IMPACT ANALYSIS: Managing the risks of compliance outsourcing

December 1, 2015

By Julie Dimauro, Regulatory Intelligence

(Thomson Reuters) – As regulators increasingly tell companies to bolster their compliance programs, some of them are turning to outside experts to provide the creation or management of such programs by outsourcing all or parts of the chief compliance officer job.

An assortment of consultants and law firm attorneys serve as these outsourced CCOs, and they may fill the role at a number of companies at once. For smaller firms in particular, the approach provides independent compliance expertise when the need might otherwise be hard to meet. But responsibility for the program’s vulnerabilities remains with the contracting firm in the eyes of regulators, and firms should carefully consider how they will manage the risks of the outsourcing process.

Regulators have instructed companies to take seriously the role of the chief compliance officer by endowing the position with the authority and resources to monitor and control risk.

Drawing attention to the issue most recently is a risk alert from the Securities and Exchange Commission’s (SEC’s) Office of Compliance Inspections and Examinations (OCIE) on November 9 that warned advisory firms and funds of the risks inherent in using an outsourced CCO.

The alert was issued after the SEC conducted nearly 20 examinations under its “Outsourced CCO Initiative.” The initiative is the result of OCIE staff noticing a growing trend of firms outsourcing critical CCO functions and after having “observed certain compliance weaknesses associated with registrants that outsourced their CCOs,” the risk alert said.

The risk alert quoted a Charles Schwab & Corp. study that determined that 38 percent of the 820 registered investment advisers it surveyed are outsourcing some aspect of their compliance function, which was an increase of over 10 percentage points from the previous year. The study noted that outsourcing compliance is of high importance to the majority of those firms (79 percent).

In the banking sector, the Office of the Comptroller of the Currency (OCC) issued guidance in 2013 to national banks and federal savings associations on assessing the risk in third-party relationships, with a particular focus on outsourcing relationships. The OCC noted that banks are outsourcing increasingly complex functions and processes, which is exposing them to greater risk.

In assessing the industry, the OCC found that certain banks had failed to properly assess the risks and costs of managing third-party relationships, had failed to perform appropriate due diligence and entered into agreements that encouraged the third party to take risks detrimental to the bank.

Speeches, enforcements

Underscoring the focus regulators are paying to compliance programs and compliance professionals, Andrew Ceresney, head of the SEC’s enforcement division, delivered the keynote at a National Society of Compliance Professionals event in Washington, D.C., in early November, saying the outcome of SEC enforcement actions can often be predicted by how the defendant company treats its compliance officers.

To that end, Ceresney said the likelihood of an enforcement action against a firm can often be gleaned by asking these questions about the role of the compliance department in it:

  • Are compliance personnel included in critical meetings?
  • Are their views typically sought and followed?
  • Do compliance officers report to the CEO and have significant visibility with the board?
  • Is the compliance department viewed as an important partner in the business and not simply as a support function or a cost center?
  • Is compliance given the personnel and resources necessary to fully cover the entity’s needs?

Ceresney makes it clear that his agency expects SEC-regulated firms to value the responsibilities associated with the role of CCO, and that a failure to do so will be considered a deficiency upon which to base an action against them.

On August 6, the SEC issued a cease and desist order to Parallax Investments, LLC, a registered investment adviser, and John Bott II, the firm’s owner. The case, based on deficient conflict of interest policies, also reprimanded the firm for failing to adopt, implement and annually review written policies and procedures reasonably designed to prevent violations of law and to establish and enforce a written code of ethics.

The SEC order in its recent decision regarding Parallax states: “[The CCO] devoted approximately nine hours per month to Parallax’s compliance program. He did not maintain a permanent office at Parallax and delegated daily compliance tasks to other employees in his absence.” The CCO used an off-the-shelf compliance manual that was never made to suit the firm’s business.

This does not sound like a full-time compliance officer position; rather, it sounds like a poorly outsourced one, and one that bears the hallmarks of a deficient compliance program, using Ceresney’s key indicators noted above.

What could be dismissed as another conflicts-of-interest case, In the Matter of the Robare Group Ltd., is being decided via an SEC administrative proceeding that calls into question the reliance on compliance consultants by SEC-regulated firms.

The case started as a cease-and-desist order in September 2014, was dismissed in June 2015 when appealed by the defendants, and returned to the SEC’s administrative tribunal as a petition for review of the dismissal.

