Why AI enforcement is coming for financial firms

AI governance in financial services is not a future problem but a present one, according to Brian Rubin, whose insights were shared in a recent fireside conversation hosted by RegTech firm Red Oak Compliance.

Rubin, a partner at Eversheds Sutherland, began his career inside SEC Enforcement and served as deputy chief counsel of enforcement at NASD, now FINRA. Today, he defends firms facing examinations and investigations, giving him a rare dual perspective on how regulators are approaching AI.

Speaking with Red Oak chief supervision evangelist James Cella, Rubin said, “The enforcement cycle is already forming. Someone only on the regulatory side might not fully appreciate how quickly firms are adopting AI. And somebody who’s only been on the industry side might not grasp how regulators are going to dust off their old traditional rules — supervision, record-keeping, communications requirements — and hold firms accountable.”

Rubin sees a familiar pattern playing out. Email, social media and off-channel messaging via text and WhatsApp all followed the same trajectory: rapid adoption, regulatory silence, then enforcement under long-standing rules. He said, “Just because there are no specific AI rules doesn’t mean enforcement isn’t coming. Off-channel communications is a perfect example. Firms were penalized for texting using old record-keeping rules. I expect we’ll be seeing the same kinds of things with AI.”

According to the Red Oak discussion, examiners are already zeroing in on exaggerated AI claims, so-called AI washing, alongside operational gaps such as unreviewed AI-generated communications, missing records and ignored surveillance outputs. A third concern is unauthorised AI use, where employees feed client data into public tools, creating confidentiality and data security exposure. Rubin observed, “The technology is new, but the compliance risks aren’t really that new.”

His advice to chief compliance officers is blunt: governance must precede deployment. He said, “AI isn’t just an IT project. You need governance, you need compliance, legal, technology, and business, all with a documented approval process for use cases.” The regulatory standard is reasonableness, not perfection, but reasonableness must be evidenced through documentation, review processes and clear escalation paths. That documentation also protects CCOs personally, since liability risk rises when a known material problem goes unaddressed.

Rubin stressed that culture matters as much as process. He said, “You’ve got to train employees about what AI can do and what it can’t do. Emphasizing that AI is a helper, not a decision maker. It’s not infallible. You have to foster a culture that views technology through a compliance-conscious lens.”

For more, read the full story here.

Read the daily FinTech news
Copyright © 2026 FinTech Global

Enjoying the stories?

Subscribe to our daily FinTech newsletter and get the latest industry news & research

Investors

The following investor(s) were tagged in this article.