Whether you have an established business, are starting your firm or just need an outside perspective to see what’s working in your Compliance program and what isn’t, outsourcing the Chief Compliance Officer role is an important decision.  Look at your team and determine if they have the experience, knowledge, drive and leadership qualities to be an effective CCO. If not, you need to decide whether to recruit a CCO, grow an employee into an effective CCO, or outsource.

In today’s episode of Oyster Stew, our seasoned outsourced CCOs walk you through some key things to consider:

  • Firm structcure
  • Risks of CEO as CCO
  • Common mistakes by new Chief Compliance Officers
  • Advantages of outsourced CCOs for new firms
  • Regulatory scrutiny and expectations
  • Effective resource management

Explore Your Options: Outsourced CCO

Outsourced CCO professionals provide the unique benefit of getting a multi-disciplined professional without having to interview, negotiate, hire, onboard and maintain another employee. Oyster Consulting provides an outsourced professional who is right-sized for your organization – no more having to wonder if your candidates are qualified to meet the daily challenges of regulatory compliance for your firm. At Oyster, our outsourced CCOs provide superior capabilities for RIA and Broker-Dealer compliance backed by an entire company of industry professionals.


Transcript provided by TEMI

Libby Hall:  Hi, and welcome to the Oyster Stew Podcast. I’m Libby Hall, Director of Communications for Oyster Consulting. Whether you have an established business, are starting your firm, or just need an outside perspective to see what’s working in your compliance program and what isn’t, deciding whether or not to outsource your Chief Compliance Officer role is an important decision to make. In today’s episode of Oyster Stew, our seasoned outsource CCOs walk you through things to consider – from the expertise and expanded resources an outsource CCO brings to common mistakes and experience CCOs make, and concerns firms may have around outsourcing such an important role. Let’s get started.

Bob Mooney:  Hello, my name’s Bob Mooney. I’m the General Counsel for Oyster Consulting.  With me today, we have Sarah Sutton and Kandy Palugi, two of our compliance experts from our Governance, Risk and Compliance practice. Topic for today’s podcast is the outsourced chief compliance officer function. We serve as outsource CCOs for many firms. Sarah, in your experience, what are the factors that firms should consider when deciding to outsource this function?

Sarah Sutton:  Hi, Bob. Some of the factors that a firm should consider when looking to outsource the CCO role, there can be many, but probably top of mind issues are, does it make sense? And so when you’re looking at that, it’s different for every firm. I don’t think there’s a perfect formula that you can plug in. It’s more of what makes sense for the particular firm at the time that they’re considering this option. So one of the things they can look at is with their current staff – with the CEO or the other additional staff that they have, that they could allocate the CCO role to, or have them assist with is how comfortable do they feel in the role? Do they have the experience, the expertise?

Have they done it before? Have they worked in a compliance role or been in a compliance department or been in the financial industry?  It’s really about feeling comfortable is half the battle. So by having current staff that have the experience or have experience in a compliance role, that’ll help you and the leadership of the firm feel more comfortable with having them carry the title as CCO. So one of the things also to consider is if you’re looking through all the tasks that a CCO would need to do on a monthly, quarterly, annual, and even a daily basis, it’s what things are you looking to outsource? Do you need compliance support? Do you really fully need that CCO title to be held outside of the firm? So one of the things that I recommend is just looking at your compliance calendar, if you have one, and just  putting the checkbox next to the things that you would like someone else to do.

Or maybe you don’t have someone with the type of experience at the firm and you are looking for some additional help after you go through your list. Comprehensive as it may be, if a large majority, say 70, 80% of those items have a check mark next to it, you probably want to look at outsourcing that CCO  role, maybe just for the interim.  The nice thing is with Oyster, we’re going to customize the relationship with the firm. And again, it’s not kind of an out-of-the-box program, it’s really kind of meeting the client where they have the need that we can help fill with the outsource CCO role.

Bob Mooney:  We serve as outsource CCO to a number of firms. Is there a certain size of firm where this makes more sense? And does the type of business a firm is engaged in matter?

