In light of all of the demanding regulations that asset managers now face at a time when the nation is gripped by a financial crisis, not to mention the inevitable additional oversight that the new presidential administration will impose on the financial services industry, chief compliance officers are taking a more critical look than ever before at their resources. One of the obvious solutions to the demands they face is outsourcing, which today has become a mission-critical reality for even the biggest fund complexes.

But outsourcing compliance is complex and must be carefully managed.

Chief compliance officers and experts met last month at the headquarters of SourceMedia, publisher of Money Management Executive, for a roundtable sponsored by Citi on what functions can be outsourced, what benefits besides economies of scale can be realized, and how to effectively oversee it.

In attendance were:

Lee Barney, editor, Money Management Executive: Starting from a high-level vantage point, how do you determine which regulatory compliance areas are appropriate to outsource, including legal, traditional compliance, Sarbanes-Oxley and risk management? How do you assess your internal resources and expertise against those of outside service providers?

Frederick Schmidt: All fund families have definitely been looking at internal resources and outside service providers for economies of scale. In the face of the severe economy and budgetary constraints, firms are weighing whether they are better off outsourcing various services to improve their margins and ease their budgets.

Smaller firms may not necessarily need a full-time person to carry out, for example, a CCO or treasurer's function, whereas an outsourced service provider can readily provide this service and leverage their expertise from serving other fund companies.

John F. Robbins: Some of the decisions are based on economies of scale, while others are based on rounding out core competencies.

And then, there are the specific initiatives that CCOs may want to undertake for the year but for which they don't have the infrastructure or head count to do it internally. For example, a CCO might want to outsource a transaction monitoring function to detect market-timing. I might have 10 guys looking at a myriad of factors but need five more operational functions covered.

Fred Naddaff: I agree. As a result of poor market performance, redemptions and overall expense pressures, advisers across-the-board are under stress. Compliance teams will not be immune to that pressure, and CCOs are looking for efficiencies and expertise. These resources may be available at a third-party provider that is servicing a much larger book, and therefore can bring a lot more experience and insight to the table. That's a built-in efficiency right there.

Robbins: There's been a big shift from the theoretical to the practical, where we set big agendas based on what we want to fix, because of the regulatory climate and, now, the financial crisis. Given these tremendous mandates, being realistic about what we can actually accomplish 2Q09 or 3Q09 is hard.

We need those external service providers to help us find a pragmatic solution-to shift from a reactive compliance-monitoring environment to an actual, proactive risk mitigation environment. That is the 800-pound gorilla.

It doesn't happen by taking your existing compliance teams and trying to teach them guidance and advisory functions. It happens by identifying and moving functions into areas where they can be more process-oriented. Then you can assign your experts to monitor red flags among your various business units-to work closely with executives to educate and proactively develop their awareness, so we can hopefully mitigate problems, as opposed to react to them once they have occurred.

Scot Draeger: The Securities and Exchange Commission's view on Rule 38a-1 and outsourcing is that there is a delineation between discretionary functions and operational or substantive areas of expertise. Anything dealing with true investment discretionary areas, such as fair-value pricing of hard-to-price securities or liquidity determinations, should be left for the investment adviser or the fund's board.

Whereas, there are a host of non-discretionary operational items-transfer agent, fund accounting, fund administration-that are ripe for outsourcing to efficiently reduce your costs.

Robbins: One of the challenges compliance departments face is that outsourcing is perceived as an additional, discretionary cost separate from the compliance team. The finance team may argue, hey, wait a minute, we are already paying for that anyway. But the argument is really about enhancing the level of surveillance and process and monitoring in order to do a better job. And it's often difficult to articulate that when you are not staring down the barrel of a gun, some SEC enforcement, God forbid, or other type of remediation effort.

Victor Frye: Certainly, in today's environment, the law is changing very quickly. It's very dynamic.

When you hire someone internally, you look for a particular expertise and actually lock yourself into that expertise with a permanent employee. There is a large overhead cost associated with hiring and training that person, a benefit cost, if you will. There is even an ongoing monitoring cost to make sure that that employee is performing to internal standards.

