The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations on Nov. 9 issued a risk alert to registered funds and investment advisers about outsourcing the role of chief compliance officer or other compliance activities. The alert reinforces previous staff warnings and recent enforcement activity focused on funds or advisers that outsource one or more compliance obligations. Asset managers that choose to outsource this statutorily required function must ensure that the outsourced CCO has enough time, resources, knowledge, authority, and understanding of the business to administer an effective compliance program.
In its most recent alert, OCIE presents observations — drawn from its examination of registrants — that all funds and advisers should consider including in their Rule 206(4)-7 and 38a-1 compliance programs.
The risk-assessment process should be tailored to correctly identify risks inherent in each registrant’s business activities. OCIE specifically warns against using standardized checklists or questionnaires, which are likely to omit risks presented by a registrant’s unique conflicts and business model.
This guidance has been a consistent point of emphasis during OCIE’s examinations of registered funds’ and advisers’ compliance programs. In addition, the commission’s Dec. 17, 2003, release on its final rule about compliance programs of funds and advisers states that “in designing its policies and procedures, [registrants] should first identify conflicts and other compliance factors creating risk exposure for the firm and its clients in light of the firm’s particular operations, and then design policies and procedures that address those risks.” The commission staff has emphasized and clarified this expectation in formal guidance and several speeches (including by the OCIE director and associate director): “Proactive” risk assessments should be the “basis for developing compliance policies and procedures” and should be re-evaluated to include “new, evolving, or resurgent risks.” This emphasis underscores OCIE’s expectation that firms identify risks through formal, tailored assessments, which will best position firms to implement mitigating policies and procedures pursuant to regulatory requirements.
The commission has made it clear that it expects to see evidence of tailored risk assessments during examination. The sample adviser-examination request for information includes “[an] inventory of compliance risks that forms the basis for policies and procedures” and “written guidance regarding compliance risk assessment process and procedures to mitigate and manage compliance risks.” In a recent enforcement action, the commission cited failure to conduct periodic risk assessments as a supporting factor.
Policies and Procedures
After a risk-assessment process identifies conflicts and risks specific to each registrant’s business, funds and advisers should develop and implement policies and procedures reasonably designed to eliminate or reduce the impact of each risk. The risk alert notes a direct relationship between the use of checklists or template questionnaires in developing policies and procedures and weak, inapplicable, or inadequate compliance controls. This alert, together with recent staff guidance and enforcement actions (including against a mutual-fund adviser and private fund adviser), indicates continued emphasis on effective policies and procedures.
To help demonstrate compliance and facilitate future reviews, firms should document annual compliance reviews even though current rules — namely, 206(4)-7 and 38a-1 — do not require documentation. The risk alert notes that these reviews are more effective when the leader of the review (typically the CCO) maintains an active, on-site presence.
Finally, the risk alert emphasizes that CCOs must be amply equipped, supported, informed, and empowered to administer compliance functions. In response to recent enforcement actions regarding ineffectual CCOs (notably against a mutual-fund adviser), Commissioner Luis Aguilar emphasized that funds and advisers must support their CCOs to establish “a robust and enduring culture of compliance.” Other guidance has reassured compliance employees that they are not liable if they perform their duties in good faith.
How Promontory Can Help
Promontory helps regulated entities, including investment companies and investment advisers, understand their compliance obligations. Please call us to discuss the SEC’s alert and how registrants should review their compliance programs in light of this guidance. For more information, please contact:
Managing Director, Washington, D.C.
+1 202 370 0461
Director, Washington, D.C.
+1 202 384 3508
Director, Washington, D.C.
+1 202 384 0397