
19 December 2025
FINRA flags generative AI risks and governance expectations
The Financial Industry Regulatory Authority’s (FINRA) 2026 Annual Regulatory Oversight Report includes a dedicated section on generative artificial intelligence (GenAI) and highlights supervisory, governance, cybersecurity, testing, monitoring, and third‑party risk considerations for FINRA member firms deploying AI tools.
The report underscores that FINRA expects member firms to stay increasingly vigilant and to modify, to the extent necessary, their written supervisory procedures (WSPs) to be appropriately tailored to their evolving use of technology.
We provide the top points of the report and key considerations for FINRA member firms.
Key points from FINRA’s report
FINRA’s “GenAI: Continuing and Emerging Trends” section notes that “using GenAI can implicate rules regarding supervision, communications, recordkeeping and fair dealing.” Notably, to the extent a member firm relies on GenAI tools as part of its supervisory system, “its policies and procedures may consider the integrity, reliability and accuracy of the AI model.”
FINRA’s report suggests that member firms should be wary of falling into a set-it-and-forget-it mindset through overreliance on automation and the related advantages and features that GenAI provides. The report indicates that FINRA expects at least some level of human oversight and/or modified quality control testing to demonstrate that a member firm’s WSPs are reasonably designed when using GenAI. FINRA’s report also notes that the use of autonomous AI agents is rapidly evolving and may present novel regulatory and supervisory considerations in monitoring such AI agents.
Specifically, FINRA’s report notes that member firms “may want to consider,” among other things:
- Enterprise-level supervisory processes concerning the development and use of GenAI
- Policies and procedures reasonably designed to identify and mitigate GenAI risks, such as those related to accuracy and bias
- Robust testing of privacy, integrity, reliability, and accuracy with GenAI use
- Tailoring cybersecurity programs to be reasonably designed to include risks associated with using GenAI, both by the member firm and third-party vendors used by the member firm
Key insights and takeaways
FINRA recognizes that GenAI can provide member firms with potential benefits, particularly where automation may lead to efficiencies. However, FINRA perceives “notable risks and challenges” in the use of GenAI that could negatively impact market participants.
FINRA expects member firms to adapt their WSPs so they are mapped to the member firms’ use of GenAI. The Securities and Exchange Commission (SEC), which also regulates securities market participants and enforces various securities laws that require firms to implement certain policies and procedures, likely has the same perspective.
Consequently, to stay in front of the potential risks FINRA flagged regarding GenAI use, member firms may wish to consider:
- Revising, where appropriate, WSPs to expressly account for the risks FINRA has identified
- Conducting mock audits or examinations tailored to test GenAI use and supervisory oversight, including human monitoring of model outputs
- Reviewing and, where appropriate, revising vendor agreements to determine whether the member firm understands how its third-party vendors are using GenAI and whether the firm has designed reasonable controls around potential risks, including with respect to evaluating vendor AI usage, configurations, and data controls
- Updating threat models for potential GenAI‑enabled fraud and strengthening data loss prevention risk-mitigation measures
- Reassessing testing for possible market abuses, such as layering, spoofing, wash trading, and social‑media‑driven activity
- Tracking legislation, rulemaking, enforcement actions, and FINRA and SEC statements for evolving expectations around GenAI
Member firms may find opportunities in pursuing new technology, including GenAI. As firms consider implementing these technologies, they are encouraged to evaluate their WSPs in parallel to ensure that they remain in compliance.
For more information
For more information about FINRA’s increased focus on GenAI, please contact the authors of this alert, your DLA Piper relationship attorney, or any member of DLA Piper’s White Collar and Investigations or Securities Enforcement and Regulation practice groups.


