Generative AI has transitioned rapidly from an experimental curiosity to a core operational tool across financial services.
According to Saifr, firms are now deploying GenAI to power marketing campaigns, customer communications, AML transaction monitoring, and KYC verification, among a growing range of other applications. The efficiency gains are substantial, but so too are the regulatory implications that accompany them.
Saifr recently discussed the steps of building a GenAI Governance Framework, as well as takeaways from FINRA’s 2026 oversight report.
FINRA’s 2026 Annual Regulatory Oversight Report makes the industry’s obligations unambiguous: the regulatory frameworks that have long governed traditional business activities apply with equal force to GenAI-powered operations. Compliance teams can no longer treat AI governance as a separate discipline — they must integrate it fully into existing supervisory, communications, and recordkeeping structures.
Key risks identified by FINRA
The report sets out several risk categories that compliance professionals should take seriously. Chief among them is the issue of accuracy and hallucinations. GenAI models are capable of generating factually incorrect information with considerable confidence, and when such errors surface in investor communications, marketing content, or compliance guidance, the consequences can be severe — from unsuitable product recommendations to outright misinterpretations of regulatory requirements. A chatbot that fabricates performance data, or an AI system that misreads a rule, can expose a firm to enforcement action and investor harm.
Bias and concept drift present a subtler but equally pressing challenge. Models trained on historical data risk perpetuating existing biases in areas such as risk assessment and marketing targeting, while concept drift — the gradual degradation of model accuracy as markets evolve — compounds the problem over time. An AML system trained on pre-pandemic transaction data, for instance, may struggle to detect emerging fraud patterns or generate excessive false positives that overwhelm investigative teams.
The autonomy of AI agents is also flagged as an emerging frontier of risk. As advanced agents become capable of independently executing tasks across multiple systems, accountability gaps emerge. FINRA’s supervisory model requires registered human decision-makers at critical junctures, and firms must ensure that autonomy does not come at the cost of human accountability. Underpinning all of this is the question of data sensitivity — GenAI applications routinely require access to vast quantities of proprietary and personally identifiable information, and inadequate data governance can result in privacy violations, unauthorised disclosures, and cybersecurity failures.
Existing regulations apply without exception
FINRA’s position is clear: no regulatory carve-out exists for AI-generated outputs. Rule 3110 supervisory obligations extend to GenAI outputs and model behaviours, and firms cannot delegate supervisory responsibility to algorithms. Rule 2210 governs AI-generated marketing content and customer service responses with the same rigour applied to human-produced materials, regardless of how the content was created.
Recordkeeping requirements similarly apply to GenAI systems — firms must retain logs of AI prompts, outputs, model versions, training data sources, and human oversight actions, ensuring they can reconstruct decision-making processes during examinations or enforcement investigations.
Building an effective governance framework
Forward-looking compliance programmes are moving beyond reactive risk management to establish comprehensive GenAI governance structures. This begins with creating a cross-functional committee to review and approve all GenAI use cases before deployment, maintain an enterprise-wide inventory of AI applications, and report regularly to senior management and boards. Clear usage policies, covering both permitted and prohibited applications, are essential, as is training personnel on disclosure obligations when AI is used in customer interactions.
Testing protocols must extend beyond basic functionality. Pre-deployment testing should evaluate accuracy across diverse scenarios, assess bias, and validate performance under stress conditions.
Ongoing testing should detect concept drift and verify that model updates have not introduced new vulnerabilities, with firms maintaining thorough documentation of prompts, expected and actual outputs, and any remediation actions taken.
Human-in-the-loop oversight remains a critical control. In a regulated environment where a qualified, licensed human must review high-risk decisions — covering customer recommendations, AML alerts, complaint responses, and advertising approvals — firms must embed that human judgement into operational processes. Reviewers must possess sufficient expertise to critically evaluate AI outputs and understand how each application fits within the firm’s existing supervisory framework.
Cybersecurity integration is equally important. Vendor due diligence should scrutinise how third-party AI providers protect firm data, what security certifications they hold, and how breaches will be communicated. Incident response plans must address GenAI-specific scenarios, including unauthorised access to training data or manipulation of model outputs. Throughout, firms should maintain model cards documenting each system’s purpose, capabilities, limitations, and known biases, with robust version control in place as models are updated or retrained.
Act now, not later
The case for acting promptly is compelling. Firms that rush AI deployment without adequate governance risk customer harm, unintended operational consequences, and heightened regulatory scrutiny. A logical starting point is to inventory all GenAI applications currently in use or proposed for deployment, auditing use cases across all business lines — with particular focus on marketing, AML, and KYC, where regulatory attention is greatest.
According to Saifr, written supervisory procedures should be updated explicitly to address GenAI governance, integrating with existing compliance programmes rather than creating standalone structures. Ongoing monitoring, bias checks, and regular reconciliation of anticipated versus actual outputs should follow. Finally, staff training must be tailored to specific roles, with more intensive programmes for employees who interact directly with GenAI systems.
The regulatory landscape around GenAI will continue to evolve, but one principle is unlikely to change: firms remain responsible for their regulatory obligations whether those obligations are fulfilled by humans or machines. Firms that build robust governance frameworks today will be better positioned to adapt as both technology and regulation advance.
Read the full Saifr post here.
Copyright © 2026 RegTech Analyst
Copyright © 2018 RegTech Analyst
