A complete guide to ChatGPT recordkeeping

ChatGPT use in financial services has dramatically increased over the past year – especially in North America – raising questions about whether firms are addressing generative AI compliance gaps and aligning with evolving regulatory guidelines.

12 November 2025 | 7 mins read
By Kathryn Fallah
Written by a human

In brief:

  • Recent report findings have shown a 3,000% increase in firms capturing ChatGPT data compared to 2024
  • The industry has taken an open yet cautious approach to generative AI in recent years, though ChatGPT and similar applications are fast becoming a valuable resource
  • As firms integrate generative AI into business communications workflows, they must ensure they’re staying in step with developing recordkeeping regulations

Despite initial uncertainty and scepticism, artificial intelligence (AI) tools have been steadily integrated into our day-to-day routines. Generative AI (GenAI) tools like ChatGPT are being leveraged by businesses of all kinds, including in financial services, for productivity and efficiency savings, among a myriad of other applications.

The last year has seen a staggering 3,000% increase in the number of firms capturing ChatGPT data, according to Global Relay’s Data Insights: Communications Capture Trends in 2025/26 report. This dramatic increase suggests a confidence shift around the role of GenAI in business. However, with AI regulation still in its infancy and guidelines still developing, firms must understand the rules currently governing AI use, and how they can leverage compliance technology to meet regulatory requirements.

Full speed AI-head: AI adoption gains momentum

The shift in stance of the Securities and Exchange Commission (SEC) and Financial Conduct Authority (FCA) towards embracing innovation and evolving AI technologies has no doubt spurred AI adoption among industry players.

There are many examples of firms increasing their adoption of GenAI. Deloitte UK gave 75,000 staff members access to AI-powered assistants to help build PowerPoint presentations and write emails, and JPMorgan Chase granted employees access to generative assistants to summarize and generate text. A September 2025 study from OpenAI found 49% of U.S. companies were reportedly leveraging ChatGPT across a variety of use cases.

However, AI’s rapid development may mean that firms are utilizing AI tools without policies in place to capture them. A survey by Finextra found that 65% of U.K. professionals admitted to using unapproved AI tools for customer interactions. Similarly, a study from UpGuard found that 68% of security leaders admitted to using unapproved GenAI tools.

The 3,000% increase in firms capturing ChatGPT data in 2025 builds on the 400% increase seen in the 2024 Data Insights: Communications Capture Trends report. It is highly likely that this figure will continue to grow in line with increased use of GenAI platforms by financial services firms amid a more permissive regulatory environment. Though the AI adoption trend continues to grow, firms must bear in mind that more ready regulatory acceptance does not mean diminished compliance expectations.

What are the current regulations around ChatGPT?

Regulators have not yet issued guidelines that specify standards associated with ChatGPT or related generative platforms, though existing guidelines like SEC Rule 17a-3 and 17a-4 do require that all business-related communications, whether AI-generated or otherwise, be captured for recordkeeping purposes.

Similarly, the Department of Justice’s (DOJ) amended Evaluation of Corporate Compliance Program (ECCP) has extended preservation requirements to include emerging technological advancements, stating that it will look to understand how a firm’s “data retention and business conduct policies have been applied” and if policies “permit the company to review business communications.” Therefore, any messaging considered to be “business communications” as outlined by SEC Rule 17a-4 would, by extension, be required to be captured to meet the DOJ’s ECCP.

The Financial Industry Regulatory Authority (FINRA) has expressed a similar sentiment in Regulatory Notice 24-09 on “regulatory obligations when using GenAI tools.” This notice states that regulatory obligations apply when firms are using generative AI within their business operations in the same way they apply when firms use any other technologies or tools.

While regulators have taken steps to lay ground rules around AI model use, such as the Commodity Futures Trading Commission (CFTC) promoting the National Institute of Standards and Technology (NIST) cybersecurity frameworks, or the Office of the Superintendent of Financial Institutions (OSFI) establishing model risk management guidance to address associated risk, standards for generative behavior within business workflows have not yet been specifically defined, largely because AI’s introduction to financial operations is unprecedented.

Prompts entered into GenAI platforms might contain personal data or proprietary information, so capturing them requires firms to find the balance between communications capture requirements and data privacy rules, such as those outlined in the General Data Protection Regulation (GDPR).

Managing ChatGPT risk in the workplace

AI is quickly and constantly evolving, meaning regulation will need to remain flexible to keep up to speed. Consequently, it is incumbent on firms to implement principles and maintain documentation that supports responsible use and provides transparency and explainability of AI’s place in their operations.

1. Keep ChatGPT data logged and loaded into the archive

With multiple regulations requiring that businesses prioritize complete capture of relevant business and communications data, maintaining logs of AI prompts and outputs that are used for regulated activity, such as business decisions, advice, or communications, is essential.

2. Maintain structured, secure, and retrievable records

Beyond just retaining communications, generative AI records must be tamper-evident, timestamped, indexed, and easily retrievable. Should firms face a regulatory inquiry that requires them to produce documents quickly and completely, a structured log of communications could be the difference between compliance and consequences.

3. Compliant tools make for compliant firms

Firms must also ensure that any AI platform they implement allows for retention and audit logs to meet compliance requirements. Enterprise-grade tools will typically offer these abilities as opposed to often opaque consumer tools. In addition, defining internal policies and outlining the AI interactions and outputs that must be stored and audited, and how long these interactions must be stored for, is essential.

4. Prioritize security and resiliency

As a repository for huge amounts of potentially sensitive data, ChatGPT and other GenAI platforms are an incredibly tempting target for bad actors and cyber breaches. Regulators are setting increasingly stringent expectations that firms ensure high standards of operational and cyber resilience. With platform updates or outages causing unexpected issues with data integrity or availability, firms must make sure they are leveraging solutions that will keep the data they enter into GenAI platforms secure, as well as protected from loss, corruption, or unavailability due to external factors.

5. Practice data privacy

With reports estimating that around 77% of employees share sensitive company data with ChatGPT or similar platforms, ensuring that individuals understand data privacy measures is paramount. Firms should research data privacy laws within the jurisdictions they operate in to determine what is applicable to their business. Upon identifying these laws, the next step is practicing data minimization where possible and obtaining necessary consent.

Final thoughts

Firms must define precise tactics to establish comprehensive governance, ensure fairness, prioritize transparency, and maintain accountability as it relates to GenAI’s use in business contexts.

To maximize the power of tools like ChatGPT while also ensuring complete recordkeeping compliance, firms should look to implement solutions that capture the AI business and communications data that will keep them on the right side of regulation – now, and into the future.


With a complete suite of Connectors to capture communications across every business channel, including ChatGPT, Global Relay offers firms the ability to leverage the power of GenAI tools by maintaining comprehensive records while mitigating compliance gaps.
