Brokers, financial advisors and others in the financial industry subject to regulation by the Financial Industry Regulatory Authority (“FINRA”) to document their careful selection and management of any machine learning, deep learning, neural networks, large language model (“LLM”) and other natural language processing (“NLP”), and other generative artificial intelligence tools (“Gen AI”) in their businesses with all relevant FINRA, securities and other laws and regulations.

Gen AI Tool Use Benefits & Risks

As FINRA’s 2024 Annual Regulatory Oversight Report notes, brokers, financial advisors and their organization increasingly are using Gen AI and other similar tools for a wide range of marketing and other operational purposes.

Gen AI technology presents both promising opportunities for investors and member firms and some attendant risks.³ Among other things, properly used Gen AI tools may:

• Analyze and synthesize vast sets of financial and market data, summarize large and complex documents, and power educational resources that may help investors at all experience levels understand and navigate markets more effectively;
• Allow an associated person to, for example, easily locate and query a member firm’s policies and procedures or forms, to generate summaries derived from the member firm’s research reports, or to obtain issuer-specific information by drawing on SEC filings and earnings call transcripts.
• Allow member firms to leverage Gen AI tools to aid in surveillance by, for example, generating reports with summaries for the member firm’s (human) compliance personnel of potential evidence of malfeasance, such as market abuse or insider trading.
•  

Along with these potentially promising benefits, Gen AI also can create added concerns about accuracy, privacy, bias, intellectual property,         possible exploitation by threat actors, and other risks.

FINRA Warning To Monitor Regulatory Compliance When Using Gen AI Tools

FINRA Regulatory Notice 24-09 published June 27, 2024, warns FINRA members to use care to ensure continued compliance with FINRA and other securities laws and rules when using Gen AI or other similar technologies in their businesses.   

The Notice reminds members that FINRA and other securities laws continue to apply when member firms use Gen AI or similar technologies in their business, just as they apply when member firms use any other technology or tool.⁴  The Notice notes, for example, that FINRA Rule 3110 requires that a member firm have a reasonably designed supervisory system tailored to its business. If a firm is using Gen AI tools as part of its supervisory system—for the review of electronic correspondence, for instance—the Notice states its policies and procedures should address technology governance, including model risk management, data privacy and integrity, reliability, and accuracy of the AI model.  

Where applicable, the Notice states the FINRA rules apply whether member firms are directly developing Gen AI tools for their proprietary use or when leveraging the technology of a third party, including through embedded features in existing third-party products.

The applicability and implications of FINRA’s rules as applied to the use of Gen AI use depend on how a member firm deploys the AI technology. The Notice warns that depending how a member firm uses Gen AI, Gen AI use could implicate virtually every area of a member firm’s regulatory obligations.⁶  The Notice warns that as with any technology or tool, a member firm should evaluate Gen AI tools before deploying them to ensure that the member firm will continue to comply with existing FINRA rules applicable to the business when using those tools.

FINRA already has provided some guidance about the use of Gen AI tools by members.  Before publishing the Notice, for example, FINRA already had released guidance discussing the specific application of the content standards of FINRA Rule 2210 (Communications with the Public).  In that guidance, FINRA stated that Rule 2210 applies whether member firms’ communications are generated by a human or technology tool.⁵ 

Beyond the Rule 2210 guidance, the Notice also highlights other FINRA resources that FINRA encourages members to use to help shape and manage their organizations’ Gen AI use in their operations.  These include including:

• FINRA FinTech Topic Page;
• 2024 FINRA Annual Regulatory Oversight Report;
• FINRA Report – Artificial Intelligence (AI) in the Securities Industry (June 2020);
• FINRA Podcast: An Evolving Landscape: Generative AI and Large Language Models in the Financial Industry (March 2024);
• FINRA, SEC, NASAA Investor Insight: Artificial Intelligence (AI) and Investment Fraud (January 2024);
• National Institute of Standards and Technology (NIST) Artificial Intelligence Framework (January 2023); and
• Various resources cited within the Notice.

SEC AI Regulation & Scrutiny

FINRA-regulated individuals and organizations also are reminded that the Security and Exchange Commission (“SEC”) also increasingly is focusing on AI and other data and technology related risks. In recent years, Chairman Gary Gensler and other SEC officials have identified a number of areas of potential securities market threats from the use of AI including tools and practices exposing the market and investors to fraudulent practices and deception; AI bias; and conflicts of interest or intensify existing financial vulnerabilities.

For instance, the SEC has scrutinized broker-dealer and investment advisor digital engagement practices and investment advisors use of technology to develop and provide investment advice for several years. See e.g,. SEC Release No. 34-92766; IA-5833; File No. S7-10-21, The SEC noted that investment advisory
clients may face risks when artificial intelligence models use poor quality, inaccurate or biased data that
produce outputs that are or lead to poor or biased advice whether incorporated unintentionally through use of data sets that include irrelevant or outdated information, including information that exists due to historical practices or outcomes, or through the selection by human personnel of the data or types of data to be incorporated into a particular algorithm. Accordingly, the SEC asked for input on how advisers account for, identify, evaluate and mitigate biases and disparities that raise investor protection issues.

In response to some of these concerns, the SEC Investor Advisory Committee (“IAC”) has proposed the Establishment of an Ethical Artificial Intelligence Framework For Investment Advisors in which the IAC proposed, among other things recommended that the SEC:

• Increase and enhance SEC staffing and AI expertise;
• Request and use data, comments and observations from the Division of Examinations in its inspections of advisers using artificial intelligence to draft best practices on the ethical use of artificial intelligence;
• Consider frameworks developed by regulatory authorities around the world, such as The Monetary Authority of Singapore and organizations such as the CFA Institute to expand and enhance its 2017 Guidance regarding robo-advisers for purposes of developing and providing recommendations on the use of AI by investment advisors and broker-dealers

See IAC letter to SEC Chairman Gary Gensler (April 6, 2023).

