AI governance in financial services is no longer a distant concern, according to a new fireside conversation hosted by RegTech firm Red Oak Compliance, featuring Eversheds Sutherland partner Brian Rubin.
Rubin, who spent his early career inside SEC Enforcement and served as deputy chief counsel of enforcement at NASD (now FINRA), now defends firms facing examinations and investigations. That dual perspective, Red Oak Compliance notes, shapes his reading of the current landscape.
Speaking with Red Oak chief supervision evangelist James Cella, Rubin said, “The enforcement cycle is already forming. Someone only on the regulatory side might not fully appreciate how quickly firms are adopting AI. And somebody who’s only been on the industry side might not grasp how regulators are going to dust off their old traditional rules — supervision, record-keeping, communications requirements — and hold firms accountable.”
Rubin sees a familiar pattern playing out, echoing prior enforcement waves around email, social media and off-channel communications. In each case, rapid adoption was followed by regulatory silence, then enforcement under long-standing rules. He said, “Just because there are no specific AI rules doesn’t mean enforcement isn’t coming. Off-channel communications is a perfect example. Firms were penalized for texting using old record-keeping rules. I expect we’ll be seeing the same kinds of things with AI.”
In his assessment, “AI is firmly in the existing rules apply phase.” Supervision duties, books and records requirements, and anti-fraud provisions all still apply to AI-generated content.
Examiners are already probing exaggerated AI claims, or “AI washing”, alongside operational gaps such as unreviewed AI communications, missing records and ignored surveillance outputs. Rubin observed, “The technology is new, but the compliance risks aren’t really that new.” A third exposure is unauthorised AI use, with staff feeding client data into public tools, mirroring off-channel enforcement.
For chief compliance officers, his message is emphatic. Rubin said, “AI isn’t just an IT project. You need governance, you need compliance, legal, technology, and business, all with a documented approval process for use cases.” Regulators expect reasonableness, not perfection, but reasonableness must be evidenced through documentation, which also serves as the primary shield against CCO personal liability.
Across supervision, marketing and distribution teams, Red Oak Compliance highlights that AI accelerating content production without a compliant review workflow increases, rather than reduces, the compliance burden.
Rubin said, “You’ve got to train employees about what AI can do and what it can’t do. Emphasizing that AI is a helper, not a decision maker. It’s not infallible. You have to foster a culture that views technology through a compliance-conscious lens.”
For more, read the full story here.
Read the daily RegTech news
Copyright © 2026 RegTech Analyst
Copyright © 2018 RegTech Analyst





