FINRA Warns Firms on Use of Generative AI
Commentary by Annmarie Giblin
FINRA reminded member firms to comply with their regulatory obligations if they use generative AI ("Gen AI") or large language models ("LLMs") in the course of their business.
In new guidance, FINRA noted the rapid development of technologies "capable of generating significantly better text, synthetic data, images, or other media in response to prompts," and LLMs able "to identify, summarize, predict and generate new text-based content." FINRA reaffirmed the importance of compliance with FINRA Rule 3110 ("Supervision"), which requires member firms to design supervisory systems tailored to its business. FINRA stated that a member firm using Gen AI must have policies and procedures outlined within the supervisory system that address technology governance, including model risk management, data privacy and integrity, reliability and accuracy of the AI model.
Further, FINRA stated that its rules apply "whether member firms are directly developing Gen AI tools for their proprietary use or when leveraging the technology of a third party." FINRA encouraged member firms to "evaluate Gen AI tools" prior to deployment.
Commentary
FINRA's Regulatory Notice provides helpful reminders on general regulatory considerations, but also suggests that FINRA, like most regulators, is struggling to fit this emerging technology squarely into the box of existing regulation. The conclusion, for now, is that existing regulation is sufficient to address the use of AI for members; but looking ahead, it is likely that more regulation is coming.
The takeaway from this guidance is that members should ensure that their use and development of AI Solutions are vetted in the same way that they evaluate the use of any other technology or tool, and that it is extremely important to keep proper audit trails for such due diligence as it may be needed to demonstrate compliance. Further, the guidance should serve as a reminder that members remain liable for third-party vendors, regardless of the services they are providing, technical aspects of the tools they are using, or the member's understanding of such tools. Indeed, FINRA makes clear that alleging ignorance of the technology and relying on a third-party vendor's assurance to a member's detriment will not be a defense to non-compliance.