In the first proceeding an administrative judge dismissed the regulator’s allegations that the Houston-based money manager failed to tell clients about a conflict of interest; namely, that it had received compensation from a broker for steering clients into certain mutual funds. The judge said in effect that although responsibility for the firm’s disclosures remains with the firm, it had relied in good faith on its compliance consultant’s judgment in this case. He said Robare had not concealed facts from its compliance consultant and the consultant’s advice was “facially valid.”

The SEC’s Division of Enforcement disagrees, asserting that these findings significantly weaken the “long-standing fiduciary standards applicable to investment advisers.” It justifies its request for an appellate review on the grounds that advisers’ reliance on compliance consultants is an “important matter of public interest.”

Considerations of authority, knowledge, access

The outsourcing approach may enable a smaller company to have the expertise of a full-time, independent compliance professional. At many small firms, compliance is a role someone takes on in addition to another job, a dual-hatted characteristic that offers its own set of pros and cons.

The SEC requires that the CCO is a “supervised person,” defined as “any partner, officer, director (or other person occupying a similar status or performing similar functions), or employee of an investment adviser, or another person who provides investment advice on behalf of the investment adviser and is subject to the supervision and control of the investment adviser.”

Culture of compliance

An outside compliance professional who is given the task of overseeing and implementing the firm’s compliance program and equipped with clear authority to do so could satisfy this requirement. In an outsourced CCO arrangement, the outside compliance professional could become the named CCO on Form ADV, responsible for everything from drafting and implementing a firm’s compliance manual and conducting periodic compliance reviews to offering compliance training to the firm’s staff.

Although firms are in no way prohibited from outsourcing some or all of the compliance functions, there are a few considerations that bear thought.

The SEC likes to see evidence that firms have a culture of compliance and are monitoring everything from day-to-day operations such as trading to periodic operations such as how training is conducted and whistleblower reporting mechanisms are offered and tested.

The SEC has emphasized the importance of an advisory firm’s culture of compliance in speeches and announcements of enforcement wins and settlements. It stresses that firms will be held accountable when their employees break the law to benefit the firm.

One of the attributes of a culture of compliance is what has been dubbed “tone at the top.” Regulators expect senior management to be engaged in compliance — to demonstrably support compliance program elements and offer the CCO a seat at upper management and board meetings. This means the compliance function is not considered a back-office function but is, instead, visible and able to communicate and personify the firm’s compliance ethos.

Regulators have reminded firms that the compliance program should not be a mere checklist of processes, but one that is tailored to the firm’s business and risks and tested regularly to see whether its processes actually work as designed. It should be modified as the firm’s risk profile changes, with processes spelled out as to the issues that must be escalated to senior management.

Regulators demand and seek careful documentation. Good record-keeping reflects a compliance program that is constantly reevaluating itself — performing the check-ups and fine-tuning the regulators require.

It is questionable whether an outsourced CCO provides the essential functions of the role while also embodying the firm’s compliance culture, being accessible and visible and considered a member of the senior management team.

Mock audit

The one compliance duty that most clearly merits hiring a vendor is the performance of the firm’s mock audit to proactively spot any compliance program weaknesses. This arrangement might not even be accurately called “outsourcing compliance,” as the entity providing this type of assistance is appropriately an independent one — an objective and outside perspective that tests the policies, procedures and risk controls of the firm.

The idea of having an outside professional’s trained eye conduct an independent analysis of a firm’s compliance program got a boost this month from SEC Chair Mary Jo White. White said before the U.S. House of Representatives’ Committee on Financial Services that she will be recommending that the SEC create a rule requiring third-party reviews of investment adviser firms’ compliance programs.

That is not to say that aspects of the compliance function cannot be performed by a trusted, closely monitored business supplier. Monitoring should include assessing the vendor’s financial condition and thoroughly vetting any subcontractors. There should be triggers set up, designed to escalate monitoring when the vendor fails to meet performance expectations, which should be clearly delineated early in the relationship.

The more due diligence of the compliance provider that one can perform, the better. But the critical point is this: Regardless of what or how many functions one chooses to outsource, it is the hiring firm that is ultimately responsible for its compliance program and compliance-related results.

(This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on Nov. 24. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @RiskMgment)