The CRM Auto-Enrichment That Broke Their Compliance Review
A wealth firm wanted enriched contact data. The enrichment pulled from sources the firm wasn't supposed to use. We caught it on a compliance audit by accident.
A 6-advisor RIA wanted enriched contact records. When a prospect filled out a form, the system would pull their LinkedIn profile, their company info, their connection graph, anything that might help an advisor prep.
We built it. It worked. Records got enriched. Advisors had better context for first calls.
Three months in, an internal compliance audit caught us.
What broke
The enrichment service we used pulled data from sources that included social media scraping. Some of that data was from sites the firm's compliance policy specifically prohibited (background-check-style sites, certain data brokers).
Our system was technically pulling that data into the CRM. Our system had not asked anyone whether those sources were allowed. Our system had also not logged which data point came from which source, so when compliance asked "where did you get this?" we couldn't easily answer.
The compliance officer was reasonable. She didn't shut us down. But she required:
- A full audit of every enriched record
- Removal of data from prohibited sources
- A signed attestation from each enrichment vendor about their data sources
- A new approval process for any new enrichment source going forward
The audit alone took 80 hours of staff time. Most of it was manual because we hadn't logged source provenance.
Root cause
I wired the enrichment service into the workflow without reading the firm's compliance policy. I assumed the firm would tell me if there were restrictions.
The firm's compliance officer assumed the consultant would have asked.
Both of us were wrong. The enrichment service itself was happy to provide data from any source it could legally access. We never bridged the gap between "legally accessible" and "compliant for this specific firm's policies."
What we did instead
After the audit we rebuilt the enrichment with three changes:
One, source-by-source allow-list. Each enrichment vendor and each data type within the vendor had to be on a pre-approved list. New sources required compliance sign-off.
Two, full provenance logging. Every field in the enriched record now has a source tag and a timestamp. Audit queries can answer "where did we get this?" in seconds.
Three, compliance review at scope time. Every new automation project now starts with a 30-minute conversation with the compliance officer. We share the data flow diagram before any code is written.
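Changes one and two, as an added Python example (not the code we shipped for the firm): writes are denied unless the vendor and data type are on the allow-list, and every stored field carries its source and timestamp. The vendor names, data types, field names and record layout are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed allow-list: (vendor, data_type) pairs with compliance sign-off.
APPROVED_SOURCES = {
    ("vendor_a", "company_info"),
    ("vendor_a", "job_title"),
    ("vendor_b", "company_info"),
}

@dataclass
class EnrichedRecord:
    contact_id: str
    fields: dict = field(default_factory=dict)    # name -> value plus provenance
    rejected: list = field(default_factory=list)  # audit trail of blocked writes

def apply_enrichment(record, vendor, data_type, name, value, now=None):
    """Write one enriched field only if its (vendor, data_type) is approved."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    if (vendor, data_type) not in APPROVED_SOURCES:
        # Deny by default: keep evidence of the attempt, never the value itself.
        record.rejected.append({"field": name, "vendor": vendor,
                                "data_type": data_type, "at": ts})
        return False
    record.fields[name] = {"value": value, "vendor": vendor,
                           "data_type": data_type, "fetched_at": ts}
    return True

def provenance(record, name):
    """Answer "where did we get this?" for a single field."""
    e = record.fields.get(name)
    return None if e is None else (e["vendor"], e["data_type"], e["fetched_at"])

def fields_from(records, vendor, data_type=None):
    """List (contact_id, field) pairs to purge if a source loses approval."""
    return [(r.contact_id, n) for r in records for n, e in r.fields.items()
            if e["vendor"] == vendor and data_type in (None, e["data_type"])]

def demo():
    # Constructed sample: one approved write, one from an unapproved source.
    rec = EnrichedRecord("c-1001")
    when = datetime(2024, 1, 15, tzinfo=timezone.utc)
    apply_enrichment(rec, "vendor_a", "company_info", "employer", "Example Corp", when)
    apply_enrichment(rec, "vendor_c", "background_check", "court_records", "n/a", when)
    return rec
```

With provenance stored per field, the purge list for a vendor that loses approval is a single call to `fields_from` instead of a manual record-by-record review.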
What I tell prospects now
If you're a regulated business — wealth, legal, healthcare, anything with a compliance officer — the compliance officer is in the kickoff meeting. Always. Non-negotiable.
If your firm doesn't have a compliance officer but has regulators, you're operating under compliance obligations whether you know it or not. Get someone to read the regs for the project before you build.
For wealth specifically, the relevant regs depend on registration. SEC-registered RIAs have different rules than state-registered. Broker-dealers have FINRA. Each has nuances. Don't guess.
The lesson
The technical work was correct. The technology shipped what we asked of it.
The mistake was a scoping mistake. I didn't include compliance as a stakeholder. I treated it as a department to inform after the fact instead of an authority to consult upfront.
In regulated industries, compliance is not a department. It's a co-architect of every system you build. Adopt that frame or pay the audit tax later.
The thing nobody mentions
The compliance officer at this firm became one of my best advocates inside the company. Once she saw I respected the process, she championed every subsequent project. The relationship that started with a near-fire turned into a 4-engagement run.
Compliance officers aren't adversaries. They're allies who haven't been treated like allies. Bring them in early. The relationship pays compound interest.