Timothy M. Simons, CFA, CFP, CIPM, CSCP
Senior Managing Member
Focus 1 Associates LLC
October 25, 2016
While I was reviewing the amended Form ADV that will be required to be used for every filing after October 2017, Part 1 Item 1J. Chief Compliance Officer, caught my eye. I was aware of the requirement to identify the identity of an outsourced CCO, but seeing it as part of the Form ADV made me stop and think. If the SEC has the ability to collate Forms ADV, as they indicate they can, they will be able to identify every individual and company that functions as an outsourced CCO and have a list of all of the RIAs for which they perform that function. It makes sense, that if an outsourced CCO is determined to be performing an inadequate job at one firm, the SEC will be able to examine every RIA for which they act as the CCO. Conversely, if the outsourced CCO is determined to perform at any level above adequate, those firms for which they act as the CCO may have an examination deferred or conducted with a narrower focus.
Rule 206(4)-7(c), under the Advisers Act, requires a registered investment adviser to “designate an individual (who is a supervised person) responsible for administering the policies and procedures” that an adviser adopts pursuant to Rule 206(4)-7. Although Rule 204A-1 (the adviser code of ethics rule) is a separate rule, the fact that a CCO must be a supervised person under Rule 206(4)-7 means that the outsourced CCO would also be considered a supervised person under Rule 204A-1. The rules do not distinguish between outsourced and non-outsourced CCOs for this purpose.
So not only will the SEC be able to determine if the CCO is inadequate due to too much work (which will be at the SEC’s discretion), but the outsourced CCO is subject to an adviser’s policies and procedures, including the code of ethics, and may be considered to be in a supervisory role in some cases (depending on their functions). The liability for an outsourced CCO is increasing substantially.
OCIE Risk Alert
OCIE’s November 2015 Risk Alert stated that the adviser’s CCO should be:
“competent and knowledgeable regarding the Advisers Act and . . . empowered with full responsibility and authority to develop and enforce appropriate policies and procedures for the firm [and] have a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.”
The SEC examination staff conducted nearly 20 examinations of RIAs with outsourced CCOs and observed instances where the outsourced CCO was generally effective in administering the registrant’s compliance program, as well as responsibilities as CCO. In addition to determining whether the RIA’s compliance program was reasonably designed to prevent, detect, and address violations of the federal securities laws, the examination staff was trying to determine whether:
- The compliance program supported open communication between service providers and those with compliance oversight responsibilities;
- The compliance program appeared to be proactive rather than reactive;
- The CCO appeared to have sufficient authority to influence adherence with the registrant’s compliance policies and procedures, as adopted, and was allocated sufficient resources to perform his or her responsibilities; and
- Compliance appeared to be an important part of the registrant’s culture.
The staff observed that an effective compliance program generally relies upon, among other things, the correct identification of a registrant’s risks in light of its business, operations, conflicts, and other compliance factors. The staff observed that certain outsourced CCOs could not articulate the business or compliance risks of the registrant or, to the extent the risks were identified, whether the registrant had adopted written policies and procedures to mitigate or address those risks. In some instances, the risks described to the staff by the registrant’s principals were different than the risks described by the outsourced CCO. In these instances, the staff identified several areas where the registrant did not appear to have policies, procedures, and/or disclosures in place necessary to address certain risks.
The staff also observed instances where the registrants did not appear to have adopted, implemented, and/or adhered to policies and procedures that were reasonably designed to prevent the violation of applicable regulations or that were relevant in light of the registrant’s business and operations. Additionally there were instances where Compliance policies and procedures were not followed and/or were not tailored to the registrants’ businesses or practices.
For the registrants examined, the outsourced CCOs were typically responsible for conducting and documenting registrants’ annual reviews, which included testing for compliance with existing policies and procedures. The staff, however, observed a general lack of documentation evidencing the testing.
In a February 2016 article “The SEC Initiative Re: Outsourced CCOs”, the law firm Venable LLP, suggested a potential way forward:
“…one approach would be to couple an internal CCO or compliance team with an expert third-party law firm or consultant that can provide the CCO much-needed support. Internal CCOs with the authority and expertise to perform their responsibilities would typically possess the intimate knowledge of the firm’s business and operations required to effectively identify risks and manage compliance programs. However, without experienced support, CCOs typically find it difficult to effectively and consistently perform all of their compliance responsibilities.”
Services that could be provided to support an internal compliance team include:
- Independent reviews of critical areas;
- Assistance in developing risk assessments;
- Assistance in developing policies and procedures that are tailored to the firm;
- Providing regulatory guidance on hot topics, or complex regulatory matters;
- Assistance with developing training on key regulatory matters for the adviser’s staff;
- Pre-exam and during- the- exam support for regulatory exams;
- “Mock” SEC exams or independent third-party reviews.
These services can be an indispensable part of an effective compliance program. In utilizing this approach along with one or more of these services, CCOs can help foster a strong culture of compliance within their firms and avoid the concerns identified in the Risk Alert.
Starting with the filing of the updated Form ADV after October 2017, I expect the SEC examiners will take advantage of the identification of outsourced CCOs and key in on those doing a less rigorous job and perhaps conduct fewer exams of those who seem to be covering all of the bases. The Risk Alert seems to indicate that the SEC examination staff puts more faith in a compliance program administered by a competent and knowledgeable person within the RIA, rather than someone external to the firm who may possess the same skills and knowledge about the federal securities laws, but without the firm knowledge. I think the approach outlined above by Venable is a great model to use, especially in smaller firms where the resources may not be available to hire additional compliance staff. I may have some bias here, because I am one of those external persons that have acted as an external resource for CCOs.