Is an outsourced CCO appropriate for your organization?
The SEC’s Director of Examinations1 recently reiterated the critical role that Chief Compliance Officers (“CCO”) play for both investment advisers and investment companies. The SEC’s language, together with previous SEC guidance focused on outsourced CCOs, suggests that the SEC may be in favor of in-house CCOs. The case for that interpretation was strengthened when the SEC amended Form ADV in 2017, after which the agency began collecting data on the use of outsourced CCOs.
The SEC has acknowledged that outsourced compliance providers have their place in effective compliance programs, however, they seem to repudiate the complete outsourcing of the CCO role. This article will break down the SEC’s disdain for an outsourced CCO, where outsourced CCOs struggle, and how to effectively use outside compliance providers, which have their place in an effective compliance program. We conclude that the best structure to implement may be pairing an in-house CCO with an experienced external compliance provider.
CCOs should have the knowledge and authority to do their jobs effectively
The SEC’s expectation is that an adviser’s CCO should be competent and knowledgeable regarding the Advisers Act and should be empowered with full responsibility and the authority to develop, implement, and enforce appropriate policies and procedures for their organization. The Director stated that a “CCO should have a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.”
The SEC’s 2015 Risk Alert focused on outsourced CCOs and raised many of the same concerns as the Director and the SEC’s 2020 Risk Alert. In the 2015 report, the SEC observed that some advisers retained CCOs who lacked sufficient authority within the adviser’s business to develop and enforce appropriate policies and procedures. While the SEC’s 2015 Risk Alert identified instances where an outsourced CCO arrangement worked, it also noted that more significant compliance-related issues were identified at registrants with an outsourced CCO. This appears to be directly related to the historic issue of failing to devote adequate resources to compliance.
The challenge of an outsourced CCO
The SEC found that outsourced CCOs tended to over generalize in both crafting policies and procedures and in conducting annual and other required reviews. This may be as a result of running a large-scale, outsourced CCO business that requires some standardization. It is, however, at odds with the SEC’s requirement that each adviser maintain a compliance program appropriately tailored to its own business models, practices, strategies and compliance risks. In 2015 the SEC appeared skeptical of the outsourced CCO arrangement even though it is not prohibited by the Advisers Act. It is clear that a ‘one size fits all’ approach is unlikely to be successful.
The SEC now collects data on Advisers who use outsourced CCOs
In October 2017, the SEC adopted a change that “requires an Adviser to report whether its CCO is compensated or employed by any person other than the adviser (or a related person of the Adviser) for providing chief compliance officer services to the adviser.” The SEC explained that:
Identifying information for these third-party service providers, like others on Form ADV, will allow us to identify all advisers relying on a particular service provider and could be used to improve our ability to assess potential risks.2
Since the number of advisers is too great for the SEC to examine every year, it is understandable that the SEC would employ a risk-based approach. How exactly the identified risks are used to risk rate advisers is unclear, however. An outsourced CCO may mean a higher risk rating, which could mean more frequent examinations or additional scrutiny in other areas. It could also be a flag to focus on the adviser clients of a particular service provider that may be repeating the same mistakes across all its clients.
CCOs can leverage outside firms for maximum effectiveness
Reading between the lines, the SEC’s 2015 guidance, the SEC’s 2017 Form ADV amendment, and the Director’s recent Risk Alert statements seem to favor a dedicated, in-house CCO. A fair reading of the guidance suggests that a knowledgeable, competent CCO requires sufficient seniority and access to senior management, as well as sufficient time dedicated to fulfilling their responsibilities as CCO and sufficient time developing their knowledge of the Advisers Act.
When an in-house CCO is paired with a reputable outside firm, they are able to focus on significant happenings within the organization and have direct access to senior management and personnel. Being in- house allows the CCO to focus their attention where it is needed most, while at the same time outsourcing standardized tasks and leveraging an outside compliance provider’s knowledge of the Advisers Act. This practice effectively leads to there being a much larger compliance staff at the CCO’s disposal for far less cost than hiring a comparable in-house team.
Pairing an in-house CCO with a reputable outside compliance firm can be successful, due to the fact that it acknowledges that the critical function of compliance may be best executed when the responsibilities do not fall solely on the shoulders of the CCO alone. Advisers should evaluate the need for compliance resources and continually reassess such needs as the organization’s business model ebbs and flows. One advantage of engaging an outside firm on retainer is the ability to marshal additional compliance resources almost instantly. In addition, retaining outside help before you need it is less costly than waiting until an SEC enforcement action requires you to do so.
The CCO must have the support of senior management
Regardless of where the CCO is positioned, the most important aspect of an effective compliance program is gaining management support and having an empowered CCO with the capability to perform their job effectively. The Director summed up this responsibility concisely when he said, “Without a culture that truly values the CCO, supported by a sincere ‘tone at the top’ by senior management, a firm stands to lose the hard-earned trust of its clients, investors, customers and other key stakeholders.”
For further information please reach out to our US Compliance Specialists or contact us below.
1 Formerly known as the Office of Compliance Inspections and Examinations (OCIE)
2 https://www.sec.gov/rules/final/2016/ia-4509.pdf