AI Compliance for Financial Advisors: What SEC and FINRA Actually Expect in 2026
You pasted a client question into ChatGPT last Tuesday. Got a solid draft response. Tweaked it, sent it off. Took four minutes instead of forty.
Nobody on your compliance team knows you did it. There is no record of the prompt. No review of the output. No documentation that AI was involved at all.
You are not alone. A 2025 FINRA survey found that over 60% of registered representatives had used generative AI tools in some capacity related to their practice. Most of them had no written policy governing that use.
This is not a hypothetical compliance problem. It is a current one.
The Adoption Is Ahead of the Guardrails
Financial advisors are practical people. When a tool saves time, they use it. ChatGPT, Microsoft Copilot, Google Gemini, and dozens of fintech-specific AI tools have become part of the daily workflow for thousands of advisors. They draft client emails, summarize research, generate social media posts, outline financial plans, and prep meeting notes.
The problem is not that advisors are using AI. The problem is that most are using consumer-grade AI tools that were never designed for a regulated environment. These tools do not log interactions for recordkeeping. They do not screen outputs for compliance with the SEC Marketing Rule. They do not flag when a generated paragraph crosses from education into a performance claim.
And regulators have noticed.
What SEC and FINRA Actually Say About AI
Let's be specific about the regulatory framework, because the obligations are not speculative. They exist today.
The SEC Marketing Rule (Rule 206(4)-1)
Adopted in 2020 and fully enforceable since November 2022, the Marketing Rule applies to every advertisement by an investment adviser. That includes AI-generated content. If you use ChatGPT to draft a LinkedIn post about portfolio performance, that post is an advertisement under the rule. It must meet the same standards as any other marketing material: no untrue statements of material fact, no unsubstantiated claims, no cherry-picked performance data, and fair presentation of material risks.
AI tools are particularly dangerous here because they generate confident, authoritative-sounding text. A large language model will produce a paragraph about "consistent outperformance" or "strong risk-adjusted returns" without hesitation. Those phrases can constitute performance claims that trigger specific disclosure and substantiation requirements.
The SEC has been explicit: the method of creation does not change the compliance obligation. AI-generated content is held to the same standard as content you write by hand.
FINRA Rules 2210 and 3110
FINRA Rule 2210 governs communications with the public. It classifies communications into three categories: correspondence, retail communications, and institutional communications. Each category has different pre-use approval and supervision requirements.
AI-generated content does not get a separate category. If you use AI to draft a retail communication, it is a retail communication. It requires principal pre-use approval if your firm's procedures require it. If you use AI to draft correspondence to 25 or more retail investors within 30 days, that correspondence may be reclassified as a retail communication with heightened supervision requirements.
FINRA Rule 3110 requires firms to establish and maintain supervisory systems reasonably designed to achieve compliance. If your advisors are using AI tools and your supervisory system does not account for that use, your system has a gap. FINRA examiners are asking about AI use during routine examinations. "We don't have a policy" is not an acceptable answer.
SEC Proposed Rule on Predictive Data Analytics (2023)
While this proposed rule has not been finalized as of this writing, it signals clear regulatory intent. The SEC proposed requiring firms to evaluate and eliminate or neutralize conflicts of interest associated with the use of predictive data analytics, including AI, when interacting with investors. The underlying concern is that AI tools could optimize for firm revenue rather than client outcomes without the advisor or client realizing it.
Even without a final rule, the fiduciary duty that already applies to investment advisers covers this ground. If an AI tool is influencing your recommendations and you have not evaluated whether that influence aligns with your client's best interest, you have a fiduciary problem.
Books and Records (Rule 204-2 and SEA Rule 17a-4)
Every communication related to your business must be retained. That includes AI prompts and outputs. If you paste a client's financial situation into ChatGPT and generate a draft recommendation, both the prompt and the response are business records under SEC and FINRA rules.
Most consumer AI tools do not produce exportable, archivable records in formats that meet regulatory retention requirements. Chat histories can be deleted. Prompts are not time-stamped in a way that satisfies audit standards. Outputs are not automatically captured in your firm's books and records system.
This is not a technicality. It is a books and records violation waiting to happen.
Five Compliance Risks When Advisors Use AI Without Guardrails
1. Unreviewed Client Communications
You draft a client email using AI. The model generates a sentence suggesting that a particular strategy "typically provides downside protection in volatile markets." You do not catch the implied performance claim. The email goes out. That is a potential Marketing Rule violation and, depending on the context, a potential suitability issue.
AI outputs require the same review as any other client communication. The speed of AI generation creates a specific risk: the faster you produce content, the less time you spend reviewing it.
2. Performance Claims and Substantiation Failures
Large language models generate text that sounds factual whether or not it is. If you ask an AI tool to help you write a quarterly commentary, it may produce statements about historical returns, benchmark comparisons, or risk metrics that are fabricated or inaccurate. The model is generating plausible text, not verified data.
Publishing AI-generated performance claims that you have not independently verified against your own records is a substantiation failure under the Marketing Rule.
3. Recordkeeping Gaps
Every use of AI in connection with your advisory business creates records that should be retained. Prompts containing client information, AI-generated drafts, and final communications all fall within recordkeeping obligations. If your AI interactions happen outside your firm's approved communication channels, those records may not be captured.
During an examination, if an examiner asks how a particular client communication was drafted and you cannot produce the underlying AI interaction, you have a recordkeeping deficiency.
4. Suitability and Best Interest Violations
If you use AI to generate recommendations or talking points for client meetings, the output reflects the model's training data, not your client's specific situation. An AI tool does not know your client's tax situation, how their risk tolerance has changed over time, their liquidity needs, or their estate planning considerations unless you provide that context. And providing that context to a consumer-grade AI tool raises its own data security concerns.
Using AI-generated recommendations without thoroughly evaluating them against your client's specific circumstances undermines the suitability analysis that Reg BI and the fiduciary standard require.
5. Advertising and Social Media Violations
Social media content generated by AI is subject to the same advertising rules as traditionally created content. An AI-generated LinkedIn post, tweet, or blog article that contains misleading claims, omits material disclosures, or presents an unbalanced view of investment risks is an advertising violation regardless of how it was created.
The volume risk is real here. AI makes it easy to produce five social media posts a day instead of one a week. More content means more compliance surface area. If your review process was designed for lower volumes, it may not scale.
Building a Compliance-First AI Workflow
If you are going to use AI in your practice, and you probably should, here is how to do it without creating regulatory exposure.
Step 1: Establish a Written AI Use Policy
Your firm needs a written policy that addresses AI use by advisors. This policy should specify which AI tools are approved, what types of tasks they can be used for, what information can and cannot be entered into AI tools, and how AI-generated outputs must be reviewed before use.
If your firm does not have this policy yet, draft one. Do not wait for a regulatory mandate. FINRA has made clear that supervisory systems must be reasonably designed for the technologies your firm actually uses.
Step 2: Solve the Recordkeeping Problem First
Before you use any AI tool for client-related work, determine how you will capture and retain the AI interaction. If you cannot retain the prompt and output in a format that meets your recordkeeping obligations, you should not use that tool for regulated activities.
This is the single most common gap. Most advisors using consumer AI tools have zero recordkeeping for those interactions.
Step 3: Implement Pre-Use Compliance Review for AI Outputs
AI-generated content intended for clients or public distribution should pass through the same compliance review as any other communication. For retail communications, that means principal review and approval before distribution. For correspondence, that means supervisory review on the schedule your WSPs require.
Do not treat AI-generated content as pre-approved because a machine produced it. Treat it as a first draft that requires human compliance review.
Step 4: Prohibit Client PII in Consumer AI Tools
Client names, account numbers, Social Security numbers, financial details, and other personally identifiable information should never be entered into consumer-grade AI tools. These tools typically do not meet the data security standards your firm is obligated to maintain.
If you need AI assistance with tasks that require client data, use tools that are specifically designed for regulated environments, with appropriate data handling, encryption, and contractual protections.
Step 5: Train and Document
Train your advisors on AI compliance obligations. Document the training. When FINRA or the SEC examines your firm, evidence that you identified the risk, established policies, and trained your people will matter.
Training should cover: what counts as a business record when using AI, how to review AI outputs for compliance issues, what information cannot be shared with AI tools, and how to document AI use in their workflow.
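The gate that Steps 2 through 4 describe, as an added example that is not part of the original article or of the FinSay.ai product: a small Python wrapper that screens a prompt for client PII before it can leave the firm, records every interaction (blocked or not) with a timestamp, user and SHA-256 digests, and flags outputs containing performance-claim language for principal review. The PII patterns, the trigger phrases and the model_call callback are constructed assumptions, not regulatory definitions.

```python
import hashlib
import json
import re
from datetime import datetime, timezone
# Constructed patterns for client PII that must never reach a consumer AI tool (Step 4).
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "account_number": re.compile(r"\b(?:acct|account)\s*(?:no\.?|#)?\s*\d{6,}\b", re.IGNORECASE),
}
# Constructed phrases that read as performance claims or guarantees under the Marketing Rule.
REVIEW_TRIGGERS = ("outperform", "downside protection", "guarantee", "risk-adjusted return")

def find_pii(text):
    """Return the names of the PII patterns present in the text."""
    return sorted(name for name, pat in PII_PATTERNS.items() if pat.search(text))

def review_flags(text):
    """Return the trigger phrases present in an AI output; any hit forces principal review."""
    lowered = text.lower()
    return [phrase for phrase in REVIEW_TRIGGERS if phrase in lowered]

def gated_ai_call(user, prompt, model_call, ledger):
    """Screen the prompt, call the model, screen the output, and append the books-and-records
    entry (timestamp, user, full text and SHA-256 digests of prompt and output) to the ledger."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "prompt": prompt,
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
    }
    pii = find_pii(prompt)
    if pii:
        # Nothing leaves the firm; the blocked attempt itself is still recorded.
        record.update(status="blocked", pii=pii, output=None)
    else:
        output = model_call(prompt)
        flags = review_flags(output)
        record.update(
            output=output,
            output_sha256=hashlib.sha256(output.encode()).hexdigest(),
            review_flags=flags,
            # Every output is a draft awaiting human review (Step 3); flags only raise the level.
            status="principal_review" if flags else "supervisory_review",
        )
    ledger.append(record)
    return record

def export_ledger(ledger):
    """Serialize the ledger as JSON Lines, one record per line, for the firm's archive."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in ledger)
```

In production the ledger would be written to the firm's archiving system rather than kept in memory, and model_call would wrap the approved tool's API.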
How FinSay.ai Approaches This Problem
We built FinSay.ai specifically for financial advisors who want to use AI without the compliance headaches described above.
Aria, our AI assistant, is designed for regulated advisory work. Unlike consumer AI tools, Aria operates within compliance guardrails from the start. Responses are structured to avoid unsubstantiated performance claims, include appropriate risk language, and flag content that may require compliance review before client delivery.
Built-in compliance checks. Every AI-generated output runs through compliance screening that catches common violations: unsupported performance claims, missing risk disclosures, misleading comparisons, and language that could be interpreted as guarantees. This does not replace your compliance department. It gives your compliance department a cleaner first draft to review.
The Prompt Builder. Most compliance issues with AI start with the prompt. Advisors who write vague prompts get outputs that require extensive revision. Our prompt builder guides advisors toward inputs that produce compliant, useful outputs on the first pass. It structures the request so the AI understands the regulatory context before generating a response.
Recordkeeping by design. Every interaction with Aria is logged and exportable. Prompts, outputs, timestamps, and user information are captured in a format designed for regulatory retention requirements. When an examiner asks how a communication was drafted, you have the documentation.
FinSay.ai does not guarantee compliance. No tool can. But it reduces the gap between how advisors actually use AI and what regulators actually expect.
What Happens Next
The regulatory framework around AI in financial services will continue to develop. The SEC's predictive data analytics proposal, FINRA's ongoing examination priorities focused on AI use, and state-level regulations all point in the same direction: advisors who use AI need documented, supervised, compliance-integrated workflows.
The advisors who build those workflows now will be ahead of the curve when specific AI regulations arrive. The advisors who continue using consumer AI tools without guardrails are accumulating risk with every prompt.
This article is published by the FinSay Team. It is intended for informational purposes only and does not constitute legal or compliance advice. Consult your compliance department or legal counsel for guidance specific to your firm's obligations.
Try FinSay.ai free. Purpose-built AI for financial advisors with compliance guardrails, recordkeeping, and workflow tools designed for regulated environments. No unreviewed outputs. No recordkeeping gaps. No compliance guesswork. Start your free trial at finsay.ai
Get the FinSay newsletter. Weekly insights on AI compliance, advisor technology, and practice management for financial advisors who take their regulatory obligations seriously. Subscribe at finsay.ai