DEV Community

ClawGear

35 ChatGPT Prompts for Compliance Officers (Claude, ChatGPT & DeepSeek)

It's the second week of Q2. Your external auditor's fieldwork starts in 18 days. The SEC released updated guidance on insider trading policies last Tuesday that requires a policy revision before year-end. Your annual compliance training program is due for a full refresh, the board wants a quarterly risk report by the 15th, and you just received a whistleblower complaint that needs a documented response plan before 5 PM.

The compliance function is, fundamentally, a writing function. Every regulatory requirement produces a written artifact: policies, procedures, risk assessments, audit reports, training materials, investigation records, board presentations, and regulatory correspondence. The analysis is yours. The documentation consumes the hours.

The Society of Corporate Compliance and Ethics (SCCE) 2024 Compliance Salary Survey found that compliance officers report spending an average of 41% of their workweek on documentation tasks: policy maintenance, audit preparation documentation, regulatory filings, training content, and reporting. For compliance officers at financial services and healthcare organizations with complex regulatory environments (FINRA, SEC, OCC, CMS, OIG), that number exceeds 50%.

These 35 prompts cover seven compliance documentation workflows: policy drafting and maintenance, audit preparation and documentation, risk assessment, regulatory reporting and correspondence, compliance training materials, incident and investigation documentation, and board and executive reporting. They work with Claude, ChatGPT, and DeepSeek.

Critical note: Compliance documentation must be reviewed by a qualified compliance professional and, where legally required, by legal counsel before implementation, distribution, or regulatory submission. Regulatory requirements vary significantly by industry, jurisdiction, and applicable agency. AI-generated drafts are starting frameworks — they do not substitute for professional judgment, legal review, or subject-matter expertise specific to your regulatory environment.


Why Compliance Officers Write More Than They Should Have To

Three structural pressures drive the compliance documentation burden.

First, the regulatory environment never stops generating new documentation requirements. In a single year, a financial services compliance officer may need to respond to SEC no-action letters, FINRA regulatory notices, OCC guidance updates, and state-level money transmission rule changes — each requiring policy review, possible revision, and documented evidence of the review process. The documentation of the compliance review is itself a compliance requirement.

Second, audit cycles create concentrated documentation demands that cannot be smoothed across the year. External auditors arrive with a prepared request list. Internal audit functions require evidence packages. Regulators conducting examinations expect organized documentation of controls. Compliance officers who have been executing their programs well throughout the year still face the challenge of translating 12 months of activity into coherent, examiner-ready documentation in a compressed timeline.

Third, the board reporting function is both critical and underserved. Boards have a fiduciary duty to oversee the compliance function, but most board members are not compliance professionals. Translating a year's worth of regulatory activity, risk identification, control deficiencies, and program metrics into a 10-slide board presentation that drives informed governance decisions — without losing material substance — is a genuinely difficult communications challenge that compliance officers do repeatedly with limited support.

These 35 prompts handle the structural documentation layer. Your regulatory expertise and professional judgment remain essential.


Category 1: Policy Drafting and Maintenance


Prompt 1 — New Compliance Policy

Write a compliance policy.

Policy name: [SPECIFIC — e.g., "Insider Trading and Information Barriers Policy", "Anti-Money Laundering Policy", "Code of Conduct", "Conflicts of Interest Policy", "Data Privacy Policy"]
Organization type: [INDUSTRY + SIZE — e.g., "250-employee financial services broker-dealer"]
Applicable regulations: [SPECIFIC — e.g., "SEC Rule 10b-5, FINRA Rule 3110, applicable state securities laws"]
Key requirements this policy must address: [LIST — e.g., "Pre-clearance of personal securities transactions, blackout periods, information barrier procedures, reporting obligations"]
Enforcement mechanism: [HOW VIOLATIONS ARE HANDLED — e.g., "Disciplinary action up to termination; mandatory reporting to Legal/Compliance"]
Policy owner: [ROLE — e.g., "Chief Compliance Officer"]
Review cycle: [ANNUAL / EVENT-TRIGGERED]

Policy format with sections: Purpose, Scope, Definitions, Policy Requirements (numbered), Responsibilities by Role, Reporting Obligations, Exceptions Process, Consequences of Non-Compliance, Review and Update Schedule. Plain professional language. Unambiguous — every requirement should be actionable. 500-600 words.

Prompt 2 — Policy Gap Analysis

Write a policy gap analysis.

