How to Best Work with Compliance Consultants


The following is an edited transcript of a recent NSCP-hosted webinar on how to best work with compliance consultants. Meghan Flanagan, deputy executive director for the National Society of Compliance Professionals, introduced the discussion. Participants were Carlos Guillen, CEO, BasisCode Compliance, who served as moderator; Janaya Moscony, president, SEC3; James Spinelli, COO, Great Valley Advisor Group; Jon Wowak, COO, Cipperman Compliance Services; and Jason Ewasko, CCO, Cipperman Compliance Services.


Carlos Guillen: Today, we will be addressing with our panelists the following topics: why, how, and when is a good time to hire a third-party consultant, what to look for when finding the right consultant, what to expect related to cost, implementation, and timing, and leveraging consultants to evaluate other third-party relationships such as technology and other vendors. Janaya, when should a firm consider hiring a third-party compliance consultant?

Janaya Moscony: The right time to consider hiring a consulting firm is when you are starting a new firm and registering for the first time. Many people are unfamiliar with what’s expected – especially from the SEC. During the preparation for registration, firms can gain an understanding of what they can manage in-house versus what they may need a consultant to help them with.

Firms often seek out a consultant when an internal CCO is leaving or there’s some sort of transition internally. Here, a consultant is helpful in making sure you’re getting all the information necessary from the departing employee and there’s a smooth transition and excellent document retention. Compliance experts know what to request from that departing employee and sometimes it’s helpful to have a third party helping you through that transition.

Then there is the dual-hat situation which we find with a lot of partnerships and where consultants can help firms with ongoing compliance. Firms often find that using a consultant is cost-effective because they can have a firm officer internally maintaining the title and liability, but a consultant can do much of the heavy lifting. It helps with the independence perception since the CCO may be off and doing other activities with the firm, so it may create a conflict there.

Working with consultants who are ex-regulators or who have significant experience dealing with regulators can also be helpful in providing insight into FINRA and SEC expectations regarding disclosures, your policies and procedures, and your compliance testing.

Carlos Guillen: James, from the client perspective, can you talk about your experience on when to hire a third-party consultant?

James Spinelli: While our firm was already offering compliance as part of our value-add to advisors and our clients, and we actually felt comfortable with the solution that we were providing as a firm, we addressed this question after we experienced our first SEC exam and audit. We regrouped at the stakeholder level and said, “Do we have to add another layer to the program?”

We considered what teams are available out there, someone who specializes in compliance that could better help us prepare the compliance arm or the individuals that reside within that compliance arm of the firm. Then there are the situations when you add another element into the firm such as an in-house money manager program, which we rolled out a couple years ago and started managing models. That requires a different layer of compliance.

Lastly, using a consultant is really an independent validation of what you’re currently doing, so we’re able to validate the strengths and weaknesses of the compliance program. It is what we didn’t know that was pretty much the most concerning.

Carlos Guillen: Jon, what types of work can a consultant do?

Jon Wowak: There’s a lot that a consultant can do depending on the type of relationship and the priority of the client’s needs. There’s the fully outsourced CCO where the consulting firm would take on all compliance responsibilities and take a proactive approach to running the program. They may or may not have in-house compliance people working with them, but they’re really in charge of the entire compliance program.

You can also build a support model to an in-house CCO or possibly a dual-hat person that will supplement the work of the compliance staff. If there’s certain areas of need in the compliance department, the consultant can step in and do that work as instructed. It could also be project-based work, so as projects arise such as trade testing, mock audits and independent verifications.

Another area that consultant firms can be relied upon is short-term support during a CCO transition including medical leave, termination or separation. They can also do training and regulation adoption. Consultants can also administer compliance technology platforms such as BasisCode and others that are out there.

One of the latest areas of interest is cybersecurity. Compliance staff doesn’t have the expertise to deal with the information technology side of their business and something that consultants are doing now is partnering or gaining that experience to bring the cybersecurity program from the SEC and FINRA’s perspective in through compliance consulting.

Carlos Guillen: James, what should a firm like yours consider when hiring a consultant?

James Spinelli: The first and main thing is the reputation of the compliance firm and its principals. We did a lot of due diligence before we selected a consultant including looking at specialized teams which could help us out from our viewpoint.

The experience factor is extremely important as well. Our advisors and our clients trust us as fiduciaries. They want us to provide them with the most up-to-date industry information and be able to also handle unique situations.

Carlos Guillen: Janaya, can you please add to what the firm should consider when hiring a compliance consultant?

Janaya Moscony: The best consultants can do two things at the highest level. First, they can find the answers quickly.

Secondly, they’re reliable and diligent. Beyond these two fundamental qualities, there are so many other nuances that firms think are important and so consulting firms need to be flexible and offer customized service to their clients that meets their needs and specific requests.

In terms of due diligence, you should include asking questions related to the assigned consultant and checking references. While the firm’s reputation is important, you also want to really dig into who you’re going to be working with.

