Outsourced CCOs, Back Under the Microscope
A recent dispatch from the SEC's OCIE highlighted concerns about the rise of outsourced compliance chiefs.

The SEC's Office of Compliance Inspections and Examinations (OCIE) doesn't exactly make a lot of news. With such a colorful name, it competes with the Internal Revenue Service (IRS) for enthusiasm among government entities ... and, well, generally not much more.
However, its National Exam Program occasionally pushes out studies designed to raise some eyebrows, and this week produced one: A short-but-sweet note examined the rise of outsourced chief compliance officer (CCO) functions among smaller buy-side shops.
The outsourced CCO isn't anything new. You could probably say it really hit the big-time around 2011 or so, in the aftermath of the Bernie Madoff scandal.
In that year, Charles Schwab's Benchmarking Study for RIAs found that 38 percent of surveyed firms use such a service. Since then it has hovered around a third.
When the option first began gaining traction in the early 2000s after heightened compliance requirements came into force, Lori Richards, then OCIE director, emphasized the need for CCOs to have “intimate knowledge” of the firm’s operations in order to administer an effective compliance program.
"It would therefore be logical to infer that a reasonable amount of time would have to be spent not only overseeing the structure of the compliance program but its implementation as well," she said in a 2004 speech. "Because of this, I am wary about whether a compliance ‘rent-a-cop’ could really be up to the task.”
Custom Tailoring
Richards, in no small irony, left the agency in 2009 following criticism of OCIE's (lacking) oversight in the run-up to Madoff.
But a general sense of worry over outsourced compliance remains today.
This week's note observed, for example, that "certain outsourced CCOs," when asked, "could not articulate the business or compliance risks of the registrant [RIA or investment firm] or, to the extent the risks were identified, whether the registrant had adopted written policies and procedures to mitigate or address those risks. In some instances, the risks described to the staff by the registrant’s principals were different than the risks described by the outsourced CCO."
Not good. In addition to these flaws, OCIE's staff broadly identified "several areas" where registrants did not appear to have tailored policies, procedures or disclosure requirements in place as part of their outsourcing agreement.
And unsurprisingly, a number of these highlighted areas are technology related. To wit (bold added):
- Critical areas were not identified, and thus certain compliance policies and procedures were not adopted, such as reviewing third-party managers hired to manage client money, or safeguarding client information.
- Policies were adopted, but were not applicable to the advisers’ businesses and operations, such as: monitoring of account performance composites when in practice the adviser did not monitor composites because it did not advertise performance; collecting management fees quarterly in advance when in practice clients were billed monthly in arrears; and referencing departed employees as responsible parties in performing compliance reviews or monitoring.
- Critical control procedures were not performed, or not performed as described, including: oversight of private fund fee and expense allocations; reviews of solicitation activities for compliance with the Advisers Act; trade allocation reviews for fairness of side-by-side management of client accounts with proprietary accounts; oversight of performance advertising and marketing; personal trading reviews of all access persons; and controls over trade reconciliations.
A Sector Problem?
Now, it's a fair question to ask whether these "certain weaknesses", as the note described them, are directly attributable to the outsourced CCO phenomenon, or if the level of compliance among RIAs and smaller investment shops is simply still lacking — and, perhaps, if the level of understanding around those expectations is lacking as well. Is this a model problem, or a sector problem?
Keep in mind, Peter Madoff — Bernie's compliance chief — was as close to Bernie as possible; he was family, after all.
And these things aren't black-and-white issues. Oversight of trade reconciliation can prove tricky even for in-house compliance, depending on the asset class. The definition of prop trading continues to change. Troubles related to fees and the publishing of performance numbers — while less complicated or excusable — still happen frequently. And as for "safeguarding client information", we all know how much of a priority and challenge that's become in the cyber-crime era.
Next Time
Given the non-differentiating costs associated with operating a financial services firm at this point, one would think it doubtful that compliance will come back in-house after it's already left. Improved effort on the part of both firms and their services providers alike could be the answer, rather than changing the model.
But the next time a Madoff-type event happens, it may not be the culprit's brother sitting in the CCO chair, so much as someone at a much larger entity, flying blind.
And it could well have to do more with technical ignorance than a Ponzi scheme — or even one contributing to the other.