The SEC has indicated it expects advisors to take control of even outsourced compliance functions. (Illustration: Greg Mably/The Ispot.com)

For the past 15 years, I have been lecturing and writing on the critical role the chief compliance officer plays in RIA firms. It has become increasingly apparent that the Securities and Exchange Commission’s position is that a firm must show it “owns” its compliance program.

What do I mean? A firm, at the commencement of an examination, must be able to demonstrate that the CCO has a thorough understanding of and access to the firm’s compliance functions, even if the firm outsources some portion of those functions. It cannot just rely on the third party; it must understand what the third party does and how those functions are completed, and make sure they are done in a compliant manner.

Note to advisory firms: You can’t blame compliance failures on your consultant during an exam. Such an excuse will fall on deaf regulatory ears, as it should.

In early November, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert addressed to investment advisors, private equity funds and hedge funds that outsource their chief compliance officers. The Risk Alert reminded them that Rule 206(4)-7 requires advisors to adopt policies and procedures reasonably designed to prevent violations of the federal securities laws and rules; to appoint a CCO to administer these policies; and to review these policies at least annually for their effectiveness.

What’s in a CCO?

The SEC has stated that a CCO should be “competent and knowledgeable regarding the Advisers Act and […] empowered with full responsibility and authority to develop and enforce appropriate policies and procedures for the firm [and] have a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.”

According to a 2011 study by Charles Schwab cited within the SEC’s Risk Alert, 38% of investment advisors outsource some aspect of their compliance function. With all the additional regulation and red tape in the investment management industry, the recent rise in enforcement actions and the ultra-aggressive tenor taken by the SEC against investment advisors, can you really blame these firms and funds for wanting to rely on experts instead of having to provide a nice compensation package to a fully qualified CCO? Does your firm really want someone in senior management spending their valuable time on compliance, instead of focusing on developing and maintaining new client relationships?

Unfortunately, many of the functions of a CCO are administrative. The monotony that comes with being a CCO includes filing Form U4 amendments, circulating acknowledgements of the firm’s policies, reviewing emails, updating Form ADV and Form PF, and reviewing aggregate discretionary assets for 13F and 13H purposes. Small to mid-sized advisors generally don’t want to hire an additional employee who is knowledgeable in the Advisers Act but is otherwise not a “producer.” Larger advisors will occasionally outsource certain functions to ensure an independent and knowledgeable third party is handling important aspects of their compliance department.

The takeaway from the Risk Alert is that the old saying rings true: “You get what you pay for.” Firms that used compliance consultants or interactive electronic programs with infrequent communication often had more inconsistencies between their policies and procedures and their actual business practices. Firms that relied on standard templates to conduct risk assessments often ended up with deficient compliance programs. Before you trust your compliance department to a robo-compliance program, think twice. Although you will pay more for hands-on, knowledgeable assistance, it will prevent later headaches when the SEC shows up.

The prudent solution is for your CCO to have a thorough understanding of what is and — more importantly — is not required of the firm, rather than undertaking a multitude of repetitive tasks via most consultants’ “one size fits no one” approach. That is the only way to truly “own” your compliance.