Policy being reviewed: [CURRENT POLICY TITLE + DATE]
Regulatory update or trigger: [SPECIFIC — e.g., "SEC Regulation Best Interest updated guidance, March 2026" OR "Internal audit finding re: vendor management controls" OR "New business line requiring coverage"]
Current policy coverage: [WHAT THE CURRENT POLICY ADDRESSES]
Gaps identified: [SPECIFIC — what the current policy does not cover adequately]
Risk associated with each gap: [REGULATORY RISK / OPERATIONAL RISK — qualitative]
Recommended revisions: [SPECIFIC — additions, deletions, or modifications by section]
Priority: [IMMEDIATE / NEXT POLICY REVIEW CYCLE — with rationale]

Policy gap analysis format. Organized as a table with: Gap Description, Current Policy Language, Required Change, Regulatory Basis, Risk Level, Priority. Followed by narrative summary. 300-400 words + table.

Prompt 3 — Policy Communication to Employees

Write an employee communication announcing a policy update.

Policy updated: [POLICY NAME]
What changed: [SPECIFIC — key differences from prior version]
Why it changed: [PLAIN LANGUAGE — regulatory requirement, internal finding, best practice update]
What employees need to do: [SPECIFIC — read the policy, complete training, certify, change behavior]
Deadline: [SPECIFIC DATE]
Where to find the policy: [PLACEHOLDER]
Who to contact with questions: [ROLE — Compliance Officer, HR, Legal]

Employee communication email. Plain language — no regulatory jargon. Short paragraphs. Lead with what changed and what employees need to do. Under 300 words. Professional but accessible tone — employees should understand what's required of them without needing a follow-up email.

Prompt 4 — Policy Review Log Entry

Write a policy review log entry.

Policy: [POLICY NAME + VERSION + DATE]
Review type: [ANNUAL SCHEDULED REVIEW / TRIGGERED REVIEW — if triggered, specify trigger]
Reviewer(s): [ROLE(S) — e.g., "Chief Compliance Officer, General Counsel"]
Review date: [DATE]
Regulatory developments reviewed: [LIST — rules, guidance, no-action letters, examination findings in this period]
Changes identified: [YES/NO — if yes, describe briefly]
Changes made: [SPECIFIC — or "No changes required; policy remains adequate"]
Approval: [WHO APPROVED AND DATE]
Next review scheduled: [DATE]

Policy review log entry format. This document is evidence of your compliance program's policy maintenance process — it will be reviewed by auditors and examiners. Factual, specific, and complete. 150-200 words.

Category 2: Audit Preparation and Documentation


Prompt 5 — Audit Preparation Checklist

Write an audit preparation checklist.

Audit type: [EXTERNAL AUDIT / INTERNAL AUDIT / REGULATORY EXAMINATION / SOC 2 / ISO 27001 / HIPAA]
Auditing entity: [AUDIT FIRM NAME OR REGULATORY AGENCY — type only]
Audit scope: [AREAS BEING REVIEWED — e.g., "Anti-money laundering controls, customer due diligence, SAR filing process"]
Fieldwork dates: [DATE RANGE]
Lead point of contact from your team: [ROLE]
Prior audit findings: [LIST — outstanding findings from last cycle that auditors will follow up on]

Audit preparation checklist. Organized by work stream: (1) Documentation gathering, (2) Evidence compilation, (3) Staff preparation, (4) Systems access for auditors, (5) Prior findings remediation status, (6) Logistics. For each item: what's needed, who owns it, due date, status. Format as a table. 400-500 word introduction + table.

Prompt 6 — Control Testing Documentation

Write a control testing documentation record.

Control being tested: [SPECIFIC — e.g., "Quarterly review of high-risk customer accounts", "Annual AML training completion rate", "Segregation of duties controls in payment processing"]
Control frequency: [DAILY / WEEKLY / MONTHLY / QUARTERLY / ANNUAL]
Testing period: [DATE RANGE]
Sample selected: [HOW — e.g., "Random sample of 25 accounts from 847 in high-risk category"]
Testing methodology: [WHAT YOU DID TO TEST — e.g., "Reviewed account review records for completeness, timeliness, and approval sign-off"]
Results: [QUANTIFIED — e.g., "23/25 accounts reviewed within required timeframe with complete documentation; 2 exceptions identified"]
Exceptions: [DESCRIBE EACH — root cause and remediation taken]
Overall control assessment: [EFFECTIVE / PARTIALLY EFFECTIVE / INEFFECTIVE — with basis]
Tester: [ROLE]
Date: [DATE]

Control test documentation record. Auditor-facing — this is evidence. Complete, factual, and traceable. 300-400 words.

