Today, we offer our “Friday List,” an occasional feature summarizing a topic significant to investment management professionals interested in regulatory issues. Our Friday Lists are an expanded “Our Take” on a particular subject, offering our unique (and sometimes controversial) perspective on an industry topic.
Over the last several years, an increasing number of investment management firms have chosen to outsource the Chief Compliance Officer role and associated compliance function. In our experience, these firms make this decision for rational business reasons based on an assessment that outsourcing the compliance function is better than hiring a full-time employee. Usually, firms consider outsourcing because of an external event such as a less-than-perfect SEC exam or an institutional due diligence process that suggests unknown weaknesses. Some firms decide to outsource after yet another internal CCO changes jobs. Other times, firm management simply gets frustrated with the inherent limitations of the one internal compliance person. Regardless, we list below the top 10 reasons investment firms should outsource the CCO role and compliance function rather than hire an in-house employee.
10 Reasons Outsourcing Compliance Beats Hiring an In-House CCO
1. Experience: A team of professionals can draw on decades of aggregate compliance experience to address a firm’s regulatory challenges.
2. Knowledge: No one person can provide the depth of knowledge of several compliance professionals working collaboratively.
3. Independence: A third-party firm offers investors and other stakeholders an independent assessment of a firm’s compliance strengths and weaknesses.
4. Industry best practices: A multi-person team working with multiple clients across the country has the industry vision to inform the compliance program.
5. Accountability: A compliance firm stands behind its work and advice with a service level agreement and professional liability insurance.
6. 24/7/365 support: A person may take PTO, but a team of professionals is available at all times for any emergency, including unplanned client due diligence and SEC exams.
7. Personal liability: Serving as CCO involves significant personal liability, which is better left to professionals who understand and accept the regulatory and career implications.
8. Frees up internal resources: Internal personnel can focus on core activities such as portfolio management and fund-raising.
9. Management: Senior managers can avoid the confusing and time-consuming process of hiring, retaining, and managing an internal CCO, only to start the process anew in the event the CCO leaves.
10. Cost savings: Because of program efficiencies, outsourcing generally costs less than hiring a full-time employee.
It is unclear how much due diligence is enough, but an investment that promises a 1000% return likely requires more than a few phone calls. When financial professionals recommend a losing investment, they bear the burden of proving that their recommendations and due diligence satisfied their fiduciary and/or suitability obligations.
As firms implement FinTech and RegTech, they cannot simply set it and forget it. Compliance, operations, and IT personnel must work together in real time to ensure that systems reflect current regulatory requirements. Technology is a great tool, but it is not the complete answer to regulatory compliance.
FINRA censured and fined a broker-dealer for inadequate email reviews. Although the firm, through its President/CCO, conducted weekly reviews, FINRA charges that the firm’s random sampling and lexicon-based reviews were not sufficient given the firm’s size and risk areas. The firm used 24 search terms provided by its email provider, but FINRA asserts that the search terms did not reflect a meaningful assessment of risk areas and resulted in a large number of false positives. FINRA faults the firm for failing to change the email reviews “[d]espite the obvious indications that the firm’s lexicon system was not reasonably designed.” FINRA also criticizes the firm’s Written Supervisory Procedures for omitting specific email review procedures.
Just doing email reviews isn’t enough. A firm must conduct effective email reviews that can statistically assess whether supervised persons are complying with the securities laws. We call this “compliance alchemy,” i.e., the appearance of compliance without the implementation of adequate procedures and testing.
The SEC’s Office of Compliance Inspections and Examinations has published a Risk Alert calling out advisers and broker-dealers for their failures to protect personal information. Based on deficiencies identified over the last 2 years, the SEC found failures related to privacy notices, policies and procedures, and physical safeguards. The SEC faulted registrants for failing to deliver initial and annual privacy notices or for delivering notices that did not accurately reflect policies and procedures.
The SEC found firms that completely failed to adopt policies and procedures by simply restating the Safeguards Rule. Other firms either adopted weak policies and procedures or failed to properly implement them. Some common deficiencies included unsecured laptops, unencrypted emails, inadequate training, insufficient control of third-party vendors, inadequate incident response plans, and shared login credentials.
OCIE states that the Risk Alert is intended “to assist advisers and broker-dealers in providing compliant privacy and opt-out notices, and in adopting and implementing effective policies and procedures for safeguarding customer records and information.”
Compli-pros should ensure the annual testing program includes the privacy notice process and the implementation of policies and procedures to avoid the highlighted issues. It may make sense to combine the testing with the required cybersecurity assessment.
The SEC charged an unregistered day trader for lying about his trading success and misappropriating client funds. The defendant convinced clients to hire him by asserting that he had done very well as a day trader over several years and then promised over 50% annualized returns. Once retained, the trader did very poorly and siphoned client assets for personal expenses. According to the SEC, he then concealed his misconduct by delivering false account statements and implementing a microcap wash sale scheme. The defendant also faces criminal charges brought by the U.S. Attorney’s Office for the Eastern District of New York.
Lying about your investment track record constitutes securities fraud, subjecting you to civil and criminal penalties. Do not make performance claims unless you can affirmatively support your claims with hard data.
Corporate executives cannot avoid accountability by claiming that they were just following orders. The SEC has maintained that senior executives have a duty to investors and the markets to stop financial wrongdoing at the companies they steward. Once charged, the SEC will often use its leverage to encourage cooperation in cases against others in the C-Suite.
Although the SEC does not have criminal prosecution powers, it has the discretion to refer matters to the U.S. Attorney once it uncovers securities wrongdoing. If the DoJ can make a federal criminal case because of fraud or theft, an investment adviser can end up a guest of the state for several years.
Fund managers that engage in selling efforts must register as broker-dealers unless they can take advantage of the issuer exemption (Rule 3a4-1), which prohibits the receipt of specific transaction-based compensation.