FINRA’s 2026 Oversight Report: Essential Guidance on GenAI Governance and Off-Channel Communications


The release of FINRA’s 2026 Annual Regulatory Oversight Report (the “Report”) sets out FINRA’s key examination and enforcement priorities for the upcoming year. This year, the Report delivers critical regulatory clarity on two compliance challenges facing broker-dealers: governing and implementing generative AI (GenAI), and continued diligence around off-channel communications. Compliance practitioners at FINRA-regulated firms should review this guidance carefully to identify gaps in their current programs and strengthen their supervisory frameworks.

GenAI Governance: From Emerging Risk to Regulatory Priority

This year FINRA includes a new, dedicated section on “GenAI: Continuing and Emerging Trends.” Its inclusion signals a fundamental shift: in barely a year, GenAI governance has moved from theoretical concern to regulatory expectation. The Report establishes a foundational principle that compliance teams must internalize: FINRA’s rules apply to GenAI tools just as they apply to any other technology.

The Report identifies summarization and information extraction as the most prevalent GenAI use case among member firms, followed by conversational AI and question answering, content generation and drafting, and querying. While each of these use cases offers efficiency gains, each also introduces distinct compliance risks that require comprehensive governance structures.

Based on FINRA’s guidance, compliance practitioners should consider several governance principles when evolving compliance practices to meet expectations.

Enterprise Risk Assessment and Supervision

FINRA expects firms to develop “supervisory processes to develop and use GenAI at an enterprise level.” This requires more than adding AI considerations to existing technology governance; it demands dedicated frameworks that account for GenAI’s unique characteristics. Compliance teams should consider establishing cross-functional GenAI review committees with representatives from Compliance, IT, Risk, Legal, Cybersecurity, and business units to evaluate opportunities during procurement and before deployment.

Compliance teams should leverage battle-tested, industry-leading standards such as ISO 42001 certification for AI management systems when vetting GenAI systems. The ISO 42001 standard, together with AI risk frameworks from NIST and the Cloud Security Alliance, provides clear and demonstrable evidence of the rigor and completeness of an AI platform’s development, oversight, and security practices.

The ISO 42001 standard ensures AI platform developers have implemented:

  • Clear accountability structures for AI system governance
  • Risk-based methodologies for identifying and treating AI-specific risks
  • Data governance frameworks ensuring quality and provenance
  • Continuous improvement processes adapting to emerging risks

An ISO 42001 certification is a key element of any GenAI risk assessment and management program.

Comprehensive Testing Protocols

FINRA emphasizes that firms should conduct “robust testing of GenAI to understand the capabilities, limitations and performance” of models. Compliance practitioners should establish structured testing across four dimensions: privacy (protection of sensitive information), integrity (consistency and reliability of outputs), reliability (performance under varying conditions), and accuracy (factual correctness). Documentation of test results and acceptance criteria creates audit trails demonstrating reasonable supervision.

Ongoing Monitoring with Human Oversight

Post-deployment monitoring represents a critical control often overlooked in initial implementations. The Report emphasizes “ongoing monitoring of prompts, responses and outputs to confirm the GenAI solution continues to perform as expected and results in compliant behavior.” Firms should implement prompt and output logging for accountability, model version tracking to identify performance changes, and regular validation checks where subject matter experts review sample outputs. This “human-in-the-loop” approach provides early detection of degraded performance or emerging risks before they become compliance failures.

Meaningful analysis of prompts and responses for potentially problematic confidential, proprietary, security-related, or behavioral content is now a baseline FINRA expectation. Ensuring that compliance technologies can adequately capture, retain, and replay that content is essential to building a supervisory program. It is also critical to understand content in context, for example through views that let compliance teams see how GenAI content is created and then used in email, chat, or other communications.

Off-Channel Communications

FINRA’s Books and Records guidance underscores the ongoing importance of electronic communication recordkeeping and supervision practices. The Report outlines several practices for the effective monitoring of off-channel communications.

Message Volume Reconciliation

Compliance teams should implement systematic volume baseline analysis for registered representatives across all approved communication channels. FINRA’s guidance suggests that “a decrease or absence of activity on certain previously used firm-approved communication channels or tools” may indicate off-channel migration. Daily or monthly volume baselines with exception reporting for significant deviations provide early warning of potential violations. For example, if a representative averaging 50 Microsoft Teams chat messages per day suddenly drops to 5 without business justification, supervisory review should investigate potential off-channel activity.
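The volume-baseline check described above can be expressed as a small piece of detection logic. The following is an added example written for this page; it is not Theta Lake’s product code and not part of FINRA’s guidance. It assumes the firm’s archive can already be rolled up into per-day message counts per representative and approved channel, and the representative ids, channel names, start date and thresholds (a 10-day trailing window, an alert when a day’s volume is at or below 25% of baseline, and a floor that skips rarely used channels) are constructed for illustration. It goes slightly beyond the text’s single example by also treating a day with no captured traffic as a zero, so an outright absence of activity is flagged as well as a sharp drop.

```python
"""Message-volume reconciliation against a trailing baseline (example code).

Constructed sample data: rep-1001 averages ~50 Teams chats a day, drops to 5,
then disappears from the channel entirely; rep-1001's email and rep-2002's
low but steady email volume should not raise exceptions.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

START = date(2026, 1, 5)  # arbitrary constructed start date
# Day 11 drops to 5 messages; day 12 has no record at all (an absence).
TEAMS_VOLUME = [50, 48, 52, 49, 51, 50, 47, 53, 50, 50, 5]

# One record per (day, representative, channel, captured message count).
SAMPLE_ARCHIVE = []
for offset in range(12):
    day = START + timedelta(days=offset)
    if offset < len(TEAMS_VOLUME):
        SAMPLE_ARCHIVE.append((day, "rep-1001", "teams_chat", TEAMS_VOLUME[offset]))
    SAMPLE_ARCHIVE.append((day, "rep-1001", "email", 20))  # steady, should not alert
    SAMPLE_ARCHIVE.append((day, "rep-2002", "email", 3))   # quiet channel, below alert floor


def daily_series(records):
    """Roll records up into {(rep, channel): {day: count}} with every day of
    the archive's date range present, so a day with no captured traffic is a
    zero rather than a gap: an absence of activity is itself a signal."""
    days = [r[0] for r in records]
    first, last = min(days), max(days)
    span = [first + timedelta(days=i) for i in range((last - first).days + 1)]
    totals = defaultdict(lambda: defaultdict(int))
    for day, rep, channel, count in records:
        totals[(rep, channel)][day] += count
    return {key: {d: counts.get(d, 0) for d in span} for key, counts in totals.items()}


def volume_exceptions(records, window_days=10, drop_ratio=0.25, min_baseline=10.0):
    """Return review items for each (rep, channel, day) whose volume is at or
    below drop_ratio of the mean over the preceding window_days days.
    Channels whose baseline is below min_baseline are skipped to avoid noise
    from tools a representative rarely uses."""
    exceptions = []
    for (rep, channel), counts in sorted(daily_series(records).items()):
        days = sorted(counts)
        for i in range(window_days, len(days)):
            baseline = mean([counts[d] for d in days[i - window_days:i]])
            today = counts[days[i]]
            if baseline >= min_baseline and today <= drop_ratio * baseline:
                exceptions.append({"rep": rep, "channel": channel, "day": days[i],
                                   "count": today, "baseline": round(baseline, 1)})
    return exceptions


if __name__ == "__main__":
    for e in volume_exceptions(SAMPLE_ARCHIVE):
        print(f"{e['day']} {e['rep']} {e['channel']}: "
              f"{e['count']} msgs vs baseline {e['baseline']}")
```

Each exception carries the observed count and the baseline it was judged against, which is the minimum a supervisor needs to decide whether there is a business justification (leave, role change, a sanctioned move to another approved channel) or a reason to review for off-channel activity. The thresholds are deliberately parameters: a daily window suits high-volume chat, while a monthly window with a lower drop ratio may fit channels with naturally lumpy traffic.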

AI Analytics and Pattern-Based Surveillance

Beyond volume metrics, firms should deploy surveillance that identifies behavioral anomalies suggesting parallel off-channel conversations: incomplete conversation threads, references to discussions not captured in firm systems, or responses that do not align contextually with the visible communications. While the Report describes the need to revise keyword policies to account for off-channel risk, Theta Lake’s research finds that 99% of firms are using, or planning to use, AI for supervision, which is often more elastic and adaptable in uncovering such issues.

In addition, the ability to replay conversations in context is a critical component of any off-channel compliance strategy. Being able to view and analyze conversations as they move across platforms is key to understanding off-channel communication patterns.

Ongoing Considerations

Compliance teams should recognize that both GenAI governance and off-channel communication supervision represent evolving challenges requiring continuous program refinement. FINRA’s Report provides the regulatory roadmap, but effective implementation demands thoughtful program design and ongoing assessment leveraging modern compliance tools. Firms that proactively adopt these frameworks and technologies will differentiate themselves from those facing examination findings and potential enforcement actions.

Author

  • Marc Gilman

    Marc Gilman is the General Counsel and VP of Compliance at Theta Lake as well as an adjunct professor at Fordham University School of Law.