Full disclosure

Third-party compliance teams will get a closer look from the Securities and Exchange Commission starting this fall. From October, firms that outsource their chief compliance officer function must include the details of their service provider on their Form ADV, which is used to register with the SEC.

The agency said the move will help it identify all advisors relying on a particular service provider, and improve its ability to “assess potential risks” after staff observed a “wide spectrum of both quality and effectiveness of outsourced chief compliance officers and firms.”

While an industry consultation on the matter identified some support for the initiative, the majority of respondents raised concerns that ranged from a perceived increase in their administrative tasks, to the likelihood it would invite additional scrutiny about an advisor’s judgement in hiring externally versus internally.

The focus of the new requirement also came under fire; it zooms in on the outsourced CCO’s other employment and compensation, as opposed to the service it is offering.

“The inquiry should focus on the details of the compliance program and resources committed to address compliance risk – e.g., the CCO’s education and professional designations, the number of employees, estimated total number of hours spent on compliance and the other duties of the CCO,” said one respondent to the consultation.

But the agency said its approach meets its regulatory objective of identifying all advisors relying on a particular service provider, and may improve its ability to assess the potential risks related to outsourced CCOs and firms.

An added risk

Compliance experts have indicated it’s possible that outsourcing the function could be considered a risk factor by the agency. The SEC relies on a risk-based approach to determine whether it will examine a firm – the higher the risk rating, the more likely an exam will take place.

“I think that is true in part [that outsourcing will be perceived as a risk factor],” says Doug Cornelius, CCO at Beacon Capital Partners, “but it depends on the outsourcing itself. If the SEC sees a trend that a particular outsourcing firm is doing a bad job, it will certainly take a closer look at the advisors that use that outsourcing firm.”

This means that, theoretically, the chances of a smaller firm being subject to an SEC exam would go up. These firms are more likely to outsource their compliance function to avoid having to staff up internally or combine the CCO role with other functions such as the CFO or the COO, a practice which has also raised concerns with the regulator.

“[CFOs and COOs] may already have a full workload and/or lack the time or expertise to effectively administer the compliance program. This can lead to undetected issues and deficiencies if the registrant is examined by the regulators. It can also lead the regulator to question a firm’s dedication to its compliance function,” Joseph DiBartolo, director at Alaric Compliance Services, tells pfm.

The new requirement is in part a response to the agency’s 2015 focus on outsourced CCOs. That year, the Office of Compliance Inspections and Examinations performed 20 examinations of investment managers that fully outsourced the function, the results of which were generally positive.

But the exams did identify three areas where they specifically contrasted the strength and effectiveness of a fund manager’s compliance program. The office found there were inconsistencies when outsourced CCOs were representing a multitude of funds. It also noted that in some cases, fund managers never implemented suggestions put forward by outsourced CCOs, and in the worst cases the outsourced CCO was clueless about the firm’s activities.

“A CCO, either as a direct employee of a registrant or as a contractor or consultant, must be empowered with sufficient knowledge and authority to be effective,” the SEC says.

At the time the agency recommended registered investment advisors with outsourced CCOs review their business practices to determine that their chosen service provider is able to establish, implement, monitor and review an effective and robust compliance program.

When it comes to outsourcing, fund managers have to strike the balance between costs and benefits, and risks and rewards. It may make their lives easier, and reduce their overall operating costs, but managers should always be aware that the more they outsource, the more risk controls they must implement to ensure that their appointed outsourced provider is doing exactly what they should be doing.

While the new requirement to file details of an outsourced CCO doesn’t change the reasons to hire one, it might mean a firm has to re-evaluate its relationship with these third-party service providers.

Britain’s new raft of rules

Starting in March 2018, the Senior Managers and Certification Regime, which governs the appointment and conduct of senior and key personnel at banks, will apply to UK-based private equity firms and some of the firms in which they invest.

Much like the US Compliance Program Rule, SMR requires firms to develop good compliance procedures and culture, and holds senior managers accountable for oversight. It replaces the Approved Persons Regime, which dictates who can carry out controlled functions such as being a director or being responsible for compliance on behalf of an authorized firm.

Under SMR, senior staff must be approved by the UK regulator, the Financial Conduct Authority, and take on increased accountability for happenings at their firm. A statement of responsibilities must be drawn up and maintained for each manager, identifying the areas of regulated activity the staff member is responsible for.

SMR also introduces new conduct rules for other staff, which is likely to require firms to update their compliance processes, and employment contracts and policies. These will apply very widely to all employees, except those performing ancillary tasks.