The Risks of Outsourcing Compliance

Margaret Williams
Associate Editor
Loyola University Chicago School of Law, JD 2020

The Chief Compliance Officer (“CCO”) plays a vital role in in the business of broker dealers and investment advisors. Following the financial crisis, firms hired compliance officers in droves to help repair vulnerabilities in firm policies and to address emerging regulation. As regulatory complexity and demand for compliance professionals grew, firms looked to consultants, contractors and lawyers to help fulfill specialized compliance functions. Can an unaffiliated third party effectively fulfill the Chief Compliance Officer role?

The SEC’s watchful eye

Rule 206(4)-7 under the Investment Advisors Act of 1940 (“Advisor’s Act”) and Rule 38a-1 under the Investment Company Act of 1940 are known as the “Compliance Rules.” The Compliance Rules make it unlawful for investment advisors to advise clients until they (1) adopt written policies and procedures reasonably designed to prevent violations by the advisor and its supervised persons of the Advisor’s Act and associated rules as well as federal securities laws and associated rules; (2) review the policies and procedures at least annually with respect to their adequacy and effectiveness; and (3) designate an individual as “Chief Compliance Officer” responsible for administering the policies and procedures. Certain CCOs must also prepare written reports of their annual compliance reviews for their board of directors.

As broker-dealers and investment advisors turned to third parties to provide the compliance functions, the Securities and Exchange Commission (“SEC”) took notice. In November 2015, the SEC issued a “Risk Alert” to share its observations from examinations of investment advisors and funds that outsourced their Chief Compliance Officers (“Outsourced CCOs”) and to raise awareness of the compliance issues observed by SEC staff. The SEC’s examinations considered:

  • whether the Outsourced CCOs administered compliance programs that supported the goals of the Advisor’s Act and the Investment Company Act and applicable federal securities laws;
  • whether the registrants had a culture of compliance;
  • whether the compliance programs were proactive or reactive;
  • whether there was open communication between persons with compliance oversight responsibility and the Outsourced CCOs; and,
  • whether Outsourced CCOs satisfied the Rule 206(4)-7 definition and had sufficient authority to compel the registrant to comply.

While the SEC found circumstances of broker-dealers or advisors with Outsourced CCOs that were generally effective, the SEC’s examination findings raised serious questions about the overall effectiveness of outsourcing. The SEC cautioned registrants about Outsourced CCOs that did not have sufficient knowledge of the registrant’s business to identify and mitigate business or compliance risks or policy and procedural failures, particularly among those designated to the Outsourced CCOs. The SEC cautioned registrants about Outsourced CCOs use of general checklists and templates not tailored to the registrant and the SEC expressed concern about the level of resources available to Outsourced CCOs to perform the compliance duties, particularly where one individual served as the Outsourced CCO to multiple registrants. Finally, the SEC questioned the efficacy of Outsourced CCOs that had limited visibility and authority within the registrant’s organization particularly typified by infrequent visits, limited compliance reviews, and limited compliance-related training by the Outsourced CCOs, conducted.

In a November 2015 speech , the SEC’s director of the Division of Enforcement outlined three circumstances under which the SEC would bring a case against a CCO and cited relevant cases: (1) CCO directly engages in misconduct unrelated to the compliance function, (2) CCO attempts to obstruct or mislead SEC staff, and (3) CCO “completely fails” to fulfill their responsibilities. This Risk Alert and speech left the industry concerned about a slippery slope, namely that the SEC would shift to place liability on CCOs, including Outsourced CCOs, for failures. Enforcement cases involving CCOs since 2015 have served to underscore the concern about compliance failures and concomitant CCO liability. While CCOs have been named in enforcement actions, the ultimate responsibility for compliance generally has fallen on the investment advisor and not on an Outsourced CCO.

Recent developments

In February 2017, the SEC published a new Risk Alert highlighting the five most frequent compliance topics for investment advisors. The Risk Alert listed typical deficiencies and weaknesses found by SEC examinations related to the Compliance Rules, regulatory filing requirements, Custody Rule, Code of Ethics and Books and Records Rule. A number of the listed deficiencies were similar to concerns expressed in the 2015 Risk Alert. In particular, concerns that Outsourced CCOs may not be sufficiently close and visible within the organization to identify business and compliance risks and to make adequate disclosures; maintain adequate policies and procedures tailored to the business; and, have the resources necessary to adequately support the compliance needs of the registrant.

In August 2017, the SEC announced a settlement order involving David Osunkwo, the principal of a firm providing Outsourced CCO services. Osunkwo acted as the named CCO for two investment advisors, of which two principals pled guilty for orchestrating two multi-million dollar fraud schemes. In addition to a cease and desist order, Osunkwo was suspended from various functions for 12-months and ordered to pay a $30,000 civil monetary penalty.

As of October 2017, registered investment fund advisors are subject to additional requirements pursuant to Rule Release 4509 which adopted amendments to Form ADV. Form ADV is used by investment advisors to register with the SEC. The new requirements for Form ADV require investment advisors to divulge more details about their business, including whether an investment fund manager intends to use an Outsourced CCO and, if so, the name of the individual, the associated firm, and the IRS Employer Identification Number of the Outsourced CCO.

These 2017 developments highlight continuing concern about the effectiveness of Outsourced CCOs and lead the industry to wonder whether the SEC may subject such relationships to heightened scrutiny.