The SEC’s Office of Compliance Inspections and Examinations issued a Risk Alert after conducting a series of examinations focused on the use of outsourced CCO by registered investment advisers and funds. In the examinations, OCIE found that effective outsourced CCOs had “regular, often in-person, communication between the CCOs and the registrants; strong relationships established between the CCOs and the registrants; sufficient registrant support of the CCOs; sufficient CCO access to registrants’ documents and information; and CCO knowledge about the regulatory requirements and the registrants’ business.”
However, according to OCIE, certain outsourced CCOs that participated in the examinations “could not articulate the business or compliance risks of the registrant or, to the extent the risks were identified, whether the registrant had adopted written policies and procedures to mitigate or address those risks.” Additionally, OCIE suggested that while standardized checklists and questionnaires used by some of the outsourced CCOs may be a helpful starting point, they “did not appear to fully capture the business models, practices, strategies, and compliance risks that were applicable to the registrant” and sometimes contained incorrect or inconsistent information. The examiners also found several instances where registrants lacked sufficient policies, procedures, or disclosures for “critical areas” including “compensation practices, portfolio valuation, brokerage and execution, and personal securities transactions by access persons.”
The Risk Alert noted a number of issues with some of the registrants’ policies and procedures, including that the policies and procedures were not tailored to their business or practices and did not identify relevant critical areas for review, incorrectly described business practices, or named individuals as responsible for certain areas that were no longer employed by the registrant. OCIE also found that several registrants did not complete practices required by regulation or those required by the registrant’s policies and procedures.
In conjunction with the required annual compliance review, the Risk Alert noted a “general lack of documentation evidencing the testing” of compliance. Several CCOs at examined registrants only infrequently visited the registrant’s offices and had “limited visibility and prominence” and thus limited authority to improve compliance and implement change. The Risk Alert stressed that a CCO “must be empowered with sufficient knowledge and authority to be effective” and that “[e]ach registrant is ultimately responsible for adopting and implementing an effective compliance program and is accountable for its own deficiencies.”