Fund Compliance Program and CCO
Rule 38a-1 requires every registered investment company to (1) adopt written compliance policies and procedures, (2) appoint a fund Chief Compliance Officer (CCO) approved by the fund board who reports directly to the board, and (3) perform an annual review, including a written CCO report covering program operation, material compliance matters, and recommended changes. (17 CFR § 270.38a-1)
Key takeaways:
- Your compliance program must be written, fund-approved, and scoped to the fund’s actual risks and operations. (17 CFR § 270.38a-1)
- The CCO role is a board-facing control point: board-approved, board-removable, and responsible for an annual written report. (17 CFR § 270.38a-1)
- Annual reviews must be real testing and evaluation, not a calendar task; retain evidence that links findings to changes. (17 CFR § 270.38a-1)
“Fund Compliance Program and CCO” is an operational requirement, not a policy-writing exercise. Under Rule 38a-1, the fund must have written compliance policies and procedures that are designed to prevent violations of the federal securities laws, and the fund must designate a CCO who reports directly to the fund’s board. (17 CFR § 270.38a-1) The rule then forces a governance cycle: at least annually, the adequacy of the policies and procedures must be reviewed, and the CCO must provide a written annual report to the board that addresses how the program operated, identifies material compliance matters, and recommends changes. (17 CFR § 270.38a-1)
For a CCO, CCO-designate, or GRC lead supporting a fund complex, the fastest path to “operationalized” is to build a board-ready compliance architecture: a mapped policy inventory, a monitoring and testing plan tied to risk areas, a defined reporting cadence to the board, and a disciplined evidence file. If you can show how issues are detected, escalated, remediated, and reported to the board, you can usually answer the hardest exam questions without scrambling.
Regulatory text
Regulatory excerpt (operator view): Each registered investment company must adopt written compliance policies and procedures, designate a chief compliance officer who reports directly to the board, and conduct annual reviews of compliance program adequacy. (17 CFR § 270.38a-1)
What the rule requires in practice: Rule 38a-1 requires funds to adopt comprehensive written compliance policies and procedures, appoint a CCO approved by the fund board, conduct at least annual reviews of compliance adequacy, and require the CCO to provide an annual written report to the board on (a) operation of the policies and procedures, (b) material compliance matters, and (c) any recommended changes. The CCO may only be removed by board action. (17 CFR § 270.38a-1)
Plain-English interpretation
You need a fund-level compliance program that is written down, implemented in day-to-day operations, and overseen through the fund board. The board must formally approve the CCO appointment (and controls CCO removal), and the CCO must provide a written annual report that proves the program is functioning and evolving based on what you learned during the year. (17 CFR § 270.38a-1)
Who it applies to
Entities
- Registered investment companies (funds) that fall under the scope of Rule 38a-1. (17 CFR § 270.38a-1)
Operational context (where this shows up)
- Fund complexes where the fund relies on multiple third parties (adviser, administrator, distributor, custodian, transfer agent, pricing vendors, etc.). The fund’s program still must cover compliance risks introduced by third parties because those risks affect the fund’s ability to prevent violations. (17 CFR § 270.38a-1)
- Board governance environments where directors expect clear reporting, escalation criteria, and evidence that compliance is more than attestations. (17 CFR § 270.38a-1)
What you actually need to do (step-by-step)
1) Define program scope and ownership (fund-level)
- List the fund(s) in scope and identify the compliance program boundary: which policies are fund policies, which are adviser policies adopted by the fund, and which are service-provider procedures relied upon by the fund.
- Set responsibility lines: which activities are owned by the fund CCO, which are delegated to the adviser’s compliance team, and what the fund receives as reporting.
- Create a compliance program “table of contents”: a controlled index of policies and procedures the fund has adopted. This becomes your exam map and board packet backbone.
Deliverable: a controlled compliance program inventory aligned to the fund’s operations. (17 CFR § 270.38a-1)
2) Adopt written compliance policies and procedures
- Draft or refresh written policies and procedures so they match actual operating practices. If you cannot describe the workflow, you do not have a procedure.
- Bind policies to specific risk areas that matter for the fund (for example: valuation support, trading practices, disclosures, conflicts, portfolio compliance, service provider oversight). Keep the mapping in an appendix so updates do not rewrite the full manual.
