SEC Examines Efficiency of Outsourced CCO’s

SEC releases results of examinations on 20 investment advisers that outsource compliance activities to consultants. The study, conducted by the Office of Compliance Inspections and Examinations ( OCIE ), offers insight to effective practices when outsourcing compliance activities.


“The Compliance Rules”: Rule 206(4)-7 and Rule 38a-1 under the Investment act of 1940 | Adopt > Designate > Review

  • Adopt and implement written policies and procedures reasonably designed to prevent violations by advisers

  • Designate an individual, a CCO, to be responsible for administering the policies and procedures

  • Review policies and procedures regularly for adequacy and effectiveness, and  prepare a written report for the fund’s board  

CCO’s should have sufficient seniority and authority to compel others to adhere to the compliance policies and procedures. 

Series 24 general securities principal

Types of tasks handled by Outsourced Compliance Officers and CCO’s :

CCO’s perform key compliance responsibilities such as; updating firm policies and procedures, preparing regulatory filings, and conducting annual compliance reviews.

Applicable license: Series 24 | General Securities Principal Exam.

Focus of OCIE staff examinations on advisers with outsourced compliance consultants:

Evaluate the effectiveness of compliance programs administered by outsourced CCO’s by questioning;

  • Are compliance risks appropriately identified, mitigated, and managed?
  • Does the compliance program reasonably prevent, detect, and address violations?
  • Is the program supported with open communication between service providers and in-house supervisors?
  • Is the compliance program proactive rather than reactive?
  • Does the outsourced CCO have sufficient authority to influence adherence to policy?

OCIE staff observed effective outsourced CCO’s regularly visit in-person with advisers, build strong relationships between CCO’s and registrants, have sufficient access to registrants documents, and are knowledgeable about the registrants business and regulatory requirements.

Deficiencies were noted where the outsourced CCO; did not independently obtain records necessary for conducting reviews,  served numerous firms but didn’t have sufficient resources to perform all the duties necessary, and rarely interacted in-person with the advisory practice and its employees.

Standardized Checklists: 

Often times outsourced CCO’s use standardized checklists to gather pertinent information about registrants. While use of checklists is helpful, some checklists are too standardized and don’t fully capture the business model, practices, strategies, and risks. Other times checklists are filled out incorrectly or deficient and the problems are never addressed. 

Policies and Procedures: 

At a minimum, compliance programs need to address 10 core areas

  • Portfolio Management Processes
  • Accuracy of Disclosure to Investors, Clients, and Regulators
  • Proprietary Trading
  • Safeguarding Client Assets
  • Creation and Retention of required Records
  • Privacy Protection of Client Records
  • Trading Practices
  • Marketing Advisory Services
  • Process for Valuation of Client Holdings and Fees Assessment
  • Business Continuity Plan

The OCIE found instances where compliance policies and procedures were not followed, or were not consistent with procedures outlined in the compliance manual. Additionally, compliance manuals in some instances were poorly tailored to registrants business. 

Annual Review of Compliance:

Where annual reviews were outsourced to CCO’s, the OCIE observed a lack of documentation related to testing and reviews. Incidences are significantly higher where outsourced CCO’s rarely visited  offices in person. Limited visibility was found to lead to limited authority and a decline in adherence to policies and procedures. 


CCO’s whether outsourced or a direct employee must be empowered with sufficient knowledge, authority, and access to be effective. Each registrant is responsible for adopting and implementing an effective compliance program, thus advisers using outsourced CCOs beware, the registrant retains responsibility for deficient and ineffective compliance programs.  

Read the Risk Alert issued November 9 2015



RND Resources Inc has over 30 years experience handling compliance for registered investment advisers. At RND we customize programs to fit your firms needs, not the other way around. We offer a full suite of compliance and registration support for RIA’s including; examination and testing, surprise custody exams, mock audits, and every day tasks like registration and marketing review.

Download our Registered Investment Advisers services brochure for more details.

For a fixed fee quote on consulting and outsourced compliance officer services specific to your firm email us.


0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *