Open source · AI-assisted · human-decided

A reviewer packet, not a compliance verdict.

Compliance Flag captures a web page or draft, uses an AI model to flag passages that may raise SEC Marketing Rule questions, and saves the findings with rule citations, excerpts, and the exact source it reviewed for a qualified human to judge.

Know what your marketing said when it was reviewed, what the scan flagged, and what evidence the reviewer had in front of them.

Developed by Quillmark LLC as part of its open-source work. Customizations are welcome.

Saved evidence with every scan

HTML report, structured JSON, captured source, and metadata artifacts stay together in the output folder.

A web page gets reviewed once. Then it keeps changing.

Bios get updated. A testimonial gets added. Market commentary goes out weekly. Footer disclosures shift in a redesign. None of it feels like a campaign launch, so none of it triggers a review, and months later nobody can say exactly what the site said when compliance last looked at it.

Compliance Flag exists for the gap between reviews: it captures the page as it is today, flags what may deserve attention, and preserves the evidence either way.

Current SEC examination materials still put marketing in the review path: the Division of Examinations' FY 2026 priorities say adviser compliance-program exams typically evaluate core areas including marketing, and its December 2025 Risk Alert says the Division continues to focus on Marketing Rule compliance.

Every scan keeps four things together.

The output is built for review files: the source, the flagged text, the rule context, and a readable record of what happened.

01. The captured source

The page or file exactly as reviewed, saved beside the report, so "what did it say at the time?" always has an answer.

02. Flagged passages

Excerpts with severity, the specific rule provision cited, and a plain-language explanation of why the passage was flagged.

03. Suggested remediation

Starting points for the reviewer: drafts to react to, not instructions to follow.

04. A clean record

Structured JSON and a readable HTML report, suitable for keeping with the firm's review files.

What a finding actually looks like.

The report is the product. A reviewer sees severity counts, the cited rule, the flagged passage, the explanation, and possible next steps in one place.

Critical: 0 High: 0 Medium: 1 Low: 3

Medium #1

Fair and balanced reference to specific investment advice

§ 275.206(4)-1(a)(5)

Last January, we shared several views with clients. Among these, we expected the Fed would likely begin easing in the second half of the year; the Fed did begin cutting rates in September... We also anticipated a narrowing of the large-cap/small-cap valuation gap, which did not materialize.

Why it was flagged

The passage references specific prior investment views. The report treats that as a review question because the Marketing Rule requires references to specific investment advice to be presented in a fair and balanced manner.

Reviewer starting point

Confirm the prior-view examples are representative and that support exists for the full record offered on request.


Technical staff run it. Compliance decides what it means.

The current release is a command-line tool. In practice, a developer, consultant, or technically comfortable team member can run the scan and hand the report to the people responsible for review.

1. Select

An authorized URL or local draft the firm owns, controls, or has permission to assess.

2. Scan

The CLI captures the source and sends it, with bundled SEC rule text, to a frontier model from Anthropic's Claude family. The response is validated against a strict report schema before anything is written.

3. Review

The reviewer compares excerpts against the saved source and decides what to accept, reject, revise, or archive.

pip install compliance-flag
compliance-flag scan --url https://example.com
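
The validation described under "Scan" and the excerpt comparison described under "Review", sketched as an added example; this is not Compliance Flag's own code. The field names, the validate_report function and the sample strings are assumptions, and the check that every excerpt occurs in the captured source goes beyond the schema check the page describes.

```python
import hashlib
import json

# Assumed report shape: field names mirror what the page says a finding
# carries; they are hypothetical, not the project's actual schema.
SEVERITIES = {"critical", "high", "medium", "low"}
FINDING_FIELDS = {"severity", "rule", "excerpt", "explanation", "remediation"}


def _norm(text):
    """Collapse whitespace so line wrapping does not defeat the excerpt check."""
    return " ".join(text.split())


def validate_report(raw_response, captured_source):
    """Return a report dict for untrusted model output, or raise ValueError."""
    try:
        data = json.loads(raw_response)
    except json.JSONDecodeError as exc:
        raise ValueError(f"response is not JSON: {exc}") from None
    if not isinstance(data, dict) or set(data) != {"findings"}:
        raise ValueError("top level must be an object with only 'findings'")
    if not isinstance(data["findings"], list):
        raise ValueError("'findings' must be a list")
    source = _norm(captured_source)
    for i, f in enumerate(data["findings"]):
        if not isinstance(f, dict) or set(f) != FINDING_FIELDS:
            raise ValueError(f"finding {i}: unexpected or missing fields")
        if not all(isinstance(v, str) and v.strip() for v in f.values()):
            raise ValueError(f"finding {i}: every field must be non-empty text")
        if f["severity"] not in SEVERITIES:
            raise ValueError(f"finding {i}: unknown severity")
        if _norm(f["excerpt"]) not in source:
            raise ValueError(f"finding {i}: excerpt not in captured source")
    # Bind the report to the exact text that was reviewed.
    digest = hashlib.sha256(captured_source.encode("utf-8")).hexdigest()
    return {"source_sha256": digest, "findings": data["findings"]}


# Constructed sample input, shortened from the page's sample finding.
SOURCE = "Last January, we shared several views\nwith clients. Among these, ..."
FINDING = {"severity": "medium", "rule": "§ 275.206(4)-1(a)(5)",
           "excerpt": "Last January, we shared several views with clients.",
           "explanation": "References specific prior investment views.",
           "remediation": "Confirm the prior-view examples are representative."}
GOOD = json.dumps({"findings": [FINDING]})
# Same finding, but the excerpt does not appear anywhere in the source.
BAD = json.dumps({"findings": [dict(FINDING, excerpt="We guarantee returns.")]})
```

Because validation raises before returning, a caller that writes the report only from the return value never persists a finding whose excerpt the reviewer could not locate in the saved source.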

Frequently Asked Questions

What is Compliance Flag?

Compliance Flag is an open-source, AI-assisted command-line tool from Quillmark LLC. It helps teams capture RIA marketing content and draft SEC Marketing Rule reports for review.

Is Compliance Flag an AI tool?

Yes. The current CLI uses an AI model through the user's API key to analyze captured content and draft findings. The model output is validated into a report format, but it still requires human review.

Does it provide legal or compliance advice?

No. Compliance Flag supports review work, but its outputs are only drafts. Qualified personnel still need to evaluate the facts, the authority, the context, and the final decision.

Can it prove a page is compliant?

No. A clean output does not mean a page is compliant. It only means the scan did not flag an issue within its current scope, prompt, model behavior, and available regulatory source materials.

What is the current status?

The current release is an alpha command-line tool that requires a compatible model API key. The roadmap tracks reliability, cost, reviewer trust, source preservation, model-provider testing, and release-readiness improvements as the project develops.

What content should it be used on?

Use it only on websites, files, pages, or other content that you own, control, administer, or have explicit permission to assess. Do not run URL scans against third-party websites without authorization.

Why keep a sample report?

The sample report shows what the tool actually writes: source reference, executive summary, severity counts, rule-grounded findings, excerpts, explanations, and suggested remediation.

Interested in working with us?

For implementation questions, project support, consulting inquiries, or related development work, email us.
support@complianceflag.com

Compliance Flag and Quillmark LLC are not law firms and do not provide legal, compliance, regulatory, investment, tax, accounting, or financial advice. The project, scan outputs, articles, and examples are for informational and operational use only. They should be reviewed by qualified personnel before use. Compliance Flag and Quillmark LLC do not determine that any communication meets all applicable requirements and are not affiliated with, endorsed by, or acting on behalf of the SEC or any other regulator. Regulatory and enforcement references are based on source materials and may not reflect later developments.

Compliance Flag is a Quillmark Open Source initiative. Compliance Flag is not endorsed by, sponsored by, or affiliated with any AI model provider.