There is no denying that third-party relationships require careful and ongoing compliance reviews. But what if your compliance functions—up to and including the CCO—are themselves outsourced?
The answer depends on what specific compliance initiatives are shuffled off to an outside vendor, why, and whether doing so affects a firm’s risk weighting and tolerance.
Does outsourcing compliance make your company better? Or does it run contrary to best practices and open new risks? Those are the questions regulators are asking.
In 2017, the Office of the Comptroller of the Currency issued this warning: “Banks may outsource some or all aspects of their compliance management systems to third parties, so long as banks monitor and ensure that third parties comply with current and subsequent changes to consumer laws and regulations.”
The Securities and Exchange Commission has also cast a critical eye upon outsourced compliance arrangements. In August 2017, it reached a settlement with a third-party chief compliance officer and the firms that retained him for filing incorrect and misleading data. It came to light that neither the outsourced CCO, nor the internal chief investment officer, took “sufficient steps to ascertain the accuracy” of those disclosures.
It is not the first or only time the SEC has sounded the alarm.
A 2015 risk alert issued by the Office of Compliance Inspections and Examinations noted that, faced with budget constraints and a shallow talent pool, financial firms were more frequently turning to external professionals to supplement—if not entirely run—their compliance programs. Updating firm policies and procedures, preparing regulatory filings, and conducting annual compliance reviews were among the services increasingly farmed out to external consultants and law firms.
As part of what it called the Outsourced CCO Initiative, OCIE evaluated these arrangements at nearly 20 firms. “Significant issues” were identified at registrants with an outsourced CCO who also served that role for multiple firms or that “did not have sufficient resources to perform compliance duties.”
Several of the examined outsourced CCOs, for example, used standardized, generic checklists that did not fully capture business models, practices, strategies, and compliance risks. Others infrequently visited registrants’ offices, conducted only limited reviews of documents and training on compliance-related matters while on-site, and had limited visibility into, and authority within, the organization.
“A CCO, either as a direct employee of a registrant or as a contractor or consultant, must be empowered with sufficient knowledge and authority to be effective,” the OCIE said, adding that a firm is ultimately “accountable for its own deficiencies.”
Although the risk alert was intended to nudge firms that outsource the role of CCO, by further clarifying a view of what a robust compliance program must exhibit, the SEC offered advice and potentially a safe harbor for less comprehensive arrangements.
“The SEC has not banned outsourced compliance in any way or said it is presumptively disfavored, but reading between the lines you get the feeling that, in an ideal world, it is not how they would like to have regulated entities go about things,” Jason Halper, a partner at Cadwalader, Wickersham & Taft, told Compliance Week when he was a partner at Orrick, Herrington & Sutcliffe in December 2015. “If you do delegate, you need to understand who the vendor is, their relationships with your company, and potential risks associated with that firm.”
There are, despite certain risks, aspects of a compliance program that do benefit from an external assist. A common use of third parties in this context is to help improve training programs. They can also facilitate employee “helplines” by impartially gathering and reporting employee concerns about workplace practices.
The view from consultants
ACA Compliance Group is a provider of governance, risk, and compliance advisory services. The firm was founded in 2002 by former SEC and state regulators and has since grown to more than 700 global employees.
“The purpose of the whole outsourcing platform is really to handle all the low-hanging fruit out there in terms of tasks for a compliance department,” says Jeremy Kopcsik, managing director of client development at ACA. “A typical client for us is a smaller department of five or fewer people. They just don’t have the bandwidth to deal with a lot of things. We take on these tasks for them, so they can then focus their attention on the more high-profile tasks they need to address internally.”
Among the increasingly in-demand services that might otherwise tax both internal manpower and expertise: social media reviews, e-mail surveillance, and marketing reviews. “There are compliance departments that have two or three dedicated individuals where all they do is review that firm’s marketing material, just a very time intensive task,” Kopcsik says.
Among the touted benefits of third-party compliance advisors is speed. “There’s no ramp-up time, there’s no training, there’s no implementation delay,” Kopcsik says, adding that “outsourcing allows firms to scale their compliance department” without the added costs and training that come with a new hire.
Guy Talarico sees third-party compliance services as a means to keep pace with the complex regulatory landscape that has constantly evolved since the 2008 recession and passage of the Dodd-Frank Act. He is founder and CEO of Alaric Compliance Services, a firm that provides outsourced compliance solutions for the financial services industry.
The firm provides outsourced CCOs in addition to preparing disclosures, firm monitoring and testing, and mock audits.
“The dust is still settling,” Talarico says, reciting an alphabet soup of domestic and international rules and issues firms must consider, from FCPA and FATCA to Brexit and GDPR. “It’s harder and harder to be an expert.”
“[The regulatory landscape] really is so diverse, and so complex, that unless you’re a JPMorgan with thousands and thousands of people in all kinds of specialized roles, you need to have outside support to effectively get these things done,” he adds. “Every day, there’s something in the news” for advisors to pay keen attention to.
In Talarico’s view, despite occasional risk warnings, the SEC has actually validated the value of outsourced compliance services.
“You often see, in enforcement actions, that the Commission requires firms to hire independent consultants as part of the remediation to fix what they found,” he says. “Even the SEC is explicitly dictating the hiring of third-party compliance, consulting firms to help registrants meet their demands.”
What are firms looking for as they consider these services? Among the attributes they seek: knowledge, experience, and interpersonal skills, the latter vital to ensure open lines of communication.
Firms, according to Talarico, also typically ask—or at least should—for specific details about the engagement. How much time are they going to spend on site? How will they interact electronically with the firm? Do they have the necessary resources?
“This has to work both ways. The [external] CCO has got to feel comfortable that the firm is being open and honest and giving them all they need,” he says. “They need to know that the firm is going to listen to them when they raise an issue, and management doesn’t just say, ‘Oh, don’t worry about it.’ You don’t want to be in that role.”