On November 9th, 2015, the SEC released a Risk Alert through its Office of Compliance Inspections and Examinations (OCIE) to raise awareness of the outsourcing of the compliance function by investment managers.
The alert reads “OCIE staff have noted a growing trend in the investment management industry: outsourcing compliance activities to third parties, such as consultants or law firms. Some investment advisers and funds have outsourced all compliance activities to unaffiliated third parties, including the role of their chief compliance officers (“CCOs”). Outsourced CCOs may perform key compliance responsibilities, such as updating firm policies and procedures, preparing regulatory filings, and conducting annual compliance reviews.”
Apparently, the OCIE performed 20 examinations of investment managers that fully outsourced the CCO function and made a number of notable observations.
The good news is that they found that the outsourced CCO was generally effective in administering the registrant’s compliance program.
However, they also identified three areas in which the strength and effectiveness of fund managers’ compliance programs differed.
- Communication – Outsourced CCOs who had more personal interaction with the manager’s staff (in person, on the phone), rather than impersonal activity (email, checklists, etc.), had a better understanding of the fund’s business and thus fewer inconsistencies between the compliance policy and the actual business practice.
- Resources – More inconsistencies were found when outsourced CCOs were representing a multitude of funds. Notably, many of these funds were dissimilar, which further complicated proper representation.
- Empowerment – Outsourced CCOs that were able to independently obtain the fund’s records to perform their annual reviews fared better than CCOs that were supplied documents and records. In the latter case, it was implied that the registrant could influence the accuracy of the review based upon the selectivity of the documents offered.
The Risk Alert further pointed out other areas that were problematic. Specifically, certain outsourced CCOs could not properly frame the fund’s business or compliance risks. In other cases, even if CCOs could properly frame the business or compliance risks, the policies written were often insufficient to address the risks themselves. Moreover, in many instances, interviews with the fund’s staff and principals yielded different risks than those cited by the outsourced CCO. This resulted in the CCO not having policies in place to meaningfully address all of the fund’s identified risks.
The Risk Alert cautioned against the use of standardized or generic checklists, which often miss key business considerations for each fund. In view of the lack of comprehensive business knowledge, the CCO neither asked the proper questions nor meaningfully addressed any of the resulting discrepancies that these checklists produced.
In some cases, conflict-of-interest risks, the safeguarding of client information, the collection of management fees in advance (rather than monthly in arrears) and the oversight or fairness of composite performance reporting were all noted examples where the templated policies were insufficient to adequately address the risk.
The industry speculation is that the SEC will take some enforcement action soon. In order to be best prepared, fund managers should review their compliance policies and ensure that they are properly targeted for their specific business risks.
In addition, managers should try to leverage commercial-grade technology wherever they can. Notable examples include adopting system automations, enforcing trade compliance reporting, managing performance measurement and composites, applying “four-eye” sign-offs, enabling proper document storage, imparting workflow restrictions, amending user permissions and even memorializing a proper audit trail. Technology, in general, can be leveraged by the CCO, whether outsourced or not, and be helpful in supporting this critical responsibility.