RAG Systems Skills for Compliance Officers in Investment Banking: What to Learn in 2026

By Cyprian Aarons. Updated 2026-04-21

AI is changing compliance in investment banking in a very specific way: it is turning the job from mostly review and escalation into a mix of policy interpretation, evidence retrieval, and model oversight. The firms that are moving fastest are using RAG systems to answer questions like “show me every trade surveillance alert tied to this desk and the supporting policy language” without forcing a human to search five systems manually.

For a compliance officer, that means the relevant skill set is no longer just regulatory knowledge. You need enough technical fluency to evaluate RAG outputs, challenge bad retrieval, and explain why a system is or isn’t fit for use in a controlled environment.

The 5 Skills That Matter Most

  1. Regulatory document structuring

    RAG systems only work well if the source material is clean enough to retrieve from. For compliance, that means knowing how to break policies, procedures, surveillance standards, SAR narratives, KYC rules, and internal controls into chunks that preserve meaning and citation quality.

    In practice, you should understand how to structure documents so answers can be traced back to exact paragraphs, version dates, and ownership. If you can’t control source quality, you can’t trust the model’s response in front of auditors or regulators.

  2. Prompting for controlled compliance use cases

    This is not about writing clever prompts. It’s about asking precise questions that force the system to stay within policy scope, cite sources, and avoid over-interpretation.

    A compliance officer should know how to frame prompts like: “Answer only using the attached market abuse policy and cite section numbers” or “List exceptions found in this control log without summarizing beyond the evidence.” That matters because vague prompts create hallucinations, and hallucinations in investment banking compliance become governance problems fast.

  3. RAG evaluation and testing

    You need to know how to test whether a retrieval system is actually useful before anyone relies on it for reviews or escalation support. That includes measuring whether the right documents are retrieved, whether answers are grounded in sources, and whether edge cases fail safely.

    For a compliance officer, this skill maps directly to model risk management. If you can define test cases around restricted lists, conflicts of interest, personal account dealing, or communications surveillance scenarios, you become valuable in validation discussions instead of being a passive consumer of vendor claims.

  4. Data lineage and access controls

    Compliance teams live or die by traceability. In an AI workflow, you need to know where data came from, who can see it, what was excluded, and how sensitive content is protected.

    This matters because RAG often pulls from policy repositories, case management systems, email archives, and watchlists. A strong compliance officer understands permission boundaries well enough to spot when a retrieval layer might expose MNPI-related content or confidential investigation material to the wrong user group.

  5. AI governance and model risk literacy

    You do not need to become an ML engineer. You do need enough understanding of governance frameworks to ask the right questions about validation scope, human review points, audit logging, retention, vendor controls, and change management.

    In investment banking compliance, this skill separates people who can approve safe use cases from people who just say “no” to everything. The goal is not building models yourself; it is knowing how to govern them inside the bank’s control environment.
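
Skills 1 and 4 meet in the retrieval layer: each chunk carries its citation metadata and its entitlements, and the entitlement filter runs before ranking. The sketch below is an added example, not code from the original article; the corpus, group names, and keyword scoring (standing in for vector search) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Chunk:
    doc_id: str                # source document
    section: str               # exact paragraph/section used in the citation
    version_date: date         # policy version the text came from
    owner: str                 # accountable policy owner
    allowed_groups: frozenset  # groups entitled to read this chunk
    text: str

# Constructed sample corpus (not real policy text or case data).
CORPUS = [
    Chunk("GE-POLICY", "4.2", date(2025, 11, 1), "Compliance Advisory",
          frozenset({"all_staff"}),
          "Gifts above the stated threshold require pre-approval from compliance."),
    Chunk("CASE-0001", "notes", date(2026, 1, 15), "Investigations",
          frozenset({"compliance_investigations"}),
          "Investigation notes: gifts received by desk head under review."),
]

def score(query, text):
    # Keyword overlap stands in for embedding similarity in this sketch.
    words = text.lower().replace(".", "").replace(":", "").split()
    return len(set(query.lower().split()) & set(words))

def retrieve(query, user_groups, audit_log, k=3):
    """Filter by entitlement BEFORE ranking so restricted text never reaches the prompt."""
    groups = frozenset(user_groups)
    visible = [c for c in CORPUS if c.allowed_groups & groups]
    # Record who asked what and how many chunks were withheld, for later review.
    audit_log.append({"query": query, "groups": sorted(groups),
                      "excluded": len(CORPUS) - len(visible)})
    ranked = sorted(visible, key=lambda c: score(query, c.text), reverse=True)
    hits = [c for c in ranked if score(query, c.text) > 0][:k]
    return [{"cite": f"{c.doc_id} §{c.section} "
                     f"(v{c.version_date.isoformat()}, owner: {c.owner})",
             "text": c.text} for c in hits]
```

A user in `all_staff` asking about gifts gets only the policy paragraph with its section and version; the investigation note is withheld and the exclusion is counted in the audit log.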

Where to Learn

  • DeepLearning.AI — Retrieval Augmented Generation (RAG) course

    Good for understanding how retrieval works end-to-end: chunking, embeddings, vector search, grounding. Take this first if you want technical fluency in 2–3 weeks without getting lost in theory.

  • Coursera — AI for Everyone by Andrew Ng

    Not technical enough on its own, but useful for building a shared language with data science and engineering teams. Pair it with your own policy examples so you can translate concepts into compliance terms.

  • NIST AI Risk Management Framework (AI RMF 1.0)

    This should be required reading for anyone touching AI governance in regulated environments. It helps you think about map-measure-manage style controls that fit bank oversight processes.

  • OpenAI Cookbook / Anthropic documentation on RAG patterns

    Use these as practical references for prompting patterns, citation handling ideas, and evaluation basics. You don’t need every API detail; you need exposure to what good implementation looks like so you can challenge weak vendor designs.

  • Book: Designing Machine Learning Systems by Chip Huyen

    Strong for understanding production failure modes: drift, monitoring gaps, data dependencies, and feedback loops. Even though it’s not compliance-specific, it gives you the operating model context behind any RAG deployment.

A realistic timeline:

  • Weeks 1–2: Learn RAG basics and document structuring
  • Weeks 3–4: Practice prompting against real policy text
  • Weeks 5–6: Build simple evaluation tests and review outputs
  • Weeks 7–8: Study governance controls and map them to bank processes

How to Prove It

  • Build a policy Q&A prototype

    Load your firm’s public-facing policies or anonymized internal policies into a simple RAG app and test whether it answers common compliance questions with citations. Focus on high-value queries like gifts & entertainment thresholds or communications retention rules.

  • Create a surveillance triage assistant

    Use sample alert descriptions plus policy text to generate first-pass categorization: true issue vs false positive vs needs review. The point is not automation; it is showing that you can design a controlled assistant with clear escalation boundaries.

  • Write an AI control checklist for vendors

    Produce a one-page checklist covering data sources, access control, logging, grounding quality, testing evidence, human oversight, and retention. This shows you understand operational risk better than most non-technical reviewers.

  • Run an evaluation pack on bad inputs

    Test the system with ambiguous prompts, conflicting policy versions, outdated procedures and missing citations. Document where it fails and what guardrails would fix it; that is exactly the kind of thinking regulators respect.
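
An evaluation pack of this kind can be a small checker run over captured responses. The following is an added example, not part of the original article; the policy register, case names, and response format are constructed assumptions about what a system under test would return.

```python
from datetime import date

# Constructed policy register: (doc_id, section) -> published version dates.
REGISTER = {
    ("COMMS-RETENTION", "3.1"): [date(2024, 6, 1), date(2025, 9, 1)],
    ("PAD-POLICY", "2.4"): [date(2025, 3, 1)],
}

def check_response(resp):
    """Return findings for one captured response; an empty list means pass."""
    if resp.get("refused"):
        # A refusal is the safe outcome only when the case expects one.
        return [] if resp["expect_refusal"] else ["unexpected refusal"]
    findings = []
    if resp["expect_refusal"]:
        findings.append("answered where refusal/escalation was expected")
    cites = resp.get("citations", [])
    if not cites:
        findings.append("no citation")
    for doc_id, section, version in cites:
        versions = REGISTER.get((doc_id, section))
        if versions is None:
            findings.append(f"cites unknown source {doc_id} §{section}")
        elif version not in versions:
            findings.append(f"cites unpublished version of {doc_id} §{section}")
        elif version != max(versions):
            findings.append(f"cites superseded version {version} of {doc_id} §{section}")
    return findings

def run_pack(responses):
    """Map case id -> findings so each failure can be documented per scenario."""
    return {r["case"]: check_response(r) for r in responses}

# Constructed responses, as if captured from the system under test.
SAMPLE = [
    {"case": "current-policy", "expect_refusal": False,
     "citations": [("COMMS-RETENTION", "3.1", date(2025, 9, 1))]},
    {"case": "outdated-procedure", "expect_refusal": False,
     "citations": [("COMMS-RETENTION", "3.1", date(2024, 6, 1))]},
    {"case": "missing-citation", "expect_refusal": False, "citations": []},
    {"case": "ambiguous-prompt", "expect_refusal": True,
     "citations": [("PAD-POLICY", "2.4", date(2025, 3, 1))]},
]
```

`run_pack(SAMPLE)` passes the first case and returns one finding for each of the other three, which is the per-scenario failure record the paragraph above asks you to document.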

What NOT to Learn

  • Generic “learn Python” tutorials with no compliance use case

    Basic coding can help later, but spending months on general programming before touching RAG will slow you down. Learn just enough tooling to inspect workflows and build small proofs of concept tied to real controls.

  • Prompt engineering hype content

    Tricks about writing “better prompts” won’t help much if your source material is messy or your governance model is weak. For investment banking compliance, structure beats cleverness every time.

  • Broad AI strategy content with no operational detail

    Executive summaries about transformation do not teach you how alerts get reviewed or how evidence gets cited in an exam response. Stay close to workflows: surveillance cases, KYC refreshes, investigations, attestation reviews, policy exception handling.

If you want relevance in 2026 as a compliance officer in investment banking, the winning move is not becoming an AI generalist. It is becoming the person who understands both regulatory controls and how RAG systems fail under pressure.


By Cyprian Aarons, AI Consultant at Topiax.