When you outsource, you actually have a lot more flexibility in terms of selecting expertise and alternating it throughout the year. One year, you might beef up transfer agency expertise. Another year, regulation might prompt you to focus on portfolio trading systems. Or perhaps it will be intrusion detection in your IT systems to protect customer information. These things change by the minute.

Another problem that outsourcing readily solves is groupthink. Within our corporate culture, we tend to all think the same way and aren't really aware of what other members in the industry are facing. A new outsourcing expert may come in with a different perspective on how to interpret the law, or performance standards or how to gauge your vendors' effectiveness.

So there can be many, many benefits to having those regulatory resources at hand.

Naddaff: We've been in a fast-moving regulatory environment over the past three or four years, but now, even the larger players will struggle with the expected onslaught of new oversight. Everything is changing. You put the financial crisis on top of that, and you see that all the conventions have completely changed. The new dynamic is, where do you draw the line on outsourcing?

The challenge, then, is which of four different support models do you choose. One, just the data can be sent. Two, you can outsource the testing that goes against that data. Three, a third party can do some of the analytics. And, lastly, someone has to draw a conclusion on those analytics. Some clients are looking for an external perspective to help draw conclusions on the numerous streams of compliance info.

Robbins: Well, the challenge that I have had in that respect is knowing whether I can reasonably rely upon the conclusions the outsourced expert has drawn, or whether I need yet another checker? Are their conclusions valid? Are they reasonable? What is a pragmatic or practical solution?

So I'm left in the same pickle of saying, "Wait a minute, would I not be better off to outsource a very discrete service and process-related item to make sure I'm staffed with the subject matter experts so that I have that balance between industry and institutional knowledge with the process strength that I need?"

Bruce Treff: Yes, it's a balance between oversight and execution. One of your biggest challenges is to ensure you have the appropriate expertise to perform the oversight over what was outsourced.

The other big task is to effectively make the point to the businesspeople at the investment adviser/sponsor that over the last five, six years there have been a lot of additional regulatory responsibilities from a host of various regulators, whether it's advisory-related, transfer agency, accounting, administration-you name it. A lot of those responsibilities have not necessarily been the adviser's responsibility under the advisory contract, but they have decided to take on the responsibility out of their own fee revenue. So it's a direct dollar-for-dollar cost against their ultimate profitability.

Some of these responsibilities and legal requirements may be appropriate expenses for fund shareholders to bear.

Schmidt: From my experience with outsourcing operations, you need to make sure that you have the flexibility between the management company and the outsourced service provider. You want to make sure that fund management still controls the process.

You don't want to necessarily delegate all of the responsibility to the outsourced service provider and have the SEC walk in the door and be in the position of having no idea what happened.

And the other thing which is really important is, when you enter into these outsourcing contracts, you need to engage in these contracts as a partnership. The outsourced service provider needs to work hand in hand with the investment management company and the board of directors. Everyone needs to be in agreement with what their responsibilities and expectations are.

Draeger: That's absolutely true. You can never abdicate responsibility for your legal duties. From the SEC's perspective, it doesn't matter if something goes wrong at the outsourcer. You can never point to your contract with the outsourcer and say they were supposed to do that.

If you tick through a regulator's compliance list, at the very top is risk assessment. It's effective design and implementation of internal controls. It's quality control and forensic testing. It's comprehensive annual review and disclosures. There are very few touch points where discretion is required. It is the discretionary piece of this role that would be inappropriate for you guys to give up.

Robbins: And within a global context, your regulatory model may not hold because of the myriad of laws and regulations around the world. We need outsourcing service providers who have the flexibility to fine-tune our program, because my AML program in Dublin is going to look slightly different than my AML program in the U.S.

However, it would sure be handy if I could have one source to do some of that forensic testing.

Naddaff: That's the crux of the issue. It's all about data warehousing, management and reporting. We easily spend eight figures a year just updating and enhancing our technology. With all the regulatory changes, data management is going to be the biggest challenge for 2009 and beyond.

Barney: How are smaller complexes dealing with these challenges?

Frye: For those complexes that don't even know how to start a program, outsourcing can provide a template. Then you customize that and analyze if and how it's effective for whatever lines of business you might need.

Robbins: Even for larger firms like ours, a service provider can help us get our arms around detailed elements, to help us identify some of those areas where we should fine-tune, whether we have the infrastructure to do it or not. So I absolutely believe that if outsourcing compliance is managed properly, it can help a variety of different-size organizations.

