The Role of the CCO – Empowered, Senior and With Authority
Nov. 19, 2020
Opening Remarks at National Investment Adviser/Investment Company Compliance Outreach 2020
Thank you for joining us today for the 10th National Compliance Outreach program and our 15th year sponsoring compliance outreach seminars. I am pleased that this event can continue in our new virtual environment and reach even more attendees. Thank you for taking the time to participate and for your continued interest in compliance and the work of the Office of Compliance Inspections and Examinations and the Commission. I am excited about today’s lineup and grateful for this opportunity to speak with you. Before I start, let me remind you – on behalf of myself and all of the other SEC speakers and panelists today – that the views we express today are our own and do not necessarily reflect the views of the Commission, the Chairman, the Commissioners, or my colleagues on the Commission staff.
We have faced a major and unexpected event this past year, unlike anything many of us have experienced. We all have faced many challenges. Concern over the health and safety of our families, friends, colleagues, and ourselves has become top priority. Balancing remote work, restrictions on travel, childcare, virtual school, and virtual meetings has become the new normal. We have faced dramatic changes in how we operate, regularly communicate, and, importantly, adapt compliance with the existing policies and procedures and law to the new circumstances. We observed many in the industry successfully pivot to full telework, at a time when we saw incredibly high market volume. With this lead-in, I would like to share with you today how OCIE was impacted by the Covid-19 pandemic, and also spend time discussing the challenges CCOs face and the importance of achieving their empowerment, seniority, and authority in their firms to ensure that they are effective.
III. Covid-19 and OCIE
OCIE was certainly impacted by Covid-19, but we have continued to be fully operational, just like so many financial firms and businesses. One way the SEC as a whole was impacted by Covid-19 included the limitation on direct, on-site interaction with other SEC staff, regulators, industry personnel, and investors. Just like many of you, we found alternative ways of accomplishing our investor protection mission. We continue to effectively carry out exams to protect investors’ interests without the benefit of normal, on-site interactions. The transition to conducting our mission via virtual and correspondence interactions is not a seamless one, but we have increased our capacity for using alternative secure technologies for interviewing and discussing documents with registrants during our examinations.
In light of health and safety concerns and other circumstances, OCIE has continued to conduct examinations off-site through correspondence, and we are working with registrants to address the timing of our requests, availability of registrant personnel, and other matters to minimize disruption. We have engaged in outreach and other efforts with many investment advisers and investment company complexes to assess the impacts of Covid-19 and to gather information, including challenges with operational resiliency and fund liquidity. We found that the majority of firms we met with had business continuity plans (BCPs) and had activated them. A small percentage of the hundreds of firms we virtually met with actually had pandemic specific plans that were in existence before the Covid-19 pandemic, but I think most were fortunate that BCPs generally were beneficial in addressing the impact of the pandemic. We noted that critical areas for operations were typically covered in the BCPs. We saw BCPs that provide for personnel to work in separate remote sites, succession plans that address the death or lengthy incapacitation of key personnel and contingency plans for when other essential personnel are unable to work for extended periods.
The issues and concerns raised by firms varied. Many of the issues with implementing business continuity and pandemic plans have been minor and were addressed quickly. For example, we noted issues with addressing specific tasks that could not be performed remotely, situating remote location hardware to better replicate typical in-office setup, gaining wide-scale access to certain systems remotely, and reassessing certain functions to adapt to remote environments. Some of the issues required a little more creative thinking, such as the loss of critical personnel to illness and developing procedures to effectively handle the travel bans and local and regional lockdowns, the lack of child-care for workers, and tele-school demands.
Other concerns or challenges will require more active revisiting and monitoring, such as cybersecurity and data protection concerns, addressing market volatility and spiked volume, firms maintaining their financial solvency, and concerns regarding customers with financial hardships. As firms continue to develop new ways to cope with the situation, new challenges may arise from the solutions. The burden on firms to adapt to processes such as remote due diligence on service providers and sub-advisers will require considerable attention by advisory firms. New technology adopted to address business or compliance needs during the pandemic may bring with it risks that will need to be evaluated by skilled and knowledgeable compliance departments.
OCIE is aware that this is an evolving situation and we will remain cognizant of the reality on the ground. The health and safety of our employees and firm personnel is paramount. We are continuing to monitor the situation, and follow national guidance and local orders. We will continue to prioritize the health and safety of our employees and the public, and will continue to remain flexible.
Despite all of this headwind, OCIE conducted over 2,950 examinations in fiscal year 2020, including 15 percent of all SEC-registered investment advisers. We successfully began initiatives to review compliance with Regulation Best Interest and Form CRS and to assess registered advisers’ and investment companies’ preparedness for the transition away from LIBOR. OCIE also continued its complementary and highly effective asset verification program — in the same time period of FY 2020, OCIE verified 4.8 million investor accounts totaling $3.4 trillion in assets. OCIE conducted over 300 outreach events, issued a report on Cybersecurity and Resiliency Observations, and published eight risk alerts. I am awed by how well OCIE staff pivoted at this difficult time to complete these achievements. Our success was driven in part by OCIE’s experience and flexibility working from remote locations, but now from our homes rather than from registered firm locations. As Chairman Clayton recently said, “we all know the most effective regulatory environment is one that drives a culture of compliance. That is just what OCIE does.”
