For the past 15 years, I have been lecturing and writing on the critical role the chief compliance officer plays in RIA firms. It has become increasingly more apparent that the Securities and Exchange Commission’s position is that a firm must show it “owns” its compliance program.
What do I mean? A firm, at the commencement of an examination, must be able to demonstrate that the CCO has a thorough understanding of and access to the firm’s compliance functions, even if the firm outsources some portion of those functions. It cannot just rely on the third party — it must understand what the third party does, how those functions are completed, and make sure they are done in a compliant manner.
Note to advisory firms: You can’t blame compliance failures on your consultant during an exam. Such an excuse will fall on deaf regulatory ears, as it should.
In early November, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert addressed to investment advisors, private equity funds and hedge funds that outsource their chief compliance officers. The Risk Alert reminded them that Rule 206(4)-7 requires advisors to adopt policies and procedures reasonably designed to prevent violations of the federal securities laws and rules; to appoint a CCO to administer these policies; and to review these policies at least annually for their effectiveness.
What’s in a CCO?
The SEC has stated that a CCO should be “competent and knowledgeable regarding the Advisers Act and […] empowered with full responsibility and authority to develop and enforce appropriate policies and procedures for the firm [and] have a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.”