The Securities and Exchange Commission (the "SEC") has expressed significant concern with respect to the practice of some registered investment advisers and investment companies ("registrants") to outsource compliance functions. On November 9, 2015, the staff of the Office of Compliance Inspections and Examinations (the "Staff") of the SEC released a risk alert arising from the "Outsourced CCO Initiative" examination of registrants which outsource their chief compliance officers ("CCOs") functions to unaffiliated third parties ("outsourced CCOs"). The Staff observed "certain compliance weaknesses" associated with registrants that utilized outsourced CCOs.
In light of the Staff's alert, each registrant should carefully consider whether the use of an outsourced CCO is appropriate given the registrant's business and associated risks.
A. Conclusions
The Staff acknowledged that outsourced CCOs may be able to effectively implement and administer a registrant's compliance policies and procedures in accordance with the compliance rules. Regardless of the scope of outsourcing, however, the registrant remains responsible for its compliance. As such, a registrant that uses an outsourced CCO should be particularly careful that: (i) such CCO has correctly identified the business and associated risks particular to that registrant; (ii) compliance policies and procedures have been appropriately tailored to mitigate or address those risks; and (iii) such CCO is sufficiently empowered within the organization to, among other things, improve adherence to the registrant's compliance policies and procedures.
B. Staff Examinations and Observations
Under the Outsourced CCO Initiative, the Staff evaluated the effectiveness of a registrant's compliance program and use of an outsourced CCO by considering, among other things, whether:
(i) the CCO was administering a compliance environment that addressed and supported the goals of the Investment Advisers Act of 1940, as amended (the "Advisers Act"), the Investment Company Act of 1940, as amended (the "Investment Company Act"), and other federal securities laws, as applicable;
(ii) the compliance program was reasonably designed to prevent, detect, and address violations of the Advisers Act, Investment Company Act, and other federal securities laws, as applicable;
(iii) the compliance program supported open communication between service providers and those with compliance oversight responsibilities;
(iv) the compliance program appeared to be proactive rather than reactive;
(v) the CCO appeared to have sufficient authority to influence adherence with the registrant's compliance policies and procedures, as adopted, and was allocated sufficient resources to perform his or her responsibilities; and
(vi) compliance appeared to be an important part of the registrant's culture.
The Staff observed several instances where the outsourced CCO was "generally effective in administering the registrant's compliance program, as well as fulfilling his/her other responsibilities as CCO." In these instances, the Staff observed that effective outsourced CCOs generally had the benefit of:
(i) regular, often in-person, communication with the registrants;
(ii) strong relationships established with the registrants;
(iii) sufficient registrants' support;
(iv) sufficient access to registrants' documents and information; and
(v) knowledge about the registrants' business and the regulatory requirements applicable thereto.
More particularly, the Staff noted that outsourced CCOs who frequently and personally interacted with advisory and fund employees "appeared to have a better understanding of the registrants' businesses, operations, and risks. As a result, the [S]taff noted fewer inconsistencies between the compliance policies and procedures and the registrant's actual business practices." Additionally, the Staff found that annual reviews performed by outsourced CCOs who were able to independently obtain the records they deemed necessary for conducting such reviews "more accurately reflected the registrants' actual practices than annual reviews conducted by CCOs who relied wholly on the firm to select the records subject to their review."
On the other hand, the Staff observed that certain outsourced CCOs could not correctly identify a registrant's risks in light of its business, operations, conflicts and other compliance factors, or, to the extent the risks were identified, could not correctly identify whether the registrant had adopted written policies and procedures to mitigate or address those risks. Although the Staff noted that the compliance rules do not explicitly require compliance policies and procedures to contain specific elements, the Staff observed certain instances where registrants "did not appear to have adopted, implemented and/or adhered to policies and procedures that were reasonably designed to prevent the violation of applicable regulations or that were relevant in light of the registrant's business and operations." More particularly, the Staff observed "instances in which compliance policies and procedures were not followed or the registrants' actual practices were not consistent with the description of the registrants' compliance manuals." Several compliance manuals, the Staff found, were created using "outsourced CCO-provided templates" and were not tailored to the registrant's business or practice.
Finally, the Staff observed that, with respect to annual reviews, certain outsourced CCOs "infrequently visited registrants' offices and conducted only limited reviews of documents or training on compliance-related matters while on-site." The limited visibility of the outsourced CCO, the Staff noted, resulted in such CCOs having diminished authority within the organization to affect the registrants' compliance policies and procedures.
C. Recommendations
1. Diligence of Outsourced CCOs at Time of Engagement. When choosing an outsourced CCO, a registrant should ensure that such CCO has adequate resources to effectively administer the registrant's compliance policies and procedures. At the time of engagement, a registrant should (a) require an outsourced CCO to make a specific time commitment to the registrant that is commensurate with the registrant's business model and associated risks, and (b) review the outsourced CCO's track record and confirm that there are no prior instances of misconduct that would give rise to concern.
2. Evaluation of Policies and Procedures. A registrant should assess the policies and procedures prepared by an outsourced CCO for their adequacy in light of a registrant's particular business and associated risks, and enlist the assistance of counsel or other outside consultants, to the extent necessary, to conduct the assessment. Senior management should be comfortable that the registrant's compliance policies and procedures are appropriate given the scope of the registrant's business and the registrant's growth plans.
3. Periodic Reevaluation of Outsourced CCOs. At periodic intervals, perhaps coinciding with contract renewal dates, management of each registrant should evaluate the performance of the outsourced CCO during the prior term of the contract. Management should take into consideration, among other things, (a) the performance of the outsourced CCO during the prior term, particularly in connection with any SEC examinations of the registrant, (b) whether the compliance needs of the registrant have changed over the prior term, and (c) whether renewing the outsourced CCO's contract is appropriate.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
