Fueled by an increasingly risk-averse regulatory environment, the compliance consulting industry has grown sharply in recent years. A number of consultants are turning to technology to quickly put a more scalable infrastructure in place and to better manage compliance programs on their clients' behalf.
With consultants looking for ways to manage growth and increased operational demands, compliance software is expected to gain much greater global adoption in the next few years. According to research firm MarketsandMarkets, the global market for GRC solutions is forecast to double from $15.98 billion USD in 2015 to $31.77 billion USD in 2020, with North America seeing the strongest growth.
But for now, most consultants continue to employ error-prone and inefficient manual methodologies for managing their clients' compliance programs. "Previously, like many compliance consultants, we relied on manual processes and spreadsheets," said Hardin Compliance Managing Director Jaqueline Hummel. "By automating compliance management, we can now aggregate and manage compliance data across our client base consistently, help team members collaborate more effectively, create an audit trail of who does what when, and minimize disruption should team members change."
The ability for consultants to effectively manage compliance, particularly across a diverse client base, is a challenge regulators acknowledge. In November, the Securities and Exchange Commission (SEC) issued a risk alert based on recent examinations of investment advisers and funds that outsource their chief compliance officers. SEC staff conducted nearly 20 examinations of firms with outsourced CCOs, and found their effectiveness depended on frequent communication with advisory personnel, devoting sufficient time and resources to performing their compliance duties, and receiving unfettered access to client records.
Conversely, outsourced CCOs who “infrequently” visited their clients’ offices and conducted “only limited reviews of documents or training on compliance-related matters while onsite” generally were less effective in implementing a robust compliance program. As this SEC alert suggests, compliance gatekeepers may increasingly find themselves in regulators' crosshairs, and will be held accountable for failing to uphold professional standards by ignoring compliance red flags.
In December, the SEC suspended five accountants and two audit firms for violating several compliance-related rules. SEC Director of the Division of Enforcement Andrew Ceresney said gatekeepers "... must be held responsible when systemic failures such as inadequate engagement procedures, staffing or supervision cause the firm's work to fall significantly short of expected standards."
Nevertheless, regulators often recommend outside consultants as a useful resource for helping firms manage their compliance programs or respond to a regulatory inquiry or deficiency. In a recent case against The Robare Group, a Houston-based investment advisor, judge James E. Grimes concluded that “employing a compliance professional and following his or her advice” met industry standards of due care.
The SEC alleged that the firm failed to provide adequate disclosure in its Form ADV, recommending mutual funds to clients without disclosing a conflict of interest. Charges were dismissed in part because the judge found that even experienced compliance professionals find it difficult to appropriately disclose conflicts of interest. The firm's principals conceded they did not have expertise in this area, and instead engaged experts to help draft their Form ADV. The judge acknowledged the difficulty in meeting the disclosure requirements, and credited the firm’s principals for seeking outside expertise.
Since enacting the so-called Compliance Rule (Rule 206(4)-7 of the Advisers Act) in 2004, the SEC has become increasingly aggressive in bringing enforcement actions against advisers for failure to comply. In 2014 alone, the SEC brought more than a dozen cases for failure to comply with the Rule, and 2015 saw at least as many cases. The uptick in settlement orders alleging violations of the Rule indicates the SEC’s willingness to punish advisers for being negligent in establishing what the Commission views as appropriate internal controls and procedures.
Defendants in many cases that come to light are required to hire an independent compliance consultant (“ICC”) that is "acceptable" to the regulatory body involved in the case. Among the criteria regulators use in determining the abilities of an ICC are its independence, its expertise and its resources.
Against this backdrop, the compliance consulting industry has seen dramatic growth in recent years. Many clients engage consultants for expert ad hoc support, while others hire consultants to serve as their CCO. Some consultants are brought in as a defensive measure after a breach has occurred or in reaction to a regulatory inquiry, deficiency letter or remedial sanction.
On the other hand, many financial firms use consultants to help them manage compliance proactively, for instance, to help them register for the first time in their state, or to help them transition between state and federal registration. Additionally, firms use consultants to supplement their staff to perform tasks such as testing and monitoring of policies and procedures, making regulatory filings, performing advertising reviews, updating required documents and procedures, conducting mock audits, preparing annual reviews and evaluating the firm's cyber-security program.
Relatively new to the compliance consulting space is a breed of technology tools that enable consultants to help their clients implement and maintain compliance controls, manage risk consistently across their client base, and thereby run their practices more effectively.
These more advanced software tools deliver an enterprise view of compliance tasks, such as testing, staff certifications and risk assessments, to help consultants manage their clients' compliance programs more easily and effectively. Some feature a dynamic dashboard that allows consultants to instantly toggle between client views, and a secure online portal with centralized activity management. Automated reminders can be routed and time-stamped to serve as an audit trail of actions taken, when and by whom.
The software helps consultants (1) standardize the documentation of testing a firm’s policies and procedures; (2) produce reports evidencing their reviews quickly and easily; and (3) prioritize their work with automated reminders of upcoming tests and regulatory deadlines. It also allows consulting firms to view the status across their clients’ compliance programs using a customizable dashboard.
Hardin has changed its service model over the last three years to a team-based approach to provide better coverage for its clients. If one consultant is unavailable, another can immediately step in. Hardin's new team-based model led the firm to seek an integrated software solution to facilitate data centralization, workflow collaboration and process consistency. Through automation, the firm can now share rich historical insight with customizable audit-ready reports whenever a team member, client or regulator requests it.
Particularly when it comes to the sensitive duty of managing compliance, consultants are facing increased regulatory scrutiny. The question of where they house client data may eventually be held to the same professional standards, such as SSAE 16, that other service providers must meet. Expertise in application development, business continuity and security standards falls outside of most compliance consultants' core capabilities. Consultants face significant unintended risks when attempting to develop and manage software internally, including poor source code management, quality control and infrastructure support.
Hardin found very few options when it came to their unique automation requirements as a compliance consultant. Said Hummel: "Relying on software developed by specialists in this space was a faster, easier and less risky way for us to scale capacity to handle multiple compliance programs while keeping our focus on what we do best."
Retention of a lawyer, auditor, compliance consultant or any other third-party provider equipped with the latest software will not absolve a firm should a deficiency arise. But technology tools enable consultants to play better defense by identifying problems before they metastasize. They put compliance gatekeepers in a better offensive position, showing regulators they are actively invested in safeguarding clients. Moreover, they put consultants in a stronger position vis-à-vis competitors as financial firms make proactive compliance management a higher priority by using the best technology-enhanced tools the market has to offer.
Carlos Guillen is president and CEO of BasisCode Compliance.
SSAE 16, Statements on Standards for Attestation Engagements No. 16, is a professional attestation and set of standards used for reporting on controls at service organizations, one part of the American Institute of Certified Public Accountants' Service Organization Control (SOC) reporting framework.