SEC Issues Risk Alert on Outsourcing the Chief Compliance Officer Role

Written by: RIA in a Box

Today, the Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) staff issued a new registered investment adviser (RIA) regulatory risk alert related to firms that outsource the Chief Compliance Officer (CCO) role to third parties such as compliance consultants or law firms. This comes only a few months after the SEC proposed a new rule in May that would require investment advisory firms to disclose if they utilize an outsourced CCO .

It's evident that the SEC examination staff has been focused on better understanding the effectiveness of outsourced CCOs for quite some time. As RIA compliance consultants , we strongly believe that the CCO role should never be outsourced to a third party and have never taken on this role for any client. It is the crucial that a firm's CCO is properly empowered as a senior officer, has deep knowledge of the firm's business model and relevant risks, and is located on-site.

This latest risk alert notes that the the SEC OCIE staff recently conducted examinations of nearly 20 investment advisory firms that outsource their CCO role to "unaffiliated third parties." Some of the risks of this model that the staff observed during these recent audits include:

  • Communication: Some outsourced compliance officers did not appear to have enough personal communication with the firm to have a sufficient understanding of the firm's operations and associated risks.
  • Resources: Third parties that served as a CCO for multiple firms with varying business models did not always enough resources and detailed knowledge to perform required compliance duties.
  • Empowerment: Outsourced CCOs that did not independently obtain firm records to perform compliance reviews resulted in conducting inaccurate and insufficient reviews.
  • Information gathering: Some 3rd party CCOs use standardized checklists to gather information and when inaccurate information was returned, the CCO did not have enough knowledge to identify the inconsistent information and properly follow-up.
  • Insufficient Policies, Procedures, and Disclosures: Some firms utilizing an outsourced compliance officer did not sufficiently address all relevant conflicts of interest.
  • Policies and Procedures were not Followed: At times, the 3rd party CCO did not properly review and identify when a firm's actual practices did not match the required policies and procedures.
  • Policies and Procedures Manuals were not Tailored: Some compliance manuals were insufficient or not crafted for the relevant firm leading to critical compliance areas not being addressed.
  • Insufficient Testing of the Compliance Program: Many firms were observed to have a lack of documentation evidencing proper testing.
  • Limited Authority: Certain outsourced CCOs did not regularly visit the firm's office, had limited visibility into the organization, and thus were less equipped to drive needed compliance program changes.
  • Even if not utilizing an outsourced CCO, we recommend that all RIA firm principals review this latest risk alert as there are a number of observations that are relevant to all investment advisory firms.