CCO responsibilities broadening, deepening
From reporting to cybersecurity, CCOs are playing a leading role
Historically, the chief compliance officer (CCO) has been a behind-the-scenes player in private funds. But since the financial crisis, the role of the CCO has changed significantly, according to panelists who recently spoke with Colin Sanderson, a partner at RSM US LLP, on how the role has evolved. The CCO has been catapulted to the front office, taking on myriad roles to ensure the organization-wide consistency the SEC requires. The CCO is now part business development executive, part investor relations professional, part risk manager and part reporting wiz.
"When I started the CCO position was really siloed, but now the CCO is a resource for the entire firm and a business partner," says Myles Edwards, general counsel, CCO and chief operating officer (COO). "That evolution has been significant, but it's also been for the better because you need a more robust set of skills."
Consistent, timely reporting is key
That skill set includes making sure every part of the organization collaborates so that all disclosures and reporting are consistent up and down the chain. Increasingly, the SEC is watching reports for any change, coming down hard on missed reporting deadlines and making fewer exceptions for tardiness as part of its new "broken windows" enforcement style.
"You used to be able to get by with a late form here or there, but we are seeing enforcement actions come down now, and once something is late it gives the SEC the opportunity to look into anything else they might want to see," says Kelli Moll, a partner with Akin Gump. "Unless you want to deal with increased scrutiny, it's very important to stay current on compliance measures and meet those deadlines."
In addition to stricter timeline enforcement, the SEC is using the examination process for private funds to check in on practices it may not like. "The SEC has been laser focused on enforcement on expenses," Moll adds. "Some firms are reimbursing funds voluntarily to get around any enforcement on expenses. The SEC is looking for consistency and explicit detail in all of the disclosures. If you have funds and managed accounts, they are also looking for how you allocate funds for expenses across all of those vehicles."
If an issue crops up during examination, there are ways to remediate it, but if issues come up repeatedly, enforcement is much more likely. "The SEC has taken the time to get a lot savvier about these products and what is going on," explains Greg Farrington, a partner at Constellation Advisers. This is especially true for private equity funds, for which an internal SEC task force has decided to focus on fees and advisory expenses and has already brought enforcement actions.
A wider regulatory net
The commission's updated knowledge also means that the regulator is bringing charges in new areas. "We're seeing them bring cases over whistleblowers, and with the Foreign Corrupt Practices Act (FCPA)," adds Edwards. "Mary Jo White has said in comments that she sees the role of the CCO as being an ally for the SEC within the organization. That could open the door for increased liability for people in the CCO role, if the commission thinks someone should have known something."
Beyond investor disclosures and fund reporting, managers will also need to work closely with their CCO on cybersecurity. The days when a manager could download anti-virus software or leave cybersecurity to the IT department are over. Under the SEC's new cybersecurity guidance, if firms and funds don't have a security plan in place, they could face charges. The CCO needs to be proactive in ensuring there is a response plan and disaster recovery preparations.
"This is a new area for firms and we're seeing people react in ways that are all over the board," Constellation's Farrington says. "Some people are trying to build their own internal NSA unit, while others haven't done anything. The safest route is to create a policy and a plan and start training people. Compliance is going to want to be involved in all aspects of that."