Sarah Sutton:  Yeah, I think it does.  It’s all based on the type of firm. I think size definitely is a consideration when you have a larger firm that has a larger number of advisors. A lot of the time it makes more sense to have the CCO role as an internal position. And when we describe the size, it could be the number of advisors, because a lot of the time that’s going to generate more activity. Other things you need to take into consideration are the complexity of the firm’s practice for the advisors that are there. What type of products are you offering? Do you have a specialty that you have to have additional supervision or level of expertise that’s needed. But definitely the number of advisors and the complexity of the firm should be taken into consideration. And I do know that cost is a lot of the time a factor that firms look at when they’re looking at outsourcing the CCO versus having someone internally.

So that’s definitely something that’s top of mind for everyone. But one of the considerations that every firm should look at is take cost out of the picture for just a second. I know sometimes that’s hard to do, but really look at, do you have the expertise at the staff, and do you feel comfortable with having someone internal for that role?  If you’re not a larger firm with a large number of advisors yet, does it make more sense to have it outsourced where you have an experienced individual that can hold title as CCO and can help train and grow with you as you need it? Uh, and really just help guide you through the compliance area of the business until it’s time to reevaluate and see if it’s time to change the structure and have someone hired internally?

Bob Mooney:  Yeah, I think we’ve all seen situations where the cost of not having the right experience in the CCO role is proven to be more costly than what that resource would’ve been from an expense perspective. You know, we see from time-to-time firms where the CEO is also playing the role of the chief compliance officer.  Candy, what are some of the risks you see associated with that?

Candy Palugi:  Thanks, Bob.  As Sarah said earlier, a lot of times the main risk is just not having the experience on the compliance side. So often we find that the small firms start up just by an advisor going out on their own, maybe just a one man shop or a few together setting up a firm. So compliance isn’t their strength to begin with.  They’re more sales revenue driven, growing their business, although yes, they can be compliant. They’ve had others to guide them in their compliance. So I think that’s probably the main factor is just not having the experience in compliance and understanding all the different aspects and what it takes really to set up a good compliance program. The other thing is having the time to devote, to stay abreast to current regulations, the current regulatory environment, new initiatives, new rules, watching out for new guidance published by regulators.

And oftentimes they may get wrapped up in running the firm from the sales perspective, from recruiting and all of those areas to where there’s no time left to really focus on what’s happening regulatory-wise. So they can get in trouble with a lot of that, if they’re not on top of a new rule or if something’s changed and they haven’t addressed it. And sometimes, they may not find out until they get an exam and a regulator points it out. We often find that advisors don’t know that they aren’t in compliance on certain things. Like they may not realize if it’s an RIA firm that they need to do an annual review and actually put that to paper, things like that. So a lot of times we find that the CEO, if you’re being the CEO and the CCO , you may be spread too thin, I think ultimately, is the result of that. As well as not having the experience.

Bob Mooney:  Sarah, we see firms, whether it’s due to attrition or a new firm being launched, having a brand-new compliance officer in this seat. What are some of the mistakes that you see new compliance officers making?

Sarah Sutton:  So I would echo what Candy said, comments about just a lack of experience for someone who’s in this Chief Compliance role. It can very easily become overwhelming with the day-to-day changes to rules, interpretations.  On the IA side, it’s more principle-based versus broker dealer is more rule-based and a lot of the time there’s a lot of interpretation without having that experience and know how.  It just ratchets up the overwhelming feeling of, am I doing the right thing? Another common mistake, or really not even a mistake, is just not knowing or being aware of the resources that you can utilize for some of the new regulatory requirements. Some firms may not realize that FINRA and SEC have samples of compliance calendars that they can use. So they may be trying to create their own from scratch, and it’s like, oh my God.

It just gets overwhelming with the number of things that have to be done on a daily, weekly, monthly, quarterly, and annual basis.  They may not be aware of the common compliance mistakes to avoid. And these could be things that we on the call think that are common. But to someone who’s new to the role may not have experienced and just don’t know that is going to create an issue down the road. Another, common mistake that we see with folks that are new to the compliance officer role is when regulators notify you that they’re about to begin an audit and you’re going through that process, navigating through the requests, making sure that you get everything on time, making sure you review everything before you send it to them to make sure it’s accurate and complete. So it doesn’t lead the regulator to go down any rabbit holes later on is very important. And I think that by having someone that’s gone through that process and understands what the regulator needs, interprets what is happening through the process, is also critical because I think it can help diffuse some situations without giving the regulator something else that they want to go look at after they finish with the current topic they’re auditing.

