Should We Outsource Compliance?
By Todd Cipperman, Managing Member, Cipperman Compliance Services
Private fund firms should consider outsourcing to meet their ever-increasing compliance needs. In recent years more firms have turned to compliance outsourcing firms because they can leverage compliance teams to quickly and efficiently implement an SEC-ready compliance program. The old default option of hiring an in-house full-time equivalent employee (FTE) may simply not make sense in the current regulatory and personnel environment. Many firms, paralyzed by indecision, simply do nothing, which can lead to very bad regulatory, reputational, and business outcomes.
Because of Dodd-Frank, private fund firms have wrestled with how to implement an effective compliance program, which is required by Rule 206(4)-7 of the Advisers Act. Although the Rule doesn't say exactly how to implement such a program, we now have 10 years' experience since the SEC adopted the Rule and 3 years since Dodd-Frank to form an understanding of what a compliance program should include. Most significantly, every fund manager must hire a Chief Compliance Officer that has experience and knowledge about an adviser's regulatory obligations. Additionally, based on enforcement actions, speeches, examinations, and statements, we know that a reasonable compliance program must include the involvement of senior management, have adequate financial and human resources, adopt customized policies and procedures, train staff, and maintain records.
Confronted with all the required compliance activities and their associated costs, a fund firm has three alternatives:
- Retain a reputable compliance services firm;
- Hire a full-time equivalent employee (FTE) to serve as the CCO; or
- Do nothing or the bare minimum until the SEC or a client forces a change.
Outsourcing to a Reputable Compliance Firm
Using a third party compliance firm to provide your compliance services, including utilizing one of the third party firm's personnel as Chief Compliance Officer, offers many benefits over hiring one or more FTEs. A compliance firm can implement a compliance program quickly and efficiently with an experienced team that applies an industry-wide perspective. Some of the concerns about outsourcing have diminished over the past few years, making outsourcing a more viable option.
Why Firms Outsource Compliance:
A reputable compliance services firm with a reasonable staff (e.g. more than ten) should give a fund firm the breadth of knowledge necessary to implement an effective compliance program. A group of experienced professionals will have more regulatory knowledge than any one person a firm could hire.
A group of professionals work together to support a firm's compliance needs. They can draw on each other's experience and knowledge. Also, their knowledge is not firm-specific. A team can utilize cross-industry and multiple firm intelligence to serve each client. A firm also retains an adviser's institutional compliance knowledge even if personnel turn over.
A compliance services firm will have broad industry experience and apply it to the particular issues facing the firm. A large team will have more industry knowledge than any one FTE.
Management and Turnover
When a service issue arises, the fund firm can appeal to the compliance firm's management for corrective action. A firm, unlike a person, does not take vacation or sick days or ask for a promotion. Also, a change in compliance providers does not become the same type of emotional decision as firing an employee.
Turnover among internal compliance officers has become an industry-wide problem. Faced with a limited career path, many compliance officers leave after a few years to make more money or to experience a different type of firm. Then, the firm must go through the decision-making and hiring process all over again.
Very often, the outside compliance firm becomes the keeper of a firm's institutional regulatory history even as internal personnel come and go. Much like using an audit firm or a law firm, an adviser can institutionalize its knowledge with a compliance provider.
A compliance services firm brings an independent perspective to the compliance function. Institutional clients and regulators value this independence and often give more weight and credibility to a compliance review prepared by an outside party rather than somebody reporting to senior management.
Conversely, an in-house CCO is inherently conflicted because he/she reports to senior management that may be the cause of the problem. In many cases, the CCO gets blamed because senior management views the CCO as the cause and not the solution. Unlike an outside firm which has many clients, an in-house CCO faces significant disruption if a compliance breakdown fractures the relationship with management.
Based on our experience, utilizing a compliance services firm usually costs between 40%-60% of the cost of hiring comparable in-house resources. An adviser can also vary the services utilized to meet its budget constraints. Utilizing a compliance firm avoids the fixed cost (including benefits) and commitment of hiring FTEs.
To hire a competent compliance officer generally costs at least $200,000 in salary and benefits. The price tag goes up for larger, more complex advisers and may require hiring multiple people. Costs obviously vary depending on the market, but an adviser should compare the available talent against the personnel offered by a compliance firm. Hiring an FTE also involves a fixed commitment of resources including head count, benefits, and management.
The Chief Compliance Officer has direct regulatory liability better retained by an experienced compliance professional provided by a third party firm than undertaken by a senior executive without a regulatory background. The SEC has brought several cases against non-regulatory senior executives that served as CCO in addition to other responsibilities because they did not have sufficient knowledge or did not devote sufficient time to their compliance responsibilities. Some of these cases resulted in industry bars, which had the effect of putting the firm out of business.
In addition to retaining a competent CCO, retaining a compliance services firm also ensures that somebody has responsibility for the compliance infrastructure. In the event of a compliance problem, a fund firm can look to the compliance services firm and its contractual service commitments. The Agreement may provide for a cause of action and/or indemnity for significant failures. The only remedy against an employee would be termination.
The regulators have increasingly accepted outsourcing as a viable compliance solution. In the most recent proposed Form ADV amendments, the SEC has recognized the outsourcing trend by requesting firms that use an outsourced CCO to identify the third party firm that provides compliance services. We believe that the SEC is recognizing outsourcing as an option for firms that are challenged to hire a competent in-house CCO either because of size or geographic location.
Also, the SEC has acknowledged that the use of third party compliance firms may help answer the criticism that it only examines about 10% of advisers per year. Recently, SEC Commissioner Gallagher has recommended that the SEC require investment advisers to engage third party compliance firms as a legitimate alternative to increasing SEC funding, handing regulatory oversight to FINRA, or creating a new SRO. Mr. Gallagher noted the benefits of using an accountable and independent compliance firm to review regulatory compliance and compared the model to requiring public companies to obtain a financial statement audit. In response, Chairman White has requested that the staff review requiring firms to engage third party compliance firms to perform reviews.