- Embed escalation and exception handling: define what must be escalated to the CCO immediately, what is reported on a schedule, and what triggers board notification as a “material compliance matter.” (The rule requires the annual report to cover material compliance matters; you need criteria to identify them consistently.) (17 CFR § 270.38a-1)
- Complete formal fund adoption: document the approval path, including the board materials and board minutes/resolutions reflecting adoption.
Deliverables: fund-approved written policies and procedures, plus approval evidence. (17 CFR § 270.38a-1)
3) Designate a CCO who reports directly to the board
- Prepare the CCO designation package for the board: role description, reporting lines, independence considerations, and proposed reporting cadence.
- Document board approval of the CCO appointment and ensure the governance documents reflect that the CCO reports directly to the board and is removable only by board action. (17 CFR § 270.38a-1)
- Operationalize “direct reporting”: schedule executive sessions (as appropriate), define how the CCO can reach the chair/independent directors, and set expectations for interim escalation outside the annual report cycle.
Deliverables: board-approved CCO appointment documentation and reporting protocol. (17 CFR § 270.38a-1)
4) Build monitoring, testing, and issue management that can feed the annual review
- Create a compliance monitoring and testing plan mapped to your policy inventory. Tie each test to: objective, population, frequency (your choice), evidence, and owner.
- Establish issue intake and triage: how you log issues (complaints, breaches, exceptions, third-party incidents), how you assign severity, and who approves closure.
- Track remediation to completion: corrective action plans, target dates you set, validation testing, and closure rationale.
This is the engine that makes the annual review credible. (17 CFR § 270.38a-1)
5) Conduct the annual review of program adequacy
- Define “adequacy” criteria in your annual review workplan: coverage of key risk areas, effectiveness of controls, change management, and third-party oversight touchpoints.
- Execute the review using evidence from monitoring/testing, audits, compliance breaches, regulatory developments tracked internally, and service provider reports received by the fund.
- Produce review outputs: findings, root causes, themes, and recommended changes to policies/procedures and the testing plan. (17 CFR § 270.38a-1)
Deliverable: annual review workpapers and a management summary you can stand behind.
6) Deliver the CCO’s annual written report to the board
Your annual written report must cover:
- Operation of the policies and procedures
- Material compliance matters
- Recommended changes (17 CFR § 270.38a-1)
Practical structure that holds up in board and exam settings:
- Program overview and notable changes
- Testing performed and results (by risk area)
- Material compliance matters: what happened, impact, escalation, remediation status
- Third-party oversight summary (what you relied on, what you reviewed, exceptions)
- Recommended enhancements (policy updates, new controls, resourcing, reporting changes)
Deliverable: signed annual written report with board presentation materials and minutes showing it was provided. (17 CFR § 270.38a-1)
Required evidence and artifacts to retain
Use this as your “exam-ready binder” checklist:
Governance & board
- Board minutes/resolutions approving:
  - Adoption of fund compliance policies and procedures (17 CFR § 270.38a-1)
  - CCO designation and reporting line (17 CFR § 270.38a-1)
- CCO role description and org chart showing direct reporting to the board (17 CFR § 270.38a-1)
- Annual written report and board materials (agenda, deck, handouts) (17 CFR § 270.38a-1)
Program documentation
- Controlled policy/procedure manual (version history, approvals)
- Compliance program inventory and risk-to-policy mapping
- Monitoring/testing plan and completed test workpapers
- Issue log, breach logs, complaints log (as applicable), escalation records
- Corrective action plans and closure evidence
Third-party oversight evidence (fund-facing)
- Service provider due diligence reports received and reviewed
- Exception tracking and follow-up communications
- Any compliance certifications or reports you rely on, with your review notes
Tip for operators: retain evidence of your review, not just the third party’s report. The question will be “what did the fund/CCO do with this?” (17 CFR § 270.38a-1)
Common exam/audit questions and hangups
- “Show me where the board approved the compliance program and the CCO.” Bring minutes/resolutions and the approval package. (17 CFR § 270.38a-1)
- “How does the CCO report directly to the board in practice?” Show meeting cadence, interim escalation routes, and examples of communications. (17 CFR § 270.38a-1)
- “Walk me through your annual review methodology.” Examiners look for a workplan, evidence of execution, and linkage from findings to program changes. (17 CFR § 270.38a-1)
- “Define ‘material compliance matter’ for this fund.” If you cannot define it, you cannot consistently report it. Document criteria and show examples of how you applied them. (17 CFR § 270.38a-1)
- “How do you oversee key third parties?” Show intake of provider reporting, issue follow-up, and board reporting of meaningful exceptions as part of the program’s operation. (17 CFR § 270.38a-1)
Frequent implementation mistakes (and how to avoid them)
- Policies that do not match operations. Fix by documenting actual workflows first, then writing procedures that reflect them.