IV. Empowering Chief Compliance Officers
Next, I want to talk about CCOs. CCOs and their staffs have difficult roles. And their roles have become more challenging because of Covid-19. We recognize that the effectiveness of the CCO and that of a firm’s compliance program is critical to the protection of investors. We understand the challenges of the role and take steps to support and enhance effectiveness of CCOs and compliance programs. An important way OCIE tries to assist is by being as transparent as possible about the deficiencies it commonly sees during examinations so even if OCIE does not visit in a particular year, you are still hearing from us. OCIE risk alerts are a significant tool to help you promote compliance in your firms. Today, OCIE published a risk alert on notable observations related to Rule 206(4)-7 (the “Compliance Rule”) under the Advisers Act. Deficiencies related to compliance have been among the most common cited by OCIE, both for investment advisers and investment companies.
Importantly, the Compliance Rule requires each adviser to designate a CCO to administer its compliance policies and procedures. As the Commission described in the Compliance Rule Adopting Release, an adviser's CCO should be competent and knowledgeable regarding the Advisers Act and should be empowered with full responsibility and authority to develop, implement, and enforce appropriate policies and procedures for the firm. And a CCO should have a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.
Empowerment, seniority and authority. These three words matter. Some firms take the “check-the-box” approach to the CCO requirement, merely looking at it as a way to satisfy the rule as opposed to thinking of the role as an essential component of running an advisory or fund business. We notice on exams when firms hire someone for the role to check the box but do not support or empower them. We notice when a CCO holds one or more roles in a firm and is inattentive to their compliance responsibilities. We notice when a firm positions a CCO too low in the organization to make meaningful change and have a substantive impact, such as a mid-level officer or placed under the CFO function. We notice when CCOs are expected to create policies and procedures, but are not given the resources to hire personnel or engage vendors to provide systems to implement those policies and procedures. We notice when a CCO is replaced because they challenge questionable activities or behavior. We notice when a CCO is trotted out for an examination or sits silently in the corner in compliance discussions, overshadowed by firm senior officers. We notice when a firm puts responsibility on the CCO for a failure of an employee or an officer to follow a firm policy or procedure.
But we do also see good practices where CCOs are routinely included in business planning and strategy discussions and brought into decision-making early on, not for appearances, but for their meaningful input. Through our examination observations and discussions, we notice CCO access and interaction with senior management, prominence in the firm, and when they are valued by senior management. We notice demonstrable actions, not just words, supporting the CCO and compliance. A good CCO can be a true “value-add” to the business; by keeping up with regulatory expectations and new rules, they can assist in positioning their firms not only to avoid costly compliance failures, but also provide proactive compliance guidance on new or amended rules that may provide advisers with additional business options.
Compliance officers are on the front lines to help ensure that registrants meet their obligation under applicable securities laws and regulations. We too are on the front lines and with a similar mission, and in many ways examiners and compliance officers and personnel are two sides of the same coin. We cannot overstate a firm’s continued need to assess whether its compliance program has adequate resources to support its compliance function. Resources means a lot of different things, including training, automated systems and adequate staff to support firm growth, but perhaps most importantly, it means “empowerment.” Compliance must be integral to an adviser’s business and part of its senior leadership.
In today’s risk alert, OCIE staff observed advisers that did not devote adequate resources, such as information technology, staff and training, to their compliance programs. OCIE staff also observed CCOs who lacked sufficient authority within the adviser to develop and enforce appropriate policies and procedures for the adviser.
The risk alert also describes deficiencies related to annual reviews. OCIE staff observed advisers that were unable to demonstrate that they performed an annual review or whose annual reviews failed to identify significant existing compliance or regulatory problems.
Finally, OCIE staff observed advisers that did not establish, implement, or appropriately tailor written policies and procedures that were reasonably designed to prevent violations of the Advisers Act. For example, the staff observed deficiencies or weaknesses in establishing reasonably designed written policies and procedures in the following areas:
- Portfolio management;
- Trading practices;
- Advisory fees and valuation;
- Safeguards for client privacy;
- Safeguards for client assets;
- Required books and records; and
- Business continuity plans.
As you can see from this extensive list, the Compliance Rule touches on all of the critical areas of being an adviser. The CCO is not there to fill out irrelevant paperwork or serve as a scapegoat for the firm’s failings. A firm’s compliance department should be fully integrated into the business of the adviser for it to be effective. Compliance regarding conflicts of interest, disclosures to clients, calculation of fees and protection of client assets should not be done from the sidelines. The CCO needs a meaningful seat at the table.
