Written by: John O’Connell | The Oasis Group

When FINRA determines that a supervision gap has become material, it publishes a regulatory notice, and the next examination cycle asks about it. That process moves in months.

The historical pattern is unambiguous. FINRA moved faster than the SEC on electronic communications supervision. It moved faster on social media. It moved faster on digital advertising standards. It moved faster on off-channel messaging. Each time a new technology created a gap between how registered representatives were actually working and what the firm's Written Supervisory Procedures addressed, FINRA closed the guidance gap before the SEC had organized its first comment period. There is no structural reason to expect AI to be different. There are several reasons to expect it to move faster.

The question is not when the SEC will act. The question is whether your WSPs will be ready when FINRA does.

Your Written Supervisory Procedures Have a Gap the Size of 2023

FINRA Rule 3110 requires that Written Supervisory Procedures address all aspects of the firm's business. AI tools used by registered representatives are part of the business. The gap between that requirement and the content of most BD WSPs is significant, and it is consistently the same gap: the procedures were written for humans recommending to humans, and the AI tools that now sit in the recommendation workflow, the communication workflow, and the research workflow are simply not addressed.

The specific deficiencies I find most consistently are these. No procedure governing the review of AI-generated or AI-assisted client communications before they are sent. No approval process a registered representative must complete before using a new AI tool in their workflow. No documentation standard for recommendation rationale that addresses how AI contributions are captured and retained. No definition of what constitutes material AI use that would require any form of disclosure to the client or in Form CRS.

An examiner who finds these gaps does not need a new rule to write a finding. They need only your existing Rule 3110 obligations and a comparison to your current business practices.

Regulation Best Interest Has No AI Exception

Reg BI's care obligation applies to every recommendation, whether AI-generated, AI-assisted, or entirely human. The technology that produces or influences the recommendation does not change the standard to which the recommendation is held.

The conflict-of-interest provisions of Reg BI extend specifically to AI tools with embedded incentives the client is unaware of. The AI tool may have an unintentional bias based on its training data. For example, if the algorithm was trained on data that reflects firm-favorable outcomes, or if the tool systematically surfaces proprietary products ahead of comparable alternatives, you have a conflict-of-interest disclosure obligation that the absence of an AI-specific rule does not eliminate. The obligation exists under the rule already in force.

The reasonable basis standard does not change because an algorithm contributed to a recommendation. If a registered representative cannot explain the basis for a recommendation that an AI tool materially influenced, there is no reasonable basis. Supervisory procedures must address how AI-assisted recommendations are reviewed by a human supervisor before reaching a client. That is the current standard for meeting existing Reg BI obligations, not a future requirement.

Form CRS disclosure is also an open question that firms cannot afford to leave unresolved. Whether material AI use in the brokerage process requires disclosure under the current Form CRS framework is a question on which the SEC has not provided clear guidance. Firms with no position on this question are creating exposure on both sides simultaneously. Take a position, document the reasoning, and build disclosure language that reflects it.

Rule 17a-4: The Recordkeeping Clock Is Already Running

Rule 17a-4 requires the capture and retention of all business communications, regardless of channel or technology. The rule does not distinguish between an email, a text message, a Teams chat, and an AI-generated client communication. It requires preservation of business communications. AI-generated outputs used in client-facing activities are business communications.

The enforcement history here is instructive in a way that should concentrate your attention. The off-channel communications enforcement wave of 2022 through 2024 cost the industry billions of dollars in penalties. Not because new rules were written, but because existing recordkeeping rules were applied to WhatsApp, Signal, and other messaging platforms that firms had allowed their employees to use without adequate capture and retention controls. The firms that paid the largest penalties had not made a deliberate decision to violate the rules. They had failed to apply existing rules to new technology before the enforcement action arrived.

AI recordkeeping is the next chapter of the same story. The technology is new. The obligation is not. AI-assisted research summaries, recommendation rationale documents, meeting prep outputs, and client communications generated by firm-deployed AI tools carry the same preservation requirements as email. If those outputs are not flowing into your archiving infrastructure, you have a Rule 17a-4 gap that does not require FINRA to publish a single regulatory notice to become an examination finding.

Four WSP Updates to Make Before the Next Examination Cycle

1. Define AI tools. Establish a clear, documented definition of what constitutes an AI tool under the firm's supervision framework. What is subject to the AI governance program and what is not. Without a definition, the boundary of the supervision obligation is undefined, and undefined is not a defensible compliance position when an examiner is comparing your procedures to your business.

2. Establish a pre-approval process for registered representative AI tool use. No registered representative should use a new AI tool in client-facing or recommendation-generating activities without a documented prior approval. The approval process should review the tool's data handling practices, its potential for creating undisclosed conflicts, and how its outputs will be captured and retained. Document the approval, the reviewer, and the date it was granted.

3. Build AI into the supervisory review procedure for recommendations. Specify who reviews AI-assisted recommendations, what they are reviewing for, and how that review is documented in the record. The review record is evidence that the supervisory obligation is being met. A procedure that says recommendations should be reviewed is not a review record. A documented review that shows who reviewed it and when is.

4. Address AI-generated and AI-assisted client communications in your retention infrastructure. Define the review and approval requirements for client-facing communications that AI contributed to or generated. Connect those communications to your archiving system so they are captured with the same completeness as email and other business records. The off-channel enforcement precedent tells you exactly what happens when this step is skipped.

The SEC being slow on AI rules is not good news for broker-dealers. It means the clock you are actually on is FINRA's, and FINRA's clock runs faster. Every day without updated WSPs is a day the next examination cycle is writing your finding for you.

Related: Good Debt vs. Bad Debt: Turning Borrowing Into a Wealth-Building Tool

Endnotes

Financial Industry Regulatory Authority. "FINRA Rule 3110: Supervision." FINRA.org, www.finra.org/rules-guidance/rulebooks/finra-rules/3110. Accessed 23 Mar. 2026.

United States Securities and Exchange Commission. "Rule 17a-4: Records to Be Preserved by Certain Exchange Members, Brokers and Dealers." SEC.gov, www.sec.gov/rules/final/34-38245.txt. Accessed 23 Mar. 2026.