In December 2025, FINRA published its 2026 Annual Regulatory Oversight Report, the detailed compliance guidance document that broker-dealers use to calibrate their programs to regulator expectations for the coming year. The 2026 report includes a substantially expanded standalone section on generative AI that represents the most detailed public statement FINRA has made about what it expects from firms deploying GenAI tools.
The guidance is not legally binding in the same way a rule is. But FINRA examination findings are drawn directly from the Oversight Report's expectations, and firms that cannot demonstrate compliance with the expectations the Report articulates face findings, corrective action, and potential disciplinary proceedings.
For any broker-dealer that has deployed or is planning to deploy generative AI tools (in client communications, research, compliance workflows, trading support, or internal operations), the 2026 Report's GenAI section is the compliance baseline they must meet.
Why FINRA Is Focused on GenAI
The 2026 Report's GenAI section expands substantially from the 2025 version, reflecting two years of rapid deployment of AI tools across financial services and a corresponding accumulation of regulatory concerns.
The fundamental challenge GenAI creates for FINRA-regulated firms is supervisory. FINRA's member firm regulatory framework has always required firms to supervise their employees and their communications with customers. A registered representative who makes an inaccurate statement about a security to a customer creates firm liability. A GenAI tool that makes the same inaccurate statement creates the same liability, but at the scale and speed of software rather than of an individual employee.
The 2026 Report reflects FINRA's judgment that many firms have deployed GenAI tools without building the supervisory and governance infrastructure that the technology requires.
Pre-Deployment Assessment
The 2026 Report's first expectation: firms must assess regulatory compliance obligations before deploying GenAI and establish governance frameworks to supervise GenAI usage before the tools go live.
FINRA explicitly states that it expects firms to evaluate, before deployment:
- Whether the GenAI tool's intended use falls within an activity that is subject to FINRA rules or securities law
- What records must be maintained for compliance purposes given the tool's function
- How outputs from the tool will be supervised and by whom
- What testing has been conducted to identify the tool's failure modes (hallucinations, bias, accuracy limitations) in the specific context of the firm's use case
This pre-deployment assessment obligation represents a meaningful departure from how many firms have approached GenAI adoption. Firms that have deployed GenAI tools reactively (in response to business unit requests, vendor demonstrations, or competitive pressure) without a formal pre-deployment compliance review are operating outside the framework FINRA describes.
Governance Framework Requirements
The 2026 Report specifies that firms must establish a supervision, governance, or model risk management framework that includes:
Clear Policies and Procedures
Firms must have written policies and procedures governing:
- Which GenAI tools are approved for use
- Who is authorized to use them and in what contexts
- What categories of use are prohibited (e.g., generating customer communications that are not reviewed by a registered representative, or using GenAI to make securities recommendations without human oversight)
- How exceptions or new use cases are evaluated and approved
The policy framework must be operationally implemented, not just documented. A policy that permits GenAI use for certain purposes while prohibiting others must be technically enforced through access controls, not merely stated in a handbook.
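One way to turn the written policy above into an enforced control is a policy-as-code gate evaluated at the point of access. The example below is added here and is not code from FINRA or any firm; the tool names, roles and use categories are constructed placeholders, and the two review-required categories mirror the prohibited uses the Report gives as examples.

```python
from dataclasses import dataclass

# Constructed approved-use matrix (placeholder tools, roles and categories, not any firm's
# actual policy): tool -> use category -> roles authorized to invoke it.
APPROVED_USES = {
    "draft-assistant": {
        "internal_drafting": {"analyst", "registered_rep", "compliance"},
        "customer_communication": {"registered_rep"},
        "securities_recommendation": {"registered_rep"},
    },
    "alert-triage": {"compliance_screening": {"compliance"}},
}

# Categories the policy never permits without a human in the loop: the output must be
# reviewed by an assigned person before it reaches a customer or drives a recommendation.
HUMAN_REVIEW_REQUIRED = {"customer_communication", "securities_recommendation"}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    human_review: bool   # True when the approved use still requires reviewer sign-off
    reason: str

def evaluate(tool: str, role: str, use_category: str, reviewer_assigned: bool = False) -> Decision:
    """Gate one request. Anything not explicitly approved is denied and routed to the
    exception process, so the written policy is enforced rather than merely documented."""
    tool_uses = APPROVED_USES.get(tool)
    if tool_uses is None:
        return Decision(False, False, f"tool '{tool}' is not on the approved list")
    roles = tool_uses.get(use_category)
    if roles is None:
        return Decision(False, False,
                        f"'{use_category}' is not an approved use of '{tool}'; route to exception process")
    if role not in roles:
        return Decision(False, False, f"role '{role}' is not authorized for '{use_category}'")
    if use_category in HUMAN_REVIEW_REQUIRED and not reviewer_assigned:
        return Decision(False, True, f"'{use_category}' requires an assigned human reviewer")
    return Decision(True, use_category in HUMAN_REVIEW_REQUIRED, "approved")
```

Each denial reason is itself a record of why the request did not match policy, which is what an examiner will ask for when a new use case surfaces.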
Comprehensive Documentation
The framework must maintain documentation throughout the lifecycle of each GenAI deployment, including:
- The business case and intended use
- The pre-deployment compliance assessment
- Testing results and identified limitations
- Ongoing monitoring data
- Incident records and remediation actions
This documentation requirement has practical implications for firms that use third-party GenAI tools with limited visibility into model behavior. If the vendor cannot provide documentation about the model's training data, known failure modes, and accuracy characteristics in the firm's specific use case, the firm's documentation will be incomplete.
Testing Requirements
The 2026 Report identifies specific testing areas that firms must address before deploying GenAI:
Privacy. Does the tool handle personal data about customers, employees, or counterparties in compliance with applicable privacy requirements? Does it retain or transmit personal data in ways the firm has not authorized?
Integrity. Are the tool's outputs accurate and consistent? Is there evidence that the tool can be manipulated to produce outputs that deviate from intended behavior?
Reliability. Does the tool perform consistently across different prompts, users, and market conditions? Does performance degrade under specific conditions that are likely to arise in the firm's use environment?
Accuracy. For tools used in customer-facing contexts or in compliance-critical applications, what is the error rate? How does the error rate compare to the acceptable threshold for the use case?
Testing must be tailored to the specific use case: a GenAI tool used to draft internal communications is tested differently from one used to generate research summaries for clients or to screen compliance alerts.
Hallucination Risk Management
The 2026 Report identifies hallucinations (instances where a GenAI model generates information that is inaccurate but presented as factual) as a specific risk category requiring dedicated management.
In the financial services context, the consequences of hallucinations are material. A GenAI tool that provides a customer with inaccurate information about a security's price, return history, risk profile, or regulatory classification can cause direct financial harm and create regulatory liability for the firm. A GenAI tool used in a compliance workflow that generates incorrect regulatory citations or misstates rule requirements can cause compliance failures.
FINRA's expectation: firms must understand the hallucination risk of each GenAI tool they deploy in the specific context of their use case, and must implement controls that are commensurate with the potential harm from hallucination in that context.
For customer-facing applications, this typically means human review of GenAI-generated content before it is provided to the customer, particularly for content that includes factual claims about specific securities or investment products. For compliance workflow applications, it means validation of GenAI outputs against authoritative sources before the outputs are relied upon for compliance decisions.
Bias Risk Controls
The 2026 Report flags bias as a distinct risk category. Bias arises when GenAI models produce outputs that systematically favor or disfavor particular groups in ways that reflect skewed training data rather than current conditions or applicable standards.
In financial services, bias in GenAI outputs can produce:
- Fair lending violations. A GenAI tool used in credit assessment that produces systematically less favorable outputs for applicants of particular demographic groups creates disparate impact liability under the Equal Credit Opportunity Act and related regulations, regardless of whether the model's developers intended discriminatory outcomes.
- Supervisory failures. A GenAI compliance screening tool that is less effective at detecting certain types of violations for certain types of transactions or customers may produce a supervision framework that is structurally biased in its coverage.
- Client service disparities. A GenAI tool used in client communications that provides less thorough or accurate information to certain categories of clients creates regulatory fairness concerns.
FINRA's expectation: firms must assess whether GenAI tools used in high-stakes contexts produce outputs that exhibit bias, and must implement controls (including testing on diverse data sets, regular bias audits, and human review of outcomes) that identify and mitigate bias before it produces harm.
Ongoing Monitoring
Pre-deployment testing is necessary but not sufficient. The 2026 Report requires ongoing monitoring of GenAI tools after deployment to confirm that they continue to perform as expected and produce compliant behavior.
What ongoing monitoring must include:
Prompt and output logging. Firms must store records of prompts submitted to GenAI tools and the outputs generated, sufficient to enable supervisory review and troubleshooting. For customer-facing applications, these logs are likely required as business records under FINRA Rule 4511.
Performance drift detection. GenAI models can change over time as vendors update underlying models, and the inputs firms provide (market data, customer information, regulatory text) also change. Performance that was acceptable at deployment may degrade. Monitoring must detect performance drift and trigger review.
Output sampling and review. Firms must sample GenAI outputs on an ongoing basis for accuracy, compliance, and bias indicators. Sampling rates should be commensurate with the risk profile of the use case.
Incident reporting. When monitoring detects a problem (hallucinations, bias indicators, compliance failures), there must be a documented escalation and remediation process.
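The four monitoring elements above fit together in one small control loop: an append-only prompt/output log, risk-tiered sampling into a human review queue, a sliding-window error rate that flags performance drift, and an incident list the escalation process can consume. This is an added example, not code from FINRA or any vendor; the risk tiers, sampling rates, window size and drift threshold are constructed placeholders that a firm would set from its own risk assessment.

```python
import hashlib
import json
import time
from collections import deque

# Constructed placeholders (not FINRA figures): share of outputs routed to human review per risk tier.
SAMPLE_RATE = {"customer_facing": 1.0, "compliance_critical": 0.5, "internal": 0.05}

class GenAIMonitor:
    def __init__(self, tool, model_version, risk_tier, window=20, drift_threshold=0.10):
        self.tool, self.model_version, self.risk_tier = tool, model_version, risk_tier
        self.drift_threshold = drift_threshold
        self.log = []                         # append-only prompt/output records
        self.review_queue = []                # record ids selected for human review
        self.reviewed = deque(maxlen=window)  # sliding window: 1 = error found, 0 = acceptable
        self.incidents = []                   # escalation records for the remediation process
        self.drift_open = False               # avoid re-raising the same drift on every review

    def record(self, user, prompt, output):
        """Log one interaction and decide, reproducibly, whether it goes to review."""
        content = {"tool": self.tool, "model_version": self.model_version, "seq": len(self.log),
                   "user": user, "prompt": prompt, "output": output}
        rec_id = hashlib.sha256(json.dumps(content, sort_keys=True).encode()).hexdigest()[:16]
        self.log.append({"id": rec_id, "ts": time.time(), **content})
        # Hash-bucket sampling can be replayed from the log during an exam; random sampling cannot.
        if (int(rec_id, 16) % 1000) / 1000 < SAMPLE_RATE[self.risk_tier]:
            self.review_queue.append(rec_id)
        return rec_id

    def review(self, rec_id, error_found, note=""):
        """Record a reviewer verdict; escalate each error and any window-level drift."""
        self.reviewed.append(1 if error_found else 0)
        if error_found:
            self.incidents.append({"type": "output_error", "record": rec_id, "note": note})
        rate = self.error_rate()
        if rate > self.drift_threshold and not self.drift_open:
            self.drift_open = True
            self.incidents.append({"type": "performance_drift", "error_rate": rate,
                                   "model_version": self.model_version})
        return rate

    def error_rate(self):
        return sum(self.reviewed) / len(self.reviewed) if self.reviewed else 0.0

    def set_model_version(self, new_version):
        """A vendor model update invalidates the baseline: note it and restart the window."""
        self.incidents.append({"type": "model_change", "from": self.model_version, "to": new_version})
        self.model_version, self.drift_open = new_version, False
        self.reviewed.clear()
```

Recording the model version in every log entry is what lets a later reviewer tell a vendor-side model change apart from a change in the firm's own inputs.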
Emerging Concern: Autonomous AI Agents
The 2026 Report flags the use of autonomous AI agents in financial services as a "rapidly evolving" area presenting "novel regulatory and supervisory considerations."
FINRA is specifically concerned about AI agents that can take actions (placing orders, executing transactions, sending communications, making compliance filings) without explicit human approval for each individual action. The challenge for the supervisory framework: FINRA's rules require firms to supervise the activities of their associated persons. An AI agent that acts autonomously is not an associated person, but its actions create the same compliance obligations and the same harm potential.
The 2026 Report does not provide definitive guidance on how FINRA's rules apply to autonomous AI agents. It signals that FINRA is actively developing its position and that firms deploying AI agents should expect evolving regulatory expectations.
The UK CMA's March 2026 guidance on agentic AI and consumer law, which established obligations around transparency, human oversight, and compliance by design for AI agents in consumer-facing contexts, provides a useful preview of the regulatory direction FINRA may take on this issue.
What Firms Must Implement Before the Next Examination Cycle
Based on the 2026 Report's expectations, broker-dealers that have deployed GenAI should assess their programs against the following:
Pre-deployment assessment documentation. For each GenAI tool currently deployed: can you produce documentation of the pre-deployment compliance review that was conducted? If no formal review was done, that is a gap.
Written policies and procedures. Do you have documented policies governing GenAI use, including approved use cases, prohibited uses, authorized users, and the approval process for new use cases?
Testing records. Can you produce testing results for deployed GenAI tools that address privacy, integrity, reliability, and accuracy? Are the test results specific to your firm's use case, not just the vendor's general marketing materials?
Hallucination and bias controls. For customer-facing or compliance-critical GenAI applications: what specific controls address hallucination risk and bias risk? Are those controls documented?
Monitoring infrastructure. Are you logging prompts and outputs? Are you sampling for compliance? Is there a documented escalation and remediation process for identified problems?
Vendor oversight. For third-party GenAI tools: what diligence have you done on the vendor's own compliance infrastructure? What contractual rights do you have to audit, receive documentation, and require remediation?
FINRA's 2026 GenAI governance expectations are not the end point; they are the floor. As GenAI deployment in financial services matures, regulatory expectations will become more specific and more demanding. Firms that build governance infrastructure now will be better positioned to adapt as those expectations evolve.
The alternative, waiting for examination findings or enforcement actions to identify gaps, is more costly in remediation effort and more damaging to regulatory relationships than building the program proactively.
Sources: FINRA 2026 Annual Regulatory Oversight Report (December 2025); FINRA.org GenAI section; Debevoise Data Blog (FINRA's 2026 Regulatory Oversight Report: Continued Focus on Generative AI and Emerging Agent-Based Risks); DLA Piper (FINRA flags generative AI risks and governance expectations); Sidley Austin (FINRA Issues 2026 Regulatory Oversight Report); FinTech Global (How FINRA's 2026 report reshapes GenAI compliance); Shumaker Loop & Kendrick (Generative Artificial Intelligence in Financial Services: A Practical Compliance Playbook for 2026). This article is provided for informational purposes only and does not constitute legal advice.