Bob Mooney:  The considerations for outsourcing the CCO role may be different for an existing firm versus a firm that’s just starting out. What would you say are some of the advantages of an outsourced CCO in place as you launch your firm, Candy?

Candy Palugi:  As you’re launching a firm, that’s an excellent time to have an outsourced CCO.  Consulting firms like Oyster can provide a valuable experience and resources to help a new firm put together an effective compliance program, including putting together a compliance manual, the proper disclosures that are required, privacy policies, and business continuity plans. If you’re starting a new firm, sometimes you don’t know what comes next. So you need experts to guide you and tell you what you need, so you don’t miss any of those critical parts of setting your firm up correctly. Oyster also has a team of professionals to support the effort. So if we come across something that the one CCO in particular who’s hired for that firm hasn’t had experience with, we have a team behind us to help us out, give us information, as well as partners that we can recommend if we think the firm needs them.

It also provides a period of time for the owners and the advisors to learn the compliance aspect and what the regulators expect of the firm. They will participate hand in hand with the outsource CCO setting up and following through a compliance calendar for the first months or years, which will build their experience. And they’ll have someone there to clarify each requirement if necessary.  What is required for their firm, what’s relevant, what’s not relevant. I think altogether really just giving them that support system and having someone to make sure they get started on the right foot is the biggest benefit from having an outsource CCO when you’re launching.

Bob Mooney:  Here at Oyster, we help a number of firms start out with their FINRA membership. In your experience, does FINRA expect anything additional from a new firm or are new firms under any additional scrutiny?

Candy Palugi:  I think yes, they are under additional scrutiny and in fact, I know there’s a SEC initiative going on right now where within the first 12 months they will do an exam on a new RIA for instance, just to come in and see, do you have your ADV 1 A set up properly? Do you have your disclosures complete? Have you covered everything that needs to be covered? As well as, how is the CCO connecting with the firm? How are you staying connected? What kind of feedback are you receiving? And how much do both the CCO and the advisors understand what’s going on at the firm? So, I think sometimes they may scrutinize an outsourced CCO role more than maybe an in-house, but I think that would really depend on the situation. As we said earlier, if you have a CEO trying to be the CCO, as well as other roles that may be scrutinized more heavily, then the firm saying, hey, we need help stepping out and hiring an outsourced CCO to get them along their way. So I think, as you mentioned, I think having our membership team, I find it valuable that they’re able to set up a new firm that I’m going to be working with, they make sure all the filings are handled properly and get us rolling on the right track for them to move forward and set up the compliance program.

Bob Mooney:  Sarah, if I’m a business owner considering outsourcing the CCO position, I’m thinking, what are the risks? What am I losing control of by outsourcing this position? How would regulators view the outsource CCO role? What are your thoughts?

Sarah Sutton:  So I think that’s a very good question, and I think the misconception is that if I outsource the CCO role that I don’t have the risk. And to be honest, the risk is still there. You’re usually just decreasing the level of risk by having somebody who has experience as a CCO.  But ultimately the risk is still going to be there. And what I would say to the control aspect of it is you really, by using an outsourced CCO, you shouldn’t be losing any kind of control. If anything, I would think you would be gaining control because you have a level of comfort that you have an expert who you’re working with to handle the compliance side of the business so that you as the CEO or the business owner can focus on building the client base focusing on growth and expansion and forward thinking.  Not is my compliance menu up to date and, have I done all these tasks that I need to do.  We all know that the more things you have on your list, the more distracted you can be. So it helps the business owner stay focused. I think looking at the outsourced CCO relationship, it should really be looked at more as a partnership gained to help create that culture of compliance for the firm. And by having that outsourced CCO, they should be working with the business owner, the CEO and team to know what’s going on at the firm. There should be an open and transparent relationship. There should be regular meetings, if anything, an outsourced CCO should have an open and transparent relationship with the business owner of the firm the entire time that the relationship is there. The CCO is there to help initiate a lot of the FINRA compliance filings, regulatory filings that need to be done. But they should always be done with the knowledge of the business owner or the CEO. Nothing is really done without their review and approval. So it’s not like the CCO is acting in a bubble. It should be a relationship where they’re both working together.

