
Can ChatGPT Help Your Compliance Department? Not Yet.

Feb 28, 2023

Everyone is talking about ChatGPT and how it’s taking over the world. ChatGPT is a chatbot driven by artificial intelligence (AI) that takes large amounts of data and uses it to write human-sounding text on a wide range of topics.

It can write a poem on risk management in the style of Shakespeare or explain quantum mechanics in terms a second grader can understand. It solves math word problems and writes HTML code. It can take a paragraph and rewrite it.  

ChatGPT is already used to write job descriptions, social media copy, and student essays for school assignments. It can offer creative inspiration and explain complex topics.

But what about compliance? Can ChatGPT help your compliance department? The short answer is not yet. 

Table of contents 

Why ChatGPT is a bad fit for compliance right now  

Question #1: A ChatGPT compliance fact fail 

Question #2: ChatGPT invents an answer to a compliance question  

Question #3: ChatGPT offers a vague non-answer 

One area where ChatGPT excels

Why ChatGPT is a bad fit for compliance 

ChatGPT talks a good compliance game – so good that you might be tempted to take its word as fact. But don’t trust this latest iteration of artificial intelligence (AI) technology with your compliance questions.  

ChatGPT is programmed to write answers that are plausible, not necessarily factual. While responses sound authoritative and are grammatically correct, they aren’t guaranteed to be factual.  

Here are three compliance questions I asked ChatGPT and the misguided responses I received. 

Question #1: A ChatGPT compliance fact fail 

Q: Do credit unions have to comply with CRA?

A: Yes, credit unions are subject to the Community Reinvestment Act (CRA) if they are insured by the National Credit Union Administration (NCUA) and have more than $10 million in assets. The CRA requires insured depository institutions, including credit unions, to meet the credit needs of the communities in which they operate, including low- and moderate-income neighborhoods.

It's worth noting that not all credit unions are subject to the CRA. Credit unions that are not insured by the NCUA, such as state-chartered credit unions, are not subject to federal CRA requirements. However, state-chartered credit unions may be subject to state-level CRA requirements, which vary by state. 

This answer is just plain wrong. Credit unions don’t have to comply with federal CRA requirements. CRA only applies to banks. The only exception is credit unions operating in states with their own CRA requirements.

Strike 1. 

Question #2: ChatGPT invents an answer to a compliance question 

Q: Tell me about an enforcement action against a bank that had problems with third-party vendor management. 

A: One example of an enforcement action against a bank for problems related to third-party vendor management is the 2016 enforcement action against Wells Fargo by the Office of the Comptroller of the Currency (OCC). 

The OCC identified deficiencies in Wells Fargo's third-party vendor management program, particularly with regard to the bank's oversight of its third-party service providers. The OCC found that Wells Fargo failed to conduct adequate due diligence and ongoing monitoring of certain vendors that provided critical services to the bank, including mortgage processing and loan servicing. 

The OCC also found that Wells Fargo had insufficient controls in place to manage the risks associated with its third-party vendors. For example, the OCC found that Wells Fargo had failed to adequately assess the cybersecurity risks associated with its vendors and had not ensured that its vendors were compliant with the bank's information security standards. 

As a result of these deficiencies, the OCC issued a cease and desist order against Wells Fargo that required the bank to take a series of remedial actions to improve its vendor management program. These actions included: 

  • Conducting a comprehensive review of its third-party vendor management program and developing a plan to address deficiencies.
  • Ensuring that all vendors providing critical services to the bank were subject to a formal due diligence process and ongoing monitoring.
  • Ensuring that all vendor contracts included appropriate provisions for managing risks and protecting the bank's interests.
  • Improving controls related to vendor selection, oversight, and reporting. 

The OCC also ordered Wells Fargo to pay a $35 million penalty for its deficiencies in third-party vendor management. 

This enforcement action highlights the importance of having robust vendor management programs in place to mitigate the risks associated with outsourcing critical services to third-party vendors. Banks must ensure that they have adequate controls and oversight in place to manage these risks and remain in compliance with applicable regulations. 

Examples help when you’re trying to convince the board or management to invest more in compliance—but only when those examples are true. 

ChatGPT made up this enforcement action against Wells Fargo. But it sounds so true, right? That’s because ChatGPT took an actual $35 million 2016 OCC enforcement action against Wells Fargo and changed the circumstances to match the query.  

The real enforcement action on which ChatGPT’s answer is based had to do with employees opening fraudulent credit card accounts to meet sales incentives.  

Strike 2. 

Question #3: ChatGPT offers a vague non-answer 

Q: Our bank is considering offering a $50 gift card to potential new customers who open a new account with a minimum deposit of $200. Is this promotion permissible?  

A: Offering a $50 gift card to potential new customers who open a new account with a minimum deposit of $200 is generally permissible as long as it complies with applicable regulations and guidelines. 

That’s not a very helpful answer. ChatGPT doesn’t explain the applicable regulations and guidelines—it doesn’t even tell you what they are so you can look them up yourself. 

Strike 3. 

One area where ChatGPT excels 

Clearly ChatGPT is not about to take over compliance right now. It doesn’t have the accurate data, details, or facts-driven programming needed to provide actionable compliance information. It’s much better to stick with experts who know compliance like the ones at Ncontracts. 

As a final challenge, I asked ChatGPT to write a poem about why financial institutions should use Ncontracts’ compliance management solution. And I have to say, when it comes to cheesy poetry, ChatGPT had the edge.  


Banks and credit unions, listen close,  
Here's a story that I suppose,  
Will make your hearts all start to race,  
About compliance and keeping pace. 

Ncontracts is the tool you need,  
To keep you safe from a compliance misdeed.  
It's accurate, reliable and precise,  
A smarter tool, you won't find twice! 

A knowledge-as-a-service approach,  
Keeps you compliant, it's no reproach.  
Human experts there for you,  
Legal compliance is their virtue. 

They'll guide you through the process with care,  
And make sure that you're fully aware,  
Of any regulatory changes new,  
So you're always ahead of the crew. 

Ncontracts is the perfect choice,  
A voice of reason, a legal voice.  
So don't be tempted by ChatGPT,  
Ncontracts is the one to guarantee.


I couldn’t have said it better myself. 

Want a real compliance resource? Our Ncomply solution can help. 


