FINRA AI Governance: Regulatory Notice 24-09, Supervision Obligations, and Broke

FINRA's Regulatory Notice 24-09 (published June 2024) reminded member firms that existing FINRA rules apply to activities carried out with AI tools, including generative AI and large language models. It is not a new rule; it is a reminder that existing obligations reach new technology. The implication is still significant: a broker-dealer that has deployed AI without building AI-specific controls into its supervisory system may be out of compliance with rules it has operated under for decades.

This guide examines each category of FINRA obligation affected by AI deployment, with specific attention to the Written Supervisory Procedures requirements, Regulation Best Interest suitability obligations, communication supervision under Rules 2210 and 2211, and recordkeeping rules that govern AI-generated outputs. It concludes with a mapping of how pre-execution AI governance infrastructure addresses these obligations.

FINRA Regulatory Notice 24-09: Core Expectations

Regulatory Notice 24-09 addresses member firms' use of AI tools, including generative AI and large language models. The notice restates several principles that govern AI deployment at broker-dealers:

  • Technology neutrality: FINRA rules apply to activities conducted with AI just as they apply to the same activities conducted by humans. AI does not create an exemption from suitability, supervision, or communication rules.
  • Supervisory system obligation: Firms must have a supervisory system reasonably designed to achieve compliance with applicable rules, including rules that govern AI-assisted activities.
  • WSP requirement: Written Supervisory Procedures should address the firm's use of AI, including who approves an AI tool, how it is monitored, and how problems are escalated.
  • Pre-deployment due diligence: Firms should understand the AI tools they deploy, including the basis for any recommendations, potential biases, and failure modes such as hallucinated or inaccurate output.
  • Ongoing monitoring: Firms must monitor AI systems in production for compliance, accuracy, and drift, the same ongoing supervision obligation that applies to registered representative activities.

The Technology-Neutral Standard

FINRA's technology-neutral approach means that a firm cannot argue that an AI system's recommendation is exempt from Reg BI because the AI made it autonomously. The recommendation obligation runs to the firm. When the firm deploys an AI system that generates investment recommendations, the firm is making those recommendations through the AI. The care obligation, conflict-of-interest obligation, and disclosure obligation attach to the firm — not to the AI.

FINRA Rules 3110 and 3120: Supervision Systems for AI

FINRA Rule 3110 requires member firms to establish and maintain a system to supervise the activities of associated persons that is reasonably designed to achieve compliance with applicable securities laws and regulations and with FINRA rules. Rule 3120 requires firms to establish, maintain, and enforce supervisory control policies and procedures that test and verify that the Rule 3110 procedures are reasonably designed, and to amend those procedures where testing shows they are not.

For AI systems, these rules require a supervision system that addresses the AI-specific risks that could cause the firm to violate applicable rules. The supervision system must be reasonably designed — which means it must be appropriate for the nature and scope of the AI deployment, not generic.

Elements of a Reasonably Designed AI Supervision System

Based on FINRA guidance, examination findings, and published best practices, a reasonably designed supervision system for AI should include:

Written Supervisory Procedures (WSP) Checklist for AI

  1. AI System Inventory and Approval Process — Procedures for identifying, documenting, and obtaining compliance and supervisory approval before deploying any AI system in a customer-facing or decision-influencing capacity. Includes pre-deployment testing requirements and sign-off by a designated principal.
  2. Suitability and Reg BI Review for AI Recommendations — Procedures for ensuring AI systems that generate securities recommendations satisfy Reg BI's care obligation. Includes review of training data, model logic, conflict-of-interest assessment, and ongoing accuracy monitoring.
  3. Communication Review for AI-Generated Content — Procedures for reviewing AI-generated customer communications (chatbot outputs, AI-drafted letters, AI-assisted prospectuses) under FINRA Rules 2210 and 2211 before delivery or distribution.
  4. Recordkeeping Procedures for AI-Assisted Activities — Procedures for retaining records of AI-assisted transactions, recommendations, and communications in the form and for the periods required by Exchange Act Rules 17a-3 and 17a-4.
  5. Ongoing Monitoring and Surveillance — Procedures for ongoing monitoring of AI system outputs, including automated surveillance for outputs that may violate FINRA rules, periodic review by a designated principal, and escalation procedures for anomalies or violations.
  6. Bias and Fairness Assessment — Procedures for assessing AI systems for discriminatory or biased outputs, particularly for customer-facing AI systems that provide recommendations or communications affecting diverse customer populations.
  7. Third-Party AI Vendor Due Diligence — Procedures for assessing third-party AI vendors, including security, accuracy, and compliance with applicable rules. Includes contractual requirements for AI vendors and ongoing monitoring of vendor compliance.

Regulation Best Interest and AI-Generated Recommendations

Reg BI (SEC Release No. 34-86031) requires broker-dealers to act in the best interest of retail customers when making recommendations. The regulation imposes four component obligations:

Disclosure Obligation
  Requirement: Disclose material facts about the recommendation, including conflicts of interest.
  AI implication: Customers must understand when recommendations are AI-generated and what conflicts exist in the AI system's design.
  Governance approach: AI governance logs confirm that disclosure requirements were met before the recommendation was delivered.

Care Obligation
  Requirement: Exercise reasonable diligence, care, and skill to understand the recommendation and match it to the customer.
  AI implication: AI recommendations must be based on the customer's profile data, not generic algorithms; the firm must validate the AI's logic.
  Governance approach: Policy controls enforce that customer profile data is present before a recommendation is generated; the decision record shows the inputs used.

Conflict of Interest Obligation
  Requirement: Identify and mitigate conflicts; eliminate conflicts that cannot be mitigated.
  AI implication: Revenue biases in AI training (for example, a tendency to recommend higher-margin products) must be identified and addressed.
  Governance approach: Policy rules can block or flag recommendations where conflict rules are triggered; conflict detection is logged in the decision record.

Compliance Obligation
  Requirement: Written policies and procedures reasonably designed to achieve Reg BI compliance.
  AI implication: WSPs must specifically address AI-generated recommendations and the firm's Reg BI controls for AI.
  Governance approach: WSPs reference the AI governance infrastructure; audit records demonstrate ongoing compliance.

FINRA Rules 2210 and 2211: AI-Generated Communications

FINRA Rule 2210 governs communications with the public, classified as institutional communications, retail communications, and correspondence. Rule 2211 adds specific requirements for variable annuity and variable life insurance communications. Both rules apply to communications regardless of the medium or the author — including AI-generated content.

The Principal Review Requirement

Rule 2210(b)(1) requires that a retail communication be approved by an appropriately qualified registered principal before the earlier of its use or its filing with FINRA. Correspondence and institutional communications do not require pre-use principal approval, but Rule 2210(b)(2) and (b)(3) subject them to the supervision and review procedures of Rule 3110, which must be reasonably designed for the volume and nature of the communications. When an AI system generates customer-facing communications, each communication falls into one of these categories and is subject to the corresponding review requirement unless an exception applies.

Practically, AI-generated communications at scale require automated pre-screening through a governance layer that enforces communication compliance rules before delivery. The governance layer acts as the first line of supervisory review, flagging or blocking communications that violate applicable rules, and generating a review record that the registered principal can use for supervisory oversight. This does not eliminate the principal review obligation — it provides the infrastructure that makes meaningful principal review feasible at scale.

// CoreGuard policy evaluation for FINRA Rule 2210 communications
{
  "request_type":   "customer_communication",
  "comm_type":      "retail_communication",
  "channel":        "chatbot_output",
  "policy_set":     "finra_2210_v2",
  "checks_run": [
    "performance_claims_disclosure",
    "guaranteed_returns_prohibition",
    "risk_disclosure_present",
    "misleading_statement_detection",
    "promissory_language_detection",
    "testimonial_disclosure"
  ],
  "decision":       "BLOCK",
  "triggered_rule": "guaranteed_returns_prohibition",
  "flagged_text":   "guaranteed 12% annual return",
  "principal_review_required": true,
  "signature":      "hmac-sha256:9f2b..."
}

Prohibited Content in AI-Generated Communications

Rule 2210(d) prohibits communications that contain false, exaggerated, unwarranted, promissory, or misleading statements. AI systems — particularly LLMs — are prone to generating content that violates these prohibitions, including:

  • Guaranteed return claims — LLMs may generate language suggesting that returns are guaranteed or certain
  • Past performance claims without the required disclosure that past performance does not guarantee future results
  • Superlative claims — describing products as "the best," "safest," or "risk-free" without basis
  • Promissory language — statements that commit the firm to future performance or outcomes
  • Omissions of material risks — AI systems that emphasize benefits while omitting required risk disclosures

A pre-execution governance layer that evaluates AI-generated communications against FINRA Rule 2210 requirements before delivery — blocking or flagging prohibited content — is the scalable approach to communication compliance at firms deploying AI in customer-facing roles.
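As an added illustration, and not CoreGuard's policy pack or any FINRA-published rule set, the following Python screener shows what a first-pass pre-execution check over AI-generated text looks like. It implements four of the check names that appear in the decision record above (guaranteed returns, promissory language, superlatives, and past-performance figures without the customary disclaimer) as constructed regular expressions, runs them over constructed chatbot outputs, and emits a decision record in the same shape: checks run, decision, triggered rule, flagged text, and whether principal review is required. The rule names, the policy-set name and the sample sentences are assumptions made for the example.

```python
import re

# Constructed rule set for illustration; not CoreGuard's policy pack and not a FINRA-published list.
# Each entry is (rule_id, compiled pattern, disposition). BLOCK = must not be delivered;
# FLAG = hold for principal review. Rules are ordered by severity so the first finding becomes
# the headline "triggered_rule" in the decision record.
RULES = [
    ("guaranteed_returns_prohibition",
     re.compile(r"\bguarantee[ds]?\b[^.]{0,40}\b(?:return|yield|profit|gain)s?\b"
                r"|\b(?:return|yield|profit|gain)s?\b[^.]{0,40}\bguaranteed\b", re.I),
     "BLOCK"),
    ("promissory_language_detection",
     re.compile(r"\b(?:will|cannot|can't|won't)\b[^.]{0,30}"
                r"\b(?:lose|double|outperform|beat the market)\b", re.I),
     "BLOCK"),
    ("superlative_claim_detection",
     re.compile(r"\b(?:risk[- ]free|safest|no risk|best (?:fund|investment|stock))\b", re.I),
     "FLAG"),
    ("performance_claims_disclosure",
     re.compile(r"\b(?:returned|gained|up)\b[^.]{0,40}?\d+(?:\.\d+)?\s?%", re.I),
     "FLAG"),
]
# A past-performance figure is acceptable only when the customary disclaimer accompanies it.
PAST_PERF_DISCLAIMER = re.compile(
    r"past performance (?:is|does) not (?:guarantee|indicat|predict)", re.I)


def screen(text, comm_type="retail_communication", channel="chatbot_output"):
    """Evaluate one AI-generated communication and return a decision record."""
    findings = []
    for rule_id, pattern, disposition in RULES:
        match = pattern.search(text)
        if not match:
            continue
        if rule_id == "performance_claims_disclosure" and PAST_PERF_DISCLAIMER.search(text):
            continue  # figure is accompanied by the required disclaimer
        findings.append({"rule": rule_id, "flagged_text": match.group(0),
                         "disposition": disposition})

    if any(f["disposition"] == "BLOCK" for f in findings):
        decision = "BLOCK"
    elif findings:
        decision = "FLAG"
    else:
        decision = "ALLOW"

    return {
        "request_type": "customer_communication",
        "comm_type": comm_type,
        "channel": channel,
        "policy_set": "finra_2210_example",  # constructed name
        "checks_run": [rule_id for rule_id, _, _ in RULES],
        "findings": findings,
        "decision": decision,
        "triggered_rule": findings[0]["rule"] if findings else None,
        # Rule 2210(b)(1): retail communications need principal approval before use regardless
        # of the screener's verdict; other communication types go to a principal only when
        # the screener finds something.
        "principal_review_required": comm_type == "retail_communication" or decision != "ALLOW",
    }


if __name__ == "__main__":
    # Constructed sample outputs a chatbot might produce.
    for sample in [
        "This fund offers a guaranteed 12% annual return.",
        "Our safest fund will double your money in five years.",
        "The fund returned 14% last year. Past performance does not guarantee future results.",
        "Ask your representative about our balanced portfolio options.",
    ]:
        rec = screen(sample)
        print(rec["decision"], rec["triggered_rule"], [f["flagged_text"] for f in rec["findings"]])
```

Pattern matching of this kind catches the blunt cases and is cheap enough to run on every output, but an LLM paraphrases freely ("you simply can't lose with this one") and will slip past a fixed list; in practice the regex layer is a floor under a classifier, and every ALLOW on a retail communication still goes to a principal because Rule 2210(b)(1) requires it.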

Exchange Act Rules 17a-3 and 17a-4: Recordkeeping for AI Activities

Exchange Act Rule 17a-3 requires broker-dealers to make specified records of their business activities, and Rule 17a-4 requires those records to be preserved for specified periods. For records kept electronically, Rule 17a-4(f) requires the electronic recordkeeping system either to preserve them in a non-rewriteable, non-erasable (WORM) format or to satisfy the audit-trail alternative introduced by the SEC's 2022 amendments to the rule. For AI-assisted activities, the recordkeeping obligation covers the AI's outputs and the firm's governance records about them.

Required records for AI-assisted activities include:

  • Order records (Rule 17a-3(a)(6)) — memoranda of AI-generated or AI-assisted brokerage orders, including the terms of the order and the time it was received and entered
  • Communication records (Rule 17a-4(b)(4)) — originals of communications received and copies of communications sent relating to the firm's business, which includes AI-generated customer correspondence, retained for at least three years
  • Supervisory procedure records (Rules 17a-4(e)(7) and 17a-3(a)(21)) — each compliance, supervisory, and procedures manual and every revision to it, which includes the WSPs governing AI, together with the record of the principals responsible for establishing those procedures
  • AI governance records — records sufficient to demonstrate that AI-assisted activities were conducted within the firm's supervisory framework

WORM Storage Requirement

Rule 17a-4(f) requires electronic records to be preserved either in a non-rewriteable, non-erasable (WORM) format or in an electronic recordkeeping system that meets the audit-trail alternative added in 2022, which must maintain a complete time-stamped history of every modification or deletion and be able to reproduce any prior version. AI governance records, including decision certificates showing that AI communications were evaluated against compliance rules, fall under this requirement. Cryptographically signed decision records, with the signature computed at the time of the AI interaction and the records written to append-only storage, make any later alteration detectable and so support the integrity showing behind the rule; they do not by themselves make a record non-rewriteable, because anyone holding the signing key can re-sign a modified record. The non-rewriteable or audit-trail property must come from the storage layer the signed records are committed to.
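The following Python block is an added example of the signing scheme the preceding paragraph describes, written for this page and not taken from CoreGuard. It wraps each decision record in an HMAC-SHA256 envelope over a canonical JSON encoding, chains every entry to the hash of the previous one so that deletion, insertion or reordering breaks the chain, and shows what verification can and cannot detect: a modified record and a removed middle entry are caught, but truncation of the tail is only caught when the latest entry hash is anchored somewhere the writer cannot change. The demo key, record contents and field names are assumptions for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64                         # prev_hash of the first entry
DEMO_KEY = b"constructed-demo-key-do-not-use"  # constructed; a real key lives in an HSM/KMS


def canonical(obj):
    """Deterministic JSON encoding so the same record always MACs to the same value."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()


def entry_hash(entry):
    """SHA-256 over the full signed envelope; becomes the next entry's prev_hash."""
    return hashlib.sha256(canonical(entry)).hexdigest()


def sign_entry(key, record, prev_hash):
    """Wrap a decision record in an HMAC-SHA256 envelope chained to the previous entry."""
    body = dict(record)
    body["prev_hash"] = prev_hash
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    body["signature"] = "hmac-sha256:" + tag
    return body


def append_entry(key, log, record):
    """Append a signed, chained entry to an in-memory log (stands in for append-only storage)."""
    prev = entry_hash(log[-1]) if log else GENESIS
    log.append(sign_entry(key, record, prev))
    return log[-1]


def verify_log(key, log, expected_head=None):
    """Return (ok, reason). Detects modified/forged entries and broken chain links.
    expected_head is the hash of the last entry, anchored outside the log (e.g. written to
    WORM storage or a separate system); without it, dropping the tail is invisible."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "signature"}
        expected = "hmac-sha256:" + hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("signature", "")):
            return False, f"entry {i}: signature mismatch"
        if entry.get("prev_hash") != prev:
            return False, f"entry {i}: chain break"
        prev = entry_hash(entry)
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch: log truncated or head stale"
    return True, "ok"


def demo():
    """Build a three-entry log (constructed records) and exercise the failure modes."""
    log = []
    append_entry(DEMO_KEY, log, {"request_type": "customer_communication",
                                 "decision": "BLOCK",
                                 "triggered_rule": "guaranteed_returns_prohibition"})
    append_entry(DEMO_KEY, log, {"request_type": "customer_communication", "decision": "ALLOW"})
    append_entry(DEMO_KEY, log, {"request_type": "customer_communication", "decision": "FLAG"})
    head = entry_hash(log[-1])

    tampered = [dict(log[0]), log[1], log[2]]      # rewrite a stored disposition
    tampered[0]["decision"] = "ALLOW"
    deleted = [log[0], log[2]]                    # drop the middle entry
    truncated = log[:2]                           # drop the tail

    return {
        "intact": verify_log(DEMO_KEY, log, head),
        "tampered": verify_log(DEMO_KEY, tampered),
        "deleted": verify_log(DEMO_KEY, deleted),
        "truncated_unanchored": verify_log(DEMO_KEY, truncated),
        "truncated_anchored": verify_log(DEMO_KEY, truncated, head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

Two points a practitioner should take from the demo. First, HMAC is symmetric: the verifier and the writer share the key, so the scheme proves integrity against parties without the key, not against the record keeper itself; keeping the key in a signing service the AI gateway cannot read, or switching to an asymmetric signature with a timestamp, narrows that gap but still does not replace WORM or audit-trail storage. Second, `truncated_unanchored` verifies as clean, which is why the head hash (or the whole log) has to be committed to the non-rewriteable store rather than only the individual certificates.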

CoreGuard → FINRA Obligation Mapping

FINRA Rule 3110 — Supervision System
Firms must have a reasonably designed supervision system for AI activities, including WSPs governing AI use, approval processes, and ongoing monitoring.
CoreGuard — Policy Pack Architecture
Policy packs implement the supervisory rules as executable controls. Each policy evaluation generates a record showing which rules ran and the result — providing the audit evidence for supervisory reviews. Policy packs are versioned and their changes documented.
FINRA RN 24-09 — Communication Supervision
AI-generated customer communications must be reviewed for compliance with Rule 2210 before delivery. Principal review is required for retail communications.
CoreGuard — Pre-Execution Communication Screening
CoreGuard evaluates AI-generated text against Rule 2210 policy controls before delivery. Blocked or flagged communications are held for principal review. Every screening produces a signed record showing the checks run and the disposition.
Reg BI — Care Obligation for AI Recommendations
AI-generated investment recommendations must be based on reasonable diligence and matched to customer profiles. The firm bears the obligation.
CoreGuard — Input Enforcement and Decision Records
Policy controls enforce that customer profile data is present and valid before recommendation is generated. Decision certificates capture the inputs used, enabling demonstration that the care obligation was applied.
Exchange Act 17a-4 — Electronic Recordkeeping
Records of AI-assisted activities must be preserved for specified periods (three to six years depending on record type) in an electronic recordkeeping system that either keeps them non-rewriteable and non-erasable (WORM) or meets the audit-trail alternative permitted since the 2022 amendments to Rule 17a-4(f).
CoreGuard — Signed Decision Certificates
HMAC-SHA256 signed certificates make any later modification detectable by a verifier holding the key; the non-rewriteable property itself comes from the WORM or audit-trail storage the certificates are committed to. Certificate storage integrates with WORM-compliant infrastructure, and configurable retention periods align with 17a-4 schedules.

FINRA Examination Readiness for AI Governance

FINRA's 2025 Annual Regulatory Oversight Report identified AI governance as an examination priority. Based on published FINRA guidance, examination letters, and known findings, broker-dealers should anticipate the following requests during AI-focused examinations:

  1. AI system inventory — a complete list of AI tools deployed in customer-facing or trading-related activities, including vendor name, use case, and deployment date
  2. Written Supervisory Procedures — WSP sections specifically addressing AI, including approval process, monitoring, and escalation procedures
  3. Pre-deployment review documentation — evidence that compliance and supervisory review occurred before each AI system went live, including testing results and principal sign-off
  4. Communication review records — samples of AI-generated customer communications and evidence of principal review
  5. Reg BI documentation for AI recommendations — evidence that AI recommendations are based on customer profile data and satisfy the care obligation
  6. Audit trail samples — records of AI-assisted activities demonstrating compliance monitoring
  7. Incident records — documentation of AI system failures, policy violations, or anomalous outputs, and the firm's response

Build the AI Supervision Infrastructure FINRA Expects

CoreGuard provides the pre-execution governance layer, signed audit records, and policy enforcement infrastructure that supports FINRA's supervisory system expectations for AI. Deploy in front of any AI system in under a day.


Frequently Asked Questions

What does FINRA Regulatory Notice 24-09 require for AI governance at broker-dealers?
FINRA Regulatory Notice 24-09, published in June 2024, outlines FINRA's expectations for member firms' use of artificial intelligence, including generative AI and large language models. The notice emphasizes that existing FINRA rules apply to AI-assisted activities the same way they apply to human-conducted activities. Key expectations include: (1) firms must have reasonably designed supervisory systems with WSPs addressing AI use; (2) AI systems used to generate recommendations must satisfy Regulation Best Interest obligations; (3) AI-generated communications must be reviewed and supervised under FINRA Rules 2210 and 2211; (4) records of AI-assisted activities must be retained under FINRA Rule 4511 and Exchange Act Rules 17a-3 and 17a-4; and (5) firms should assess AI system risks before deployment, including bias, hallucination, and model drift.
How does Regulation Best Interest apply to AI-generated investment recommendations?
Regulation Best Interest requires broker-dealers to act in the best interest of retail customers when making a recommendation of any securities transaction or investment strategy. When an AI system generates investment recommendations, the recommendation obligation attaches to the firm — not the AI. This means the firm must ensure the AI's recommendations satisfy Reg BI's four component obligations: disclosure (customers understand the recommendation is AI-assisted), care (recommendation is based on reasonable diligence and customer profile), conflict of interest (conflicts affecting the AI's recommendations are identified and mitigated), and compliance (the firm has policies and procedures for AI Reg BI compliance). Firms cannot satisfy Reg BI by pointing to an AI's own assessment of best interest — the obligation runs to the firm.
What FINRA recordkeeping rules apply to AI-generated communications?
FINRA Rule 4511, Exchange Act Rule 17a-3, and Exchange Act Rule 17a-4 collectively govern recordkeeping at broker-dealers. Communications generated by AI systems, including customer-facing chatbot interactions, AI-drafted correspondence, and AI-generated research summaries, are subject to the same retention requirements as communications produced by registered representatives. Exchange Act Rule 17a-4 requires that records be preserved for specified periods and that electronic records be kept either in a non-rewriteable, non-erasable (WORM) format or in a system meeting the audit-trail alternative permitted since the 2022 amendments to Rule 17a-4(f). AI-generated communications should be retained in their original form, together with the AI governance metadata showing that policy controls were applied before delivery.
What should broker-dealer Written Supervisory Procedures cover for AI?
FINRA's supervisory rules require member firms to establish and maintain a system of supervision reasonably designed to achieve compliance with applicable rules. For AI systems, the WSPs should address: (1) the approval process for deploying new AI systems, including pre-deployment testing and principal sign-off; (2) the designation of a principal responsible for supervising each AI system; (3) procedures for monitoring AI system outputs for policy compliance, accuracy, and bias; (4) escalation procedures when AI systems produce outputs that may violate FINRA rules; (5) procedures for reviewing AI-generated customer communications before delivery; (6) recordkeeping procedures for AI-assisted activities; and (7) procedures for updating AI systems and re-testing after changes. Firms that cannot produce AI-specific WSPs during a FINRA examination risk findings under Rule 3110.
What are FINRA's examination priorities for AI in 2025–2026?
FINRA's 2025 Annual Regulatory Oversight Report identified AI as a priority examination area. FINRA examiners are focused on: (1) whether firms have documented the AI systems they use and the supervisory framework for each; (2) whether AI-generated recommendations satisfy Reg BI care and disclosure obligations; (3) whether AI-generated communications are reviewed before delivery and retained under applicable rules; (4) whether firms have assessed AI systems for bias and discriminatory outcomes; (5) whether firms' WSPs specifically address AI; and (6) whether firms can demonstrate that AI systems operate within approved parameters and that deviations are detected and remediated. FINRA has also signaled focus on generative AI specifically, given the risk of AI producing inaccurate, misleading, or inappropriate content in customer communications.