SEC Raises Awareness Surrounding CCO Outsourcing

Yesterday, the SEC indirectly affirmed that registered investment advisers and investment companies can outsource their CCO to an unaffiliated third party and satisfy their 206(4)-7(c) and 38(a)-1(a)(4) obligations. However, advisers and funds that do so must ensure they comply with all aspects of the respective Compliance Rules, including ensuring the outsourced CCO is qualified to serve as the CCO.  The SEC's announcement came via a risk alert  that was based on an SEC examination initiative focused on advisers and funds that outsource their Chief Compliance Officers.   Consistent with other risk alerts, the SEC raised their concerns around the subject at hand, and outlined some best practices.  The examination included 20 firms composed of both investment advisers and investment companies as part of the Outsourced CCO Initiative.

The staff evaluated the effectiveness of the compliance programs of those firms who had outsourced their CCO to a third party by considering whether: 

  • The CCO is actively administering the program so that it addresses and supports the goals of all federal securities laws including the Advisers Act and Investment Company Act;
  • The compliance program is reasonably designed to prevent, detect, and address violations;
  • The compliance program is being carried out with open communication between the firm's internal compliance staff and the third party service provider;
  • The compliance program appears to be proactive rather than reactive;
  • The CCO appears to have sufficient authority to manage the firm's policies and procedures and has sufficient resources to perform his or her responsibilities; and
  • Compliance appears to be an important part of the firm's overall culture

According to the release, those firms that effectively utilized an outsourced CCO to administer their compliance program, and satisfactorily fulfilled the other responsibilities that come along with the CCO title, shared the following characteristics:

  • regular, and often in-person communication between the CCO and the firm;
  • strong relationships established between the CCO and the firm;
  • sufficient firm support of the CCO;
  • sufficient CCO access to firm documents and information; and
  • CCO knowledge about the regulatory requirements and the firm's business

On the other hand, the staff also observed potential hazards that could be associated with the decision to use an outsourced CCO. The risk alert noted that some of the examined CCOs could not adequately describe the business or risks inherent to the firm's business, or the CCO described the risks differently from the other executives in the firm. In the cases where the CCOs could identify the risks, there were instances where the SEC noted the CCO was unable to articulate whether or not there were policies and procedures in place deigned to mitigate such risks.  These findings are an important reminder to advisers that they should be conducting meaningful risk assessments of their business on a periodic basis, including the risks associated with using an outsourced CCO and ensure their policies and procedures address those risks. 

The SEC also found instances where the firms' compliance policies and procedures were created using templates provided by the outsourced CCO that were not tailored to their business or practices. Another vulnerability of outsourcing compliance responsibilities that the SEC highlighted in this risk alert was that despite having policies and procedures in place, there were occasions where they were not being followed, or were not consistent with the description found in their Compliance Manual.  The SEC noted that in many instances, the outsourced CCOs were designated as the individuals responsible for conducting the reviews to ensure all requirements were being met and in accordance with the firm's Compliance Manual.

For those firms examined, the outsourced CCOs were usually responsible for ensuring the firm was compliant with the firms' respective Compliance Rules including the annual review  of the firm's compliance program, which includes testing of the existing policies and procedures.  The staff observed a "general lack of documentation evidencing the testing" completed during these annual reviews.  In addition, the staff noted that certain outsourced CCOs infrequently visited the firm offices of which they served as CCO, and conducted only limited reviews of documents or training on compliance-related matters while on-site.

Our Perspective

The risk alert reminds advisers and funds utilizing outsourced CCOs to ensure they understand the potential weaknesses that come with outsourcing the role of CCO.   An outsourced CCO must understand the compliance risks inherent in an adviser's or fund's business and be able to appropriately design policies and procedures tailored to address those risks.  The firm must also ensure the CCO is sufficiently empowered within the organization to effectively perform his/her responsibilities.  Firms should note that the SEC has taken enforcement action against CCOs who were designated as the individuals responsible for conducting reviews and failed to do so.

As with previous examination initiatives, the Commission is essentially "rulemaking" when releasing their findings, and will expect advisers to adapt their policies and procedures to address the potential dangers as defined in this risk alert.

If considering outsourcing your CCO, we advise getting very comfortable with the individual that is going to be your CCO and their background: have they operated within your business model and do they understand the regulator mindset.   SEC3 can assist your firm in creating, implementing and maintaining your policies and procedures. Our sister company, CCO Compliance Services, LLC (CCO3), offers outsourced CCO services to registered investment advisers and investment companies.  For further information, please contact your SEC3 representative or contact us at This e-mail address is being protected from spambots. You need JavaScript enabled to view it .


Get the latest compliance news and insights - delivered weekly. The SEC3 Communique covers all compliance topics. CCO3 focuses on CCO topics.
tip: check both to keep informed!