The SEC now has a track record examining firms that use a third party compliance firm for CCO and other compliance services. Several firms (including our firm) provide this service and their clients have experienced dozens (hundreds?) of exams during the last several years. Our experience has been that the SEC focuses on the quality of the program, not how the firm specifically executes. With respect to outsourcing, the SEC wants to make sure that the designated CCO does not manage too many relationships. No staff member has told us how many is too many, although we believe that 10 relationships should be the most that one person manages, and that number should decrease with larger or more complex relationships. In our experience, the SEC will criticize an adviser that demonstrates a lack of commitment to compliance by spending too little (e.g. less than 5% of revenue), outsourcing to a firm that does not provide the necessary resources and services, or failing to empower the compliance services firm.
Hiring an FTE to Serve as CCO
Private fund firms should pursue retaining an employee (i.e. FTE) dedicated to compliance if the business is large enough to afford the required talent and complex enough to require a dedicated resource. Hiring an in-house CCO also allows a firm to control the compliance function and leverage resources.
Firms must be large enough to afford the right compliance officer for the business. As any recruiter will tell you, finding a quality compliance officer can be challenging. There is more demand than supply, and the talent gap grows every day. Firms generally must pay at least $200,000 per year to retain a quality CCO. If a firm has less than $5 billion in assets under management, it may not have the resources to allocate such a large amount to one position that does not manage or raise assets. Also, growth may require hiring several compliance officers, thereby expanding the required budget. However, if a firm can afford the position and can find the right talent, it may make sense to retain one or more FTEs. A firm that pursues an FTE CCO should conduct significant due diligence to ensure that it finds the right person with the appropriate temperament, knowledge, and skill set, because hiring the wrong person can hurt the firm, waste resources, and delay implementation.
Certain firms are so complex that only a full-time in-house resource will suffice. For example, if the firm's trading strategy requires unique knowledge or the firm has multiple product lines, an in-house resource expert in that firm's particular business may be the best choice in the long run. Also, if a firm has so many employees that only an in-house resource can monitor for wrongdoing, an in-house staff may be necessary.
Hiring an in-house FTE also allows firm management to control compliance outcomes. The CCO will report directly to senior management who will determine pay and tenure. Although firms lose the ability to claim an accountable and independent compliance function, senior management may feel more comfortable with one of its own team serving in a regulatory monitoring function.
Firms may also leverage internal compliance personnel to perform additional operational responsibilities. For example, many in-house compliance personnel perform finance or operational control functions in addition to their compliance responsibilities. However, as firms grow, senior management must monitor workloads and focus to ensure that the firm has dedicated enough to compliance.
Delaying or Doing Nothing
Few firms actually acknowledge that they have done nothing meaningful to implement a compliance program. However, many have either intentionally or unintentionally ignored compliance.
What are the signs that a firm has done too little to implement a compliance program? They fail to spend enough on compliance. In our experience, firms should spend at least 5% of revenues or 7% of total operating costs on compliance. Firms that spend less than that are “do nothing” firms.
Firms also fool themselves into thinking they have done something significant. For example, they buy a canned compliance manual online or from a vendor, adopt policies and procedures but decline to implement their requirements, tell the CFO he/she is now the Chief Compliance Officer, promote an administrative assistant to CCO, allocate minimal resources to compliance, etc. These are also “do nothing” firms because the SEC has cited these practices in various enforcement actions as examples of failures to implement effective compliance programs.
We also see doing nothing disguised as rationalization: “We do the right thing.” The compliance rule does not require a firm to do the right thing. It requires the firm to adopt, implement, and test policies and procedures reasonably designed to achieve compliance with the Advisers Act and its rules.
Doing nothing doesn't work as a business strategy. The SEC does not offer a free pass for regulatory violations just because it is a firm's first cited deficiency. In many cases, the SEC has brought significant enforcement actions and penalties, which have included fines and personal liability including industry bars, even without a prior warning. Firms should also consider the potential reputational costs. Enforcement actions are available on the web to be forever cited by clients, competitors, potential employees, and regulators.
Failing to implement a compliance program also will not work with institutional clients. Most public plans, fund-of-funds, mutual funds, and other institutional investors perform significant due diligence on a firm's compliance program in addition to investment and operational due diligence. Also, once a firm makes it onto the SEC's bad actor list, expect to see them on a regular basis.
Using a third party firm to provide compliance services including a CCO has become more accepted as both private fund firms and the SEC have seen the model work effectively. Outsourcing allows a private fund firm to access a deep compliance team, avoid the fixed costs and management issues of hiring an FTE, demonstrate compliance independence, share liability, and lower costs. If your firm is large and complex and you can find the right person, it may make sense to hire an FTE for your compliance needs. Doing nothing or delaying only invites regulatory, reputational, and, ultimately, business risk.
Cipperman Compliance Services (CCS) provides managed compliance services to alternative investments, including hedge and private equity funds, as well as registered funds and money managers. With 80-plus domestic and international relationships, its services range from acting as the firm's Chief Compliance Officer (CCO) to providing a team of resources that executes and delivers compliance support. Todd Cipperman is the founding principal of Cipperman Compliance Services (CCS). During his two decades of experience, Todd has represented a wide range of investment management clients with a focus on distribution issues facing investment managers and broker-dealers. Todd previously served as general counsel of SEI Investments, a public mutual fund and financial technology firm. Prior to that, Todd spent several years in private practice on Wall Street representing both buy and sell side clients in investment management and capital markets transactions.