Prompt 7 — Remediation Tracking Report

Write a remediation tracking report for audit findings.

Audit source: [WHICH AUDIT/EXAMINATION — e.g., "2025 Annual Internal Audit of AML Program"]
Findings requiring remediation: [FOR EACH FINDING]:
  - Finding: [DESCRIPTION + SEVERITY — Critical/High/Medium/Low]
  - Remediation required: [SPECIFIC — what needs to change]
  - Owner: [ROLE]
  - Target completion date: [DATE]
  - Current status: [NOT STARTED / IN PROGRESS / COMPLETE — with brief update]
  - Evidence of completion (for completed items): [DOCUMENT/RECORD TYPE]
Outstanding findings: [COUNT + OLDEST OPEN DATE]
Overdue findings: [COUNT + ESCALATION PLAN]

Remediation tracking report format. Table for findings status. Executive summary paragraph at top. Progress metrics (% complete, on-track vs. overdue). 300-400 word introduction + tracking table.

Category 3: Risk Assessment Documentation


Prompt 8 — Enterprise Compliance Risk Assessment

Write an enterprise compliance risk assessment.

Organization type: [INDUSTRY + SIZE]
Regulatory environment: [KEY APPLICABLE REGULATIONS — e.g., "FINRA, SEC, state insurance regulators"]
Risk categories to assess: [REGULATORY / OPERATIONAL / CONDUCT / THIRD-PARTY / DATA PRIVACY / ANTI-CORRUPTION — select applicable]
Assessment methodology: [INHERENT RISK × CONTROL EFFECTIVENESS = RESIDUAL RISK — standard or describe yours]
Risk factors to evaluate for each area: [e.g., "Business activity volume, product complexity, customer population characteristics, employee turnover, control maturity"]

Risk assessment format. For each risk category: (1) Inherent risk rating (High/Medium/Low) with rationale, (2) Key controls in place, (3) Control effectiveness assessment, (4) Residual risk rating, (5) Recommended risk mitigation actions. Summary heat map description. 600-800 words.

Prompt 9 — Third-Party Risk Assessment

Write a third-party compliance risk assessment.

Vendor/third party: [TYPE — e.g., "Cloud-based customer data processor", "Outsourced AML transaction monitoring vendor", "Introducing broker relationship"]
Services provided: [SPECIFIC — what they do and what data/access they have]
Applicable regulatory requirements: [e.g., "OCC guidance on third-party risk management; GDPR Article 28 processor obligations; FINRA Rule 3110 supervision of OSJs"]
Due diligence completed: [LIST — e.g., "SOC 2 Type II report reviewed, financial stability check, compliance questionnaire completed, site visit"]
Risk identified: [SPECIFIC — gaps in their controls, concentration risk, regulatory status issues]
Residual risk rating: [HIGH / MEDIUM / LOW]
Ongoing monitoring plan: [FREQUENCY AND METHOD — e.g., "Annual SOC 2 review, quarterly compliance attestation, incident notification requirement in contract"]

Third-party risk assessment format. Evidence-based. Specific findings. Monitoring plan with owner and frequency. 400-500 words. This document supports vendor approval and ongoing oversight.

Category 4: Regulatory Reporting and Correspondence


Prompt 10 — Regulatory Examination Response Letter

Write a regulatory examination response letter.

Regulator: [AGENCY — e.g., "FINRA", "OCC", "CFPB", "SEC", "State Insurance Department"]
Examination request or finding: [SPECIFIC — what the examiner asked for or found]
Your response: [SPECIFIC — factual response to each item, additional context, corrective actions taken or planned]
Documentation being provided: [LIST — what you're submitting with the letter]
Timeline for any outstanding items: [SPECIFIC — if some items require additional time]

Regulatory correspondence format. Professional, factual, cooperative tone. Address each examination item in the same order as the examiner's request. Be specific about documentation provided. If providing a corrective action plan, be specific about timelines and owners. 400-500 words. This letter becomes part of your examination file.

Prompt 11 — Suspicious Activity Report (SAR) Narrative

Write a SAR narrative for a suspicious activity filing.

IMPORTANT: Use placeholder descriptions only — no real names, account numbers, dates, or identifying information in this AI prompt.

