FINRA 2026 Oversight Report flags GenAI, recordkeeping, and cybersecurity risks

The regulator’s annual Oversight Report has highlighted GenAI, recordkeeping, cybersecurity, and third parties as areas where firms should focus efforts to strengthen compliance programs.

15 December 2025
By Jay Hampshire
Written by humans

In brief:

  • FINRA has published its 2026 Regulatory Oversight Report to support member firms in strengthening their compliance programs
  • The report has identified challenge areas, and the effective practices firms are using to manage evolving risk
  • The risks identified have been enforcement focus areas for FINRA throughout 2025, potentially indicating continued focus through 2026

The Financial Industry Regulatory Authority (FINRA) has published its 2026 FINRA Regulatory Annual Oversight Report, an annual release aimed at empowering member firms to “enhance their resiliency and strengthen their compliance programs.”

Firms use the report to identify which effective practices are most relevant to their operations, incorporate the flagged risk areas in their risk assessment processes, perform gap analysis of their compliance programs and policies, and for ongoing training. The report has identified a range of evolving risk areas, including generative artificial intelligence (GenAI), cybersecurity, operational resilience (particularly relating to third parties), recordkeeping, and how firms communicate with the public.

In an accompanying release, Greg Ruppert, Executive Vice President and Chief Regulatory Operations Officer at FINRA, said:

“We are not just identifying risks, we are equipping our member firms with the intelligence and resources needed to mitigate risks effectively … Ultimately, this report is essential because member firm compliance protects investors and safeguards the integrity of our markets.”

Ruppert highlighted several of the flagged risk areas and the essential nature of firms leveraging the report’s findings:

“Whether it’s about the evolving threat of cyberattacks, including those powered by bad actors exploiting artificial intelligence [or] the increase in manipulation tactics that exploit market participants … this report delivers useful, real-world insights from our regulatory oversight work. Our goal is simple: help firms build stronger compliance programs and more resilient operations so that investors can participate in markets with greater confidence.”

What are the risks and focuses highlighted in the FINRA 2026 Oversight Report?

Generative AI

Unsurprisingly, GenAI has a prominent place in the FINRA Oversight Report, which notes that many firms have begun to “implement GenAI solutions with a focus on efficiency gains, particularly with respect to internal processes and information retrieval.” Interestingly, the top use case for GenAI among FINRA members is “summarization and information extraction,” involving condensing large volumes of data and extracting key information from unstructured documents.

FINRA’s report details “notable risks and challenges” that firms must be cognizant of, including:

  • AI agents acting autonomously without human validation or approval, and acting beyond the user’s level of authority
  • Complicated, multi-step reasoning tasks making outcomes hard to trace or explain, reducing transparency and explainability
  • Agents operating autonomously, unintentionally storing, exploring, disclosing, or misusing sensitive proprietary information
  • Risks unique to GenAI, such as bias and hallucinations

The report also highlights the need for firms using GenAI to “generate or otherwise assist in creating communications to customers” to ensure that these communications comply with relevant regulatory rules, and to ensure that GenAI and AI chatbot communications with investors are retained to meet recordkeeping requirements.

FINRA’s guidance to help firms leverage GenAI compliantly includes:

  • Developing supervisory processes to develop and use GenAI at an enterprise level including governance and model risk management frameworks
  • Introducing approaches to identify and mitigate associated risks like accuracy, hallucinations, and bias
  • Ongoing monitoring of prompts, responses, and outputs to confirm that GenAI solutions are performing as expected and in a compliant manner – including storing prompt output logs
  • Establishing where to have “human in the loop oversight protocols”

Books and records

The last year has seen FINRA on the front foot with recordkeeping enforcement actions, hitting multiple firms and individuals with considerable fines for failing to maintain records (with many of these cases involving off-channel communications).  

The FINRA report reminds readers that broker-dealers must meet the “minimum requirements” of recordkeeping set out in Securities and Exchange Commission (SEC) Rules 17a-3 and 17a-4, including how long these records must be retained and the formats they are retained in. FINRA Rule 4511 also requires firms to make and keep books and records.

FINRA notes its investigations discovered failures “to maintain certain electronic communications”, including “not retaining, archiving, and reviewing non-email electronic communications conducted through firm-approved channels.” The suggested steps firms should take to avoid similar failures include:

  • Testing third-party recordkeeping vendors’ capabilities to fulfil regulatory obligations by simulating a regulatory examination and requesting records
  • Monitoring for indications that associated persons are using off-channel communications, such as a decrease or absence of activity on previously used firm-approved channels
  • Frequently revising keywords used to surveil for the potential use of off-channel communications
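The two monitoring practices above (watching for a drop in approved-channel activity and surveilling for off-channel keywords) can be turned into a simple surveillance check. The following is an added example, not code from the report or from Global Relay; the message log, the thresholds and the keyword list are all constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample log of firm-approved channel traffic: (sender, day, text).
# Alice keeps chatting; Bob goes quiet on the approved channel in the last two
# weeks, and one of his final messages hints at moving the conversation elsewhere.
AS_OF = date(2025, 12, 12)
SAMPLE_LOG = []
for d in range(56):  # eight weeks of history, one message per person per day
    day = AS_OF - timedelta(days=d)
    SAMPLE_LOG.append(("alice", day, "trade ticket update"))
    if d >= 14:  # bob was active until two weeks ago
        SAMPLE_LOG.append(("bob", day, "client call notes"))
SAMPLE_LOG.append(("bob", AS_OF - timedelta(days=14), "let's continue this on WhatsApp"))

# Constructed keyword list; a real surveillance lexicon is firm-specific and revised often.
OFF_CHANNEL_KEYWORDS = ("whatsapp", "signal", "text me", "personal cell", "imessage")


def weekly_counts(log, as_of, weeks):
    """Messages per sender per week; index 0 is the most recent week."""
    counts = {}
    for sender, day, _ in log:
        age = (as_of - day).days
        if 0 <= age < weeks * 7:
            counts.setdefault(sender, [0] * weeks)[age // 7] += 1
    return counts


def flag_activity_drop(log, as_of, recent_weeks=2, baseline_weeks=6,
                       min_baseline=5.0, drop_ratio=0.25):
    """Senders whose recent approved-channel volume fell far below their own baseline.

    min_baseline avoids flagging people who were never active; drop_ratio is the
    fraction of the baseline below which recent activity is considered suspicious.
    """
    flagged = []
    for sender, weeks in weekly_counts(log, as_of, recent_weeks + baseline_weeks).items():
        recent = sum(weeks[:recent_weeks]) / recent_weeks
        baseline = sum(weeks[recent_weeks:]) / baseline_weeks
        if baseline >= min_baseline and recent <= drop_ratio * baseline:
            flagged.append((sender, round(recent, 1), round(baseline, 1)))
    return flagged


def keyword_hits(log, keywords=OFF_CHANNEL_KEYWORDS):
    """Approved-channel messages that mention moving to an unapproved channel."""
    return [(s, d, t) for s, d, t in log if any(k in t.lower() for k in keywords)]
```

Both signals are weak on their own (a drop may simply be leave), so a reviewer would typically escalate only when an activity drop and a keyword hit coincide for the same person.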

Cybersecurity, operational resilience, and third-party risk

FINRA has “observed an increase in the reporting of cyberattacks and outages at firms’ third-party vendors,” which is unsurprising given a recent spate of high-profile, high-impact outages and cyberattacks, including those involving Amazon Web Services, CrowdStrike, and Capita.

What FINRA describes as “the financial industry’s reliance on third-party vendors to support key systems and covered functions” may result in a “large number” of firms being impacted should a cyberattack or outage at a sizable third-party provider be successful.

FINRA’s observations have noted a variety of cybersecurity threats targeted at firms, from familiar “phishing, smishing, or quishing” attacks to ransomware and extortion, account takeovers, data breaches, and account impersonations.

The best-practice measures firms can undertake to increase their resilience to third-party and cyber risks from the report include:

  • Conducting initial and ongoing due diligence on third-party vendors supporting mission-critical systems
  • Assessing how third parties use GenAI in their products or services
  • Maintaining an inventory of all third-party vendor-provided services, hardware, software, and systems in use
  • Keeping an inventory of data types accessed or stored by vendors
  • Assessing the potential impact of a cybersecurity incident or outage at a third-party vendor on services, and monitoring that third-party for vulnerabilities or breaches

Communications with the public

FINRA’s 2026 Oversight Report reminds readers that there are several FINRA rules dedicated to “ensuring that member communications are fair and balanced, and that investors do not receive misleading information,” including FINRA Rule 2210 (Communications with the public).

FINRA identified multiple instances where firms have evidenced inadequate supervision of social media influencers advertising their services (“finfluencers”), including failures to:

  • Establish, maintain, and enforce a system designed to supervise communications disseminated on the firm’s behalf by finfluencers
  • Review and approve influencers’ content prior to the influencer posting on social media
  • Review or supervise influencer communications posted in online interactive electronic forums
  • Retain all retail communications finfluencers post on the firm’s behalf

Over the last few years, FINRA has been a driving force behind enforcement actions targeting both individual finfluencers and the firms employing them that have breached Rule 2210 and exhibited the above failings.

The regulator also identified multiple instances of firms sharing “false, misleading, inaccurate, or unbalanced information in mobile apps” leading them to violate FINRA rules, including:

  • Failures to disclose/inaccurately disclosing the risk of loss associated with certain options transactions
  • Distributing false or misleading promotions through social media and “push notifications” that made promissory claims or omitted material information

Something old, something new

FINRA’s mix of risk advisories includes well-worn topics many are all too familiar with, including recordkeeping, off-channel communications, and operational resilience. Yet, if the regulator’s enforcements over the last year have taught us anything, it is how often firms and individuals continue to get “the basics” wrong.

Firms must take note of how quickly the evolution of technology is changing the regulatory risk landscape. GenAI has fundamentally changed how organizations work internally and externally. With AI and cyberattacks making the third-party vendor web even more tangled, and finfluencers altering how businesses reach new and existing audiences, firms need to look at the tools and talent they employ to make sure they stay on the right side of regulation – whatever 2026 may throw at them.

With a complete suite of Connectors to capture communications across every business channel, including ChatGPT, Global Relay offers firms the ability to leverage the power of GenAI tools by maintaining comprehensive records while mitigating compliance gaps.