Consulting firms vary and so you need to make sure you are hiring a firm that meets your needs. Do you need a broker-dealer expert? Then, you want to be looking for a firm that has extensive broker-dealer experience. Do you need someone to assist you with registering an investment adviser? You want to be asking questions like “How many registrations has the consultant done? Is the new firm registering related to a multi-national firm and is it in need of participating affiliate letters?” In either case, you would want to have a consultant familiar with these matters.

Carlos Guillen: Jason, can you talk about how firms go about finding a suitable consultant?

Jason Ewasko: Centers of influence such as industry attorneys and service providers like administrators and custodians are key information and referral sources for consultants. As far as the due diligence process is concerned, a buyer looking for a compliance consultant wants to make sure there’s a fit. Without that, no matter how good the compliance knowledge may be, the relationship may not be great just because there’s not a good personality or style fit.

Carlos Guillen: James, what was your experience with finding a suitable compliance consultant?

James Spinelli: There are a lot of out-of-the-box or cookie-cutter solutions available out there that need to be sorted out. After you go through the introductory phone calls, you ask the right questions, you understand who you’re going to be working with, do they have the ability to understand what your firm is going to do and how to handle the agreements and filings as well as provide regulatory oversight. You then realize that while these out-of-the-box solutions may be well-priced, they’re pretty much glorified Excel spreadsheets without having somebody dedicated to your firm or it’s more of an 800 number.

Once you start adding different elements to your business such as financial planning, money management and perhaps fee-based 401Ks, those resources become limited and then you end up just having to reinvent the wheel and starting over.

Carlos Guillen: Janaya, can you discuss some of the doubts and concerns that firms have when hiring a consultant?

Janaya Moscony: Let’s start with the inquiry of whether relying on a third party might not be an accepted practice by a regulatory agency. The SEC will focus on whether you have a competent person at the helm and that the compliance program is being addressed. The SEC will also want to confirm that the tone at the top is accountability. If these essential elements are intact, using an external compliance person is completely acceptable.

Carlos Guillen: And the client’s perspective, James?

James Spinelli: As Janaya said, a lot depends on the knowledge of those you are going to work with, the industry that you’re in specifically and what you’re trying to focus on. For instance, at Great Valley Advisor Group, we work with institutional clients and one of their main areas of interest is the RFP process. In that process, we frequently get questions on how does compliance work. They scrutinize the agreements and they ask, “We do see that you have a CCO and you do have in-house compliance analysts, but you’re also utilizing a firm on the outside. What is that relationship like and do they really understand what you’re doing?”

We explain to these clients how our consultant firm integrates with Great Valley with a level of additional oversight. We point out that not only are they going to get what we see, but they are also going to get access to what the consultant sees.

Carlos Guillen: Janaya, can you please discuss how to get the most value out of the services and expertise that consultants provide?

Janaya Moscony: First, you want to understand the contract and the deliverables. What is the scope of agreed services? I think sometimes there can be confusion because there’s so many different offerings out there. You also want to look at your risk and, obviously, focus reviews to address the highest risk areas or areas maybe that you just don’t have the expertise to address in-house. This requires a good understanding of what your employees’ strengths and weaknesses are, where your consultant’s strengths are and just understanding when to even call counsel versus calling a consultant.

Carlos Guillen: James, from your experience how does a firm maximize the contribution received from consultants?

James Spinelli: Set expectations early and often. Listen and understand what exactly you’re getting yourself into and explain it to your team. From the beginning you want to communicate on issues with the consulting firm early and often. This is extremely important because the more you hide information, the worse it will be in the long run. Trying to hide an audit or something that happened in the past because you’re afraid that it will be highly scrutinized, at the end of the day, it’s usually not a good business decision.

Also, develop an integrated compliance calendar. If you already have one, edit and update it and stick to it. Work with the team to utilize whatever calendar they may have and go over new ideas or track ongoing daily, weekly, quarterly and annual tasks for the team – and see where those gaps are.

Carlos Guillen: James, can you speak to the value a consultant can bring to the firm?

James Spinelli: Having a regulatory exam pedigree is obviously very important. Are they familiar with key areas and what recent exams have occurred and what they focused on? Can they bring these elements to the table and understand who is going to be best prepared to answer those questions? Probably one of the biggest value-adds is just being aware of industry trends and what other firms are experiencing.

Carlos Guillen: Janaya, can you comment on the different types of engagements that firms can have with consultants?

Janaya Moscony: There’s varying degrees of support that firms provide to clients but many of the packages or service lines look similar across firms. One area of service that the SEC has focused attention on is related to outsourced CCOs. If we have a consultant that’s acting as an outsourced CCO for a low risk, plain-vanilla firm, then we may allow them to take on a few more CCO roles.

