The role of compliance in a regulated shop, and the allocation of responsibility between the compliance function and senior management, continues to be an active topic at the SEC. Recently, guidance on the CCO function, and particularly its outsourcing, was provided in an SEC Risk Alert. First, the alert underscores general expectations of the compliance function, including that the CCO must be “empowered” and “competent and knowledgeable.” It also highlights the need for “meaningful risk assessments.” In this regard, the SEC is explicitly adopting a page from bank regulatory requirements. All financial regulators now clearly state that compliance starts with the correct identification of business and regulatory risks -- a requirement that has been the cornerstone of compliance programs for many years.
While the alert holds open the possibility that advisers can outsource their CCO and still satisfy their regulatory responsibilities, it clearly indicates that care must be taken. The SEC noted that the firms where an outsourcing program was effective generally had regular, often in-person, communication sufficient to establish strong relationships; sufficient internal support for the CCO; sufficient CCO access to documents and information; and a CCO knowledgeable about both the regulatory requirements and the registrant's business.
Of course, the main purpose of the alert was to highlight problems noted with the outsource practice – especially where a CCO had “limited visibility and prominence” or limited authority. (Incidentally, these concerns – and the list we provide below – could just as easily apply to an in-house CCO.) The SEC criticized outsourced CCOs who could not adequately describe the business and its risks, or whose views on firm matters differed from the views of firm management. Even worse, some CCOs were unable to state whether or not there were policies and procedures in place to mitigate risks; some policies and procedures were created using templates that were not tailored to firm business; and in some cases policies and procedures existed but were not being followed. Additionally, the SEC criticized a lack of training, a lack of documentation evidencing testing, and other shortcomings.
The SEC is actively sending a message that the CCO is an important management/leadership role. Maybe it can be outsourced, but the bar has been set and key requirements – outsourced or not – are summarized in this risk alert. What remains to be seen is whether the outsourced model can really survive this level of scrutiny. The next nail in the outsourced model may arise with the adoption of FinCEN’s proposed regulations requiring a dedicated AML officer.