investment advisers and investment companies that outsource their Chief Compliance Officers (“CCO”) to unaffiliated third parties.
We encourage our registered investment adviser clients, including hedge fund and private equity managers, that have outsourced their firm’s CCO function to compliance service providers or other third parties to carefully review the following SEC risk alert summary and review their outsourcing arrangement in view of the SEC’s observations.
Outsourced CCO Initiative
The OCIE staff (the “staff”) conducted 20 examinations as part of an Outsourced CCO Initiative to evaluate the effectiveness of compliance programs and outsourced CCOs by considering a number of factors such as:
- Whether the CCOs appropriately identified, mitigated, and managed compliance risk;
- Whether the compliance program was designed to reasonably prevent, detect and remedy violations of federal securities laws;
- Whether there was open communication between those with compliance responsibilities and service providers;
- Whether the CCOs had authority to influence compliance policies and procedures of the registrants and had sufficient resources to carry out their responsibilities; and
- Whether compliance was an important part of the registrants’ culture.
Observations of successfully outsourced CCOs
The staff observed compliance strength in outsourced CCOs with the following characteristics:
- Regular and often in-person communication between the CCOs and registrants;
- Strong relationships between the CCOs and registrants;
- Registrants’ support of the CCOs;
- CCOs having independent access to documents and information; and
- CCOs having knowledge of the registrants’ business and regulatory requirements.
Observations of unsuccessfully outsourced CCOs
The staff observed compliance weakness in outsourced CCOs with the following characteristics:
- CCOs providing compliance manuals based on templates not tailored to the registrants’ businesses and containing inappropriate policies and procedures;
- CCOs visiting registrants’ offices infrequently, conducting limited annual reviews of documents or insufficient evaluation and assessment of training pertaining to compliance matters;
- CCOs not performing critical control testing procedures and lacking documentation to evidence testing of control procedures;
- Critical areas of the registrants’ operations not being identified by CCOs, resulting in certain compliance policies and procedures not being adopted, including those necessary to address conflicts of interest;
- CCOs using generic checklists to gather pertinent information regarding the registrants;
- Registrants providing incorrect or inconsistent information to the CCOs about firm business practices;
- Lack of follow-up by CCOs with registrants to resolve discrepancies; and
- CCOs having limited authority within the registrants’ organizations to improve adherence to compliance policies and procedures and implement necessary changes in disclosure practices, such as fees, expenses and other areas of client interest.
The staff reminds registrants that CCOs, whether direct employees, contractors or consultants, must have sufficient knowledge and authority to fulfill their role. In addition, each registrant is responsible for the adoption and implementation of its compliance program and accountable for any deficiencies.
Finally, the staff emphasizes that all registrants, and especially those that use outsourced CCOs, may find the issues identified in the Risk Alert useful to evaluate whether (i) their business and compliance risks have been appropriately identified, (ii) policies and procedures are tailored to the specific risks their businesses encounter, and (iii) their respective CCOs have the necessary power to effectively perform their responsibilities. Registrants and their funds are advised to review their business practices regularly to determine whether the practices are consistent with compliance obligations under Rule 206(4)-7 under the Investment Advisers Act of 1940 and Rule 38a-1 under the Investment Company Act of 1940.
Please contact the Investment Funds and Investment Management Group if you would like to discuss the SEC alert or need help reviewing your outsourcing arrangement.