- CCO independence is asserted, not operationalized. Fix by setting clear direct-reporting mechanisms and documenting board interactions. (17 CFR § 270.38a-1)
- Annual review is a narrative without workpapers. Fix by running the annual review as a project with a workplan, testing outputs, and a findings log tied to changes. (17 CFR § 270.38a-1)
- “Material compliance matters” are decided ad hoc. Fix by defining criteria and keeping a running list during the year so the annual report is a summary, not a scavenger hunt. (17 CFR § 270.38a-1)
- Third-party oversight is outsourced entirely. Fix by documenting the fund’s review steps, questions asked, and follow-ups completed; keep those notes with the provider artifacts.
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this page, so this section is intentionally limited to what the rule requires and what exam teams commonly test against the text. Your practical risk is straightforward: if you cannot show board-approved written policies and procedures, a board-approved CCO with direct reporting, and a substantiated annual review with an annual written report, you will struggle to evidence compliance with Rule 38a-1. (17 CFR § 270.38a-1)
Practical 30/60/90-day execution plan
Use phases so you can move quickly without inventing deadlines that do not match your board calendar.
First phase: Immediate stabilization
- Confirm current-state: what policies the fund has adopted, who the named CCO is, and what board evidence exists. (17 CFR § 270.38a-1)
- Build a single compliance program inventory (policy index + owner + last approval).
- Stand up an issues log and a central evidence repository (board materials, testing evidence, third-party reports).
Second phase: Near-term build-out
- Refresh policies/procedures that are outdated or mismatched to operations; route for fund adoption where needed. (17 CFR § 270.38a-1)
- Create/refresh the monitoring and testing plan mapped to policies.
- Define “material compliance matter” criteria and escalation paths, then socialize with key stakeholders (adviser, administrator, other third parties).
Third phase: Operational maturity (run the cycle)
- Execute monitoring/testing and track exceptions through remediation.
- Prepare the annual review workplan and begin accumulating workpapers throughout the year.
- Draft the annual written report structure early, then populate it as issues and testing results occur, so board reporting is evidence-driven. (17 CFR § 270.38a-1)
Where Daydream fits: If you are coordinating multiple third parties and need a clean evidence trail for board reporting, Daydream can act as the system of record for third-party due diligence, issue tracking, and audit-ready artifacts tied back to your compliance program inventory.
Frequently Asked Questions
Does the fund need its own compliance program if the adviser already has one?
The fund must adopt written compliance policies and procedures and conduct an annual review under Rule 38a-1. (17 CFR § 270.38a-1) Many funds rely on adviser/service-provider procedures, but the fund still needs fund-level adoption, oversight, and evidence.
What does “CCO reports directly to the board” mean operationally?
The reporting line must allow the CCO to communicate with the board without management filtering and to provide the required annual written report. (17 CFR § 270.38a-1) Document the cadence, attendees, and escalation path.
What has to be in the CCO annual written report?
The rule summary requires coverage of the operation of policies and procedures, material compliance matters, and recommended changes. (17 CFR § 270.38a-1) Build the report around those headings and attach supporting exhibits from testing and issue management.
How do we define “material compliance matters”?
Rule 38a-1 requires reporting on material compliance matters, so you need written criteria the fund can apply consistently. (17 CFR § 270.38a-1) Common practice is to consider investor impact, regulatory exposure, recurrence, and control breakdown, then document your rationale case-by-case.
Can the adviser remove the fund CCO?
The rule summary states the CCO may only be removed by board action. (17 CFR § 270.38a-1) Align employment/engagement terms and governance documents to avoid conflicting authority in practice.
What evidence will an examiner ask for first?
Expect requests for board materials approving the program and CCO, the most recent annual written report, and proof the annual review was performed with supporting workpapers. (17 CFR § 270.38a-1) Keep these items in a single, controlled location.