Bob, to your question about how do the regulators view the outsource CCO role.  It comes down to the fact, did the firm, or did the business owner, do their due diligence, and document the reasoning behind hiring an outsource CCO.  The firm that they choose and the individual that they have as their CCO should have a level of experience and knowhow that is adding value to the firm. And the regulators are going to look at what the firm did to make sure that was the right fit at the time. As with any vendor, a firm should always be looking for negative news, background security, comfort level experience, and that has to be documented and reviewed on a regular basis. The one thing that I do want to emphasize is that the regulators will look at whether or not someone is just holding the title to hold the title.

So when you look at the amount of work that goes into having a firm, whether it’s a large firm or a small firm, and the level of complexity and the amount of time and effort it takes to keep a strong compliance program in place, the regulators are going to look at the relationship between an outsourced CCO and the firm. They’re going to look at how much time the outsourced CCO is truly allocating to the specific firm. And not that there’s a magic number out there because I don’t think there is, but I think they’re going to look at, is the outsource CCO giving enough time to the specific firm to get everything done? So I think that’s something that needs to be considered when a business owner is looking at the cost. I know we say, don’t let the cost come into play, but it does.

Bob Mooney:  So Sarah, what I’m hearing from you is there’s really no additional risk that a business owner would have, whether it’s an employee CCO or an outsource.  They’re responsible for the firm’s culture of compliance. They have the same risk that they would have with an internal resource, and the regulators have the same expectations whether the position is outsourced or in house.

Sarah Sutton:  Yeah, Bob, I agree with everything that you just said. I think the level of engagement has to be there. So you can’t have a CCO that operates in a bubble and doesn’t really know what’s going on and doesn’t interact with the business owner and the staff of the firm. It’s got to be a symbiotic relationship where everybody’s working together, everybody’s updating each other on specific things that are happening at any given time and they have to trust each other.

Bob Mooney:  Yeah, I think mentioning the notion of interaction is key.  Candy, whether outsourced or internal effective communication, as we’ve just discussed, is a critical component of being a successful CCO. How do you ensure there is effective communication between the outsource CCO and the firm?

Candy Palugi:  Yes, as Sarah and as you’ve just said, the level of engagement is so important and that’s whether there’s an in-house CCO or an outsource CCO.  But as outsource CCOs, we know that we have to be effective. We have to immerse ourselves basically into the firm and into the firm’s daily activities. We basically become part of the firm and maintain ongoing communication as if we were an employee of the firm. We get involved in investment committee meetings, ops meetings, risk meetings, you know, anywhere that the CCO may be pulled into in a firm. In the position we’re in, we make ourselves available to firms at whatever level they need for their business.  If they have risk meetings and that’s where they want their CCO to participate, that’s what we will do.

We schedule standing calls with the firms to give everyone an opportunity to review current matters. And the frequency of those calls depends on the size and the needs of the firm. It could be weekly call, it could be multiple times a week, it could be daily or it could be biweekly. It really depends on the firm, the nature of their business, what their compliance calendar looks like, what kind of things we are looking over. However, even when we are not in communication as a CCO, we are still participating in firm activities with things like email reviews, trade reviews, or all those things that CCOs are responsible for, that we would be doing. Also, the other thing that’s important is to just make sure the firm knows that we are available for them to reach out anytime a matter arises.  We encourage that if there’s ever a question or something comes up that they think may be an issue.  Or if they just aren’t sure what to do, we encourage them to call us.

We would rather discuss it with them, take a few minutes to talk it through and make sure that everything’s done correctly. The firm stays on track compliance wise, and we offer any assistance that we can. And we also, as outsource CCOs, will have set up a compliance calendar and we’ll follow that calendar.  But when we do that, we’ll do that with the assistance of the firm’s employees. So we would look ahead on our calls with the client we will look ahead to what’s coming in the coming weeks or month and what we will be working on.  So they can always follow and know what we’re working on, what we will be working on, and where we may be spending our time.

