FINRA Highlights Compliance Focus for 2026
In its 2026 FINRA Annual Regulatory Oversight Report, FINRA highlighted areas of focus for the new year, reviewed recent compliance deficiencies and observations and offered guidance for member firms on their regulatory obligations.
In the report, FINRA outlined regulatory obligations related to financial crimes, Gen AI, firm operations, crypto, market integrity and trading, and financial management, as summarized below:
Financial Crimes Prevention
Regulatory Obligations: Firms must adhere to SEC Regulations S-P (Privacy of Consumer Financial Information) and S-ID (Identity Theft Red Flags), as well as FINRA Rules 3110 ("Supervision") and 4370 ("Business Continuity Plans") regarding cybersecurity. Under the Bank Secrecy Act ("BSA") and FINRA Rule 3310 ("Anti-Money Laundering Compliance Program"), firms are required to develop and implement a written Anti-Money Laundering ("AML") program reasonably designed to detect and report suspicious transactions. Additionally, FINRA rules prohibit manipulative trading practices, including Rules 2010 ("Standards of Commercial Honor and Principles of Trade"), 2020 ("Use of Manipulative, Deceptive or Other Fraudulent Devices"), and 5210 ("Publication of Transactions and Quotations").
Findings
- Cybersecurity: FINRA observed threats including ransomware, data breaches, and "quishing" (QR code phishing), as well as GenAI-enabled fraud such as deepfake audio/video and polymorphic malware.
- AML: Firms failed to reasonably tailor AML programs to their business or detect red flags, particularly regarding small-cap public offerings and omnibus accounts. Firms also failed to verify customer identities within reasonable timeframes, sometimes auto-approving accounts despite invalid Social Security numbers.
- Manipulative Trading: Firms lacked procedures to identify patterns of manipulation or failed to tailor surveillance to different "sources of order flow." FINRA noted a continued increase in small-cap fraud involving exchange-listed equities, often utilizing nominee accounts and social media scams.
GenAI
Regulatory Obligations: FINRA said its rules are technologically neutral, concluding that existing rules regarding supervision (Rule 3110), communications, and recordkeeping apply to the use of Generative AI. If a firm relies on GenAI tools for supervision, its procedures must consider the integrity, reliability, and accuracy of the AI model.
Findings and Trends
- Model Risks: Firms must manage risks related to "hallucinations" (where models generate inaccurate information presented as fact) and "bias" (skewed outputs due to limited or inaccurate training data).
- AI Agents: FINRA highlighted emerging risks regarding "AI Agents" that autonomously perform tasks. Risks include agents acting beyond their intended authority, lack of auditability in multi-step reasoning, and potential misuse of sensitive data.
- Fraud: Fraudsters are using GenAI to create voice clones, fake ID documents, and deepfake selfies to circumvent identity verification processes.
Firm Operations
Regulatory Obligations
- Third-Party Risk: Firms must maintain supervisory systems for outsourcing activities to ensure compliance with FINRA Rule 3110 and Rule 4370 ("Business Continuity Plans and Emergency Contact Information").
- Outside Business Activities (OBA) and Private Securities Transactions (PST): FINRA Rules 3270 ("Outside Business Activities of Registered Persons") and 3280 ("Private Securities Transactions of an Associated Person") require registered persons to notify firms of OBAs and PSTs so firms can evaluate them.
- Books and Records: SEA Rules 17a-3 ("Records to be made by certain exchange members, brokers and dealers") and 17a-4 ("Records to be preserved by certain exchange members, brokers and dealers") and FINRA Rule 4511 ("General Requirements") require firms to preserve financial records and business-related communications.
- Senior Investors: FINRA Rule 4512 ("Customer Account Information") requires firms to make reasonable efforts to obtain Trusted Contact Person (TCP) information.
Findings
- OBA/PST: Firms incorrectly interpreted "selling compensation" too narrowly (e.g., focusing only on direct commissions) and failed to supervise or record PSTs for compensation.
- Books and Records: Firms failed to capture and archive electronic correspondence of part-time staff or those using third-party vendor email addresses. FINRA also noted inadequate supervision of "off-channel" communications (e.g., text messages, personal email).
- Senior Investors: Firms failed to make reasonable attempts to obtain TCP information for all non-institutional customers or failed to provide written disclosures explaining when a TCP may be contacted.
Crypto
Regulatory Obligations: Federal securities laws and FINRA rules apply to crypto assets that are securities. FINRA Rule 2210 ("Communications with the Public") governs communications with the public, and Rule 3110 requires supervision of crypto asset-related activities.
Findings
- Communications: Firms disseminated promotional materials with false or misleading statements, such as comparing crypto assets to cash without a sound basis or making misleading claims about SIPC protection.
- Supervision: Firms failed to conduct appropriate due diligence on crypto asset private placements and products recommended to customers.
- AML: Firms failed to establish AML programs reasonably designed to detect suspicious crypto asset transactions.
- Transfers: Firms improperly rejected ACATS transfer requests for brokerage assets because the customer also held a separate crypto balance at the firm's affiliate.
Market Integrity and Trading
Regulatory Obligations
- Consolidated Audit Trail (CAT): Firms must comply with SEA Rule 613 and the CAT NMS Plan regarding reporting, clock synchronization, and data accuracy.
- Best Execution: FINRA Rule 5310 ("Best Execution and Interpositioning") requires firms to use reasonable diligence to ascertain the best market for a security. Rule 606 of Regulation NMS requires disclosure of order routing information.
- Fair Pricing: FINRA Rule 2121 ("Fair Prices and Commissions") requires dealers to mark up or mark down transactions from the prevailing market price (PMP).
- Market Access: SEA Rule 15c3-5 ("Risk management controls for brokers or dealers with market access") requires firms to control risks associated with market access to prevent jeopardizing financial stability.
Findings
- CAT: Firms failed to repair errors by the T+3 deadline, submitted incomplete data, and failed to reasonably supervise third-party reporting agents.
- Best Execution/Rule 606: Firms failed to compare execution quality against competing markets and published inaccurate quarterly reports (e.g., incorrectly stating they do not receive payment for order flow).
- Fair Pricing: Firms incorrectly determined the PMP by relying on limited quotations rather than contemporaneous costs or by using third-party software they did not understand.
- Market Access: Firms set unreasonable pre-trade capital and credit thresholds and failed to document the reasonability of those controls.
Financial Management
Regulatory Obligations
- Net Capital: SEA Rule 15c3-1 ("Net capital requirements for brokers or dealers") requires firms to maintain minimum net capital levels. SEA Rule 17a-11 ("Notification provisions for brokers and dealers") requires notification of deficiencies.
- Liquidity Risk: SEA Rule 15c3-3 ("Customer protection-reserves and custody of securities") requires segregation of customer assets, which impacts liquidity. FINRA expects effective liquidity risk management per Regulatory Notice 21-12.
- Customer Assets: SEA Rule 15c3-3 requires firms to maintain possession or control of customer fully paid and excess margin securities.
Findings
- Net Capital: Firms failed to record transactions in a timely manner or to maintain records on an accrual basis, leading to inaccurate net capital computations. Firms also lacked processes to accurately compute capital charges for nonmarketable securities and underwriting commitments.
- Liquidity: Firms reported inaccurate information on the Supplemental Liquidity Schedule, such as incorrectly reporting agent lenders rather than principals in securities borrowed transactions.
- Customer Assets: Firms failed to establish reasonably designed supervisory systems for determining required reserve deposits and failed to obtain specific authorization before transferring customer free credit balances to third parties.