SEC Issues Risk Alert on Outsourced CCO Model

November 16, 2015

On November 9, 2015, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a National Exam Program Risk Alert regarding advisers and funds that have retained an unaffiliated third party such as a consultant, contractor, or lawyer to serve as their outsourced Chief Compliance Officer (“CCO”). Please note that while ACA provides a broad range of compliance support services, we do not provide an outsourced CCO service.

The Risk Alert summarized the findings of nearly 20 sweep examinations conducted by OCIE in order to evaluate the effectiveness of adviser and fund compliance programs with an outsourced CCO. The examinations focused on the following:

  • Whether the outsourced CCOs were “administering a compliance environment that addressed and supported the goals of the Advisers Act, Investment Company Act, and other federal securities laws, as applicable to the firm”
  • Whether the compliance program was reasonably designed to prevent, detect, and address violations of the relevant federal securities laws
  • Whether the compliance program supported open communication between the service providers and those with compliance oversight responsibilities
  • Whether the compliance program was proactive rather than reactive
  • Whether the CCO met the definition provided in Rule 206(4)-7 and had sufficient authority to compel the registrants to comply
  • Whether the registrant appeared to have a “culture of compliance”

Outsourced CCOs: Proceed with Caution

According to the Risk Alert, the SEC’s examination staff found instances where outsourced CCOs were generally effective in administering the compliance program and fulfilling their CCO responsibilities. Overall, however, the staff’s findings raised questions about the effectiveness of outsourced CCOs. For example, the Alert noted that the staff found situations where the outsourced CCO could not accurately articulate the adviser’s or fund’s business or compliance risks, resulting in compliance controls that did not appropriately mitigate actual risks. The staff also identified instances where the CCO used standardized checklists, resulting in only general information being obtained by the CCO regarding the adviser’s or fund’s investment strategies and compliance risks.

The staff found that registrants with outsourced CCOs may experience failures in their compliance policies and procedures, specifically those that had been designated to the outsourced CCO. The staff also found examples of compliance policies and procedures that were not tailored to the registrant, or that were factually inaccurate in critical areas, as a result of having been created using templates provided by the outsourced CCO. In addition, the staff cited concerns about whether registrants had the appropriate level of resources to perform their compliance duties where one individual served as outsourced CCO to multiple registrants.

The Risk Alert also expressed concerns surrounding the general lack of documentation to evidence testing associated with the annual compliance program review conducted by outsourced CCOs.

Perhaps the most notable statement in the Risk Alert was the following:

“In addition, the staff notes that certain outsourced CCOs infrequently visited registrants’ offices and conducted only limited reviews of documents or training on compliance-related matters while on-site. Such CCOs had limited visibility and prominence within the registrants’ organization, which appeared to result in the CCOs also having limited authority within the organization to, among other things, improve adherence to the registrants’ compliance policies and procedures. Limited authority also appeared to affect the outsourced CCOs’ ability to implement important changes in disclosure regarding key areas of client interest, such as advisory fees.”

While the deficiencies described above may be found at firms with internal CCOs as well, it is clear that the SEC’s examination staff is particularly concerned with compliance weaknesses at registrants that outsource the CCO function. In the Risk Alert, the staff recommended that registrants with outsourced CCOs review their business practices in light of the risks noted in the Alert, in order to ensure that their compliance programs are meeting the SEC’s expectations. The staff also took the opportunity to remind firms that their CCOs, regardless of whether an employee, contractor, or consultant, must be appropriately empowered and have sufficient knowledge and authority to be effective in the CCO role.

For the full text of the Risk Alert please click here.

Part of a Larger Focus?

The SEC’s recent Risk Alert may be part of a larger SEC initiative to focus on advisers and funds that use an outsourced CCO. Indeed, it is possible that the SEC is seeking to identify CCOs who serve multiple organizations in an outsourced capacity. In May 2015, the SEC proposed amendments to Form ADV that would require advisers to report whether their CCO is compensated or employed by any person other than the adviser (or a related person of the adviser) for providing CCO services. The proposal stated:

“Our examination staff has observed a wide spectrum of both quality and effectiveness of outsourced chief compliance officers and firms. Identifying information for these third-party service providers, like others on Form ADV, would allow us to identify all advisers relying on a particular service provider and could be used to improve our ability to assess potential risks.”

The full Interpretive Notice is available here.

How ACA Can Help
ACA’s deep bench of compliance professionals can assist firms with evaluating, enhancing, or testing their compliance program to help ensure that the firm meets the regulatory expectations communicated in the Risk Alert. If you have any questions about the notice, or if you would like to discuss engaging ACA for assistance, please contact Lynne Carreiro at +44 (0)20 7042 0500.