Faced with budget constraints and a shallow talent pool, financial firms frequently turn to external professionals to supplement, if not entirely run, their compliance programs. Updating firm policies and procedures, preparing regulatory filings, and conducting annual compliance reviews are just some of the services increasingly farmed out to external consultants and law firms.
That trend has caught the attention of the Securities and Exchange Commission, which recently sounded a warning. The question now asked by many is whether a Nov. 9 risk alert issued by the Office of Compliance Inspections and Examinations was intended to push firms that outsource the role of chief compliance officer away from the practice or, instead, creates the equivalent of a safe harbor for doing so by further clarifying a regulatory view of what a robust program must exhibit.
“The SEC has not banned outsourced compliance in any way or said it is presumptively disfavored, but reading between the lines you get the feeling that, in an ideal world, it is not how they would like to have regulated entities go about things,” says Jason Halper, a partner with Orrick, Herrington & Sutcliffe. “If you do delegate, you need to understand who the vendor is, their relationships with your company, and potential risks associated with that firm.”
Advisers and funds with outsourced CCOs should review their business practices, OCIE advised. “A CCO, either as a direct employee of a registrant or as a contractor or consultant, must be empowered with sufficient knowledge and authority to be effective,” the alert says. “Each registrant is ultimately responsible for adopting and implementing an effective compliance program and is accountable for its own deficiencies.”
As part of what it calls the Outsourced CCO Initiative, OCIE evaluated the compliance function at nearly 20 firms. “Significant issues” were identified at registrants with an outsourced CCO who also served that role for multiple firms or that “did not have sufficient resources to perform compliance duties.”
The alert clarifies that an effective compliance program relies upon the correct identification of a firm’s risks in light of its business and operations, with policies and procedures designed to address those risks. Several of the examined outsourced CCOs, however, could not articulate these specific business or compliance risks.
Some outsourced CCOs also used standardized checklists that were generic and did not appear to fully capture the business models, practices, strategies, and compliance risks that were applicable to the registrant. Others infrequently visited registrants’ offices, conducted only limited reviews of documents or training on compliance-related matters while on-site, and had limited visibility into, and authority within, the organization, OCIE wrote.
Despite the laundry list of concerns, some think the risk alert will help validate the use of outsourced compliance services by establishing the rules of the road. “Rather than have to defend the idea that you can or cannot outsource, we at least now have a document from the SEC that says you can but you need to follow these factors,” says Todd Cipperman, founding principal of Cipperman Compliance Services, a firm in the outsourced compliance space. “The SEC is not exactly shy or subtle when it comes to regulatory prohibitions and prescriptions. If they wanted to outlaw outsourcing they would have just said you can’t do it.”
Cipperman views OCIE’s warnings as a validation of what many providers are already doing. His company, for example, requires access to senior management and an onsite person to serve as “eyes and ears” as part of any such contract, he says. It also requires onsite visits at least six times a year and unfettered access to both documents and people.
Maintaining an external CCO is a more attractive option than balancing yet another hat atop an under-qualified, over-worked executive’s head, he argues. “If you are a senior executive at a firm and not a regulatory professional, why would you be the CCO?” he says. “The minute the SEC walks in and starts firing off questions you don’t know the answers to, you are putting yourself and your firm at risk. You don’t have an adequate program because you are obviously not qualified to do that job.”
Companies should nevertheless be cautious when considering the alert as any sort of validation, says Josh Deringer, a partner at law firm Drinker Biddle. His skepticism comes from recent enforcement actions that specifically named CCOs. “It establishes a floor more than a safe harbor,” he says. “I don’t know that firms should ever feel comfortable that—even if they do everything in the alert—they are safe.”
A CALL TO EMPOWER COMPLIANCE
The following, from a Risk Alert issued by the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations, includes its recommendations for firms that outsource compliance functions.
During these examinations, the staff observed certain compliance weaknesses associated with registrants that outsourced their CCOs, as described in this Risk Alert.
Advisers and funds with outsourced CCOs should review their business practices in light of the risks noted in this Risk Alert to determine whether these practices comport with their responsibilities as set forth in the Compliance Rules.
The staff anticipates that, by sharing these examination observations, it will assist registrants in assessing whether their compliance programs have weaknesses, particularly with respect to identifying applicable risks and ensuring that the firm’s compliance program encompasses all relevant business activities.
A CCO, either as a direct employee of a registrant or as a contractor or consultant, must be empowered with sufficient knowledge and authority to be effective. Each registrant is ultimately responsible for adopting and implementing an effective compliance program and is accountable for its own deficiencies.
Registrants, particularly those that use outsourced CCOs, may want to consider the issues identified in this Risk Alert to evaluate whether their business and compliance risks have been appropriately identified, that their policies and procedures are appropriately tailored in light of their business and associated risks, and that their CCO is sufficiently empowered within the organization to effectively perform his/her responsibilities.
A similarly cautious view is shared by Walter Ferstand, a consultant with NICE Actimize, a provider of compliance and risk management services. If the SEC targets companies for what it views as inadequately outsourced compliance services, small- and medium-sized businesses face a no-win situation, he says. “The reality for a lot of smaller organizations is that it is not organizationally or financially practical to bring someone in to serve as in-house CCO,” he says.
Outsourcing, Ferstand frets, can be viewed by regulators as “just throwing money at a problem” and not taking it seriously. Forcing companies “to choose somebody from within the organization who doesn’t have a compliance background and skill set, simply to avoid the impression that outsourcing gives, would be the entirely wrong incentive for regulators to give smaller firms.”
While hoping the alert isn’t viewed as a prohibition on outsourcing, Ed Petry, vice president of Advisory Services for NAVEX Global, thinks there is plenty of good advice. “We’ve seen situations where the outsourced CCO only communicates with the firm by e-mail or phone,” he says. “OCIE is saying that you really need to make sure there is going to be face-to-face interaction and that there is nobody in the firm who is screening or limiting their access to any documents they may need.” Also, if the outsourced staff is going to take charge of the program’s annual review, they need to be looking at more than just the documentation and make sure it is actually being followed.
Petry also appreciates the alert’s focus on risk assessment. “One thing we see, not just at financial firms but more broadly, is that risk assessments are too often done in a cookie-cutter fashion by checking the box on known risks,” he says. “That is contrary to what a risk assessment is supposed to be, which is proactive and looking for what you haven’t yet seen that needs to be addressed. You need to really know the business.” OCIE’s appropriate warning is to avoid outsourced CCOs “who are only looking at documents and not at business practices.”
Petry’s best advice is to not fully abdicate compliance responsibilities. “Even when you are outsourcing the entire compliance officer function, that doesn’t mean you have outsourced the entirety of your approach to ethics and compliance,” he says. “You still need to have somebody in the firm who is going to monitor the outsourced compliance function and make sure that all those things OCIE talks about are authoritatively implemented.”