SEC Warns Advisors of Compliance Outsourcing Risks

Nov 19th 2015

Weaknesses in outsourced compliance oversight require a review of business practices, according to an alert issued on Nov. 9 by the US Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE).

“A chief compliance officer (CCO), either as a direct employee of a registrant or as a contractor or consultant, must be empowered with sufficient knowledge and authority to be effective,” the alert states. “Each registrant is ultimately responsible for adopting and implementing an effective compliance program and is accountable for its own deficiencies. The staff observed fewer compliance-related issues at the registrants examined that had developed appropriate controls in each of the areas identified in this risk alert.”

Commissioners issued no press release or statement about the findings, noting that the alert's views are those of the OCIE and staff of the SEC Division of Investment Management and the SEC Division of Enforcement. The findings are based on 20 examinations, which focused on SEC-registered investment advisors and investment companies that outsource their CCOs to unaffiliated third parties.

The three problem areas identified in the alert are meaningful risk assessments, compliance policies and procedures, and annual review of compliance programs.

Here are the details.

Meaningful risk assessments. An effective compliance program should identify risks related to business, operations, and conflicts, among other factors. Compliance policies and procedures should reflect those risks. But examiners found that some outsourced CCOs couldn't describe their client's business or compliance risks or, where risks were identified, whether the client's policies and procedures addressed them. Examiners also heard risk descriptions from outsourced CCOs that differed from what they heard from the principals in the company. In those cases, examiners also found that companies lacked policies, procedures, and disclosures to handle risks.

Examiners found that some outsourced CCOs use standardized checklists to gather information from their clients. While those can be helpful, the examiners found that some checklists were generic and inapplicable to the client's business, that some standardized questionnaires completed by the clients included incorrect or inconsistent information about business practices, and that outsourced CCOs didn't know enough about their clients to follow up on the discrepancies.

The alert points to an enforcement action in March involving Aegis Capital LLC, in which the SEC Division of Enforcement said an outsourced compliance officer contributed to the firm's false filings to the SEC because the officer didn't review records to validate the information and relied on information from the client.

Examiners also found that firms didn't appear to have policies, procedures, or disclosures on hand to address the identified conflicts of interest. Those conflicts involved areas affecting a firm's clients, including compensation, portfolio valuation, brokerage and execution, and personal securities transactions by access people.

Compliance policies and procedures. Examiners saw a lack of policies and procedures that would prevent regulatory violations. Those include ignoring or inconsistently following compliance procedures, either in areas required to be reviewed or in areas in the policies that aren't expressly required to be reviewed. Many times, the outsourced CCO was responsible for the reviews.

Examiners also reviewed compliance manuals based on the outsourced CCO's template. But, because some templates weren't in sync with firms' business practices, compliance manuals included policies and procedures inappropriate for a firm's business.

Annual review of compliance programs. While outsourced CCOs generally conducted the annual reviews, including testing for compliance with policies, the testing generally wasn't documented.

Outsourced CCOs also irregularly went to clients' offices and performed limited reviews of documents or compliance training. They had limited authority to improve compliance, which seemed to affect their ability to bring about disclosure changes.