Cipperman: I suppose the good news, if you look at the trends, is that firms are more and more acknowledging the vital importance of compliance. They’ve gone from the “necessary evil” category to more firms seeing it as either really important to attract new business, because of operational due diligence requirements, or at least as a way to protect the firm against regulatory risk. The C-suite is getting it.

I think what's more troubling though is that 25 percent to 50 percent of our respondents said they're not confident of passing a regulatory exam. They acknowledge the importance of compliance and, more importantly, are spending more money on compliance. Yet their confidence level in their programs is going down. I think that suggests that the current model of compliance is not working.

Most firms still utilize the “hire and hope” model: hire someone who has extensive regulatory or some compliance experience. Senior management generally has no idea how to assess this technical expert’s job performance. The CCO becomes the only expert in a sea of non-experts.

I think that leads to bad results and lack of confidence in the program. I think the compliance profession, though, is getting professionalized if you will. I think there are firms like mine who offer outsourced services or compliance support. I think what you're starting to see is a change. Years ago with fund administration, everyone did it in-house when they started mutual funds. Now few do it in-house. You have professional third party administrators doing that. I think the compliance business is heading in that same direction.

Hortz: In what areas do you see that independent advisors and RIAs are least prepared and most vulnerable?

Cipperman: We use a term called “compliance voodoo”. What we mean by that is the idea that firms think they have a compliance program but really don't have anywhere near an effective compliance program. You're seeing the SEC bring a lot of these cases where firms have a compliance officer and compliance manual but fail to implement effective procedures and testing to ensure regulatory compliance. 

We’re seeing a lot of cases related to programs that haven't done proper testing or adequate reviews or failures to observe information barriers. There may have been a policy or written procedures, but nobody paid much attention. The SEC's getting wise to this. In the early days of compliance, firms were getting tagged for not having any compliance program. Now they may have a program, but the SEC is evaluating that program - the program’s effectiveness and the way it is carried out.

Hortz: So what compliance priorities should firms be focusing on right now?

Cipperman: First of all you have to right size the program for your firm. How do you determine what the right size is? Our benchmarking would suggest that you should be spending a minimum of 5 percent of revenue on the compliance function. Some studies report that firms spend around 7 percent of total operating cost on compliance. As you're thinking about that, I'm not going to tell you if you're at 3.5 percent or if you are at 7 percent that you're too little or too much. It's just a benchmark.

The next step is, once you figure out your budget for compliance, you have to figure out how to spend that budget. There are three different ways to do that. You can hire fully in-house, which is still the way most firms do it. Two, you can hire a firm like ours to be an outsourced CCO to run the program. Or you can do a combination of the two. We have seen some data that roughly two-thirds of firms use an outside firm like ours to some extent, even if they have an in-house CCO. Most firms are starting to do some sort of hybrid.