More RIAs are outsourcing their compliance. Is that a problem?

A decade after the Securities and Exchange Commission raised concerns about outsourced chief compliance officers, the model is not only still around — it's gaining ground.

A 2015 SEC risk alert flagged a "growing trend" of RIAs outsourcing the CCO role, while warning that firms remain fully responsible for their compliance programs, regardless of who holds the title.

The latest Form ADV data shows that nearly 8% of CCOs at SEC-registered firms were compensated by a third party in 2024, according to an analysis by the Investment Adviser Association and COMPLY. That marks the third year in a row that outsourced CCO use has grown.

Across the industry, more than 2,500 chief compliance officers are responsible for two or more RIAs at the same time, according to ISS Market Intelligence. Most outsourced CCOs handle compliance for just two or three firms, but a small subset takes on far larger workloads. More than 60 oversee five or more RIAs, and just over a dozen are responsible for 10 or more.

As the outsourced CCO model has expanded, a core question has emerged: How many firms can one person realistically oversee?

With no formal regulatory cap, outsourced CCOs are limited only by their own capacity and internal company policies.

Stacy Sizemore, an outsourced CCO at consulting firm tru Independence, currently serves as the chief compliance officer for 14 RIAs. Sizemore said that figure is slightly higher than usual — she's serving as the interim CCO for a number of RIAs being onboarded to tru Independence's services.

"What I have found is that six to eight firms is a pretty good [number] of firms to work with to be able to really service them in the way that they deserve to be serviced. … Generally, I have about six to eight," Sizemore said.

Others take a more limited approach.

Victoria Olson DeLucia, director of institutional engagement at compliance consulting firm Confluence, said that Confluence has an internal policy prohibiting any outsourced CCOs from serving as the chief compliance officer for more than three firms.

"One of the points in the risk alert … that the SEC talks about is their observations of tying the effective OCCO relationships to individuals with a high level of ongoing communications, in particular, in-person communications," DeLucia said. "There's only so many hours in the day, right? It becomes difficult as an outsourced CCO, as a human being, to have that continual dialogue with multiple different firms."

What the SEC warned about

The SEC's 2015 risk alert highlighted many of the same concerns that persist today. Among them: whether outsourced CCOs have sufficient resources, whether compliance programs are tailored to each firm and whether the CCO is meaningfully engaged in the business.

Examiners found more issues at firms where outsourced CCOs were spread too thin or relied heavily on standardized templates that weren't customized to the firm's actual operations. They also noted that effective arrangements tended to involve frequent, direct communication and strong relationships between the CCO and firm leadership.

Those findings still resonate with practitioners.

Both Sizemore and DeLucia emphasized that templates are a starting point, not a finished product. Compliance programs must be tailored to each firm's business lines, risks and practices to meet regulatory expectations.

The alert also underscored a critical point that remains unchanged: Outsourcing does not shift responsibility. RIAs are still accountable for the effectiveness of their compliance programs.

Beyond enforcement: The hidden risks

One notable finding from industry data is what doesn't show up. Even among RIAs served by high-volume OCCOs, relatively few have public disclosures tied to compliance failures.

But that doesn't necessarily mean fewer problems.

DeLucia pointed to the gap between clean disclosure records and the reality of SEC exams. Firms can avoid enforcement actions yet still face deficiency letters, triggering remediation requirements, increased scrutiny and follow-up exams.

"When you receive a deficiency letter, and it identifies one to a boatload of findings, you're under the gun to correct those promptly," DeLucia said. "And the SEC also then recalibrates your risk as a firm, and they're coming back to see you sooner than they otherwise would."

Those behind-the-scenes pressures can be significant, even if they never result in public enforcement.

Why outsourced CCOs make sense

For many firms, the appeal of an outsourced CCO is straightforward: access to senior-level expertise without the cost of a full-time hire.

Sizemore said the model allows firms to tap experienced professionals while avoiding the overhead tied to in-house roles. 

DeLucia, who has worked as an outsourced CCO since 2014, agreed.

"As time has gone by, since 2004 with this compliance program rule and the need to have someone designated as CCO, firms have realized that's a whole lot of expertise that's necessary. … But they don't have the budget to pay for a full-time person," DeLucia said. "And so outsourcing becomes very appealing."

Form ADV data shows that smaller firms — those with less than $5 billion in assets under management — are more likely to use an outsourced CCO.

The model also introduces a level of independence that can be difficult to replicate internally, Sizemore said.

That outside perspective can extend beyond pure compliance. Because OCCOs often work across multiple firms, Sizemore said they can bring insights about emerging business lines, regulatory issues and operational best practices. 

"When I get to know these firms, I say, 'Oh, this other firm I work with, they are great at options, and I've got that down regulatory-wise, why don't I introduce you and you can talk, and maybe they can help answer some questions,'" she said.

An evolving model

Despite early skepticism, outsourced CCOs have become a normalized part of the RIA landscape.

DeLucia said that even large firms are maintaining or expanding outsourced relationships, often layering them alongside internal compliance staff. At the same time, regulatory signals may be softening.

A Form ADV disclosure requirement around third-party compensation for CCOs, introduced after the risk alert, is no longer publicly visible, a potential sign the SEC is less focused on the structure itself than on outcomes, DeLucia noted.

Still, the core tension remains unresolved: balancing efficiency with effectiveness.

At one end of the spectrum are high-touch models with limited firm counts and deep integration. At the other end are scaled operations where a single name may appear across dozens of filings, backed by a broader team, like that of Sadzewicz, who added that as his firm grows, he adds staff.

For advisors evaluating the model, the takeaway is less about whether to outsource and more about how.

As DeLucia put it, the key question isn't just who holds the title, but whether the compliance program is truly designed, resourced and executed to meet the firm's risks.

"In each of those relationships, you're not a part-time CCO to them, you're their full-time compliance expert," DeLucia said. "And so it's really important, when firms look at who they're engaging for an outsourced CCO, that they ask: 'What is the capacity of this individual? How many other outsourced CCO arrangements do they currently have? And what is the maximum that they could have?'"

