FINRA warns on AI risks and off-channel use

FINRA’s 2026 Annual Regulatory Oversight Report has set a clear tone for the year ahead, placing generative AI (GenAI) governance and off-channel communications squarely at the centre of supervisory and enforcement attention.

According to Theta Lake, for broker-dealers and other FINRA-regulated firms, the message is unambiguous: emerging technologies and electronic communications risks are no longer peripheral concerns but core regulatory priorities.

Compliance leaders are being urged to review their supervisory systems, identify weaknesses, and ensure that frameworks are robust enough to withstand heightened scrutiny.

A notable development in this year’s report is the introduction of a dedicated section on GenAI, signalling that the technology has shifted from a theoretical innovation risk to a practical compliance obligation.

FINRA makes it clear that its existing rules apply to GenAI tools in the same way they apply to any other technology used within a firm. This means that model outputs, automated drafting tools, conversational interfaces and data extraction systems all fall within established supervisory and recordkeeping expectations.

FINRA identifies summarisation and information extraction as the most common GenAI use cases among member firms, followed by conversational AI, content drafting and data querying. While these tools promise operational efficiencies, they also introduce new layers of risk, particularly around data protection, output accuracy and unintended disclosures.

Compliance functions must therefore embed GenAI oversight into enterprise risk management rather than treating it as a standalone IT initiative.

The regulator expects firms to develop supervisory processes for GenAI at an enterprise level. In practice, this means building cross-functional governance structures that bring together compliance, legal, risk, cybersecurity, IT and business leaders before procurement and deployment decisions are made.

Rather than retrofitting controls after implementation, firms are being encouraged to design structured risk assessments at the outset, evaluating accountability, data provenance, model performance and resilience.

Industry-recognised standards such as ISO/IEC 42001 for AI management systems, along with frameworks from NIST and the Cloud Security Alliance, are highlighted as practical benchmarks.

These frameworks provide structured approaches to accountability, risk-based methodologies, data governance and continuous improvement – all of which align with FINRA’s supervisory expectations. Certification and documented controls can also serve as evidence of reasonable supervision during examinations.

Testing and monitoring are further emphasised. FINRA calls for robust testing to understand model capabilities and limitations, covering privacy safeguards, output integrity, reliability under varying conditions and factual accuracy. Importantly, documentation of testing protocols and acceptance thresholds is essential to demonstrate that firms have exercised appropriate oversight.

Once deployed, GenAI systems must be subject to ongoing monitoring, including logging of prompts and outputs, version tracking and regular human review. This human-in-the-loop approach is positioned as a safeguard against model drift and compliance failures.

Alongside AI governance, FINRA reiterates its long-standing focus on electronic communications supervision. The 2026 report underscores the continued risk posed by off-channel communications and outlines practical monitoring strategies. Volume reconciliation across approved platforms is one such control. A sudden drop in activity on firm-approved systems, without clear business justification, may signal migration to unmonitored channels and should trigger supervisory review.

Beyond simple volume analysis, behavioural surveillance is becoming more sophisticated. Firms are encouraged to use analytics capable of identifying anomalies such as incomplete message threads, references to conversations occurring elsewhere, or contextual inconsistencies. The ability to capture, retain and replay communications in context is also critical, particularly as conversations increasingly span multiple digital platforms.
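The two monitoring ideas above, volume reconciliation and content anomalies, are concrete enough to implement as detection logic. The following Python is an added example, not tooling from FINRA, Theta Lake or the report; the sample volumes, sample messages, thresholds and keyword list are constructed assumptions chosen to show the checks firing, and a real deployment would tune them against the firm's own baseline.

```python
"""Off-channel communication indicators over constructed sample data.

Added example, not from the FINRA report or any vendor. It implements two
checks the report describes: (1) volume reconciliation, flagging a user
whose activity on the approved platform drops sharply against that user's
own recent baseline; (2) content anomalies, flagging messages that refer to
a conversation happening on another channel. Thresholds, keyword patterns
and all sample data below are assumptions for illustration.
"""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: (user, day_index, message_count) on the approved platform.
# "alice" is steady for a week and then drops to roughly a quarter of normal.
SAMPLE_VOLUMES = (
    [("alice", d, c) for d, c in enumerate([40, 42, 38, 45, 41, 39, 44, 12])]
    + [("bob", d, c) for d, c in enumerate([20, 22, 19, 21, 18, 23, 20, 19])]
)

# Constructed sample messages captured on the approved platform.
SAMPLE_MESSAGES = [
    ("alice", "call me on my cell, easier to discuss there"),
    ("alice", "as per our whatsapp chat, the allocation is confirmed"),
    ("bob", "sending the revised term sheet via email now"),
    ("bob", "thanks, see the attached deck"),
]

# Assumed indicator patterns for "conversation occurring elsewhere".
OFF_CHANNEL_PATTERNS = [
    r"\bwhatsapp\b", r"\bsignal\b", r"\btelegram\b", r"\bimessage\b",
    r"\btext me\b", r"\bmy cell\b", r"\bpersonal (?:email|phone)\b",
]


@dataclass
class VolumeAlert:
    user: str
    day: int
    observed: int
    baseline: float
    ratio: float


def volume_alerts(volumes, baseline_days=7, drop_ratio=0.5, min_baseline=10):
    """Flag (user, day) where the count falls below drop_ratio times the
    median of that user's previous baseline_days. Users with too little
    history or too low a baseline are skipped to avoid noisy alerts."""
    by_user = defaultdict(dict)
    for user, day, count in volumes:
        by_user[user][day] = count
    alerts = []
    for user, days in by_user.items():
        for day in sorted(days):
            prior = [days[d] for d in range(day - baseline_days, day) if d in days]
            if len(prior) < baseline_days // 2:
                continue  # not enough history to establish a baseline
            baseline = statistics.median(prior)
            if baseline < min_baseline:
                continue  # low-volume users: a drop of a few messages means little
            ratio = days[day] / baseline
            if ratio < drop_ratio:
                alerts.append(VolumeAlert(user, day, days[day], baseline, round(ratio, 2)))
    return alerts


def content_alerts(messages, patterns=OFF_CHANNEL_PATTERNS):
    """Return (user, text, matched_patterns) for messages that reference
    another channel. Case-insensitive; word boundaries limit false hits."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    hits = []
    for user, text in messages:
        matched = [rx.pattern for rx in compiled if rx.search(text)]
        if matched:
            hits.append((user, text, matched))
    return hits


def users_for_review(volumes=SAMPLE_VOLUMES, messages=SAMPLE_MESSAGES):
    """Users with both a volume drop and an off-channel reference: the
    combination is a stronger signal than either indicator alone."""
    dropped = {a.user for a in volume_alerts(volumes)}
    referenced = {user for user, _, _ in content_alerts(messages)}
    return sorted(dropped & referenced)


if __name__ == "__main__":
    for a in volume_alerts(SAMPLE_VOLUMES):
        print(f"volume drop: {a.user} day {a.day}: {a.observed} vs baseline {a.baseline} ({a.ratio:.0%})")
    for user, text, matched in content_alerts(SAMPLE_MESSAGES):
        print(f"off-channel reference: {user}: {text!r} matched {matched}")
    print("escalate for supervisory review:", users_for_review())
```

The volume check uses each user's own median rather than a firm-wide average, since the report's point is a drop relative to that person's normal pattern; the `min_baseline` and history guards are the caveats a practitioner adds so that a quiet user or a new joiner does not flood reviewers with false positives.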

Overall, FINRA’s latest report reflects a regulatory environment that expects firms to combine technological innovation with disciplined governance. Both GenAI oversight and off-channel communication monitoring demand continuous refinement rather than one-off policy updates.

Firms that proactively align with these expectations, leveraging modern compliance technologies and structured governance frameworks, are likely to be better positioned during examinations than those that treat these issues as secondary operational matters.

Copyright © 2026 FinTech Global
