
FINRA's 2026 Regulatory Oversight Report and AI Governance: What Broker-Dealers Must Address

FINRA's 2026 Annual Regulatory Oversight Report added a dedicated Generative AI section for the first time. Here is what broker-dealers need to build into their governance programs in response.

Orville Matias

FINRA's 2026 Annual Regulatory Oversight Report, published in December 2025, added a dedicated Generative AI section for the first time in the report's history. This is a significant signal. When FINRA creates a standalone section on a topic in the AROR, it becomes an examination priority across the member firm population.

2026 FINRA AROR: first dedicated GenAI section
Rule 3110 (Supervision): applies to all AI activity
Rule 2210 (Communications): AI content held to the same standard as human content
Rule 4511 (Books & Records): AI outputs may be required records

This article breaks down what the 2026 AROR requires, what it means operationally for broker-dealers, and where the specific compliance gaps are most likely to appear during examinations.

What FINRA's 2026 AROR Actually Says

The 2026 report specifies several expectations for broker-dealers deploying or considering GenAI tools:

Governance and model risk frameworks. FINRA expects firms to establish supervision, governance, or model risk management frameworks with clear policies and procedures for developing, implementing, using, and monitoring GenAI. Documentation must be maintained throughout the AI lifecycle — from evaluation to deployment to retirement.

Controls for hallucinations, bias, and cybersecurity risks. The report explicitly calls out AI hallucinations and bias as compliance risks that require active controls. Firms deploying AI in client-facing applications, research, or supervision must have mechanisms to detect and address AI outputs that are inaccurate or biased.

Ongoing human oversight. FINRA is unambiguous that human monitoring of AI model outputs is essential. This is not a transitional requirement pending better AI technology. It is a structural expectation — AI-assisted decisions and communications require human review before they affect customers.

Agentic AI oversight. The 2026 report specifically addresses autonomous AI agents as a novel oversight challenge. FINRA notes that agentic AI may require tracking of system actions and restrictions on system access. This is forward-looking language, but firms piloting or deploying AI agents that take autonomous actions on behalf of the firm or its customers need written frameworks now.

Accurate AI-related disclosures. FINRA reiterates the requirement — consistent with the SEC's AI washing enforcement actions — that descriptions of GenAI capabilities in customer communications and marketing materials must be accurate, balanced, and not overstated. The report specifically references the "AI washing charges brought by other regulators" as context.

The Operational Implications for Broker-Dealers

FINRA's technology-neutral regulatory approach means existing rules apply to AI without modification. That has specific operational implications:

FINRA Rule 3110 (Supervision). Every use of AI in a business activity of the firm is subject to supervisory oversight. If a registered representative uses an AI tool to assist in drafting customer communications, that output must be reviewed under the same supervisory framework as communications written entirely by the representative. There is no AI exception to Rule 3110.

FINRA Rule 2210 (Communications with the Public). AI-generated marketing content, social media posts, newsletters, or customer-facing materials are subject to Rule 2210's requirements for fair, balanced, and not misleading content. AI tools that generate marketing content without a review process create Rule 2210 exposure.

Books and Records (Rules 4511-4514). If AI tools generate content that constitutes a business record — including customer communications, research, trade justifications, or compliance documentation — those records are subject to retention requirements. Most firms have not updated their recordkeeping policies to explicitly address AI-generated content.

Vendor Management. FINRA's rules apply whether firms use AI directly or through third-party vendors. If your order management system, CRM, or compliance surveillance platform has embedded AI features, your firm is responsible for governance of those features. Vendor agreements should address data handling, model transparency, audit trail availability, and the firm's ability to supervise AI-generated outputs.

Where Examination Gaps Are Most Likely

Based on FINRA's stated priorities and the patterns emerging from early AI-related examinations, broker-dealers are most at risk in the following areas:

No AI inventory. FINRA examiners will ask for a list of AI tools in use across the firm. Firms that cannot produce one — including AI embedded in third-party tools — will face examination criticism before any substantive compliance question is reached.

WSPs that predate GenAI. If your Written Supervisory Procedures were last updated before 2024 and do not address GenAI, you have a documented compliance program gap. FINRA expects WSPs to be living documents updated as the firm's business and risk profile changes. AI adoption at the firm level triggers that update obligation.

Rule callout: FINRA Rule 3110 is technology-neutral. There is no AI exception. Every AI tool used in the business activities of the firm — by any registered person — requires supervision under the same standards as any other business activity.

Undisclosed AI use in customer communications. Registered representatives who use personal AI accounts to draft customer emails or proposals — with no supervisory review and no disclosure — create simultaneous Rule 3110, Rule 2210, and potentially Rule 4511 exposure.

AI in advertising with no substantiation. Firms that reference AI capabilities in their advertising or customer materials without contemporaneous substantiation files are exposed to the same Marketing Rule violations that resulted in SEC AI washing enforcement actions against investment advisers.

No training documentation. FINRA expects firms to train personnel on the firm's AI governance policies. Firms without documented training programs will face criticism during examination for inadequate compliance culture around AI.

Building a FINRA-Compliant AI Governance Program

A FINRA-compliant AI governance program for a broker-dealer has the following components:

An AI inventory documenting every tool in use, including embedded AI in third-party platforms, with classification by risk level and customer-facing designation.

Updated WSPs that address GenAI usage, supervision of AI-generated communications, review processes for AI-assisted customer interactions, and escalation procedures for AI-related incidents.

Technical controls enforcing the WSPs — including DLP rules blocking submission of customer data to unauthorized AI platforms and logging of AI tool usage by employees.

Annual compliance review documentation showing that AI governance was explicitly included in the firm's Rule 3110 supervisory review.

Training records showing all registered persons received training on the firm's AI usage policies and the applicable regulatory obligations.

Most firms can write the policies. The harder problem is enforcement — and enforcement requires infrastructure control.
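The article lists an AI inventory and technical controls (DLP rules, usage logging, a supervisory review step) as the enforceable pieces of the program. The following is an added example, not code from the article or from Centience, of what "WSPs enforced by infrastructure" can look like in practice. It assumes the firm keeps one inventory record per AI tool (including AI embedded in vendor platforms) and routes employee prompts through a gateway where policy checks can run before anything leaves the firm. Every tool name, identifier pattern and sample prompt below is constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed AI inventory (assumption: one record per tool, covering AI
# features embedded in vendor platforms such as a CRM, as the article asks).
AI_INVENTORY = {
    "firm-assistant": {
        "approved": True, "risk": "high", "customer_facing": True,
        "customer_data_allowed": True, "review_process": True,
        "embedded_in": None, "vendor_audit_trail": True,
    },
    "crm-notes-ai": {
        "approved": True, "risk": "medium", "customer_facing": False,
        "customer_data_allowed": True, "review_process": False,
        "embedded_in": "CRM", "vendor_audit_trail": False,
    },
    "code-helper": {
        "approved": True, "risk": "low", "customer_facing": False,
        "customer_data_allowed": False, "review_process": False,
        "embedded_in": None, "vendor_audit_trail": True,
    },
    "personal-chatbot": {
        "approved": False, "risk": "high", "customer_facing": True,
        "customer_data_allowed": False, "review_process": False,
        "embedded_in": None, "vendor_audit_trail": False,
    },
}

# Constructed DLP patterns; a real deployment would use the firm's own
# customer identifier formats.
DLP_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "account_number": re.compile(r"\bACCT-\d{8}\b"),
}

USAGE_LOG = []  # in-memory stand-in for a retained usage log (Rules 4511-4514)


def inventory_gaps(inventory):
    """Findings an examiner could raise from the inventory alone:
    approved customer-facing tools with no review step, and embedded
    vendor AI with no audit trail available to the firm."""
    findings = []
    for name, rec in inventory.items():
        if rec["approved"] and rec["customer_facing"] and not rec["review_process"]:
            findings.append((name, "customer-facing tool has no supervisory review step"))
        if rec["embedded_in"] and not rec["vendor_audit_trail"]:
            findings.append((name, f"embedded AI in {rec['embedded_in']} lacks vendor audit trail"))
    return findings


def redact(text):
    """Replace matched customer identifiers; return (redacted_text, categories)."""
    categories = []
    for label, pattern in DLP_PATTERNS.items():
        if pattern.search(text):
            categories.append(label)
            text = pattern.sub(f"[REDACTED-{label.upper()}]", text)
    return text, categories


def evaluate_prompt(tool, user, prompt, inventory=AI_INVENTORY):
    """Apply the WSP as code: block unapproved platforms, block customer data
    to platforms not cleared for it, and write a usage record either way."""
    rec = inventory.get(tool)
    redacted, categories = redact(prompt)
    if rec is None or not rec["approved"]:
        decision, reason = "block", "platform not in approved AI inventory"
    elif categories and not rec["customer_data_allowed"]:
        decision, reason = "block", "customer data sent to platform not approved for it"
    else:
        decision, reason = "allow", "within policy"
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "tool": tool,
        "decision": decision,
        "reason": reason,
        "data_categories": categories,
        # Output of a customer-facing tool still needs human review (Rule 3110).
        "needs_supervisory_review": decision == "allow" and bool(rec["customer_facing"]),
        "prompt_redacted": redacted,  # retained record never carries raw identifiers
    }
    USAGE_LOG.append(record)
    return record


if __name__ == "__main__":
    for name, issue in inventory_gaps(AI_INVENTORY):
        print(f"inventory gap: {name}: {issue}")
    print(evaluate_prompt("personal-chatbot", "rep-01", "Draft a note to the client"))
    print(evaluate_prompt("code-helper", "dev-02", "Fix this query for SSN 123-45-6789"))
    print(evaluate_prompt("firm-assistant", "rep-01", "Summarize ACCT-12345678 for the annual review"))
```

The two checks map to the examination gaps above: `inventory_gaps` is the question an examiner asks first (can the firm produce the list, and does every customer-facing or embedded tool have a review step and an audit trail), and `evaluate_prompt` is the control that makes the WSP bite for the "personal AI account" scenario, while still producing a record for every attempt so usage is reconstructable later.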



Article written by

Orville Matias

Orville Matias is Founder & CEO of Centience, an AI and Technology Governance firm for regulated industries. He has 20+ years of experience building and operating compliance programs for organizations under SEC, FINRA, and HIPAA oversight.