Although the responsibilities and challenges are significant, the critical function of compliance should not all fall on the shoulders of CCOs. One of the most important aspects of an effective compliance program is having adviser management support compliance and empower CCOs to perform their jobs effectively. Without the support of management, no CCO, no matter how diligent and capable, can be effective.
An effective CCO should have confidence that they can stand up for compliance and be supported. If we see that an adviser has changed CCOs recently or frequently, we are very likely to ask about the circumstances of those actions on an exam. Compensation and job security for CCOs should be commensurate with their significant responsibilities. CCOs should not be made to feel that they are one “no” away from termination. CCOs also should not be made the target of every problem. The cause or blame for a compliance issue or failure typically does not sit only with the CCO and may not sit at all with the CCO. In fact, we appreciate that often the CCO is the one responsible for identifying the problem and for fixing it.
In terms of authority, I am often asked who the CCO should report to in an organization. Is it to the CEO, the COO, the General Counsel, or directly to a Board if one exists? There is no easy answer to this. It depends on the size of the organization, the leadership structure, the experience of the CCO, and the compliance culture. Does the CCO hold multiple roles? While I do not think there should be a uniform requirement of who a CCO should report to, I do believe that, at a minimum, a CCO should have a direct line of reporting to senior management, if not be part of senior management. In all cases, a CCO should be empowered to address compliance weaknesses directly, and report concerns directly to senior management, no matter the source of the problem.
I am also often asked how much a firm should budget for the compliance function. This too is an area where there is no standard or rule, but it is something we definitely notice on examinations, particularly where we see an underfunded compliance department. Firms should appropriately assess their own needs based on their business model, size, sophistication, adviser representative population and dispersal, and provide for sufficient resources as necessary for compliance with applicable laws. There is not always a correlation in the amount of the firm’s revenues, percentage of its budget, or its assets under management; however, the need for resources must be continually reassessed, as the firm’s business model may grow or shrink, as new business strategies are adopted, or as weaknesses in compliance are identified. Compliance officers should feel empowered to bring to the firm’s management any needs they have identified that are necessary to perform their roles effectively.
Today, these challenges are even greater. CCOs are currently having to do all of their roles virtually, while dealing with all of the new issues raised by Covid-19. All of this underscores the importance of culture at any firm, and specifically the importance of a firm’s compliance culture. Without a culture that truly values the CCO, supported by a sincere "tone at the top" by senior management, a firm stands to lose the hard-earned trust of its clients, investors, customers and other key stakeholders. As the Commission stated, CCOs should be empowered, senior and have authority, but CCOs should not and cannot do it alone and should not and cannot be responsible for all compliance failures.
Thank you for joining us today and enjoy the discussions. I would also like to thank the OCIE team who helped put these opening remarks together including Chris Mulligan, Dawn Jessen, Maurya Keating, Dan Kahl and Kristin Snyder.
 The Securities and Exchange Commission (“SEC” or “Commission”) disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author’s views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the staff.
 See OCIE Risk Alert, Examinations that Focus on Compliance with Regulation Best Interest (Apr. 7, 2020); OCIE Risk Alert, Exams that Focus on Compliance with Form CRS (Apr. 7, 2020); and OCIE Risk Alert, Examination Initiative: LIBOR Transition Preparedness (Jun. 18, 2020).
 See OCIE Risk Alert, The Five Most Frequent Compliance Topics Identified in OCIE Examinations of Investment Advisers (Feb. 7, 2017); OCIE Risk Alert, Observations from Examinations of Investment Advisers: Compliance, Supervision, and Disclosure of Conflicts of Interest (July 23, 2019); OCIE Risk Alert, Observations from Investment Adviser Examinations Relating to Electronic Messaging (Dec. 14, 2018). See also, OCIE Risk Alert, Top Compliance Topics Observed in Examinations of Investment Companies and Observations from Money Market Fund and Target Date Fund Initiatives (Nov. 7, 2019) (describing common deficiencies related to the Fund Compliance Rule).
 Release No. IA-2204. (“We expect that an adviser's policies and procedures, at a minimum, should address the following issues to the extent that they are relevant to that adviser: Portfolio management processes, including allocation of investment opportunities among clients and consistency of portfolios with clients' investment objectives, disclosures by the adviser, and applicable regulatory restrictions; Trading practices, including procedures by which the adviser satisfies its best execution obligation, uses client brokerage to obtain research and other services (“soft dollar arrangements”), and allocates aggregated trades among clients; The accuracy of disclosures made to investors, clients, and regulators, including account statements and advertisements; Safeguarding of client assets from conversion or inappropriate use by advisory personnel; The accurate creation of required records and their maintenance in a manner that secures them from unauthorized alteration or use and protects them from untimely destruction; Marketing advisory services, including the use of solicitors; Processes to value client holdings and assess fees based on those valuations; Safeguards for the privacy, protection of client records and information; Business continuity plans.”)
 See OCIE Risk Alert, Compliance Issues Related to Best Execution by Investment Advisers (July 11, 2018).
 See OCIE Risk Alert, Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies (April 16, 2019).