Bob Mooney:  I think one of the things clients may worry about is what happens if one of our consultants is the CCO for too many firms. There you all mean you maintain your ability to focus on the firms that you’re holding the title for. How do you manage capacity for the CCO engagements?

Sarah Sutton:   Another great question, Bob. So as outsource CCO, there will always be an agreement in place between the firm and with Oyster. And in that agreement there is a kind of a predetermined amount of time that’s allocated each month or each quarter for the consultant to devote to that specific firm or that specific client. And it’s how we as consultants are able to kind of manage our time as we have this much time allotted to the firm for the week or for the month. It helps us create our own schedule to make sure that we’re getting everything done that’s needed for the specific firm.

One of the things that Oyster does is that management monitors our capacity, I would say on a daily, weekly, monthly basis. Depending on the different needs of the clients that we’re currently working with, they look at the capacity, they look at our experience, good fit with the client. If a client has something come up that is going to require additional time, the great thing is we have a pool of other consultants that we can utilize for the client.  So we have an outsourced CCO engagement that’s 20 hours a month and the new firm have their first SEC audit.  More than likely we’re going to want to be on site as much as we can, or we’re going to be a little more engaged with the gathering of the documentation review.

So that’s going to take additional time. And the nice thing is that we can pull from this pool of consultants that we have, depending on their capacity and bring them in and help get everything done and reviewed. That needs to be done in a timely manner based on the time period that we have. Oyster also has Oyster Solutions software, which is our compliance program software.  A lot of us use it, and it’s our compliance calendar, so it helps keep us on task.  It’s very transparent. Everything that I am assigned or that I’m working on can be seen by the CEO or business owner or the executive of the firm. There is no question as to when things are done. It’s all documented and is available in the software.

And the same thing is true for the clients that don’t use Oyster Solutions. We have a compliance calendar that we share with the clients.  There should be no question as to what is being done on a regular basis. And it’s actually a good idea or a best practice to share the calendar on a regular basis with the clients. So if you have a monthly compliance call with the owner or the CEO, it’s always a great opportunity to go through those things and make sure everybody’s on the same page, and they know what things are coming, what things have been completed, any findings, any things that have bubbled up that need to be addressed.  It just helps keep everybody organized there.

Bob Mooney:  Firms often find they have a gap in the CCO role, whether it’s through attrition, the expansion of their business model or otherwise. How can we as a consulting firm, help navigate these waters?

Sarah Sutton:  It really depends on the firm’s circumstances.  Unfortunately we have times where you’ll have a key member of the firm that passes away unexpectedly. So there wasn’t time to prepare for that exit of that key employee.  When you have a specific situation by looking at outsourcing the CCO role, for the short term or the interim, I think it’s a responsible path to take versus not having anyone in the role.  And the reason is, it’s not just to say someone is CCO, it’s really to put somebody in that can assess the situation pretty quickly and say, okay, these are the things that need to be done now. These are the things that need to be finished up, wrapped up. This is what we have coming on. And I think a lot of the time too with a business owner, the business owner wears all the hats.

So if anything comes up that needs to be done, everyone’s going to look to the business owner to do it. And depending on the firm and the overall environment, sometimes that’s overwhelming and you just need someone with expertise to come in and handle that specific situation or help with that situation when needed. There’s also the option of having assistance with just the everyday compliance tasks like email review, trade review, personal trading review, marketing review, those types of things to really assist firms at all different levels.  We have CCO support where we have a new CCO that’s coming on board, and they just want to run stuff past us.  Such as, this is a situation, this is what I wanna do. Is this the right path?  Or is there a better opportunity or is there a more efficient way of doing something? Or it could be someone that has experience and maybe they need to become more equipped with a newer way of doing things with technology or, just bringing the firm into the year 2023. So the one thing that we really focus on is meeting our clients where they have specific needs. So, it doesn’t really matter where the need is, it’s identifying it and then coming up with a solution and assisting the firms with what their compliance needs are at the time. It’s not really an out-of-the-box solution, it’s a customizable approach, but we can help customize it quickly so that our clients don’t really miss a beat, can continue on running their firms.

