Yesterday, the SEC indirectly affirmed that registered investment advisers and investment companies can outsource their CCO to an unaffiliated third party and satisfy their 206(4)-7(c) and 38(a)-1(a)(4) obligations. However, advisers and funds that do so must ensure they comply with all aspects of the respective Compliance Rules, including ensuring the outsourced CCO is qualified to serve as the CCO. The SEC’s announcement came via a risk alert that was based on an SEC examination initiative focused on advisers and funds that outsource their Chief Compliance Officers. Consistent with other risk alerts, the SEC raised their concerns around the subject at hand, and outlined some best practices. The examination included 20 firms composed of both investment advisers and investment companies as part of the Outsourced CCO Initiative.
The staff evaluated the effectiveness of the compliance programs of those firms who had outsourced their CCO to a third party by considering whether:
- The CCO is actively administering the program so that it addresses and supports the goals of all federal securities laws including the Advisers Act and Investment Company Act;
- The compliance program is reasonably designed to prevent, detect, and address violations;
- The compliance program is being carried out with open communication between the firm’s internal compliance staff and the third party service provider;
- The compliance program appears to be proactive rather than reactive;
- The CCO appears to have sufficient authority to manage the firm’s policies and procedures and has sufficient resources to perform his or her responsibilities; and
- Compliance appears to be an important part of the firm’s overall culture.
According to the release, those firms that effectively utilized an outsourced CCO to administer their compliance program, and satisfactorily fulfilled the other responsibilities that come along with the CCO title, shared the following characteristics:
- regular, and often in-person communication between the CCO and the firm;
- strong relationships established between the CCO and the firm;
- sufficient firm support of the CCO;
- sufficient CCO access to firm documents and information; and
- CCO knowledge about the regulatory requirements and the firm’s business.
On the other hand, the staff also observed potential hazards that could be associated with the decision to use an outsourced CCO. The risk alert noted that some of the examined CCOs could not adequately describe the business or risks inherent to the firm’s business, or the CCO described the risks differently from the other executives in the firm. In the cases where the CCOs could identify the risks, there were instances where the SEC noted the CCO was unable to articulate whether or not there were policies and procedures in place designed to mitigate such risks. These findings are an important reminder to advisers that they should be conducting meaningful risk assessments of their business on a periodic basis, including the risks associated with using an outsourced CCO, and ensuring their policies and procedures address those risks.
The SEC also found instances where the firms’ compliance policies and procedures were created using templates provided by the outsourced CCO that were not tailored to their business or practices. Another vulnerability of outsourcing compliance responsibilities that the SEC highlighted in this risk alert was that despite having policies and procedures in place, there were occasions where they were not being followed, or were not consistent with the description found in their Compliance Manual. The SEC noted that in many instances, the outsourced CCOs were designated as the individuals responsible for conducting the reviews to ensure all requirements were being met and in accordance with the firm’s Compliance Manual.
For those firms examined, the outsourced CCOs were usually responsible for ensuring the firm was compliant with the firms’ respective Compliance Rules including the annual review of the firm’s compliance program, which includes testing of the existing policies and procedures. The staff observed a “general lack of documentation evidencing the testing” completed during these annual reviews. In addition, the staff noted that certain outsourced CCOs infrequently visited the offices of the firms they served as CCO, and conducted only limited reviews of documents or training on compliance-related matters while on-site.
The risk alert reminds advisers and funds utilizing outsourced CCOs to ensure they understand the potential weaknesses that come with outsourcing the role of CCO. An outsourced CCO must understand the compliance risks inherent in an adviser’s or fund’s business and be able to appropriately design policies and procedures tailored to address those risks. The firm must also ensure the CCO is sufficiently empowered within the organization to effectively perform his/her responsibilities. Firms should note that the SEC has taken enforcement action against CCOs who were designated as the individuals responsible for conducting reviews and failed to do so.
As with previous examination initiatives, the Commission is essentially “rulemaking” when releasing their findings, and will expect advisers to adapt their policies and procedures to address the potential dangers as defined in this risk alert.
If considering outsourcing your CCO, we advise getting very comfortable with the individual that is going to be your CCO and their background: have they operated within your business model, and do they understand the regulator mindset? SEC3 can assist your firm in creating, implementing and maintaining your policies and procedures. Our sister company, CCO Compliance Services, LLC (CCO3), offers outsourced CCO services to registered investment advisers and investment companies. For further information, please contact your SEC3 representative or contact us at email@example.com.