By: Amber Tatman
Sr. Director, Compliance Advisory Services
Comply
When I tell people I studied intelligence for years before becoming a compliance consultant, they’re often baffled by my interest in these seemingly disparate areas. Yet, after years in compliance, I’ve realized that the disciplines of intelligence and compliance share much of the same DNA.
Need-to-Know and Need-to-Show
The intelligence profession operates on “need-to-know” principles: restrict information to those who require it. In compliance, data protection and systems entitlements should follow the same principles. However, compliance also operates by a slightly different principle: “need-to-show.” Advisers must be able to demonstrate adherence to rules and procedures. The overarching framework is similar because, among other things, both disciplines require:
- Collecting relevant information without drowning in noise;
- Synthesizing insights from multiple sources;
- Analyzing information for patterns and gaps;
- Continuously updating assessments as conditions change; and
- Testing.
Your Cover Story
Every intelligence officer needs a cover story: a coherent, defensible narrative that holds up under scrutiny. Your compliance program is your cover story. Examiners don’t check boxes; they test whether your narrative is coherent, consistent, and supported by evidence. Many advisers describe impressive portfolio management and research capabilities, but that story doesn’t always translate cleanly into documented practice. Intelligence professionals call this “cover for status”: maintaining appearances without substance. It works until someone presses hard enough.
The Tradecraft: To maintain regulatory readiness, stress-test your “cover story.” Engage an expert to conduct a mock examination; if they can poke holes in your story, so can examiners. Prepare presentations explaining unusual or high-risk areas so you can give examiners the lens through which to view your firm. Make it easy for examiners to understand your program and believe your cover—if you don’t, they’ll have to keep digging.
Raw Data Isn’t Actionable Intelligence
Intelligence professionals know that information is not intelligence. Raw data from signals intelligence (SIGINT) intercepts or open-source (OSINT) data becomes actionable intelligence only after analysis and contextualization. Many advisers treat compliance as a collection exercise: gather enough emails, maintain enough spreadsheets, convene enough committees, and somehow compliance magically results.
The Tradecraft: During your reviews, ask yourself one of the hardest questions in intelligence work: “What can I infer from this evidence?” Does your trade blotter demonstrate that you’re getting the best execution or just that you have a trade blotter?
Know Your Adversary (Even If They’re Not Really Your Adversary)
Intelligence professionals conduct assessments to understand an adversary’s intentions. Investment advisers need to do the same with examination priorities, though calling examiners “adversaries” would be inaccurate and unwise.
The SEC publishes examination priorities annually. Imagine if hostile intelligence agencies published their upcoming collection priorities: “Hint, hint! This year, we’re REALLY interested in your nuclear research and AI technology!” Yet many advisers treat these examination priorities as nothing more than content for their annual compliance meeting slide decks.
The Tradecraft: Map your firm’s highest risk activities against current examination priorities. Where they overlap is where you should concentrate your resources.
All-Source Analysis
Intelligence professionals learned from 9/11 that silos create blind spots that can be exploited. The CIA, FBI, and NSA each had puzzle pieces, but nobody assembled the big picture. All-source analysis was not adequately conducted, with tragic results. Advisory firms make the same mistake: trading, operations, marketing, senior management, and compliance operate in silos. When examiners jump between your disclosures, trade records, policies and procedures, and marketing materials, they’re conducting all-source analysis, looking for contradictions in your program. Are your disclosures and procedures consistent and accurate? Do your employees tell consistent stories? In intelligence work, these contradictions are “anomalies.” In an exam, they’re simply called “deficiencies.”
The Tradecraft: Conduct your own all-source review. Cross-reference your disclosures, policies and procedures against actual practices and documentation. Break down internal silos. Find your own anomalies first.
Red Team Exercises
Military and intelligence organizations conduct “red team” exercises in which one group tries to defeat another group’s defenses. The point isn’t to win; it’s to find vulnerabilities before real adversaries do.
If you don’t red-team your own compliance program, you are inviting examiners to do it for you. At that point, you’re not preparing; you’re defending.
The Tradecraft: If you haven’t stress-tested your compliance program, you haven’t truly tested it at all. Intelligence agencies do this constantly because they know that untested defenses are theoretical defenses. Engage an expert consultant to conduct a mock examination to attempt to find gaps in your program; if they succeed, you’ve found your vulnerabilities while the stakes are low.
Think Like an Intelligence Professional
There are many parallels between intelligence work and compliance beyond those outlined here, especially when it comes to preparation, judgment, and credibility.
To build a better compliance program, think like an intelligence professional: more tradecraft and less checkbox thinking. Examiners already approach reviews this way. Perhaps it’s time you do, too.