Activity type: [CATEGORY — e.g., "Structuring", "Wire fraud indicators", "Third-party money laundering indicators", "Cyber-enabled fraud"]
Suspicious conduct described: [FACTUAL BEHAVIORAL DESCRIPTION — what pattern of activity was observed, in plain language]
Amount involved: [$AMOUNT RANGE — no specific figures in AI prompt]
Detection method: [e.g., "System alert on transaction pattern", "Relationship manager escalation", "AML system alert"]
Prior suspicious activity: [YES/NO — reference prior SARs if applicable in general terms]

SAR narrative format following FinCEN guidance: (1) Who is involved, (2) What happened, (3) When and where, (4) Why it's suspicious, (5) How the activity was conducted. Under 500 words. Plain language. Factual — no speculation. Third person. Do not include legal conclusions. Note: actual SAR filing requires all required FinCEN fields and review by a BSA Officer.

Prompt 12 — Annual Compliance Report to Board/Audit Committee

Write an annual compliance report to the board.

Organization type: [INDUSTRY + SIZE]
Reporting period: [YEAR]
Compliance program components: [LIST — e.g., "Policies and procedures, training, testing and monitoring, investigations, regulatory affairs, third-party oversight"]
Key metrics for the year:
  - Regulatory examinations: [NUMBER + OUTCOMES]
  - Internal audit findings: [NUMBER + SEVERITY BREAKDOWN]
  - Employee training completion rate: [%]
  - Regulatory changes addressed: [NUMBER + KEY ITEMS]
  - Incidents or investigations: [NUMBER — no details for board report, just high-level]
  - Third-party reviews completed: [NUMBER]
Significant compliance activities: [3-5 MAJOR PROGRAM ACTIVITIES — e.g., "Implemented new AML system", "Completed regulatory examination with no findings", "Launched revised Code of Conduct"]
Risk areas: [TOP 3 EMERGING COMPLIANCE RISKS + MITIGATION STEPS]
Resource adequacy assessment: [HONEST — is the program adequately resourced?]
Priorities for next year: [3-5 SPECIFIC]

Annual compliance report for board/audit committee. Executive-level audience — no technical regulatory jargon without explanation. Lead with program effectiveness, not activity volume. Board members need to discharge their governance obligations; give them the information to do that. 600-700 words.

Category 5: Compliance Training Materials


Prompt 13 — Annual Compliance Training Module Script

Write a compliance training module script.

Topic: [SPECIFIC — e.g., "Conflicts of Interest", "Anti-Bribery and Corruption (FCPA/UK Bribery Act)", "Insider Trading Prevention", "Data Privacy Under GDPR"]
Audience: [ALL EMPLOYEES / SPECIFIC ROLE — e.g., "Sales and business development staff", "Finance team"]
Regulatory basis: [WHY THIS IS REQUIRED — regulation or internal policy requirement]
Key messages (3-5): [WHAT EMPLOYEES MUST KNOW AND DO]
Scenario to include: [REALISTIC EXAMPLE FROM YOUR INDUSTRY — describe the situation]
Duration: [TARGET — e.g., "15-minute self-paced module"]
Assessment: [YES — include 3-4 knowledge check questions at the end]

Training module script. Engaging voice, not lecture format. Open with a scenario that creates relevance before explaining rules. Explain the "why" behind each requirement — employees comply better when they understand the rationale. Avoid regulatory citation dumps. End with clear behavioral guidance: "If you encounter X, do Y." Include knowledge check questions with correct answers indicated. 600-700 words.

Prompt 14 — Manager Training: Compliance Escalation

Write a training guide for managers on compliance escalation.

Organization type: [INDUSTRY]
Escalation scenarios relevant to managers: [SPECIFIC — e.g., "Employee raises a concern about a colleague's expense reporting", "Customer complaint alleges mis-selling", "Direct report discloses conflicts of interest situation", "Manager discovers policy violation in their team"]
Escalation path: [WHO TO CONTACT — HR, Legal, Compliance, Ethics hotline — your organization's actual structure]
Non-retaliation policy: [BRIEF — what protections exist for reporters]
Documentation required when escalating: [WHAT MANAGERS SHOULD CAPTURE]
Common mistakes managers make: [SPECIFIC — e.g., "Trying to handle it themselves", "Delaying escalation", "Failing to document", "Discouraging the reporter"]

Manager training guide format. Practical and scenario-based. Decision tree for common situations. What to do and what NOT to do for each scenario type. Under 600 words. Managers should be able to identify when to escalate and how to do it confidently.

Category 6: Incident and Investigation Documentation


Prompt 15 — Compliance Incident Investigation Plan

Write a compliance incident investigation plan.

