Is an Outsourced Compliance Provider Appropriate for Your Firm?
The SEC’s Director of Examinations recently reiterated the critical role that Chief Compliance Officers (“CCOs”) play for both investment advisers and investment companies. The SEC’s language, together with previous SEC guidance focused on outsourced CCOs, implies that the SEC prefers in-house CCOs. The case for that interpretation was strengthened when the SEC amended Form ADV in 2017, after which the agency began collecting data on the use of outsourced CCOs.
This article will help you decide whether an outsourced compliance provider is right for your organization by breaking down SEC guidance on CCO best practices, where outsourced CCOs struggle, and how to effectively use outside compliance providers, which the SEC acknowledges have their place in an effective compliance program. We conclude the best structure to implement is pairing an in-house CCO with an experienced outside compliance provider.
CCOs should have the knowledge and authority to do their jobs effectively
The SEC’s expectation is that an Adviser’s CCO should be competent and knowledgeable regarding the Advisers Act and should be empowered with full responsibility and authority to develop, implement, and enforce appropriate policies and procedures for their firm. The Director stated that a “CCO should have a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.”
The SEC’s 2015 Risk Alert focused on outsourced CCOs and raised many of the same concerns as the Director and the SEC’s 2020 Risk Alert. In that 2015 report, the SEC observed that some advisers retained CCOs who lacked sufficient authority within the adviser’s business to develop and enforce appropriate policies and procedures. While the SEC’s 2015 Risk Alert identified instances where an outsourced CCO arrangement worked, it also noted that more significant compliance-related issues were identified at registrants with an outsourced CCO. This appears directly related to the age-old issue of failing to devote adequate resources to compliance.
The problem with outside CCOs
The SEC found that outsourced CCOs tended to overgeneralize both in crafting policies and procedures and in conducting annual and other required reviews. This makes sense because running a large-scale, outsourced CCO business requires at least some standardization, but it is at odds with the SEC’s requirement that each Adviser have a compliance program appropriately tailored to its own business models, practices, strategies, and compliance risks. In 2015 the SEC appeared skeptical of the outsourced CCO arrangement even though it is not prohibited by the Advisers Act. Clearly the one-size-fits-all approach is unlikely to be successful.
The SEC now collects data on Advisers who use outsourced CCOs
In October 2017, the SEC adopted a change that “requires an Adviser to report whether its CCO is compensated or employed by any person other than the adviser (or a related person of the Adviser) for providing chief compliance officer services to the adviser[.]” The SEC explained that:
Identifying information for these third-party service providers, like others on Form ADV, will allow us to identify all advisers relying on a particular service provider and could be used to improve our ability to assess potential risks.
Since there are too many Advisers for the SEC to examine every year, it makes sense that the SEC would employ a risk-based approach. How exactly the identified risks are used to risk rate Advisers is unclear. An outsourced CCO may mean a higher risk rating, which could mean more frequent examinations or additional scrutiny in other areas. It could also be a flag to focus on the Adviser clients of a particular service provider that may be repeating the same mistakes across all its clients.
CCOs can leverage outside firms for maximum effectiveness
Reading between the lines, the SEC’s 2015 guidance, the SEC’s 2017 Form ADV amendment, and the Director’s recent Risk Alert statements favor a dedicated, in-house CCO. A fair reading of the guidance suggests that a knowledgeable, competent CCO requires sufficient seniority and access to senior management, as well as sufficient time dedicated to fulfilling their responsibilities as CCO and sufficient time developing their knowledge of the Advisers Act.
When an in-house CCO is paired with a reputable outside firm, that in-house CCO can have eyes on important happenings within the firm and direct access to firm management and personnel. Being in-house allows the CCO to focus their attention where it is needed most, while at the same time outsourcing standardized tasks and leveraging an outside compliance firm’s knowledge of the Advisers Act. This practice leads to effectively having a much larger compliance staff at the CCO’s disposal for far less cost than hiring a comparable in-house team.
Pairing an in-house CCO with a reputable outside compliance firm works because it acknowledges that the critical function of compliance may be best executed when the responsibilities do not fall solely on the shoulders of the CCO. Advisers should evaluate the need for compliance resources and continually reassess such needs as the firm’s business model ebbs and flows. One advantage of having an outside firm on retainer is the ability to marshal additional compliance resources almost instantly. Moreover, retaining outside help before you need it is less costly than waiting until an SEC Enforcement action requires it.
The CCO must have the support of Senior Management
No matter where the CCO sits, the most important aspect of an effective compliance program is having management support and an empowered CCO with the capability to perform their job effectively. The Director summed up this responsibility concisely when he said: “Without a culture that truly values the CCO, supported by a sincere ‘tone at the top’ by senior management, a firm stands to lose the hard-earned trust of its clients, investors, customers and other key stakeholders.”
 Formerly known as the Office of Compliance Inspections and Examinations (OCIE)