Overlooked Benefits of E&O/D&O

While asset managers should always be aware of the protections provided by their E&O/ D&O coverage, there are more reasons than ever to think about it now. The SEC continues to... read more »

SEC3 Newsletter

Commentary: How Compliance Officers & Firms Can Help Limit CCO Personal Liability This article originally appeared on the Thomson Reuters Regulatory Intelligence subscription service for compliance and risk professionals and is... read more »

Wishing One-and-All a Happy, Healthy and Prosperous New Year

We hope each of you found some peace and tranquility in the company of loved ones this holiday season and want to wish one-and-all a happy, healthy and prosperous New... read more »

Understanding How to Mitigate Liability and Navigate Insurance Options (Part II)

In June, we shared our thoughts around common insurance gaps and insurance riders that CCOs as well as managers should understand. One of the gaps we shared related to pre-claim... read more »

Cybersecurity - What have we learned and what have we done?

Regulatory Landscape In April 2015, the Securities and Exchange Commission ("SEC's") Division of Investment Management issued a guidance update, identifying cybersecurity as a critical issue. Several regulators are in fact focusing... read more »

Gatekeepers in SEC Crosshairs

Ever since the enforcement cases were announced as part of the SEC’s “Operation Broken Gate,” the SEC enforcement division has continued to ramp up scrutiny of gatekeepers including third-party service... read more »


Upcoming Events - September & October 2017

Upcoming Events Don’t miss the opportunity to meet with us in person to discuss the topics that matter most to you. SEC3 is teaming up with industry experts in NYC to discuss...

May 23, 2017 - Webcast: WannaCry Ransomware: Were You Really Protected or Just L…

When: Tuesday, May 23rd, 2017 | Schedule: 12pm - 1pm EST Who: Paul Caiazzo, CEO and Co-Founder, TruShield Security Solutions Michael Brice, Founder, BW Cyber Services John Lukan, Managing Director, SEC Compliance Consultants, Inc. We...

June 14, 2017 - Compliance Breakfast Briefing

8:30-9:00am - Networking and Continental Breakfast 9:00-10:30am - Program Location: Willkie Farr & Gallagher LLP | 600 Travis Street | Suite 2310 | Houston, TX Barry Barbash from Willkie Farr & Gallagher LLP,...

June 13, 2017 - Compliance Breakfast Briefing

8:30-9:00am - Networking and Continental Breakfast 9:00-10:30am - Program Location: Haynes and Boone, LLP | 2323 Victory Avenue | Suite 700 | Dallas, TX 75219 Validated parking is available in the garage attached...

May 31, 2017 - Chicago

9:00-9:30 a.m - Networking and Continental Breakfast 9:30-11:00 a.m - Program Location: Baker & McKenzie LLP | 300 East Randolph Drive | Suite 5000 | Chicago, IL 60601 Kristin Gonzalez and Jerome Tomas...

May 17, 2017 (NYC WIMF)

This event is by invitation only. Please email to learn more.

May 15, 2017 (NYC Chief Compliance Officer Roundtable)

9:00-9:30am - Networking and Continental Breakfast 9:30-11:00am - Program Location: Blank Rome LLP | The Chrysler Building | 405 Lexington Avenue | New York, NY 10174 | 22nd Floor Boardroom | Phone:...

Webcast: The Most Insidious Cybersecurity Threat Is Also The Least Understood

When: Tuesday, April 25th | Schedule: 12pm - 1pm EST Who: Paul Caiazzo, CEO and Co-Founder, TruShield Security Solutions Michael Brice, Founder, BW Cyber Services John Lukan, Managing Director, SEC Compliance Consultants, Inc. Ransomware, the...

CCO Liability (Part III): Managing Liability Webinar

In this webinar, panelists discuss indemnifications and insurance as potential remedies to address the direct financial risks to a CCO. Attendees will learn: What terms and conditions should Chief Compliance Officers be...

Webinar: CCO Liability (Part III): Managing Liability: Navigating Indemnities an…

When: Tuesday, February 21, 2017 Schedule: 11:00am ET / 10:00am CT / 9:00am MT / 8:00am PT / 7:00am AT Description of Webinar: The National Society of Compliance Professionals is pleased to host...

Webcast: SEC 2017 Examination Focus Area – Cybersecurity Testing

Penetration Testing & Vulnerability Assessments - Examining the SEC & FINRA Requirements When: Wednesday, January 25th | Schedule: 12pm - 1pm EST Who: Paul Caiazzo, CEO and Co-Founder, TruShield Security Solutions Michael Brice, Founder,...

Chief Compliance Officer Roundtable: Breakfast Briefing

When: October 20, 2016 Where: Blank Rome LLP | The Chrysler Building | 405 Lexington Avenue | New York, NY 10174 | 22nd Floor Boardroom | Phone: 212.885.5000 Thomas Westle and Janaya...

Practicing Law Institute - Hedge Fund Management 2016

When: September 15, 2016 Where: New York & concurrent webcast | 1177 Avenue of the Americas | New York, NY 10036 Schedule: 9:00 am – 5:00 pm Janaya Moscony, President of SEC3 will...


When: April 13, 2016 Where: Blank Rome LLP | The Chrysler Building | 405 Lexington Avenue | New York, NY 10174 22nd Floor Boardroom Thomas Westle and Janaya Moscony, along with industry experts,...


When: November 17, 2015 Where: Convene Midtown East | 730 Third Avenue | New York, NY 10017 Janaya Moscony, President, SEC Compliance Consultants, Inc. will be moderating a...