The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released a national exam program risk alert concerning investment advisers and funds that outsource their chief compliance officers (“CCOs”). Rule 206(4)-7 under the Investment Advisers Act of 1940 (the “Advisers Act”) and Rule 38a-1 under the Investment Company Act of 1940 (the “Investment Company Act”) require registrants to designate an individual as CCO that is responsible for administering the policies and procedures of the firm.
OCIE conducted approximately 20 examinations that focused on SEC-registered investment advisers and investment companies that outsource their CCOs to unaffiliated third parties. OCIE evaluated the effectiveness of these registrants’ compliance programs and outsourced CCOs by considering, among other things, whether the CCO was administering a compliance environment that addressed and supported the goals of the Advisers Act, Investment Company Act, and other federal securities laws, as applicable and whether the CCO appeared to have sufficient authority to influence compliance with the registrant’s policies and procedures.
In situations where OCIE believed that the CCO was effective in administering the registrants’ compliance program, the CCOs generally had regular, often-in-person, communication with the registrants’ employees. There was also sufficient access to the registrants’ documents and information and the CCOs were knowledgeable about regulatory requirements and the registrants’ business. However, OCIE noted that in other situations, outsourced CCOs were not able to articulate the business or compliance risks of the registrant or when such risks were identified, the registrant had not adopted policies and procedures to address those risks. In other instances, the risks described by the registrants’ principals were different than those described by the outsourced CCOs. In addition, OCIE noted situations where outsourced CCOs infrequently visited registrants’ offices and conducted limited reviews of documents while on-site. Limited authority of the outsourced CCOs also appeared to affect the CCOs’ ability to properly perform their responsibilities.
OCIE also noted that outsourced CCOs use of standardized checklists to gather information regarding the registrants can be problematic if the checklists are too generic and do not capture all of the business models, practices, strategies and risks applicable to the registrant. In addition, OCIE cautioned that it saw several compliance manuals created using outsourced CCO-provided templates that were not appropriately tailored to the registrants’ business and practices.
OCIE suggested that investment advisers and funds with outsourced CCOs review their business practices in light of the risks identified to correct any weaknesses. In doing so, they should ensure that their practices as well as their policies and procedures are appropriately tailored to their business and to comply with the requirements under the Advisers Act, the Investment Company Act, and other federal securities laws, as applicable.