The Pros and Cons of Outsourcing Your Chief Compliance Officer (“CCO”)

What is “Outsourcing”?

Outsourcing can be defined as the act of contracting certain work or services out to a third party, typically as a replacement for conducting that service internally.

In today’s market, many organizations choose to outsource specific, everyday critical tasks to outside experts. Some prime examples: an accountant for tax preparation, a mechanic for car maintenance, or a lawyer for legal work. Businesses and individuals often rely on a third party’s expertise, which they themselves often lack, to achieve the best results or desired outcome. This also applies to the compliance requirements of registered investment advisers and funds. Although this RMU mainly focuses on RIAs and Funds, outsourcing can also be a beneficial option for broker-dealer compliance programs.

 

Background

Rule 206(4)-7 under the Investment Advisers Act of 1940 (“Advisers Act”) and Rule 38a-1 under the Investment Company Act of 1940 (“Investment Company Act”), often referred to as the “Compliance Rules,” require registrants to:

  • Adopt and implement written policies and procedures that are reasonably designed to prevent violations by the adviser and its supervised persons of the Advisers Act and its rules and violations by the fund of the federal securities laws and the rules under those laws, respectively;[1]
  • Designate an individual as CCO to be responsible for administering the policies and procedures;[2] and
  • Review the policies and procedures at least annually for their adequacy and the effectiveness of their implementation. [3] Fund CCOs must also prepare a written report for the fund’s board of directors.[4]

Qualifications of a Chief Compliance Officer

Per the rule, the adviser’s CCO should be:

  • Competent and knowledgeable regarding the Investment Advisers Act of 1940 (“Advisers Act”) and, in the case of mutual funds, the Investment Company Act of 1940 (“Investment Company Act”);
  • Empowered with full responsibility and authority to develop and enforce appropriate policies and procedures for the firm; and
  • In a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.[5]

Given the SEC’s expectations regarding outsourcing a CCO, firms often question the benefits and disadvantages of this potential solution. Organizations must consider all aspects to determine the best option for their company, especially their corporate culture, business model, and needs.

What are the Pros of Outsourcing the CCO Role?

  • Focused and Dedicated Talent. RIA staff can focus on providing advisory services to their clients and marketing their firms to increase business;
  • Untapped Knowledge. Outsourcing provides firms a wealth of compliance resources and expertise which is typically not available in-house;
  • Reduced Cost. Outsourcing compliance and CCO services is more cost effective than hiring in-house talent (not factoring in the costs associated with benefits, etc.), especially for new advisers with limited budgets;
  • Streamlined Access and Resources. Outsourced CCOs have access to significant resources (deficiency letters, trends, etc.) to help RIAs or Funds manage a proactive compliance program;
  • Industry Focused Outlook. Outsourced CCOs offer years of industry experience, some from an examiner/regulatory aspect, while others provide in-house experience; either of which can be instrumental in providing an independent, new, and outside perspective to compliance programs and pin-point key focus areas;
  • Voice of Reason. Over time and from first-hand experience, we have seen that supervised persons tend to adhere to compliance advice and recommendations better from an independent party;
  • Focused on Compliance and Nothing but Compliance. Their entire business model as an outsourced CCO is compliance and improving your firm’s program. They won’t struggle with business and client obligations or juggle hats and responsibilities like many small firms’ in-house CCOs do; and
  • Meet/Exceed Expectations. Today’s regulators expect strong RIAs/Funds to have comprehensive compliance programs. By utilizing an outsourced compliance specialist, firms can ensure focused positive SEC exam outcomes by concentrating on key trends and focus areas to reduce overall compliance risk.

What are the Cons of Outsourcing the CCO Role?

As discussed above, there are significant advantages to outsourcing compliance and the role of CCOs, yet there are some considerations that RIAs should be aware of prior to selecting this solution for their firm. Outsourced CCOs can be utilized for most of the compliance heavy lifting, but RIAs have to be aware of their compliance obligations and create a strong culture of compliance. Other concerns of outsourcing can be:

  • Additional scrutiny by regulators;
  • Limited communications with the outsourced CCO;
  • Overall regulatory compliance responsibilities still belong to the RIAs;
  • Turnover within the outsourced firms can heavily impact a firm’s program; and
  • Having an onsite compliance resource/presence serves as a reminder for employees regarding regulatory requirements and establishing a strong culture of compliance.

