Why an outsourced chief compliance officer isn’t the answer for your RIA firm

Feb 14, 2023

While RIA firms with outsourced chief compliance officers are not meeting SEC expectations, compliance teams can nevertheless save time and money by outsourcing compliance tasks.

As the regulatory landscape for financial advisory firms becomes increasingly complex, many firms are turning to outsourcing as a way to manage their compliance obligations. After all, compliance can be time-consuming and tedious, especially for smaller firms whose chief compliance officer (CCO) is wearing several hats.

However, while outsourcing certain compliance tasks can be a cost-effective solution, it is important to understand the risks and limitations of out-of-house compliance, as well as potential limitations proposed by the Securities and Exchange Commission (SEC).

The SEC has recently shed more light on how registered investment advisers (RIAs) should approach outsourced compliance tasks while keeping within regulatory guidelines. Read on to learn more about what they said and how you can keep your firm compliant.

Outsourced chief compliance officer: What to know

One of the most important things to understand is that, functionally, financial advisory firms cannot outsource the role of Chief Compliance Officer (CCO). However, this doesn’t mean you necessarily need to hire a CCO dedicated solely to the compliance function. In fact, more than 95% of RIAs with less than $100 million in assets under management (AUM) have a CCO who pulls double-duty for the firm.

The CCO is ultimately responsible for ensuring the firm is in compliance with all applicable laws and regulations and, as such, must be an employee of your firm – not an external consultant. However, the CCO can indeed outsource certain tasks related to compliance.

In October 2022, the SEC proposed new oversight for advisory firms which outsource certain services. SEC Chair Gary Gensler explains, “When an investment adviser outsources work to third parties, it may lower the adviser’s costs, but it does not change an adviser’s core obligations to its clients. Thus, today’s proposal specifies requirements for investment advisers designed to ensure that advisers’ outsourcing is consistent with their obligations to clients.” The proposed regulation would require advisers to carry out and document due diligence of third-party companies, plus conduct regular monitoring.

The SEC’s proposal for outsourced services

National Regulatory Services (NRS) – which is also owned by our parent company COMPLY – released a statement in response to the SEC’s proposal, arguing third-party compliance servicers do not present a conflict of interest to clients.

“The SEC already has examination and enforcement powers to identify and call attention to the need for advisers to conduct regular and meaningful reviews of service provider,” NRS states, before continuing:

In our experience, advisers are not only well aware of risk alerts and enforcement cases involving poor oversight of service providers, but actively take appropriate steps to bring their own reviews in line with SEC expectation, based on each adviser’s specific practices. The only benefit listed in the Release that is currently not being met by these examination and enforcement powers is the ability to evaluate a service provider’s potential impact on a market event. This could be accomplished by including a census on Form ADV Part 1A.

The inherent risks of outsourced compliance

Despite the potential benefits of outsourcing, it carries inherent risks, including a potential lack of authority and accountability.

Lack of authority and accountability

Outsourcing is essentially giving a third party control over certain aspects of your firm’s compliance program. Without proper due diligence, firms run the risk of losing control over their compliance efforts and may not be able to adequately oversee the third party’s actions. Additionally, if the third party fails to comply with laws and regulations, the firm may still be held responsible for any regulatory violations.

Loss of expertise

Another risk is the loss of expertise. When a firm relies too heavily on a third party for compliance, it may lose access to the specialized knowledge and expertise of its in-house compliance staff. This can lead to a situation where an RIA is not able to properly identify and address compliance issues, which can put the firm at risk for enforcement action.

In sum, there are a few red flags to outsourced compliance which you should be aware of, including:

  • Lack of compliance awareness in-house.
  • Less authority to push back against potential violations.
  • Unclear accountability – if an issue arose, there could be conflict over whether the CCO or the firm is at fault.

However, outsourcing can be a great addition to your CCO’s toolbelt when your firm implements proper oversight. Done correctly, your firm can save time, cut costs, and improve your compliance practices via partnerships with external entities. This is particularly true when software is leveraged to augment your firm’s internal expertise.

Beyond outsourced chief compliance officers: What you can outsource

Aside from more common outsourced services like regulatory filing, compliance testing, and compliance training, there are several other compliance tasks you can potentially offload to a trusted third party.

One notable example is the communications archival and review processes. With third-party software, advisers can store, retrieve, and filter communications all within a single platform, optimizing the content review process.

Your firm may also benefit from outsourcing other tasks, such as:

Audit preparation

Technology solutions can help your CCO collect and organize large amounts of information prior to and during an SEC audit. An experienced compliance consultant can also provide valuable guidance in preparation for the audit/examination process.

Cybersecurity

Software such as RIA in a Box’s Cybersecurity Solution can help firms with security awareness training, email phishing attack simulation, technology inventory and risk assessment, and crafting a sustainable information security policy.

Employee trade monitoring

Not only can employee trade monitoring software streamline the transactions, holdings, and accounts attestations process – it can also proactively identify and resolve possible trading and firm-level policy violations by automatically flagging potential employee front-running securities transactions.

Vendor due diligence

Vendor due diligence ensures third-party systems and vendors which your firm hires are operating within regulatory guidelines.

However large your firm is, your CCO doesn’t have to do it all alone. With proper into third party solutions, you can successfully outsource many compliance tasks while meeting SEC and other regulatory guidelines.

 

RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.