Risk With Outsourced Compliance Officers

The U.S. Securities and Exchange Commission (SEC) is concerned about the compliance risks related to a growing trend to outsource the role of Chief Compliance Officer (CCO) to third parties.

The outsourcing of key roles is often a good business practice. For example, ethics and compliance experts often recommend that firms outsource their ethics hotline operations to third-party vendors that can provide round-the-clock confidential coverage 365 days a year, often with experts in multiple languages.

The SEC does not condemn the practice of outsourcing Chief Compliance Officers or any other staff or service. With regard to Chief Compliance Officers, however, as outlined in its November 9, 2015 risk alert (see references below), it sees potential risks in the following three broad areas.

Communications: Those outsourced chief compliance officers who rely predominantly on impersonal interactions (for example, electronic communication and pre-defined checklists) have a less-than-strong understanding of the client’s business, operations, and risks. This can lead to unrecognized inconsistencies between compliance policies and actual business practices, a situation that CCOs are responsible for monitoring.

Resources: Outsourced compliance officers who serve as CCO for a number of different firms may not have sufficient resources to perform compliance duties for all the client firms with their different needs and levels of compliance.

Empowerment: Outsourced CCOs do not always have the authority to independently obtain information or records needed for various assessments. Annual reviews or other assessments may not be accurate if the CCO must rely on client-selected information.

Here are some more issues seen by SEC staff as part of their investigation of firms that have outsourced their chief compliance officers. The staff found that some outsourced CCOs (or organizations acting in that capacity):

  • could not articulate the business or compliance risks of the client firm;
  • did not know if the firm had adopted written policies and procedures to mitigate or address identified risks;
  • used generic checklists and questionnaires that did not fully capture the client firm’s business models, practices, strategies, and compliance risks;
  • did not always recognize discrepancies in the responses or follow up with the client when discrepancies were noted;
  • did not appear to have the policies, procedures, or disclosures in place to address all of the conflicts of interest identified by SEC staff;
  • provided generic templates to clients such that client-developed policies and manuals were not always representative of the clients’ specific businesses or practices;
  • failed to document required testing; and
  • infrequently visited clients’ offices or conducted only limited reviews of compliance-related documents or training.

These issues by no means occurred with all outsourced CCOs, but they appear to have occurred with enough of them that the SEC issued its Risk Alert. The SEC advises firms with outsourced chief compliance officers to review their business practices in light of the preceding risks and work to overcome them. Good advice in any case.

References:

Dockery, Stephen. “Outsourced Compliance Officer Trend Renews Standards Debate,” Risk & Compliance Journal (Wall Street Journal blog), February 24, 2016. http://blogs.wsj.com/riskandcompliance/2016/02/24/outsourced-compliance-officer-trend-renews-standards-debate/

U.S. Securities and Exchange Commission. “Examinations of Advisers and Funds That Outsource Their Chief Compliance Officers,” National Exam Program Risk Alert, November 9, 2015. https://www.sec.gov/ocie/announcement/ocie-2015-risk-alert-cco-outsourcing.pdf