The OCIE staff of the SEC released a Risk Alert relating to the Outsourcing of Chief Compliance Officers and Compliance Activities. Truly, the findings and risks shouldn’t be a surprise to anyone. My colleagues and I have all recently left “in-house” Compliance positions to become “outsourced compliance advisors.” As Consultants that have recently had the opportunity to observe multiple Financial Firms that have utilize outsourced compliance we have spotted many of the issues that the SEC reported. A few things my colleagues and I have noted since leaving our “in-house” positions: Many Financial Institutions may have a false sense of security with respect to their Outsourced Compliance Office as they deem "no news" to be "good news". Prior to hiring a Compliance Consultant, Financial Firms should ask the following questions:
Within moments of looking at a Firm’s policies and procedures, we can determine which Compliance Consulting Firm wrote the policies and procedures. Most Compliance Consulting Firms have "template" policies and procedures that they implement in each Financial Institution. And indeed it seems as if most Compliance Consulting Firms implement the entire policies and procedures without tailoring them to the particular Financial Institution. Not being privy to the agreements between the Consultant and Financial Firm, our belief, based on what we have observed, is that the Financial Firm is told they will be tailored. We have not been able to identify the exact cause of why the policies were not tailored, but it seems as if it is a combination of lack of experience, quality or business knowledge of the Consultant implementing the procedures. 
Often times a Compliance Consultant will complete a review by interviewing the Firm’s personal and then document the conversation as a report with few to no findings. If the Compliance Consultant hasn’t requested specific samples and has left it up to the Firm to determine the Compliance Consultant reviews, the Firm will be at risk. This is especially true when it comes to AML reviews. Compliance Consultants may not actually understand the business of the Financial Institution. If a Compliance Consultant does not have the requisite experience in the same type of Financial Firm as the Financial Firm they will be supporting the Firm is at risk to a lack of business knowledge. This is a key point that smaller Financial Firms overlook; it is easy to underestimate the specialization of Compliance Officers and to find that you have hired a Consultant that does not have experience with your particular business. What the SEC is asking: Has your Firm hired Compliance in Box and how effective is your appointed Outsourced CCO? As the demand for Outsourced Compliance Officers has increased, the field of Qualified Compliance Consultants has shrunk. One Compliance Consulting Firm has offered “Free 15 Minute Consultations.” That suggests that a Firm has 15 minutes to share information and receive recommendations from the Consulting Firm. This hardly seems to be a Consultant looking to for a long-term relationship, or a Consultant that would address the SEC concerns. In addition, some Compliance Consulting Firms have a link to the SEC Risk Alert and a statement that their programs address the SEC concerns and however, they offer little to no information on how their programs support the SEC concerns. If your firm is seeking to retain an industry savvy and seasoned Compliance Professional, see how CRC's programs support the SEC's concerns. Please contact us to get started.
