The Securities and Exchange Commission warned financial advisers Monday not to "set it and forget it" when outsourcing compliance functions.
In about 20 examinations of advisers who use third-party compliance firms, the SEC found that outside compliance officers sometimes were left in the dark about a firm's business practices, did not have access to its documents and did not communicate regularly with its principals.
“A [chief compliance officer], either as a direct employee of a registrant or as a contractor or consultant, must be empowered with sufficient knowledge and authority to be effective,” an SEC risk alert states. “Each registrant is ultimately responsible for adopting and implementing an effective compliance program and is accountable for its own deficiencies.”
The SEC cautioned that firms that outsourced their CCO function to a third party sometimes didn't have an understanding of their own potential compliance shortcomings. The agency also said certain outsourced CCOs “could not articulate the business or compliance risks of the registrant or, to the extent the risks were identified, whether the registrant had adopted written policies and procedures to mitigate or address the risks.”
Chip Arvantides, executive vice president of FrontLine Compliance, whose firm creates customized compliance programs but does not act as CCO on an outsourced basis, said the function is best housed inside an advisory operation with the backing of the firm's leadership.
“They have to have the ability to effect change and work directly with senior management to do that,” he said. “This is a very strong message to firms that they need to be wary of outsourced CCOs. Firms need to take the time to understand what the CCO role should be.”
The SEC also criticized outsourced CCOs' use of “standardized checklists” to obtain information from advisory firms, and advisory firms' use of outsourced compliance templates that were not tailored specifically to the firm.
A consulting firm that provide compliance services welcomed the standards outlined by the SEC in its risk alert.
“We don't think you can execute compliance without a lot of face-to-face communication,” said Todd Cipperman, principal at Cipperman Compliance Services. “You can't run compliance with a template and form documents.”
Mr. Cipperman said his firm avoids clients that want to simply sign away compliance responsibilities.
“We've been engaged with firms that have not bought into those kind of [SEC] criteria, and we have resigned,” Mr. Cipperman said.
The SEC relies on compliance officers to enforce securities laws and regulations, Andrew Ceresney, the SEC's enforcement director, said in a speech last week.
“We will do all we can to help you perform your work,” Mr. Ceresney said in a speech last Wednesday to the National Society of Compliance Professionals in Washington. “I do not want you to be concerned that by engaging in good faith judgments, you will somehow be exposed to liability.”