Incident type: [SPECIFIC — e.g., "Whistleblower complaint alleging expense reimbursement fraud", "Customer complaint alleging disclosure violations", "Potential FCPA violation in overseas business unit"]
Date complaint/incident received: [DATE]
Preliminary facts known: [BRIEF — what you know at the outset]
Investigation scope: [WHAT WILL BE REVIEWED — documents, systems, interviews]
Investigation team: [ROLES — compliance, legal, HR, external counsel if appropriate]
Timeline: [PLANNED COMPLETION DATE + KEY MILESTONES]
Confidentiality approach: [HOW INFORMATION WILL BE CONTROLLED]
Regulatory notification assessment: [IS NOTIFICATION REQUIRED — which regulator, timeline]
Interim measures: [ANY PROTECTIVE STEPS DURING INVESTIGATION — e.g., "IT data preservation hold, temporary reassignment of involved employee"]

Investigation plan format. This document starts the investigative record. Specific about scope and methodology. Include a privilege assessment note (whether attorney-client privilege should be asserted). 300-400 words. Reviewed by Legal before finalizing.

Prompt 16 — Compliance Investigation Summary Report

Write a compliance investigation summary report.

Investigation trigger: [BRIEF — what initiated the investigation]
Investigation period: [DATE RANGE]
Scope: [WHAT WAS REVIEWED]
Methodology: [DOCUMENT REVIEW + INTERVIEWS — general description]
Key findings: [SPECIFIC — what was found; what was not found]
Violations identified: [SPECIFIC — policy, regulatory, or legal violations, if any]
Root cause: [WHY IT HAPPENED — process failure, policy gap, individual misconduct, insufficient oversight]
Remediation recommended: [SPECIFIC — corrective actions, process changes, disciplinary actions if applicable, training required]
Regulatory notification required: [YES/NO + BASIS — consult Legal]
Document retention: [THIS REPORT AND SUPPORTING MATERIALS ARE TO BE RETAINED UNDER [POLICY/RETENTION SCHEDULE]]

Investigation summary report format. Factual and objective. Written as a standalone document — a reader with no prior knowledge should understand what happened, why it matters, and what should happen next. 500-600 words. Reviewed by Legal before finalizing and before any regulatory notification is made.

Category 7: Board and Executive Reporting


Prompt 17 — Quarterly Compliance Dashboard Summary

Write a quarterly compliance dashboard narrative summary.

Quarter: [Q1/Q2/Q3/Q4 + YEAR]
Key metrics this quarter:
  - Open regulatory matters: [NUMBER + BRIEF DESCRIPTIONS]
  - Training completion: [% CURRENT + TREND]
  - Policy updates completed: [NUMBER + KEY ONES]
  - Monitoring and testing: [CONTROLS TESTED + PASS RATE]
  - Third-party reviews: [NUMBER COMPLETED]
  - Incidents/investigations: [NUMBER — high level only]
Significant developments: [REGULATORY CHANGES, EXAMINATION ACTIVITY, PROGRAM MILESTONES]
Emerging risks: [2-3 ITEMS REQUIRING BOARD AWARENESS]
Actions requested from board: [SPECIFIC — if any, e.g., "Approve budget for new AML system", "Confirm risk appetite on [TOPIC]"]

Quarterly dashboard summary. For audit committee or full board. 2-3 paragraphs. Lead with overall program status (green/yellow/red). Highlight what changed from last quarter. Board members should understand compliance posture and what decisions, if any, they need to make. Under 350 words.

Start With These Three

  • Prompt 1 — New compliance policy. The building block of every compliance program. Use this template when regulatory guidance changes or a new business activity requires policy coverage — generate the structure in 10 minutes and invest your time in the substance and the legal review.
  • Prompt 6 — Control testing documentation. Auditors request this evidence constantly. Use this template to document every control test as you run it — building your evidence package throughout the year rather than reconstructing it under examination pressure.
  • Prompt 12 — Annual compliance report to board. The highest-visibility document the compliance function produces. Use this template to lead with program effectiveness and risk posture rather than activity lists, and give your board the governance information they need to discharge their fiduciary duties.

Get the Complete Compliance Officer AI Toolkit

These 35 prompts cover the core compliance documentation workflows. The complete Compliance Officer AI Toolkit includes 80+ prompts covering FCPA and UK Bribery Act program documentation, HIPAA compliance documentation, financial services regulatory correspondence, data privacy impact assessments, compliance program maturity assessments, and M&A compliance due diligence checklists.

👉 Get the Compliance Officer AI Toolkit — Use LAUNCH30 for 30% off — limited uses remaining.


Works with Claude, ChatGPT, and DeepSeek. Copy-paste ready. No AI expertise required.
