Investment Firms and Compliance Professionals Beware: SEC Finds Risks Associated with Outsourcing Compliance Function

On Monday, November 9, 2015, the Office of Compliance Inspections and Examinations (“OCIE”) of the U.S. Securities and Exchange Commission (“SEC”) released results from its evaluation of investment adviser firms’ use of third parties for compliance functions, including outsourced chief compliance officers (“CCO”).  Outside CCOs often perform important compliance responsibilities, including updating firm policies and procedures, preparing regulatory filings, and conducting annual compliance reviews.  Despite the importance of these functions, the Risk Alert (“Risk Alert” or “Alert”) indicated that several of the outsourced CCOs examined had not implemented effective compliance programs.  The Alert, available here, sends a cautionary signal to investment adviser firms considering outsourcing compliance functions.   This warning is particularly timely since government agencies, including the SEC, have increased their focus on financial firms’ compliance programs, and on CCOs in particular.

OCIE’s review included approximately 20 examinations and interviews of outsourced CCOs and other senior officers.  The review was part of an Outsourced CCO Initiative focusing on SEC-registered investment advisers and investment companies that outsource CCOs to third parties.  OCIE’s review and Risk Alert come on the heels of a “growing trend” to outsource compliance.  Indeed, the Risk Alert quoted a 2011 study from Charles Schwab Corporation finding that 38 percent of investment firms were outsourcing some part of their compliance function, up 11 percent since 2010, when 27 percent outsourced compliance.

While firms may be increasingly outsourcing compliance functions, OCIE’s Risk Alert gives investment firms reason to pause before doing so.  The Risk Alert highlighted a number of challenges faced by outsourced CCOs, some of which resulted in deficient compliance programs.  The Alert included the vulnerabilities listed below:

  • OCIE staff observed that some outsourced CCOs were unable to identify business or compliance risks faced by the firms they were working for and did not even know whether the investment firms had adopted written policies and procedures to mitigate those risks.
  • The Alert also found a disconnect between some outsourced CCOs and firm principals, with the two groups identifying different firm risks. In some of these instances, the staff concluded that registrants lacked policies, procedures, or disclosures addressing certain risks.
  • The Alert also identified instances where compliance policies and procedures were not followed or firm practices were not consistent with policies articulated in compliance manuals.
  • OCIE found that some outsourced CCOs failed to regularly visit their firms’ offices and reviewed only limited documentation when on-site. This limited the compliance chiefs’ visibility and prominence within the firms, resulting in limited awareness of unique compliance risks faced by the companies and limited authority to bolster compliance policies and procedures and ensure that firm employees complied with them.
  • OCIE observed that some outside CCOs failed to tailor compliance program templates to the unique risks and needs of the firm. For example, critical areas of compliance risk were not always identified, resulting in compliance policies and procedures that failed to address important compliance vulnerabilities, such as review of third parties hired to manage client money or policies designed to safeguard client information.
  • OCIE also noted that outside CCOs were often responsible for performing and documenting registrants’ annual reviews, including testing for compliance with firm policies and procedures, but identified a lack of documentation evidencing the required testing.

The Alert did, however, conclude that some outsourced CCOs were successful.  Hallmarks of successful CCOs included regular, on-site communication with their firms, strong relationships between outside CCOs and investment firms, and firms that gave outside CCOs support and access to firm documents and information.  Investment firms using outsourced compliance chiefs would be wise to take note of the factors contributing to successful outside CCOs, as the SEC cautioned that registrants themselves – not outside CCOs – are ultimately responsible for implementing effective compliance programs and accountable for any deficiencies in those programs.

Recent SEC enforcement actions also underscore firms’ ultimate responsibility for compliance programs.  For example, in Pekin Singer Strauss Asset Management, available here, the SEC charged an investment advisory firm and its president with violations involving compliance failures, but did not charge the adviser’s CCO, who had allegedly warned the firm that he did not have the resources to fulfill his compliance responsibilities.

As previously noted, OCIE’s alert comes at a time of increasing government attention to firms’ compliance programs.  Two years ago, in a speech to the National Society of Compliance Professionals, available here, SEC Chair Mary Jo White discussed risks of securities laws violations faced by compliance professionals.  Similarly, two weeks ago, in a speech to the National Society of Compliance Professionals, available here, SEC Enforcement Director Andrew Ceresney spoke about liabilities for compliance professionals.  But he specifically cautioned that the cases brought involved compliance chiefs who “exhibited wholesale failures in carrying out responsibilities” and whose “conduct crossed a clear line.”

Those assurances may ring hollow in the wake of several recent actions against CCOs.  In July 2015, the SEC named and sanctioned AlphaBridge Capital Management and its CCO, who was also a co-portfolio manager, for allegedly misleading the fund administrator and auditor about the value of the fund’s assets.  In August 2015, the SEC charged Parallax Investments and its officers, including its CCO, for, among other violations of securities laws, alleged failure to adopt and implement written compliance policies and procedures or to conduct annual compliance reviews.