Generative AI in Financial Services

FINRA’s recent observations highlight how member firms are increasingly incorporating Generative AI into their operations. While this technology offers significant efficiency gains, it also introduces new supervisory, operational, and regulatory considerations. The following summarizes FINRA’s key findings and guidance.

Primary Areas Where Generative AI Is Being Used

Member firms are deploying Generative AI to improve efficiency, particularly for internal workflows and information retrieval. The most common use case is summarization and information extraction, enabling firms to condense large volumes of unstructured text and isolate relevant entities and relationships.

Beyond that leading category, FINRA identifies a broad portfolio of emerging Generative AI applications:

  • Conversational AI and question answering: Virtual assistants, chat interfaces, and voice-enabled tools that provide natural-language responses.
  • Content generation: Drafting reports, documents, marketing materials, and other written outputs.
  • Classification and categorization: Sorting and labeling documents, transactions, or datasets.
  • Workflow automation and process intelligence: Using AI-enabled routing, automation, and agent-driven execution.
  • Coding and querying: Producing functional code or retrieving answers from structured databases through natural language.
  • Supporting analytics: Sentiment analysis, translation, personalization, pattern recognition, data transformation, synthetic data generation, modeling, simulation, client-facing functions, and operational modeling.

Firms are also beginning to explore AI agents, which are systems capable of performing multi-step tasks autonomously, increasing the scope of automation but also introducing higher-stakes oversight requirements.

Key Risks Associated With Generative AI

FINRA’s guidance underscores that existing securities laws and FINRA rules apply fully to Generative AI technologies. Several categories of risk are especially salient:

  • Accuracy and hallucinations: Models may generate outputs that are incorrect, misleading, or confidently stated as fact. Inaccurate rule interpretations, client data, or market information can influence decisions and increase regulatory exposure.
  • Bias and skewed outputs: Training data limitations, outdated information, or flawed model design can produce biased or unrepresentative results, affecting client interactions, risk assessments, or operational decisions.
  • Cybersecurity risks: Generative AI may expose new attack surfaces for threat actors, either through a firm’s use of AI tools or the misuse of AI technologies by adversaries. Firms must consider how Generative AI affects data provenance, vendor risk, and detection capabilities.
  • AI agent-specific risks: For autonomous agent systems, additional concerns include operating outside intended authority, inconsistent domain knowledge, difficulty tracing or auditing multi-step reasoning, potential misuse or mishandling of sensitive data, and misaligned reward mechanisms leading to harmful or noncompliant actions.

These risks heighten the need for disciplined governance and ongoing human oversight.

Formal Supervision and Governance Policies

FINRA emphasizes that firms must maintain supervisory systems designed to ensure compliance when Generative AI is adopted. Effective governance practices include:

  • Formal review and approval processes: Evaluating proposed Generative AI use cases with involvement from both business and technology stakeholders.
  • Enterprise-level governance frameworks: Defining policies for development, deployment, and use of Generative AI systems, supported by thorough documentation across the model lifecycle.
  • Model risk management: Establishing controls to assess model reliability, integrity, data sources, and limitations; incorporating human validation where appropriate.
  • Cybersecurity-integrated oversight: Aligning AI oversight with cybersecurity programs to address data sensitivity, vendor risk, and AI-enabled threats.

Firms must also consider guardrails for AI agents, such as access controls, role-based authorization, activity tracking, and human-in-the-loop protocols.


Testing and Ongoing Monitoring of Generative AI Systems

FINRA stresses the importance of robust testing and continuous monitoring when firms employ models or prompts that may be reused or embedded in recurring processes. Key expectations include:

  • Comprehensive pre-deployment testing: Assessing accuracy, reliability, privacy, and integrity; validating expected capabilities and identifying limitations.
  • Prompt and output logging: Storing prompts and responses to support auditability, accountability, and troubleshooting. Tracking which model version produced each output is especially valuable.
  • Regular monitoring and review: Conducting periodic checks for errors, bias, drift, or unexpected behavior. Human review remains essential for decisions with regulatory or client impact.
  • Oversight of autonomous agents: Monitoring system access, data handling, and decision pathways; implementing guardrails to restrict undesirable agent actions.

Ongoing validation ensures that Generative AI-driven processes remain compliant, predictable, and aligned with firm standards even as models evolve.


What Should I Do?

Several forward-looking companies are publishing policies on how they use, monitor, and control AI, with the goal of assuring the quality of its output. FINRA’s observations make clear that Generative AI is rapidly becoming embedded in financial services, with the greatest traction in text summarization, information extraction, and internal automation. Alongside these benefits, firms must address accuracy risks, bias, cybersecurity concerns, and the complexities introduced by autonomous AI agents. Effective governance, rigorous testing, and continuous monitoring are essential to ensure that Generative AI tools perform reliably and in full compliance with regulatory obligations.
