From a recent speech by the head of the SEC’s Office of Compliance Inspections and Examinations (now known as the Examinations Division):
Empowering Chief Compliance Officers
Next, I want to talk about CCOs. CCOs and their staffs have difficult roles. And their roles have become more challenging because of Covid-19. We recognize that the effectiveness of the CCO and that of a firm’s compliance program is critical to the protection of investors. We understand the challenges of the role and take steps to support and enhance effectiveness of CCOs and compliance programs. An important way OCIE tries to assist is by being as transparent as possible about the deficiencies it commonly sees during examinations so even if OCIE does not visit in a particular year, you are still hearing from us. OCIE risk alerts are a significant tool to help you promote compliance in your firms. Today, OCIE published a risk alert on notable observations related to Rule 206(4)-7 (the “Compliance Rule”) under the Advisers Act. Deficiencies related to compliance have been among the most common cited by OCIE, both for investment advisers and investment companies.
Importantly, the Compliance Rule requires each adviser to designate a CCO to administer its compliance policies and procedures. As the Commission described in the Compliance Rule Adopting Release, an adviser’s CCO should be competent and knowledgeable regarding the Advisers Act and should be empowered with full responsibility and authority to develop, implement, and enforce appropriate policies and procedures for the firm. And a CCO should have a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.
Empowerment, seniority and authority. These three words matter. Some firms take the “check-the-box” approach to the CCO requirement, merely looking at it as a way to satisfy the rule as opposed to thinking of the role as an essential component of running an advisory or fund business. We notice on exams when firms hire someone for the role to check the box but do not support or empower them. We notice when a CCO holds one or more roles in a firm and is inattentive to their compliance responsibilities. We notice when a firm positions a CCO too low in the organization to make meaningful change and have a substantive impact, such as a mid-level officer or placed under the CFO function. We notice when CCOs are expected to create policies and procedures, but are not given the resources to hire personnel or engage vendors to provide systems to implement those policies and procedures. We notice when a CCO is replaced because they challenge questionable activities or behavior. We notice when a CCO is trotted out for an examination or sits silently in the corner in compliance discussions, overshadowed by firm senior officers. We notice when a firm puts responsibility on the CCO for a failure of an employee or an officer to follow a firm policy or procedure.
But we do also see good practices where CCOs are routinely included in business planning and strategy discussions and brought into decision-making early-on, not for appearances, but for their meaningful input. Through our examination observations and discussions, we notice CCO access and interaction with senior management, prominence in the firm, and when they are valued by senior management. We notice demonstrable actions, not just words, supporting the CCO and compliance. A good CCO can be a true “value-add” to the business; by keeping up with regulatory expectations and new rules, they can assist in positioning their firms not only to avoid costly compliance failures, but also provide pro-active compliance guidance on new or amended rules that may provide advisers with additional business options.
Compliance officers are on the front lines to help ensure that registrants meet their obligation under applicable securities laws and regulations. We too are on the front lines and with a similar mission, and in many ways examiners and compliance officers and personnel are two sides of the same coin. We cannot overstate a firm’s continued need to assess whether its compliance program has adequate resources to support its compliance function. Resources means a lot of different things, including training, automated systems and adequate staff to support firm growth, but perhaps most importantly, it means “empowerment.” Compliance must be integral to an adviser’s business and part of its senior leadership.
In today’s risk alert, OCIE staff observed advisers that did not devote adequate resources, such as information technology, staff and training, to their compliance programs. OCIE staff also observed CCOs who lacked sufficient authority within the adviser to develop and enforce appropriate policies and procedures for the adviser.
The risk alert also describes deficiencies related to annual reviews. OCIE staff observed advisers that were unable to demonstrate that they performed an annual review or whose annual reviews failed to identify significant existing compliance or regulatory problems.
Finally, OCIE staff observed advisers that did not establish, implement, or appropriately tailor written policies and procedures that were reasonably designed to prevent violations of the Advisers Act. For example, the staff observed deficiencies or weaknesses in establishing reasonably designed written policies and procedures in the following areas:
- Portfolio management;
- Trading practices;
- Advisory fees and valuation;
- Safeguards for client privacy;
- Safeguards for client assets;
- Required books and records; and
- Business continuity plans.
As you can see from this extensive list, the Compliance Rule touches on all of the critical areas of being an adviser. The CCO is not there to fill out irrelevant paperwork or serve as a scapegoat for the firm’s failings. A firm’s compliance department should be fully integrated into the business of the adviser for it to be effective. Compliance regarding conflicts of interest, disclosures to clients, calculation of fees and protection of client assets should not be done from the sidelines. The CCO needs a meaningful seat at the table.
Although the responsibilities and challenges are significant, the critical function of compliance should not all fall on the shoulders of CCOs. One of the most important aspects of an effective compliance program is having adviser management support compliance and empower CCOs to perform their jobs effectively. Without the support of management, no CCO, no matter how diligent and capable, can be effective.
An effective CCO should have confidence that they can stand up for compliance and be supported. If we see that an adviser has changed CCOs recently or frequently, we are very likely to ask about the circumstances of those actions on an exam. Compensation and job security for CCOs should be commensurate with their significant responsibilities. CCOs should not be made to feel that they are one “no” away from termination. CCOs also should not be made the target of every problem. The cause or blame for a compliance issue or failure typically does not sit only with the CCO and may not sit at all with the CCO. In fact, we appreciate that often the CCO is the one responsible for identifying the problem and for fixing it.
In terms of authority, I am often asked who the CCO should report to in an organization. Is it to the CEO, the COO, the General Counsel, or directly to a Board if one exists? There is no easy answer to this. It depends on the size of the organization, the leadership structure, the experience of the CCO, and the compliance culture. Does the CCO hold multiple roles? While I do not think there should be a uniform requirement of who a CCO should report to, I do believe that, at a minimum, a CCO should have a direct line of reporting to senior management, if not be part of senior management. In all cases, a CCO should be empowered to address compliance weaknesses directly, and report concerns directly to senior management, no matter the source of the problem.
I am also often asked how much a firm should budget for the compliance function. This too is an area where there is no standard or rule, but it is something we definitely notice on examinations, particularly where we see an underfunded compliance department. Firms should appropriately assess their own needs based on their business model, size, sophistication, adviser representative population and dispersal, and provide for sufficient resources as necessary for compliance with applicable laws. There is not always a correlation in the amount of the firm’s revenues, percentage of its budget, or its assets under management; however, the need for resources must be continually reassessed, as the firm’s business model may grow or shrink, as new business strategies are adopted, or as weaknesses in compliance are identified. Compliance officers should feel empowered to bring to the firm’s management any needs they have identified that are necessary to perform their roles effectively.
Today, these challenges are even greater. CCOs are currently having to do all of their roles virtually, while dealing with all of the new issues raised by Covid-19. All of this underscores the importance of culture at any firm, and specifically the importance of a firm’s compliance culture. Without a culture that truly values the CCO, supported by a sincere “tone at the top” by senior management, a firm stands to lose the hard-earned trust of its clients, investors, customers and other key stakeholders. As the Commission stated, CCOs should be empowered, senior and have authority, but CCOs should not and cannot do it alone and should not and cannot be responsible for all compliance failures.