Bob Mooney:  Candy, we’ve talked a lot about the outsource CCO function on this podcast. Before we wrap up, are there any situations where a compliance consultant can help a firm?

Candy Palugi:  Absolutely.  There are many places where a compliance consultant may be beneficial to any firm of any size, like Sarah just mentioned.  Sometimes they just want support, like a compliance support, which is when something comes up.  They have their calendar in place or they know exactly what they need to do. But when it comes up, currently we’re in ADV filing season for RIAs, and they may just have questions, what’s changed is this disclosure proper, things like that. So that’s one area where they can be very beneficial. But also membership, we mentioned that earlier. I think that’s where consultants can provide a huge benefit.  Handling a new member application is so much more efficient and timelier, if someone with experience in that process is managing it, they learn a lot with each one that they do.

So that’s very beneficial to the next one.   Consultants can also be helpful with routine testing, like annual AML reviews, 3120, 3130 reviews, RIA annual reviews.  Sometimes firms just don’t have the bandwidth to manage those, and consulting can help with that. Just seeking perspective on how other firms are approaching a new rule or a new problem, say with Reg BI, things like that.  We have the luxury as being a team of consultants to learn what’s happening in the industry, what are we seeing as a common finding with regulators or things like that. So we can offer solutions if a new rule comes up or there are rule changes or if the firm just has a specific issue that they would like some assistance with. Sometimes also, firms will use consultants to just validate that something is working that they’ve put in place, or it isn’t working.

They may want us to review a specific process or provide advice and guidance on that one process as to how they can better it or do we think it’s sufficient, and often we see that when firms maybe have a new CCO or a new CEO in place, they often want to just know how are things going. It’s on my watch now. So they will hire a consultant, hire Oyster to come in and do some reviews, do a thorough review, even if it’s outside of a cycle for an annual review, maybe do an annual review, look and let them know what are the areas that I have some issues in, where do I need to focus my energy on first? What’s most critical? What’s the highest risk to our firm?  So I think all of those are just a few of the areas where consulting can help.  Consulting can also help if firms are just looking at making a change, a big change. Like if they’re looking at changing clearing firms or an operational process, a major operational process, and they just need someone to help them analyze it and lay out the pros and cons and make a good informed decision. I think consulting can be very beneficial in that aspect too.

Bob Mooney:  Candy, Sarah, thank you so much. I’ve enjoyed learning about what’s involved in the outsource CCO role. And for our listeners, if you would like to learn more about how Oyster can help you with your compliance needs, please visit us @oysterllc.com.

Libby Hall:

Thanks everyone for listening. If you’d like to learn more about our experts and how oyster can help your firm, visit our website@oysterllc.com. And if you like what you heard today, follow us on whatever platform you listen to and give us a review.  Reviews make it easier for people to find us. Have a great day.

About The Podcast Speakers
Photo of Sarah Sutton

Sarah Sutton

Sarah Sutton has over 20 years of experience in the financial services industry on both the revenue and compliance sides of the business. Her expertise includes compliance supervision, leading firm and regulatory examinations, regional and retail branch management, brokerage and clearing operations, developing and implementing advisor best practices along with technology training, financial planning delivery and implementation, advisor and firm transition management to new firms and channels, and project management for advisor and client solutions.

Photo of Candy Palugi

Candy Palugi

Candy Palugi is a Financial Services professional with over 20 years of industry experience. Candy has extensive expertise in broker-dealer and RIA regulation, including FINRA, SEC, MSRB, DOL and state agencies. Her expertise also includes firm merger/acquisition process management and controls testing. Prior to working with Oyster, Candy served in various Compliance roles for B. Riley Wealth Management, a dually registered broker-dealer and investment advisory firm. Candy also served as Assistant Vice President, Product Manager and as Registered Options & Securities Futures Principal for Morgan Keegan & Co.

Photo of Bob Mooney

Bob Mooney

Bob Mooney serves as General Counsel for Oyster Consulting, bringing deep compliance and risk leadership experience. Bob’s executive roles managing risk and controls for Wells Fargo Advisors’ Wealth and Investment Management businesses, in addition to his roles of Chief Compliance Officer and Chief Administration Officer, provide him with a perspective that expands Oyster’s ability to view issues through many vantage points.

View Our Team