In addition, according to the SEC’s 2015 Risk Alert, “Examinations of Advisers and Funds that Outsource Their Compliance Officers,”[6] choosing to use an outsourced CCO or compliance service comes with its own concerns, which may expose RIAs to additional compliance risk. As described in the Alert, the SEC conducted 20 examinations of advisers with outsourced CCOs as part of an Outsourced CCO Initiative. The staff evaluated the effectiveness of registrants’ compliance programs and outsourced CCOs by considering, among other things, whether:[7]

  • The CCO was administering a compliance environment that addressed and supported the goals of the Advisers Act, Investment Company Act, and other federal securities laws, as applicable (i.e., compliance risks were appropriately identified, mitigated, and managed);
  • The compliance program was reasonably designed to prevent, detect, and address violations of the Advisers Act, Investment Company Act, and other federal securities laws, as applicable; [8]
  • The compliance program supported open communication between service providers and those with compliance oversight responsibilities; [9]
  • The compliance program appeared to be proactive rather than reactive; [10]
  • The CCO appeared to have sufficient authority to influence adherence with the registrant’s compliance policies and procedures, as adopted, and was allocated sufficient resources to perform his or her responsibilities;[11] and
  • Compliance appeared to be an important part of the registrant’s culture. [12]

The SEC observed that in some cases the outsourced CCO was generally effective in administering the firm’s compliance program.[13] Examples include regular in-person visits, open communication between CCOs and firms or funds, strong established relationships between CCOs and firms, reciprocal support between the CCO and the firm, and the CCO’s overall knowledge of the firm’s business.[14]

Staff members also observed that the following caused them concern and resulted in this alert:

  • CCOs made limited visits to RIAs’ offices, which limited their ability to conduct on-site reviews;
  • CCOs often lacked a full understanding of the RIAs’ business practices and did not establish effective terms of communication with the firm’s principals;
  • Both the RIAs and the outsourced CCOs had limited access to documents and filings, which directly impacted the effectiveness of the policies and procedures, as well as the overall compliance program;
  • The outsourced CCO had limited visibility and prominence within the organization, thus hindering the ability to create a strong culture of compliance;
  • Compliance manuals often contained unnecessary or inapplicable policies and procedures; and
  • Annual reviews and records failed to meet SEC expectations, and in some cases were inaccurate.

Due to these findings, the SEC amended Form ADV in August 2016, requiring RIAs to disclose their use of outsourced CCOs within their firm. The disclosure within Form ADV highlights the use of ineffective compliance services or CCOs not only to firms but also to the SEC, which may examine other firms that use the same service provider.

Conclusion

As with many business decisions, there are risks, but there is also added value for firms to consider when deciding whether to outsource their compliance program or CCO. Organizations should remember that although outsourcing may alleviate some of the regulatory compliance burden, they cannot completely forgo all their regulatory responsibilities. Core Compliance recommends that when selecting a service provider to engage as a CCO, firms should conduct extensive due diligence on the service provider and should consider multiple factors, such as cost, complexity of their business, expertise and experience, and availability of external resources.

According to the SEC’s Office of Examinations and Inspections 2020 Examination Priorities, there are 13,475 RIAs and growing[15], so compliance resources are becoming scarce as the industry grows.

Core Compliance currently serves as an outsourced CCO option for RIAs and BDs and we provide this option to our clients. Many have also utilized the various other services to meet their compliance needs, such as Investment Company Compliance Services.

For more information about our services, please contact us at (619) 278-0020 or visit us at www.corecls.com.

 

Author: Core Compliance & Legal Services (“Core Compliance”); Editor: Tina Mitchell, Lead Sr. Compliance Consultant; Core Compliance works extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity firms, CPOs, CTAs and banks on regulatory compliance issues and tailored programs.

This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.

[1] Rule 206(4)-7(a) under the Advisers Act and Rule 38a-1(a)(1) under the Investment Company Act. The Compliance Rule under the Advisers Act applies to advisers and their “supervised persons.” The term “supervised persons” is defined as “any partner, officer, director (or other person occupying a similar status or performing similar functions), or employee of an investment adviser, or other person who provides investment advice on behalf of the investment adviser and is subject to the supervision and control of the investment adviser.” Section 202(a)(25) of the Advisers Act.

As noted in the Adopting Release, in designing its policies and procedures, each registrant should identify conflicts, and other compliance factors that create a risk exposure for the firm and clients in light of the firm’s particular operations and design policies and procedures to address these risks.  An adviser should also consider its fiduciary obligations

[2] Rule 206(4)-7(c) under the Advisers Act (requiring that the CCO be a supervised person) and Rule 38a-1(a)(4) under the Investment Company Act.

[3] Rule 206(4)-7(b) under the Advisers Act and Rule 38a-1(a)(3) under the Investment Company Act.

[4] Rule 38a-1(a)(4)(iii) under the Investment Company Act.

[5] Adopting Release, Section II.C.1.

[6] Risk Alert. Examinations of Advisers and Funds That Outsource Their Chief Compliance Officers (Nov. 9, 2015) https://www.sec.gov/ocie/announcement/ocie-2015-risk-alert-cco-outsourcing.pdf

[7] See Risk Alert. Staff Examinations.

[8] See Risk Alert. Staff Examinations.

[9] See Risk Alert. Staff Examinations.

[10] See Risk Alert. Staff Examinations.

[11] See Risk Alert. Staff Examinations.

[12] See Risk Alert. Staff Examinations.

[13] See Risk Alert. Staff Observations.

[14] See Risk Alert. Staff Examinations.

[15] https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2020.pdf