In response to growing concerns that broker-dealers might use certain predictive analytics and similar technologies to optimize for, predict, guide, forecast, or direct investment-related behaviors or outcomes in a manner that puts their own interests ahead of investors’, in July 2023 the SEC published a Proposed Rule that if adopted generally would require a firm to evaluate and determine whether its use of certain technologies in investor interactions involves a conflict of interest that results in the firm’s interests being placed ahead of investors’ interests. The proposed rule would require firms to eliminate, or neutralize the effect of, any such conflicts, but firms would be permitted to employ tools that they believe would address these risks and that are specific to the particular technology they use, consistent with the proposal. The proposed rules would require firms to adopt written policies and procedures reasonably designed to achieve compliance with the proposed rules and to make and keep books and records related to these requirements. See also, Fact Sheet.

Managing AI Compliance Risks & Opportunities

All members and their organizations should ensure that they have audit and maintain an inventory of all Gen AI, PDA and other similar tools and conduct documented assessments to confirm the use of these tools does not adversely impact their continued compliance with relevant FINRA and other security rules before its deployment taking into account this and all other relevant FINRA rules and guidance. Because many third-party tools and services may include or incorporate Gen AI tools, FINRA regulated parties should require third party vendors to disclose or establish other processes for reliably determining when third party provided tools or services include or may impact the FINRA regulated party’s compliance and steps for monitoring and managing these impacts.

Moreover, all members using AI will need to establish documented processes and procedures for monitoring the continued appropriateness of the use of these and other Gen AI, PDA and other tools in light of emerging experience and guidance.

Since FINRA and the SEC also have indicated that additional enforcement, guidance or both are likely to emerge, these processes should include a reliable process for monitoring FINRA guidance for updates and timely responding to these developments.

Members and other interested parties with questions and concerns about emerging uses of AI may wish to consider sharing input with FINRA. the SEC and other relevant agencies. In this respect, the FINRA Notice invites members and other interested parties to engage and communicate with FINRA about potential supervisory and compliance implications of evolving Gen AI and other related technology uses as they evolve.  Among other things, the Notice:

• Invites members and other interested parties to follow FINRA’s process for interpretive requests⁷ to seek interpretive guidance from FINRA to the extent member firms find ambiguity in the application of FINRA rules based on their specific use of Gen AI or other technology
• Encourages member firms to have ongoing discussions with their Risk Monitoring Analyst as AI-related issues or other changes in their business arise.⁸
• Encourages members to share feedback with FINRA on how its rules might be modernized in light of the use of Gen AI tools or other emerging technologies, consistent with investor protection and market integrity. FINRA will continue engaging with its members, regulators, policymakers and other interested parties on the use of Gen AI, LLMs and other emerging technology. Any parties interested in discussing these matters further with FINRA are welcome to contact our Office of General Counsel for policy and rules-related discussion, and REMA/Office of Financial Innovation for all other Gen AI engagement.

In the face of the Notice and other FINRA guidance on the use of AI in their operations, brokers, financial advisors and other FINRA related parties should use care in selecting, deploying, monitoring and managing any Gen AI or other tools in their businesses. In light of FINRA’s warning about the importance of pre-use compliance evaluation, brokers and financial advisors and their organizations should adopt written policies governing the use of Gen AI and other tools. These policies should prohibit pre-use compliance evaluation and approval before any Gen AI tools are deployed or used within their operations. regardless of whether developed and deployed in house or incorporated into third-party provided tools or services.

FINRA and SEC regulated parties also should monitor and take appropriate steps to guard their organizations and sensitive data, systems and operations against ransomware, cybersecurity and other threats created or enhanced by their own or third parties’ use of Gen AI or other technologies in light of the requirements of the Fair and Accurate Credit Transactions Act, federal and state electronic crimes and cybersecurity statutes, the SEC’s recently adopted cybersecurity rule, and other federal and state laws as well as the demonstrated market and operational risks associated with breaches.

FINRA regulated parties also should take steps to monitor enforcement, audit, and other regulatory and experiential developments potentially impacting on their past or continued use of Gen AI or other similar tools.

Of course, FINRA isn’t the only regulatory agency warning users about AI compliance risks. The Equal Employment Opportunity Commission (“EEOC”) is one of a growing number of other agencies that also have sounded warnings about compliance risks associated with the use of AI technologies. See, e.g. The Americans with Disabilities Act and the Use of Software, Algorithms, and Artificial Intelligence to Assess Job Applicants and Employees (May 12, 2024). FINRA and SEC regulated parties also should be cognizant of their direct compliance obligation and those of their customers and business partners under these and other laws.

For Additional Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering on  here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

If you need have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, to inquire about arranging for compliance audit or training, or need legal representation on other matters, contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297. 

About the Author 

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of cybersecurity, workforce, technology and other compliance, risk management and mitigation, incident and other investigations, regulatory and government affairs, and other strategic, operational, regulatory and legal and consulting management work for insurance, financial services, employee benefits, managed care and other health and life science, technology, government entities and contractors and other public and private businesses. As part of this work, she has extensively worked, spoken and published on the defensible design, use and management of artificial intelligence and other systems and processes throughout her career.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership with healthcare and life sciences, employment and employee benefits, managed care and insurance, data and technology and other related industries and organizations. Known for her skill combined use of her extensive legal and operational knowledge to help these and other clients develop, operationalize and defend employment, employee benefits, compensation and other staffing and workforce; data, systems and other technology; heath benefit and other healthcare and life science, managed care and insurance; employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational actions and practices. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here. 

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here. 

IMPORTANT NOTICE

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™