Why AI Can't Write Your Compliance Program
(And What You Actually Need Instead)
I get it. You just registered your RIA. You have a thousand things competing for your attention, and compliance feels like the thing standing between you and actually serving clients. So you open ChatGPT and type “write me a compliance manual” and 30 seconds later you have 40 pages of professional-looking policies that cite the right rules and sound like a lawyer wrote them.
I’ve seen the output. It’s not bad. It hits the right buzzwords, mentions fiduciary duty in all the right places. If you’re just looking to check a box, it gets you there.
Here’s the problem: examiners don’t check boxes. They pull threads.
The minimum standard read closely enough
The SEC’s Compliance Rule (Rule 206(4)-7, which requires every registered adviser to adopt written policies and procedures) doesn’t just say “have policies.” The adopting release is specific: your policies and procedures must be designed to prevent violations from occurring, detect violations that have occurred, and correct them promptly.

That’s a three-part test. Prevent, detect, correct. When you measure AI-generated compliance output against that standard, it falls short on at least two of the three. It can write a policy that sounds preventive. But it rarely addresses how you’d actually catch a problem, and almost never addresses what happens when something goes wrong.
Your examiner is going to test all three layers. Not just “do you have a policy?” but “show me how you’d catch a problem” and “show me what you did the last time something went wrong.”
What AI gets wrong about your specific firm
I’ve reviewed compliance programs from advisers who used AI to draft their policies. The output looks professional, cites the right rules, and reads like a compliance consultant wrote it. But the same patterns keep showing up.
The AI doesn’t know your firm. It doesn’t ask whether you’re registering with the SEC or your state, so it defaults to the most common answer, which for a small startup is usually the wrong one. I’ve seen AI-generated compliance programs reference federal examination procedures for firms that would never see a federal examiner because they’re under the $100M threshold and state-registered. I’ve seen them include entire sections on regulatory obligations that don’t apply to most small advisory firms under current rules. An examiner reading those sections wouldn’t think “this firm is thorough.” They’d think “this firm doesn’t understand its own regulatory obligations.”
Policies are not procedures
I tested this myself. I asked ChatGPT to write a best execution policy for an advisory firm. What I got back was a few sentences that stated the obligation in broad terms. It read well. It sounded like compliance.
But if I handed it to someone and said “go implement this,” they wouldn’t know where to start. There were no specifics about what to review, how often, what data to look at, or how to document the results. It was a statement of intent, not an operational guide.
That’s the gap. AI can tell you what you’re supposed to do. It can’t tell you how to actually do it in a way that holds up when an examiner asks you to walk them through your process. And when the examiner finishes reading your policy, the next question is always “show me the last time you did this.”
This isn’t a knock on AI. I use it every day in my own work. But there’s a difference between using AI as a starting point and treating AI output as your compliance program.
Too much detail can hurt you too
Here’s the part that might surprise you: even if AI wrote a detailed procedure, that could actually hurt you.
If your policy commits to a specific frequency, sample size, or named report, and you fall short even once, that’s a deficiency. Not because what you did was unreasonable. Because what you did didn’t match what you wrote. Your own manual became the standard they held you to.
AI will happily write you the most thorough, granular compliance manual imaginable. Every procedure locked to a frequency, a sample size, a specific report name. It looks impressive on paper. And every line of specificity is a promise you’re making to your regulator that you now have to keep.
Knowing where to be specific and where to build in flexibility is the kind of judgment that comes from sitting across from an examiner, not from generating text.
Why this matters more than you think
Most compliance deficiencies don’t come from firms trying to cut corners or deceive anyone. They come from well-intentioned people who built a program that looked right on paper but didn’t hold up under scrutiny because nobody pressure-tested it.
And I understand the instinct to minimize the compliance spend early on. Every dollar going to compliance is a dollar not going to growth. But you’re managing people’s life savings. Their retirement. Their kids’ college funds. The money they can’t afford to lose. In that context, “I didn’t know” is not a defense that regulators accept, and it’s not a defense your clients deserve.
The SEC’s FY2026 exam priorities explicitly name newly registered advisers as a priority for examination. They’re not waiting for you to figure it out. They’re coming to see if you already have.
Build it right the first time
I’m building the RIA Starter Kit because I’ve seen what happens when firms rely on AI output or free templates as their compliance program. Every template is built by a practitioner with IACCP and CIPM credentials who reviews compliance programs for a living and knows where the gaps are because he’s seen examiners find them.
If you want early access, drop your email below.