Naddaff: The scale and efficiency of a service provider also allows you to react quicker. In '09, money market liquidity, counterparty risk, the valuations associated with both-all are going to be areas of focus that will require resource. We are already working on these issues, and our clients can dovetail on those efforts.

Barney: Given all of these concerns, has it become easier to get the budgetary resources that you need, or is it yet even harder, because of the economic environment that we find ourselves in, to plan ahead?

Frye: Prudent businesspeople understand that if you cut back on compliance, you will have other costs. There will be more errors. There will be customer complaints that will need to be resolved. Even if it doesn't result in regulatory fines, there is still a cost of correction, a cost of investigation. And that's why outsourcing sometimes can be good because there is a consistency of resources that's applied.

Further, what we are hearing from the SEC staff, especially from Lori Richards, director of the SEC Office of Compliance Inspections and Examinations, is that if companies cut back on their compliance staff, the SEC staff will make note of that, and it will be a factor, I'm sure, when sanctions are assessed.

Naddaff: The fact of the matter is that the bloodletting that has started to happen at the investment advisers is going to trickle down. Now, will compliance get less of a haircut? I think so, but it would be unrealistic to expect it to go unscathed.

Robbins: We are trying to play a more active role with our business constituents to make sure we are engaged with them on the budget. If we get nicked, outsourcing can help us manage those few dollars more effectively. It is an exercise of doing more with less. And even if we have less to work with, it's still our responsibility to lay out a program to meet the regulatory and public scrutiny that currently exists within the financial services industry.

Schmidt: One of the things that I have seen in these challenging times is, when there are expense pressures, going out and hiring a consultant on a continuous basis, is much more expensive than having a relationship with a reliable, experienced outsourcing provider who has a consistent level of expertise throughout and can address challenges as they come about.

Naddaff: Well, what's probably as valuable as anything else is, when you outsource a compliance function, that service provider has now assumed some of the risk, whereas a consultant typically just delivers a document and abdicates execution responsibility.

Draeger: Of the 20 or so compliance consultancy reports I have read, they tend to be very ivory-towerish, amounting, essentially, to: "If you had a zillion dollars to spend and you wish you could do nothing in your entire life besides compliance stuff, here is what we recommend."

Whereas, when you are working with your outsourcer, it's really a practical partnership. It's a combination of risk-based assessments and true exception reporting that allows professionals to see what's going wrong and when. And it's the constant hard look at the internal controls that affect key material things like financial reporting for the funds.

Robbins: I will argue that there is value to both. Often, we can use that consulting relationship to help us identify critical risk areas or a regulatory perspective that we might not have. It can help us assess how effective our current control environment is and whether we need to rely on the bench strength of an outsourcer.

Treff: How do you view outsourcing legal responsibilities, like use of an outside law firm, whether it's on retainer, a la carte projects or overall risk management?

Frye: First ask yourself why you are bringing consultants in. If you are bringing them in because you fear a regulatory investigation or you have discovered a serious problem, you might actually want to hire a law firm to supervise that work and try and maintain some attorney-client privilege as information develops. That can be an effective tool.

Where a consultant has been mandated to come in by a regulatory agency, you have a lot less discretion over the guidance you give to those people. They must exercise independent judgment, and you don't have much say in how the results of the findings are tailored when they are presented.

But when it's on your dime or through your own proactive choice and where there is no real risk of regulatory intervention, then, certainly, the consultant can be much more effective in finding out where there are gaps, and many of the consultants do have the ability to come in and provide tools to assist you in implementing their recommendations, as well.

Barney: Don't you think it's pretty tremendous that there have been no sanctions against CCOs?

Frye: SEC enforcement cases are typically directly tied to fiduciary duty: conflicts of interests, trading allocations, personal trading with the adviser, soft-dollar arrangements that don't past muster. And these are things that are traditionally still overseen by the advisers.

The areas that are ripe for outsourcing are areas where we can save a lot of costs, and they are not necessarily the most high-risk profile focuses of the Commission.

Robbins: But a small adviser may be looking for subject matter expertise or even a partner to implement a whole entire piece of the program.

