What FINRA’s 2026 AI Guidance Actually Means for St. Louis Financial Services Firms


A Plain-English Breakdown for St. Louis RIAs, Broker-Dealers, and Wealth Managers

In December 2025, FINRA published its 2026 Annual Regulatory Oversight Report, a nearly 90-page document that most financial firm principals will never read. That’s understandable. What matters is knowing what’s in the section that applies to you right now.

For 2026, FINRA added a dedicated section on generative AI for the first time. The message is straightforward: AI is no longer a novelty FINRA is watching from a distance. It is a supervised technology subject to the same compliance framework as any other tool your firm uses. If your financial services firm is using AI, or your employees are using it on their own, then your compliance program needs to account for it.

Note: Nothing here constitutes legal or compliance advice. For guidance specific to your firm’s obligations, consult securities counsel or your compliance consultant.


The Core Message: FINRA’s Rules Don’t Change Because You’re Using AI

FINRA has been consistent on this point across multiple guidance documents, and the 2026 Report repeats it directly: FINRA’s rules are technologically neutral. Using generative AI does not change a firm’s obligations under supervision (Rule 3110), communications with the public, recordkeeping, or fair dealing. The technology changes; the regulatory standard doesn’t.

What that means practically: if an advisor uses an AI tool to draft a client communication, that communication is still subject to the same review and approval requirements as one they typed themselves. If the firm uses AI to assist with supervisory functions, the supervisory system still needs to be reasonably designed. If AI generates a recommendation, the firm is still responsible for that recommendation under Reg BI.

FINRA specifically flags “hallucinations” as a risk: instances where an AI model generates inaccurate or misleading information and presents it as fact. A model that misinterprets a regulatory requirement, misstates client account data, or produces incorrect market information creates downstream compliance failures that the firm owns, not the vendor.

The Books-and-Records Problem Most Firms Haven’t Solved

This is the specific issue that will catch the most firms off guard during examinations. The 2026 Report makes clear that prompt and output logs need to be classified as firm records when AI is used in supervision, client recommendations, or customer interactions. That means they need to be retained, retrievable, and available to examiners.

Most firms using AI tools right now have no retention mechanism for AI-generated outputs. An advisor uses a chatbot to draft a client summary, pastes it into an email, and sends it. The email might be archived; the AI interaction that produced it almost certainly isn’t. Under the 2026 Report’s guidance, that’s a recordkeeping gap.

The practical fix requires both a policy decision and a technical one. First, the firm needs written guidance on which AI use cases trigger recordkeeping obligations. Second, the IT environment needs to support retention of those records in a format that satisfies Exchange Act books-and-records rules. Most consumer-facing AI tools don’t do this natively; it requires either an enterprise platform with built-in logging, or a workflow that captures both the prompt and the output into the firm’s existing archiving system before anything reaches a client.
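One way to build that capture step, shown here as an added example that is not from FINRA’s report or from Alliance Tech: a small Python wrapper that sits between the user and the model, writes every prompt/output pair to an append-only, hash-chained log, and only then hands the output back. The use-case categories in RECORD_USE_CASES, the stub model, the user names and the sample prompts are assumptions constructed for the example. Whether a hash-chained JSON-lines file meets the books-and-records format requirement is a question for compliance counsel and the archiving vendor; the example only shows that every interaction is captured and that an edit, deletion or reordering of the archived records is detectable afterwards.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical firm policy: which use cases make an interaction a firm record.
# The three categories come from the guidance discussed above; the set itself
# is the firm's own written decision, not a list FINRA publishes.
RECORD_USE_CASES = {"supervision", "recommendation", "customer_interaction"}

GENESIS_HASH = "0" * 64  # prev_hash of the first record in a chain


def _digest(record: dict) -> str:
    """SHA-256 over canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AIInteractionLog:
    """Append-only, hash-chained log of AI prompt/output pairs.

    Each record commits to the previous record's hash, so deleting, reordering
    or editing any retained interaction breaks verification of the chain.
    """

    def __init__(self) -> None:
        self.records: list[dict] = []

    def capture(self, user: str, tool: str, use_case: str,
                prompt: str, output: str) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS_HASH
        record = {
            "seq": len(self.records) + 1,
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "tool": tool,
            "use_case": use_case,
            "firm_record": use_case in RECORD_USE_CASES,
            "prompt": prompt,
            "output": output,
            "prev_hash": prev,
        }
        record["hash"] = _digest(record)
        self.records.append(record)
        return record

    def export_jsonl(self) -> str:
        """One JSON object per line, the form handed to the archiving system."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def load_jsonl(text: str) -> list[dict]:
    """Read records back from the archived JSON-lines form."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def verify_chain(records: list[dict]) -> bool:
    """True only if every record is intact and linked to its predecessor."""
    prev = GENESIS_HASH
    for expected_seq, rec in enumerate(records, start=1):
        if rec.get("seq") != expected_seq or rec.get("prev_hash") != prev:
            return False
        if _digest(rec) != rec.get("hash"):
            return False
        prev = rec["hash"]
    return True


def captured_call(log: AIInteractionLog, model_fn, user: str, tool: str,
                  use_case: str, prompt: str) -> str:
    """Call the model and write the record BEFORE the output is returned.

    If this wrapper is the only path to the model, an advisor cannot obtain a
    draft that was not logged.
    """
    output = model_fn(prompt)
    log.capture(user, tool, use_case, prompt, output)
    return output


def stub_model(prompt: str) -> str:
    """Constructed stand-in for a real model endpoint (no network access)."""
    return "[draft] " + prompt[:40]


def demo() -> tuple[bool, bool, bool, bool]:
    """Capture two constructed interactions, then show tampering is detected."""
    log = AIInteractionLog()
    captured_call(log, stub_model, "advisor01", "chat-assistant",
                  "customer_interaction",
                  "Draft a quarterly summary email for the Miller household.")
    captured_call(log, stub_model, "advisor01", "chat-assistant",
                  "internal_research",
                  "Explain the difference between a Roth and a traditional IRA.")
    intact = verify_chain(load_jsonl(log.export_jsonl()))

    # Simulate someone editing the archived copy of the first output.
    tampered = load_jsonl(log.export_jsonl())
    tampered[0]["output"] = "edited after the fact"
    return (intact, verify_chain(tampered),
            log.records[0]["firm_record"], log.records[1]["firm_record"])


if __name__ == "__main__":
    print(demo())
```

The point of the design is ordering: the record is written inside the call path, not reconstructed later from an email archive, and the chain hash makes the archived copy self-checking at examination time. The firm_record flag is where the policy decision from the paragraph above lands in code, so a later reviewer can see which interactions the firm classified as records and which it did not.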

Vendor Due Diligence: Your AI Tool Is a Third-Party Vendor

The 2026 Report reinforces FINRA’s longstanding position that outsourcing a function doesn’t outsource the compliance responsibility. This applies to AI vendors the same way it applies to IT service providers, AML monitoring systems, and custodian platforms.

If your firm is using a third-party AI tool, FINRA expects documented due diligence on how that vendor handles firm and client data, whether it uses your data to train its models, how it logs and retains interactions, what its security controls look like, and how it notifies you if its model changes or an incident occurs. Most vendor agreements for consumer AI tools don’t address these questions at all. FINRA now expects that gap to be identified, and either remediated through updated contract terms or documented as a known risk with compensating controls.

From an IT perspective, this means AI tools must go through the same vendor risk assessment process as any other technology that touches client data. A firm that approved an AI drafting tool without reviewing its data handling terms has a vendor diligence gap. The same applies to AI features embedded in platforms your firm already uses; if Microsoft Copilot is turned on in your M365 environment, that’s an AI deployment that needs to be evaluated, documented, and governed.

AI as an Attack Vector: What FINRA Is Seeing From Threat Actors

The 2026 Report doesn’t just address how firms use AI; it addresses how attackers are using it against firms. This is the section most compliance discussions miss entirely, and it has direct IT implications.

FINRA specifically identifies the following AI-enabled threats currently targeting financial firms:

  • Deepfake audio and video: voice clones used in call-center interactions to impersonate clients or personnel, and AI-generated video used to defeat identity verification procedures. FINRA flags this specifically in the context of account takeovers and new account fraud.
  • AI-generated identity documents: fake IDs, falsified account documents, and AI-produced KYC materials that bypass automated verification systems. FINRA observed these being used in new account fraud schemes targeting broker-dealers in 2025.
  • Polymorphic malware: malicious software that uses AI to continually rewrite its code and appearance so that each copy evades signature-based detection. Traditional antivirus is not designed to catch this; behavioral EDR, which flags what a process does rather than what its file looks like, is the control built for it.
  • Highly targeted phishing: AI-generated phishing emails that use social media mining and public data to personalize attacks at a scale and quality that previously required significant manual effort. The emails are grammatically correct, contextually accurate, and designed around the recipient’s actual role and relationships.

For financial firms, the practical implication is that the threat environment has changed faster than most security stacks have adapted. Signature-based antivirus won’t catch polymorphic malware. Standard email filters aren’t calibrated for AI-generated phishing. Identity verification procedures designed for 2020 fraud patterns don’t account for deepfake audio. FINRA’s 2026 Report essentially tells firms: your defenses need to be evaluated against the current threat model, not the one that existed when you last reviewed your cybersecurity program.

What an Examiner Will Ask About Your AI Usage

Based on the 2026 Report and current examination trends, here is what FINRA examiners are likely to ask about AI at your firm:

  1. Do you have a written inventory of the AI tools your financial services firm uses, including those embedded in platforms like Microsoft 365?
  2. Do your written supervisory procedures address AI use? If advisors or staff are using AI tools, is there a formal approval process before deployment?
  3. How does the firm retain AI-generated communications or outputs that constitute firm records?
  4. Have your AI vendors been assessed for how they handle firm and client data? Do your contracts address data retention, model training, and security incident notification?
  5. Has your cybersecurity program been updated to address AI-enabled threats, including deepfakes, AI-generated phishing, and polymorphic malware?
  6. If your firm uses AI agents (tools that autonomously execute tasks), what human oversight and audit trail requirements are in place?

Most firms currently can’t answer more than two or three of these questions with documented evidence. That’s not a criticism; the guidance is new and the technology moved faster than compliance frameworks. But FINRA’s 2026 Report signals that the grace period for treating AI as an emerging technology that doesn’t need formal oversight is over.

How Alliance Tech Helps St. Louis Financial Firms Navigate the AI Compliance Gap

Alliance Tech operates at the IT layer of AI compliance: vendor assessment, M365 Copilot configuration, records retention architecture, EDR and behavioral detection for AI-enabled threats, and audit logging for AI interactions. We don’t write compliance policies, but we build and manage the technical environments that need to support them.

For financial firms in St. Louis, Clayton, Chesterfield, and across the metro that are starting to work through their AI governance obligations, we can assess what your current environment looks like, identify the specific technical gaps that FINRA’s guidance creates, and help structure an IT environment that supports the recordkeeping, vendor oversight, and threat detection requirements the 2026 Report lays out.

Call (314) 649-8888 or schedule a free assessment online. We’ll give you a straightforward read on where your firm’s IT environment stands relative to FINRA’s current expectations.
