FINRA’s 2026 Oversight Report Keeps Priorities—Adds AI Focus

FINRA’s 2026 Annual Regulatory Oversight Report largely reinforces the regulator’s long-standing supervisory priorities—such as Regulation Best Interest (Reg BI), net capital, AML, and market manipulation—but introduces a notable shift in emphasis. For the first time, the report includes a standalone section on generative artificial intelligence (GenAI), while expanding its discussion of cybersecurity and cyber-enabled fraud.

Although the report does not create new legal obligations, it serves as a roadmap for where FINRA examiners are likely to focus throughout 2026. Member firms are explicitly encouraged to reassess supervisory systems, controls, and governance frameworks in light of the observations and “effective practices” highlighted in the report.

The message is clear: the regulatory baseline remains familiar, but the risk surface has expanded. AI adoption, third-party technology dependence, and digitally enabled fraud are no longer edge cases—they are now core examination themes.

Why is FINRA zeroing in on GenAI now?

GenAI is the most significant addition to the 2026 report. FINRA notes that firms are already deploying GenAI tools across a range of use cases, most commonly for summarization and information extraction from large datasets. While these applications can improve efficiency, FINRA is signaling concern around the risks they introduce.

The regulator highlights issues such as hallucinations, bias, data privacy, accuracy, and reliability, urging firms to design supervisory controls tailored specifically to GenAI usage. This includes:

  • Robust pre-deployment testing of GenAI tools and AI agents
  • Ongoing monitoring through output logs and model tracking
  • Governance frameworks covering model risk and change management
  • Ensuring AI-driven communications remain fair, balanced, and compliant
  • Capturing AI-enabled communications in books and records

Importantly, FINRA extends these expectations beyond internally developed tools. Firms are expected to conduct appropriate vendor diligence when GenAI is embedded in third-party platforms, reinforcing the link between AI risk and third-party risk management.

Investor Takeaway

AI adoption is no longer a future compliance issue. FINRA is signaling that firms using GenAI today should expect examiners to ask how models are tested, monitored, governed, and supervised in real time.

Cybersecurity, fraud and AML: familiar risks, sharper tools

Cybersecurity remains a central theme, but the 2026 report reflects how GenAI is amplifying traditional fraud vectors. FINRA points to rising threats such as new account fraud and account takeovers driven by AI-enabled techniques, including voice cloning, synthetic identity documents, and hyper-personalized phishing.

FINRA’s guidance stresses coordination across compliance, cybersecurity, and AML teams. Suggested practices include enhanced login anomaly detection, employee training to spot repetitive suspicious behaviors, stronger authentication when anomalies arise, and closer integration between cyber incident response and AML escalation processes.

The report also references ongoing obligations under SEC Regulation S-P, Regulation S-ID, and FINRA Rules 3110 and 4370, reinforcing expectations around breach response, customer notifications, and business continuity planning.

As part of its FINRA Forward initiative, FINRA has also launched the Cyber & Operational Resilience (CORE) program, designed to share threat intelligence and mitigation insights directly with potentially affected firms. This reflects a more proactive supervisory posture as cyber risks become increasingly systemic.

Crypto, market manipulation and third-party risk move higher

The 2026 report devotes expanded attention to crypto assets, cataloging regulatory developments from 2025, including stablecoin legislation, SEC staff statements, and changes to custody guidance. FINRA makes clear it is actively monitoring how firms adapt disclosures, financial responsibility treatment, and governance frameworks in response.

Market manipulation surveillance also remains under scrutiny. FINRA reports a rise in small-cap pump-and-dump schemes, often involving nominee accounts, account takeovers, and coordinated social media promotion. The regulator urges firms to enhance cross-product and cross-customer surveillance, particularly where social media-driven activity intersects with thinly traded securities.

Third-party risk management—introduced as a topic in 2025—returns with sharper expectations. FINRA emphasizes that outsourcing does not outsource responsibility. Firms must maintain supervisory systems covering vendors, including those providing mission-critical technology or GenAI-enabled services. This includes inventorying vendor access to firm data, contract controls, incident response testing, and managing downstream fourth-party risks.

Investor Takeaway

Crypto, AI and outsourcing are converging into a single supervisory theme: technology risk. Firms that treat these areas in silos are more likely to face exam findings in 2026.

What firms should expect next

FINRA’s 2026 report does not rewrite the rulebook, but it does recalibrate priorities. Expect examinations to probe not just whether policies exist, but whether they scale with modern technology risks. Influencer supervision, GenAI chatbot recordkeeping, mobile app nudges, extended-hours trading controls, and CAT/CAIS reporting accuracy all remain firmly on the radar.

For broker-dealers, the takeaway is pragmatic: review how AI tools, vendors, and cyber controls fit into existing supervisory frameworks, and document that alignment clearly. FINRA is signaling that in 2026, resilience will be measured not just by compliance with legacy rules, but by how firms manage fast-evolving, technology-driven risks.