Naddaff: I agree. It's all based on the expertise and resources available to the particular firm or person that's running it. I think almost everybody has a different view because of that.

We have changed our service mix greatly, and it morphs from year to year. Rule 38a-1 really made us take a leap, but if you look at what is now important to fund companies, particularly to the big players, an enhanced control environment needs to be incorporated into our core services-fund accounting, administration and transfer agency. Transparency, risk management and data reporting-all of these are now value-add differentiators.

Frye: Think of the most recent scandal with Bernie Madoff and how everything was handled internally. No one of any substantial credibility was overseeing or providing services in the administration of the asset management function that he performed. An independent service provider would not have deviated or have taken positions that would compromise their integrity in order to profit themselves.

Naddaff: Let's face it, managed funds are not where the most change will occur. The whole Madoff situation screams for Rule 38a-1-type oversight of alternatives such as hedge funds and funds-of-funds, and regulators are going to scrutinize these products.

Treff: Institutional investors thinking about investing in those types of unregistered products are going to demand transparency more and more. And certainly it is now more prominent as part of the RFP process when you have organizations like CalPERS and other pension plans investing in unregistered products.

Robbins: Victor brings up some good points about hiring that outsourcing firm to conduct some sort of independent assessment as a gut check to the internal control structure.

And the Global Investment Performance Standards or the old Association for Investment Management and Research-Performance Presentation Standards certifications where we hire a consultant to come in to do a very granular, well-organized review-that's based on a set of rules that are quite clear. There is not a lot of subjective interpretation or grey area, I would argue, within the GIPS process.

And so, I think, an institutional investor can appreciate value in the fact that you underwent a GIPS review or other certification, so they can be comfortable in measuring your performance consistent with industry standards.

But among traditional investment advisers, the products and services they offer are so varied that there isn't one set of consistent standards. Certainly, by now, we all ought to have a pretty good personal trading and compliance program in place, right? We all have relatively good AML programs. These rules are pretty clear and have been well-established.

So what's next? Where should all of my time be spent on what's next? I need those controls.

Draeger: Even among fund shops with greater than $5 billion in assets under management, even though they have controls, unforeseen problems still arise. Perhaps too many trades were sent to one broker with whom the firm has "soft-dollar" arrangements or a portfolio manager placed personal trades without getting them pre-cleared. These things still fall through the cracks.

But as long as the examiners or the Commission sees that the controls are reasonably designed and typically very effective, they are more likely to treat such events as a one-off thing that fell through the cracks.

Robbins: Endemic to an investment process that relies on people-even in the most well-established, largest compliance departments or biggest business organizations-we are always going to have those kinds of compliance breaches.

Naddaff: Take the market volatility and the whole financial crisis of 2008. None of the biggest shops could have contemplated the counterparty risk dwelling underneath it. Even when you think you are totally buttoned up and doing a good job of looking into the future, in this sort of environment, you will always find surprises.

Robbins: That's exactly my point. The new key question is, what do we need to be thinking about that we haven't before? And there has been an entire host of such issues over the last 18 months that have kept compliance guys up at 3 o'clock in the morning.

Treff: How can you leverage not only your infrastructure but your extended enterprise to better maximize expertise?

Robbins: One way is partner with business groups. For example, given today's resources, budgets and other constraints, my AML program today might need to incorporate other business elements, other business groups, as well as potentially third parties in order to do two things: One, meet the basic control structure and identify red flags. And two, get the business engaged in technical compliance thinking.

Draeger: Take a look at the failures of the credit rating agencies. We need the right tools to get to a place where we know what that next frontier is going to look like.

Naddaff: In hindsight, the credit rating agencies are a good example of where more transparency and accountability are needed. A bigger question is, what is the new regulatory landscape going to look like? There is talk of combining the SEC and CFTC or even other agencies and putting them under the Fed.

Robbins: We don't know what's going to happen and so are focused on enhancing our existing systems.

Frye: I would have to agree with John. You can't get caught up trying to second-guess the regulatory initiatives and use that as your grid. You have to really decide what your business risks are.

What I have told a lot of people right now is, it's business as "unusual," and if you think you can keep your existing systems running the same way, then you are probably missing something. The regulatory structure was designed for a different marketplace, and that's what we are seeing in Washington right now.

