
Broker-Dealers

April 29, 2026

Tips and Considerations for AI Policies and Procedures

Regulators are focused on the internal controls the financial industry uses to govern the use of AI. Consequently, having strong AI policies and procedures is a must. AI can be integrated into many business operations, such as transcription and summary of video teleconferences and meetings, writing emails and client communications, portfolio analytics, compliance surveillance, social media marketing, and predictive analysis, to name just a few. Investment Advisers (IAs) and Broker-Dealers (BDs) are expected to adopt safeguards that protect clients, confidential information, and the trade secrets of the business from AI-related risks.

The SEC and FINRA have stated that, while they remain agnostic about the use of AI, firms that deploy AI must consider how existing regulatory requirements, including supervision and disclosure obligations, apply to the internal controls over the firm’s use of AI in its business.

Considerations for AI Governance

Establishing an AI governance structure involves careful planning and mapping. First, take a comprehensive inventory of all AI-enabled tools and document how they are used. Next, confirm whether the firm has conducted vendor due diligence on the software, covering the data the vendor retains, the safeguards surrounding data retention, existing cyber controls, and incident response reporting in the event of a breach. Then establish an internal testing group to identify risks and anomalies before deployment; its findings inform the internal controls you put in place as you deploy, train on, and monitor the AI tool’s functionality. Prior to deploying, be sure that any required client disclosures are in place and that employee training, acknowledgements, and periodic attestations are established. Finally, include AI as an area reviewed as part of the firm’s annual review program.

For more specific considerations by subject area, contemplate the following when developing your AI protocols and firm training.

Marketing

The SEC, FINRA and state regulators continue to scrutinize firms’ marketing practices, especially those that make claims regarding AI use. Under the Marketing Rule, any marketing or advertising that claims the use of AI must be substantiated.

This ensures that firms remain transparent and honest with investors as the Marketing Rule prohibits false or misleading statements in advertising.

The SEC has pursued enforcement actions against firms that misrepresented their AI capabilities, commonly referred to as “AI washing”, which may be an under- or overstatement of the firm’s use of AI.[1]

Predictive Analysis

Advisers using AI tools for portfolio management, investment recommendations or predictions risk violating their fiduciary duty or Regulation Best Interest if comprehensive oversight and clear, transparent client communication are not implemented.

This is especially important for Generative AI, whose results can include inaccurate information, biased output, skewed outcomes, and conflicts of interest.[2]

Oversight

FINRA Rule 3110 requires that firms develop and implement supervisory procedures that maintain compliance. In addition, both the SEC and FINRA have established that existing supervisory rules, such as FINRA Rule 3110, apply to the supervision of AI use.[3]

Therefore, human oversight of AI outputs is a regulatory expectation and the SEC and FINRA will investigate if and how firms have adapted existing guidelines to AI use, including supervisory controls and designation of a manager to oversee the firm’s use of AI.

Cybersecurity

Cybersecurity and AI risks continue to be flagged together in examination priorities, as AI introduces new and sophisticated risks. AI systems that collect, process, or store client data introduce new vulnerabilities, including unauthorized data access, model manipulation, and third-party vendor exposure.

Firms must ensure their cybersecurity programs account for AI-specific risks, including the possibility that malicious actors may use AI to carry out more sophisticated attacks.

Tips on Implementing AI Policies and Procedures

When authoring your AI policies, consider the following:

1. Customize your Compliance Manual with AI-specific Policies and Procedures: As firms employ AI-based tools and services across their operations, they must author customized policies and procedures so that firm personnel understand how, where and when to use AI.

2. Evaluate AI for Conflicts of Interest: Before deploying any AI tool that interfaces with clients or influences investment decisions, assess whether the tool could optimize outcomes in the firm’s favor rather than the clients’. The SEC has specifically expressed concern that conflicts may arise when advisers or brokers use technology in ways that place their interests ahead of investors’ interests. Be sure to eliminate or mitigate such conflicts and disclose the conflict to your clients.

3. Restrict Unapproved AI Use: Employees’ use of consumer-grade AI tools for work purposes without firm approval or monitoring creates significant compliance risks. Firms should establish clear policies on approved tools and enforce those policies.

4. Ensure Marketing Accuracy: Any public-facing reference to AI in websites, pitch materials, or Form ADV must accurately describe how the technology is actually used. Overstatement of AI capabilities has already drawn SEC enforcement. If claims cannot be substantiated, they should be removed.

5. Supervise Third-party AI Vendors: Firms must conduct due diligence on any third-party AI provider, including reviewing how client data is handled, stored, and protected, and ensure vendor contracts support the firm’s compliance obligations.

6. Address AI-Related Cybersecurity Risks: AI systems introduce specific vulnerabilities that general cybersecurity programs may not address. Firms should assess their AI tools for data leakage risks, unauthorized access, and vendor security practices, and ensure their incident response plans cover AI-related breaches.

7. Review and Test Controls Annually: Firms should consider how they will comply with applicable regulations when evaluating AI tools. That evaluation should not stop at deployment controls; controls should be tested on an ongoing basis to account for updates to the technology and new regulatory guidance.

Jacko Law Group understands the regulatory concerns surrounding the use of AI. We are here to assist firms with implementing strong internal protocols that manage risk, protect clients, and meet the requirements of the SEC and FINRA. For more information, contact us at [email protected].


[1] www.sec.gov/newsroom/press-releases/2024-36

[2] www.finra.org/rules-guidance/notices/24-09

[3] www.finra.org/sites/default/files/2025-12/2026-annual-regulatory-oversight-report.pdf

Author: Michelle L. Jacko, Managing Partner, Jacko Law Group, PC (“JLG”).

JLG works extensively with investment advisers, broker-dealers, investment companies, private equity and hedge funds, banks, and corporate clients on securities and corporate counsel matters. For more information, please visit https://www.jackolg.com/.

The information contained in this article may contain information that is confidential and/or protected by the attorney-client privilege and attorney work product doctrine. This email is not intended for transmission to, or receipt by, any unauthorized persons. Inadvertent disclosure of the contents of this article to unintended recipients is not intended to and does not constitute a waiver of attorney-client privilege or attorney work product protections.

The Risk Management Tip is published solely based on the interests and relationship between the clients and friends of the Jacko Law Group P.C. (“JLG”) and should in no way be construed as legal advice. The opinions shared in the publication reflect those of the authors, and not necessarily the views of JLG. For more specific information or recent industry developments or particular situations, you should seek legal opinion or counsel.

You hereby are notified that any review, dissemination or copying of this message and its attachments, if any, is strictly prohibited. These materials may be considered ATTORNEY ADVERTISING in some jurisdictions.

About the author

Jacko Law Group, PC

Jacko Law Group provides tailored legal services and effective strategies for success, delivering exemplary solutions to complex legal and regulatory challenges to ensure that both business efforts and compliance obligations are satisfied.
