FINRA’s 2026 Oversight Report Sharpens Focus on AI, Cyber Risk, & Market Integrity

Key Takeaways
  • AI Governance Takes Center Stage: FINRA introduces a dedicated focus on generative AI, urging firms to test, monitor, and govern GenAI tools while addressing risks such as hallucinations, bias, data integrity, and privacy.
  • Cyber Fraud Grows More Sophisticated: FINRA highlights rising cyber-enabled fraud, including AI-powered account takeover and new account fraud, and stresses stronger authentication, monitoring, and coordination between cyber and AML teams.
  • Small-Cap Manipulation Draws Heightened Scrutiny: The report flags a rise in pump-and-dump schemes involving small-cap, exchange-listed equities, often coordinated through social media, and signals expanded examination activity in this area.
  • Third-Party Risk Remains a Priority: FINRA reiterates expectations for robust vendor oversight, warning that outages or breaches at critical service providers, including those using GenAI, can create systemic risk.
  • Examinations Will Follow the Themes: While the report creates no new rules, FINRA makes clear that its 2026 examinations will focus on how firms are managing AI, cyber risk, AML controls, market surveillance, and outsourced activities in practice.
Deep Dive

FINRA’s 2026 Annual Regulatory Oversight Report offers a window into how risk is showing up across broker-dealers, drawn directly from the regulator’s examination and enforcement experience. While the report does not introduce new rules, it highlights recurring weaknesses and emerging pressure points, from the use of generative AI to cyber-enabled fraud and small-cap market manipulation, that are expected to shape FINRA’s supervisory focus throughout 2026.

The report does not introduce new legal or regulatory obligations. Instead, it draws on FINRA’s examination and oversight work to highlight where firms are struggling, where controls are breaking down, and where supervisory frameworks may not be keeping pace. Those observations are expected to guide FINRA’s examination priorities throughout 2026.

At the center of this year’s update is generative artificial intelligence, which makes its debut as a standalone topic. FINRA notes that firms are already using GenAI tools in live environments, most commonly to summarize and extract information from large data sets. That alone, the regulator suggests, raises questions about accuracy, reliability, bias, and data protection that traditional supervisory programs were not designed to address.

FINRA stops short of prescribing specific controls, but it is clear about what it expects firms to think through. Robust testing before deployment, ongoing monitoring once tools are live, and visibility into how models behave over time all feature prominently. The report encourages firms to log outputs, track models, and test for privacy, integrity, and accuracy issues, particularly as some firms experiment with more autonomous AI agents.

Just as importantly, FINRA signals that GenAI should not sit outside existing governance structures. Supervision, customer communications, vendor oversight, books and records, and technology change management all need to account for AI-enabled activity. In other words, AI may be new, but it is not exempt from old regulatory fundamentals.

That same theme, technology outpacing controls, runs through FINRA’s discussion of cybersecurity and fraud. The report describes a threat landscape that is both familiar and newly dangerous, with bad actors increasingly using GenAI tools to scale and personalize attacks. New account fraud and account takeovers feature prominently, particularly schemes that rely on voice cloning, fabricated identity documents, and data scraped from social media to defeat verification processes.

FINRA points to practical steps firms should consider, such as additional authentication when anomalies appear in login activity, closer monitoring of repetitive account-opening patterns, and better coordination between cybersecurity teams and AML staff. The report also reinforces expectations under the SEC’s amended Regulation S-P, reminding firms that incident response and customer notification are no longer optional or informal exercises.

In parallel, FINRA highlights its own efforts to share intelligence through the Cyber & Operational Resilience program, launched under the FINRA Forward initiative. The program is designed to identify and communicate emerging cyber and technology risks, including vendor-related threats and systemic failures, directly to firms that may be affected.

Financial crime and market integrity concerns continue to run through the report. On the AML side, FINRA again flags failures to detect and escalate suspicious activity, particularly where vulnerable customers are involved. The regulator encourages firms to make more consistent use of tools such as Rule 2165, which allows temporary holds when exploitation is suspected, and to rely more actively on trusted contact information.

Market manipulation remains another area where FINRA sees recurring weaknesses. The 2026 report expands on last year’s concerns by pointing to a rise in pump-and-dump schemes involving small-cap, exchange-listed equities. These schemes often combine nominee accounts, account takeovers, and coordinated social-media promotion, exposing gaps in firms’ surveillance programs. FINRA also notes that it conducted a targeted examination in late 2025 focused on offerings by small-cap issuers with foreign operations, underscoring its concern about this segment of the market.

Third-party risk, first elevated in the 2025 report, returns with added urgency. FINRA warns that operational outages or cyber incidents at a single critical service provider can have industry-wide consequences. Firms, the regulator says, should not only conduct initial vendor due diligence but maintain detailed inventories of outsourced services, monitor vendors on an ongoing basis, test incident response plans with them, and think carefully about downstream (or fourth-party) risks—especially where GenAI tools are involved.

The report also touches on a wide range of other developments, from crypto-asset policy shifts and custody guidance to influencer supervision, mobile app disclosures, extended hours trading, and evolving reporting requirements under CAT and CAIS. In each case, FINRA’s focus remains on whether firms’ supervisory systems are actually functioning as designed.

Greg Ruppert, FINRA’s executive vice president and chief regulatory operations officer, framed the report as a practical tool rather than a compliance checklist. “We are not just identifying risks, we are equipping our member firms with the intelligence and resources needed to mitigate risks effectively,” he said, adding that strong compliance ultimately protects investors and supports market integrity.