Barney: I would think it also means second-guessing a lot of things you take for granted. For example, Reserve Management-the fact that its Primary Fund strayed from its investment mandate of conservative, non-corporate debt, yet was so heavily invested in Lehman Brothers even after asset-backed securities became questionable is staggering.

Naddaff: From the perspective of a service provider, I can tell you that money market liquidity is going to continue to be an issue, and we are currently discussing negative yield and fair value concerns with our clients.

That's where it goes back to being able to be proactive and having scale and efficiencies. I'm not sure how many internal shops are looking at what the effect is going to be on 2a-7 right now. So there's an example where outsourcing provides a clear benefit to the advisers, the board and the shareholders.

Barney: What about the more onerous responsibilities? There are regulations that have placed tremendous responsibilities on CCOs and their staffs, even at the largest asset management firms. Among these, most notably, is Rule 22c-2.

Schmidt: Personally, I have spent more time on the implementation and oversight of Rule 22c-2 than I ever thought. The industry didn't anticipate the challenges and the coordination required among various entities in order to comply with the Rule.

Draeger: To have people at the management company and the executive officers of the company spend such an inordinate amount of time on this just doesn't make sense. Here, by the way, is a case where the cost/benefit analysis was rushed. That's where outsourcers really came through for the funds. I think it was a great example of a regulation where a lot of human resources and enhanced technologies are required, yet it's easily outsourced.

Robbins: I find myself not spending so much time on the data issues regarding new rules, like 22c-2 or proxy voting, but more around making sure the controls themselves are adequate. Is my conflict management processes for proxy voting, for example, sufficient?

It's that next step into those theoretical aspects of decision making that I spend a lot of time and that I wonder if there is a way for service providers to help us design the actual control itself. Not just implement the process.

Treff: The other thing that makes it a little bit more complex is we have all traditionally thought of the SEC as our regulator. Then you have the Department of Labor, the IRS, and now the states are certainly getting back into it. You have New Jersey, you have Connecticut, you have Massachusetts adopting or proposing to adopt privacy/identity theft type regulations. You have the Federal Trade Commission, which nobody ever thought of as a regulator to our industry, getting involved in identity theft rules.

Nobody has the total toolbox of skills and expertise that they necessarily need at any given time. Nor can they necessarily envision what's coming down the pike next.

Naddaff: The other thing, from a forensic perspective, is how do you get to all the data elements you need? As much as everybody wants to believe that this info is easily available now, it simply is not. The technology investment is a tremendous one, and that's where, again, from an outsourcing perspective, doing it once for 300 clients is a lot less expensive than doing it internally.

Treff: Even the SEC is investing in technology to monitor and identify risks. The SEC is building an analytical system called RADIUS to conduct, plan and coordinate examinations. Their expectation is that to the extent they desire data from us, we need to be able to provide ready access to it. So it's not only about the expertise you have in-house, it's very much about whether your systems are up to snuff. Can your systems actually produce data in a way that's readily usable and analyzable?

Draeger: Certainly as asset managers expand their business globally, there are an infinite amount of issues that come up, starting with trading. I have found that outsourcers are very flexible about developing the necessary new tools, particularly with the global trend.

Robbins: A lion's share of my activities are in cross-border relationships and issues, whether it be trading, taking on new clients, or marketing and sales. And what we typically find is that the geographic location in which the outsourcer is primarily headquartered is their core competency from a tool development standpoint. And that's the hard truth of it. There are tools developed in the UK that look very sophisticated and, boy, they are well designed for the UK, but they are not particularly well designed for Asia.

So I haven't always found that flexibility, and I think that there is more opportunity there to work with those outsourcers.

Draeger: It seems like everybody, service providers included, is thinking about how to assist each other and work as a team when you are dealing with cross-border transactions.

Robbins: Right. A critical competency of the program is communication with your service providers, communication internally with the business, and certainly among compliance officers to flag and then resolve issues. Because you can't know all the rules everywhere. The best we can do is know what our general controls are and then make sure that reviews of the data provide the right level of granularity so that you can get in front of some of the issues before they become real problems.

Barney: To that point, one new compliance outsourcing area is outsourcing oversight of service providers itself. Are any of you doing that to any degree, relying on an outsider for their perspective?

