Third-party firms acting as chief compliance officers for advisors are falling short in a number of areas—including tailoring compliance practices to an advisory firm’s business—the Securities and Exchange Commission’s exam division warned Monday.

The SEC’s Office of Compliance Inspections and Examinations warned in a Monday Risk Alert that the growing trend in the investment management industry of outsourcing the compliance role to a third party, such as a consultant or law firm, is not without risk.

The exam division urges advisors employing outside compliance providers to be especially mindful of their obligations under the SEC’s compliance rules — Rule 206(4)-7 under the Investment Advisers Act of 1940 and Rule 38a-1 under the Investment Company Act of 1940 — and to assess whether the third party they’re using is complying with those rules.

OCIE staff, which conducted nearly 20 exams as part of its Outsourced CCO initiative, states that the risk alert should help advisors identify weaknesses in their own compliance programs.

Robert Grohowski, general counsel for the Investment Adviser Association in Washington, told ThinkAdvisor Monday that the SEC’s alert on third-party CCOs, which points to those that “were working well and others that were not,” provides “great lessons” not only for outsourced CCOs, but for internal CCOs as well.

The risk alert, Grohowski says, also “underscores” IAA’s concerns about the upcoming third-party audit rule for advisors that the SEC is currently drafting. For “any third-party program, you’d have to make sure that any third party is appropriately qualified to do the job and appropriately overseen by the SEC to make sure that you don’t run into the same types of compliance failures” that the SEC found during its outsourced CCO exams.

Below are five trouble areas OCIE staff found in advisory firms that used a third-party compliance firm:

  • Certain outsourced CCOs could not articulate the business or compliance risks of the registrant or, to the extent the risks were identified, whether the registrant had adopted written policies and procedures to mitigate or address those risks. In some instances, the risks described to the staff by the registrant’s principals were different from the risks described by the outsourced CCO.

  • Compliance manuals created by outsourced CCOs were not tailored to registrants’ businesses and practices and, thus, the compliance manuals that had been adopted contained policies and procedures that were not appropriate or applicable to the registrants’ businesses or practices.

  • Outsourced CCOs that have “impersonal interaction” with firms, such as via electronic communication or via a pre-defined checklist, lack an understanding of the registrant’s business. SEC staff found that third parties who frequently and personally interacted with advisory and fund employees appeared to have a better understanding of the registrants’ businesses, operations and risks, which resulted in fewer inconsistencies between the compliance policies and procedures and the registrants’ actual business practices. The staff also noted that these CCOs were typically able to effectuate compliance changes that they deemed to be necessary.

  • For the registrants examined, the outsourced CCOs observed a general lack of documentation evidencing the testing performed when conducting and documenting registrants’ annual reviews, which included testing for compliance with existing policies and procedures.

  • Certain outsourced CCOs infrequently visited registrants’ offices and conducted only limited reviews of documents or training on compliance-related matters while on-site. Such CCOs had limited visibility and prominence within the registrants’ organization, which appeared to result in the CCOs also having limited authority within the organization to, among other things, improve adherence to the registrants’ compliance policies and procedures.