Why registered investment advisers should avoid outsourcing their CCO.
Over the past few years, I have been asked a handful of times whether a registered investment adviser may outsource the role of the Chief Compliance Officer. While there are compliance firms that offer such a service, I personally discourage registered investment advisers from outsourcing their CCO.
Rule 206(4)-7 (the “Compliance Rule”) under the Investment Advisers Act of 1940 requires investment advisers to designate a Chief Compliance Officer. In October of 2022, the SEC proposed a new rule and rule amendments under the Investment Advisers Act of 1940 to prohibit registered investment advisers from outsourcing certain services and functions without conducting due diligence and monitoring of the service providers. Irrespective of the heightened regulatory attention to the implementation of third-party compliance service providers, the current disclosure requirements already have mechanisms in place that implicitly discourage the outsourcing of a Chief Compliance Officer.
Form ADV Item 19 – Applicable Only to State Registered Investment Advisers
Item 19 of Form ADV Part 2A, the Brochure, requires that each of the firm’s principal executive officers and management persons be disclosed to investors. This includes the Chief Compliance Officer. Any business that the CCO is actively engaged in (other than giving investment advice) and the approximate amount of time spent on that business must be disclosed in Item 19 as well. In my opinion, if an RIA outsources the CCO role to a third-party provider, then Item 19 should disclose the CCO’s employment with the third party as one of the CCO’s outside business activities because such a role is an activity external to its duties to the RIA that engages the outsourcing service.
Considerations for both SEC and State Registered Investment Advisers.
In most cases, a single outsourced CCO is likely responsible for more than one registered investment adviser’s compliance program. This triggers the need to disclose the conflict of interest that arises in this scenario. There is a conflict of interest because the CCO cannot maintain its undivided attention on one adviser’s compliance program if it is responsible for overseeing other advisers’ activities. The time the CCO dedicates to one RIA is time it does not commit to the oversight of the other RIA. Depending on the circumstances, the conflict should be disclosed in Item 10 of Form ADV Part 2A, which is applicable to both SEC and State registered investment advisers.
Circling back to the disclosure of outside business activities (“OBA”), Form ADV Part 2B, Item 4 requires investment adviser representatives to disclose any other investment-related business or occupation and whether the OBA creates a material conflict of interest. If the CCO is also an investment adviser representative, then the advisory firm must create a Form ADV Part 2B for that individual. Generally speaking, if a CCO is responsible for overseeing more than one investment adviser compliance program, then a material conflict arises for the reason I have already addressed.
Imagine disclosing in Form ADV Part 2A and Form ADV Part 2B that the firm’s CCO is actually an employee of a third-party compliance firm that is also responsible for the compliance programs of other investment advisers. Form ADV Part 2 must be delivered to prospective clients. Prospects and current clients will likely take issue with the fact that the CCO has duties to: (1) its employer (the compliance firm); (2) the RIA that delivered the Form ADV Part 2 to this prospective client; and, (3) other investment adviser clients engaged with the compliance firm.
Even if an RIA receives the services of a CCO that is employed by an outsourcing service and that CCO is only responsible for one RIA’s compliance program, that CCO is likely to show preference to the interests of the outsourcing service because the service provider is the CCO’s actual employer.
Delegation of certain compliance obligations.
Although outsourcing the CCO would create the issues described above, delegation of certain CCO responsibilities to third-party providers is a reasonable alternative as long as the RIA has policies and procedures in place regarding supervision of the third party. In other words, it is not enough to delegate the responsibility and move on.