Schmidt: Obviously, 38a-1 allows each fund's CCO to interpret the results and the testing of other fund service provider CCOs, such as the adviser, a sub-adviser or the principal underwriter. Personally, I never took that to heart. I always felt that I had to kick the tires, quite frankly, and feel even more so today.

So one of the things that I have done among all of my service providers is further independent testing in addition to the testing that I receive from the respective CCOs at each service provider. I do thorough independent testing among our various service providers, including broker/dealers and sub-advisers.

It's important that there is a well-developed relationship, a high level of communication, a process throughout the year, quite frankly, where I'm speaking to individuals regularly at all of the service providers, in addition to the information that I'm receiving. On a periodic basis, I will do a level of independent testing to validate the results that I'm receiving and also to substantiate, in fact, what the processes are and if, in fact, the level of procedural adherence at each of the service providers or vendors for that matter comply with that of the fund procedures.

Frye: Many firms have internal audit departments, as well, that look at service providers to see if, in fact, their services are mapping back to their contractual obligations.

Again, I think it comes down to whether you have the in-house expertise or you need to outsource that function. Either way, it's an essential element of reporting.

Barney: Are there any downsides to outsourcing?

Naddaff: Five years ago, when Rule 38a-1 was adopted, there was an initial hesitation about outsourcing compliance-"the fox is in the hen house" syndrome. We have seen that disappear. At the end of the day, relying on external expertise and experience only helps investment advisers, boards and CCOs, and mitigates their risk.

Robbins: The initial relationship with outsourcing was as you described. There were no service provider oversight programs in place, and we were not sure how to implement the whole thing. I would even say that those service providers initially didn't have the same sensitivity to compliance as we might have thought they needed to. But over time, the relationship has matured, and I think there is a lot less to be concerned about.

Schmidt: Obviously, the investment adviser and the service providers each have their own risk assessment. As fund CCO, you want to make sure that at the end of the day, the service providers are effectively supporting and obviously adhering to the fund-adopted procedures.

If a service provider or an investment adviser wants to make a recommendation, it is brought to my attention so that I may review and consider prior to making any adjustments within the fund's compliance program. Having that relationship and having a partnership where everyone works together for the good of the shareholders is really important.

Frye: In a compliance organization, there is a certain amount of systematic, routine testing. The in-depth, targeted testing, and potential rehabilitation of deficiencies, depends on the findings of the more sophisticated reviews. I come into some shops that are in terrible shape, and we have to devote a lot more resources than what we had budgeted for. Other reviews, sometimes due to the service providers, go pretty quickly because they have been through this with many others before. They are ready for you. They have reports, SAS 70s, whatever, and then you test beyond those and it goes quickly.

So the time allocated depends on the complex. We all probably start our programs the same way, thinking that we will divide and conquer this amount, so much for the adviser, so much for the custodian, so much for the fund accountant. But then when we get into the detailed work, we can be pulled aside to get more in-depth. That's where the real resources are eaten up: when you have to deal with problems.

Schmidt: I agree. We all start out with a risk assessment, and based upon the level of a particular risk, that is how we go through our normal, routine testing. I may have a functional area or procedure ranked as a low risk, but if I find out that it has been somewhat problematic, I will elevate the risk and do more frequent testing within the area of the service provider than what I may have initially anticipated.

Robbins: In fact, the results from that will rescore that risk for the next period in order to elevate the risk. That's the magic. That's what turns it from a static to a dynamic process.

Treff: Rule 38a-1 contemplates that all major service providers have compliance programs in place. We are a regulated entity just like the funds or the adviser themselves. Our interests are aligned with the fund, investment adviser and the fund's board. We want to make sure that we have a robust and effective compliance program because every time the SEC comes in and does an inspection of our TA, they are looking at our entire operation, our entire compliance program. So everybody's interests should be aligned.

(c) 2009 Money Management Executive and SourceMedia, Inc. All Rights Reserved.

Subscribe Now

Access to premium content including in-depth coverage of mutual funds, hedge funds, 401(K)s, 529 plans, and more.

3-Week Free Trial

Insight and analysis into the management, marketing, operations and technology of the asset management industry.