The next level short of taking on the CCO title involves managing the compliance program, but not holding the title. This happens with firms where the person who was the CCO holds another title as well, like CFO, and they needed support for the compliance function. Several firms hire consultants to provide varying degrees of support where they may direct the program internally and have us or another firm supplement their programs with various tasks.

Carlos Guillen: Jon, can you talk a little bit about the differences between a fully outsourced consultant relationship and a consultant support engagement?

Jon Wowak: Between the fully outsourced model and a support model, the obvious difference is the level of proactiveness. With a fully outsourced model, there’s a lot more skin in the game and liability over each aspect of the compliance program. The shift of liability from management and some of the compliance staff to an outside consultant is attractive to some of the firms that are not comfortable given their knowledge of compliance, the regulations and interacting with the regulators.

I think the most important thing when considering the differences between an outsourced and support model is you must make sure all of the stakeholders in your business plan are aligned. Then, ask how will you integrate and how will your compliance program be initialized, monitored and maintained?

After that, ask the consultant or the firm, from the fully outsourced perspective, how many times are you going to visit my office so that you can understand our business? How are we going to interact – through email, calls or video conferencing? Making sure that those interactions from the fully outsourced perspective truly outweigh the support model.

Carlos Guillen: Jason, can you discuss how consultants can assist firms in evaluating compliance technology and other vendor relationships?

Jason Ewasko: Whether it’s technology providers or any other providers for that matter, prior experience is sort of the most basic way to find ones that you like and that you can put in front of a client. As a consultant dealing with a varied client base, we’ve had exposure to a wide number of relevant vendors including a variety of tech vendors that would be suitable for the equally wide variety of firms that we deal with.

That’s based on several considerations including the headcount of the client or the AUM. It could be they’re tech-savvy and importantly it’s often budget size. Speaking of budget size, it’s a good segue into cost comparisons. It’s not too difficult to find a group of vendors that are similar in terms of what they provide in terms of service offerings but it often comes down to cost.

Sometimes the trick can be what does the cost really look like. For instance, there may be a set monthly fee or a set annual fee for those services, but there could be unadvertised startup costs at times or additional costs for add-on services as the relationship progresses. Having had some experience with that, we can push clients in the right direction to be on the lookout for those things and be able to make a smart decision.

It’s also important to align the needs of the firm with the technology that’s out there. A consultant can help effectively evaluate legitimate tech needs as opposed to getting the biggest list of technology services that sounds great on paper, but really may not be that relevant to what the firm needs.

We’ve seen some firms that are really interested in getting the “best technology” that’s out there regardless of cost. More often, firms are looking for what it takes to get compliant in an affordable way and where they can feel they’re set up well for an examination.

One of the largest barriers in assessing new technology is dealing with existing legacy systems. We’ve found that these systems need to be massaged to work with an enhanced compliance program, or new technology needs to be introduced into the mix. At times, the answer is to get rid of the old system, but we’ve seen situations where clients are really married to it for one reason or another and we work with them to make it all fit together in a way that is workable going forward.

The point about customization not being repeatable is important. We try to find systems and solutions that are repeatable without being purely off the shelf. Ideally, it’s a standard solution that allows for some level of customization to make it work for the client, but also make it work for subsequent clients.

In terms of skill sets, most compliance consultants really don’t have the technical expertise to provide a 100% solid evaluation of a tech services vendor. We educate ourselves as much as possible about the firms we’re looking at to at least be in position to say, “Okay, these three or four are what you’re probably looking for within your price range, they offer the services,” and then it’s just a matter of finding a good fit.

Carlos, I guess it’s fair to throw it to you to see if you have any insights on what that process has been like.

Carlos Guillen: As a vendor who’s continuously being monitored by hundreds of firms globally – each with different requirements based upon their jurisdictions or their client types versus our RAs, BDs, banks whether they’re local or international – your comment that effectively managing a technology product requires a different skill set is valid. The product must continue to evolve to meet the new business requirements and provide continuous improvement while minimizing security risks.

One of the many value-added benefits that consultants provide to their clients is an external expert point of view. They ask the right questions on behalf of their clients to technology vendors. They have their ear to the ground as requirements change, new regulations emerge and as new risks appear. In our case, when consultants ask questions, we listen and adapt our platform.

Earlier, we discussed some of the doubts and concerns about bringing on or starting a consulting relationship. But what happens when you no longer require these services, Janaya?

Janaya Moscony: For consultants, this is part of the deal. You want to have a long-term relationship, obviously, with loyal clients. However, many firms also come and go for one reason or another. Maintaining a professional approach is vital to a consulting firm’s long-term success. It’s not just the firm that wants a peaceful transition for so many reasons, but the consultants prefer this too.

When this happens in any sort of situation, we generally try to make the transition easy for clients, so they know where their information is and how to access it. We meet with the new compliance person that’s taking over the program and we just try to make it a professional-type of relationship.

That way, the firm can change consultants without having to change the technology piece which affords peace of mind.

This article was originally posted in the NSCP Currents June 2019.