Advisory firms that have outsourced their compliance programs may need to double check to ensure their providers are actually covering everything.
The Securities and Exchange Commission recently conducted 20 examinations to discover if outsourced compliance programs performed as well as in-house services. And while the regulator found some third-party providers were effective in administering a dedicated compliance program, some had serious flaws stemming from standardization and lack of authority to implement changes.
In a reported issued Monday, SEC staff found that many of these providers use standardized checklists to gather information regarding registered investment advisors. But in some cases, these proved too generic and did not appear to fully capture the business model, strategies and applicable compliance risks.
“Critical areas were not identified, and thus certain compliance policies and procedures were not adopted, such as reviewing third-party managers hired to manage client money or safeguarding client information,” the report stated.
Additionally, the staff found that while many of the outsourced compliance programs were cited as responsible for conducting and documenting annual reviews—which included testing for compliance with existing policies and procedures—there was a general lack of documentation or evidence of the testing.
Overall, several of the firms examined “did not appear to have the policies, procedures, or disclosures in place necessary to address all of the conflicts of interest identified by the staff,” the report stated. These issues ranged from compensation practices, portfolio valuation and securities transactions.
The staff also noted that some of the outsourced compliance providers rarely visited RIAs’ offices and conducted only limited on-site document reviews or compliance training. Because of the limited interaction, the staff concluded the providers did not have much authority to improve employees’ adherence to the firm’s compliance policies and procedures. These providers also had little authority to implement important changes, such as disclosures around advisory fees.
“A chief compliance officer, either as a direct employee of a registrant or as a contractor or consultant, must be empowered with sufficient knowledge and authority to be effective,” the report stated. “Each registrant is ultimately responsible for adopting and implementing an effective compliance program and is accountable for its own deficiencies.”