Outsourcing Compliance: What Could Go Wrong?
There’s no doubt that compliance is tricky business. Ensuring that your company adheres to the numerous regulations imposed by various bodies and administrations is a tough job that you may think requires you to hand it over to the experts. But you may be surprised to learn that doing that could cost you more in the end.
Many firms that specialize in compliance offer the ever-alluring idea that their “Former SEC/FINRA/CFTC” experts will unburden you from the responsibility and hassle of ensuring that your firm is compliant with the multitude of regulations. While this sounds ideal, and in many cases is, there are a few things that you should keep in mind when considering this option.
You’re still responsible if something goes wrong.
A letter of caution was released by the SEC in November of 2015, warning of the dangers of outsourcing various compliance functions.
After almost 20 reviews of SEC-registered investment companies that outsource compliance operations, the SEC found that oftentimes there was a lack of communication, in terms of business practices, company principals, knowledge of business dealings and required documentation, resulting in the third party’s inability to be effective.
As outlined in SEC Rule 206, it is the responsibility of every company to create and maintain policies and procedures that are reasonably designed to prevent regulatory violations by you and your supervised individuals. Ineffective communication with an outsourced supervision process opens a company up to a wide variety of risks, which could have otherwise been avoided had the process been handled in-house.
In conclusion, the letter goes on to state: “Each registrant is ultimately responsible for adopting and implementing an effective compliance program and is accountable for its own deficiencies.”
You might think that you’ll be insulated from repercussions should an incident occur (blame the contractor), but the reality of the situation is that you will still be held liable.
Tailoring to your business needs.
The phrase “Jack of all trades, master of none” isn’t something that you want applied to your compliance department.
In the SEC’s review, they found that the nature of outsourcing compliance functions resulted in diminished communication and, therefore, the firm handling compliance was not able to provide a proper approach.
While the regulations with which firms must comply are largely the same, the methods of doing so are vastly different based on how a firm conducts its business. What works for one business might not work for yours and vice versa.
The only way to ensure that your compliance department is meeting all of your needs is to bring those functions in-house and have compliance work with the business and the resources to maintain and operate the system.
This is perhaps best demonstrated in the communication surveillance space, where companies have outsourced their communications review to a third-party firm. While some direct violations are obvious in nature, there’s an added level of intimacy and understanding when you’re constantly being exposed to the people you’re reviewing, as well as the ability to incorporate internal knowledge into a review.
Being somewhat familiar with the individuals under review is the difference between catching and ignoring something that seems benign in nature but is in reality a serious violation.
The differences between outsourcing and contracting.
These two concepts, while similar in that both involve individuals who are not directly employed by the firm handling a specific function, differ in terms of where each takes place.
Outsourcing requires that the necessary information or function be sent outside the firm, whereas contracting allows the company to maintain everything internally.
Because of this difference, outsourcing the compliance functions themselves carries a significantly increased risk, whereas relying on the expertise of a consulting resource for the guidance, support and maintenance of certain functions, such as your supervisory system, is considerably safer.
As noted by the SEC investigation, conveyance of business requirements, access to necessary internal documents, and overall communication between the outside resource and the firm were some of the biggest issues that were found, all of which are the direct result of placing the function outside of the company.
Along with giving the most knowledgeable and capable experts the opportunity to guide and assist your compliance department in getting everything it needs to satisfy your company’s regulatory obligations, contracting preserves the integrity, efficacy, and efficiency of the information or function, and of overall communication, by allowing everything to remain internal.
Ultimately, the decision to outsource is yours to make, but after reviewing the associated risks (not to mention a warning letter issued by the very regulatory authority that you report to, advising caution against the practice), it’s safe to say that your compliance department, your vital regulatory functions, and the information required for them both should remain in-house.
Because while a “jack of all trades” sounds appealing in the short term, if you want compliance done right, you have to do it yourself.