OCIE recently released a National Exam Program (NEP) Risk Alert on Outsourced CCOs. The trend in outsourcing certain compliance activities and even the role of CCO continues to grow as the industry seeks new ways to increase efficiencies. OCIE has long warned of the risks associated with outsourced CCOs and followed this with targeted exams of 20 firms with outsourced CCOs. Although no exact numbers were provided in the Risk Alert, examiners found that most of the firms they reviewed that used outsourced CCOs were not in compliance with Rule 206(4)-7, the Compliance Rule.
Specifically, OCIE noted the following weaknesses in firms with outsourced CCOs:
1. Lack of communication, resources, and empowerment of the CCO was a challenge for many of the outsourced CCOs: infrequent onsite visits, multiple responsibilities as CCO for several unaffiliated entities, and a lack of authority to take action and enforce compliance within the firms resulted in weak compliance programs with little direct oversight.
2. Standardized Checklists utilized by many of the outsourced CCOs were inadequate in identifying the relevant risks within the firms examined. The checklists did not account for specific business models, practices or strategies applicable to the registrants.
3. Conflicts of Interest were not properly addressed in written policies, procedures, and disclosures since many of the outsourced CCOs did not have a good understanding of all of the actual or potential conflicts within the firms.
4. Actual practice not matching written policies was observed more in the outsourced CCO firms even when the outsourced CCO was the one responsible for conducting the reviews of the operational area. Examples included solicitor activities under Rule 206(4)-3 and review of employee emails.
5. Boilerplate compliance manuals were found in many of the firms with outsourced CCOs. The written policies were not customized to firm business practices and either contained policies not applicable to the firm or did not address specific areas of risk for the firm.
6. Inadequate Annual Reviews were found in several of the outsourced CCO firms due to the lack of testing and documentation of oversight practices.
The Risk Alert and SEC findings are specific to firms that utilize outsourced CCOs, not firms that outsource specific compliance functions to third parties and directly employ an in-house CCO. The SEC recognizes the need for outside assistance to maintain an effective compliance program. However, firms should carefully consider the use of an outsourced CCO based on the risks identified by the SEC.