The Securities and Exchange Commission is ringing a warning bell about the increasing use of outsourced compliance duties by the investment management industry.

An exam risk alert, released on Monday by the Office of Compliance Inspections and Examinations, addresses the growing reliance on unaffiliated third parties, including consultants and law firms, by investment advisers and funds that outsource the role of their chief compliance officer. While outsourced CCOs are capable of performing key compliance responsibilities—updating firm policies and procedures, preparing regulatory filings, conducting annual compliance reviews—there are notable pitfalls to avoid.

As part of its Outsourced CCO Initiative, OCIE evaluated the compliance function at nearly 20 firms. Most outsourced CCOs were “generally effective in administering compliance programs.” The alert, however, is hardly a seal of approval. Significant compliance-related issues were identified at registrants with an outsourced CCO who also served that role for multiple firms or that “did not have sufficient resources to perform compliance duties.”

OCIE clarified that an effective compliance program relies upon the correct identification of a registrant’s risks in light of its business and operations, with policies and procedures designed to address those risks. Some of the examined outsourced CCOs, however, could not articulate these specific business or compliance risks. In some instances, the risks described to the staff by the registrant’s principals were different from the risks described by the outsourced CCO.

Some outsourced CCOs also used standardized checklists to gather firm information. While the use of questionnaires may be a helpful tool, some “were generic and did not appear to fully capture the business models, practices, strategies, and compliance risks that were applicable to the registrant,” OCIE says. Responses included incorrect or inconsistent information about the firms’ business practices, and outsourced CCOs “did not appear sufficiently knowledgeable about the registrant to identify or follow-up with the registrant to resolve such discrepancies.” The hazards of this approach were illustrated using a March 2015 action against investment advisor Aegis Capital, where the Division of Enforcement alleged that the conduct of its outsourced CCO contributed to the firm making false filings because he “did not personally review [the adviser’s] records” to validate the information and relied “exclusively on information provided to him by [advisory personnel].”

Several of the compliance manuals reviewed as part of the initiative were created using outsourced CCO-provided templates and were “not tailored to registrants’ businesses and practices and…contained policies and procedures that were not appropriate or applicable.” Similarly, under the watch of outsourced CCOs, adopted policies were not always applicable to the advisers’ businesses and operations. Critical control procedures were not performed, or not performed as described, by registrants, OCIE said.

Outsourced CCOs infrequently visited registrants’ offices and conducted only limited reviews of documents or training on compliance-related matters while on-site, the risk alert adds. These CCOs had limited visibility into, and authority within, the organization.

“Advisers and funds with outsourced CCOs should review their business practices in light of the risks noted in this Risk Alert,” OCIE wrote. “A CCO, either as a direct employee of a registrant or as a contractor or consultant, must be empowered with sufficient knowledge and authority to be effective. Each registrant is ultimately responsible for adopting and implementing an effective compliance program and is accountable for its own deficiencies.”