
The 2026 FINRA Annual Regulatory Oversight Report

New leadership, new info, same great format

In my 2024 blog, I reported the new name and the new format of FINRA’s annual publication. This year there is new leadership to announce, as Greg Ruppert has been named to the newly minted position of Chief Regulatory Operations Officer [1]. In this role, Mr. Ruppert leads a cross-functional team that consists of Member Supervision, Market Oversight, and Enforcement teams.

I have commented in previous blogs regarding the format of the FINRA Annual Regulatory Oversight Report (AROR), so I won’t repeat my kudos to FINRA for maintaining a useful resource. Well, maybe just a few more…the format is very user-friendly, updates are readily visible, and the material is very informative, making this a go-to resource for compliance professionals. If you haven't already, check it out.

In this blog, I address a few highlights of interest to me, and hopefully to you as well, from the 2026 report.

AI/GenAI

At first glance, the topic of Generative AI in the table of contents pops out due to its newness and the bold, red emphasis. I imagine many will head to that topic section first. Let's follow suit.

The AI/GenAI topic is 100% new content. As such, it merits consideration from top to bottom. From my perspective, FINRA’s guidance is timely, as firms are increasingly considering or using AI/GenAI for internal efficiency, summarization, and information extraction. FINRA describes its approach as technology-neutral, noting that its rules apply equally to AI and GenAI tools as they do to any other technology.

Bullet by bullet, the guidance is current, meaningful, and direct, such that it translates very well into procedures, a due diligence checklist, and training for a firm's compliance and operations personnel, including field supervisors. For independent broker-dealers, I believe the oversight of AI uses in remote branch locations is especially challenging and predict it may become a topic in future FINRA releases. For now, I strongly encourage compliance leaders to carefully review the AROR and consider approaching risk along the structure it outlines.

Cyber

In the AROR, FINRA offers new insight into cyber-related fraud, describing a variety of sophisticated threats that target firms and their customers. Data breaches continue to plague the industry and can result from both internal and external threats. Impersonations also wreak havoc and, as I have learned from personal experience, so do fraudsters who create imposter websites.

The effective practices noted by FINRA include a few new suggestions, such as revisiting bring your own device (BYOD) programs; cross-team communication among a firm’s information technology, operations, and AML personnel; and monitoring third-party vendors. It seems to me to be a good incentive to consider reviewing contractual arrangements with vendors for hardened cyber protections and breach notification obligations. FINRA also promotes training and security awareness.

FINRA does not cite here what I believe is a very valuable resource: its Investor Alerts regarding avoiding fraud, identifying red flags, and safeguarding consumer identity. These alerts provide relevant and timely instruction and education for the investing public and clients in a readable and easily accessible format [2].

Further insight can be gleaned from your own compliance network. I asked one of my respected information security experts, Khosaim Basrai, the Chief Compliance Officer of R F Lafferty, for his thoughts. Here is his reply, which I believe speaks to the scope of potential harm we all face as professionals, principals, and consumers.

“In our present cyber security environment, there are a few key points to protect your digital footprint. The user has to understand where their daily interactions are on the web using daily devices (smartphones/laptops, etc.).

No matter what app or software the users interact with, e.g., food delivery to banking portals, one must secure the app with strong passwords and Multi-Factor Authentication (MFA).

Maintain your digital profile routinely; schedule a date and time every quarter or monthly. Log in to ALL portals. Check personal information, address, telephone numbers, etc. Look for anything out of the ordinary, e.g., an address change applied without the user's knowledge. If the account has been compromised, the hackers will slowly change personal information on portals to apply for new credit cards under the user's name. This is the initial step hackers use to initiate identity theft.

Stay educated. Be vigilant against evolving threats like sophisticated phishing attempts and AI-driven scams.”

While not exhaustive, I hope these suggestions, along with the advice provided in the AROR, are meaningful to each of you.

Anti-Money Laundering

Recent exam findings related to Anti-Money Laundering (AML) are substantially expanded in the AROR and provide a meaningful checklist for AML Compliance Officers. FINRA recommends considering adding detection measures for suspicious activity in omnibus accounts and small-cap offerings to an AML compliance program. FINRA continues to suggest that firms provide a means for escalating potentially suspicious activity from departments outside the traditional walls of compliance, such as IT, cyber, and operations.

Investigating red flags communicated by the clearing firm regarding an introduced customer continues to be an area of risk, and FINRA provides considerable detail regarding its expectations for robust Customer Identification Program (CIP) and Customer Due Diligence (CDD) programs. In this regard, FINRA describes what it deems to be problematic, including failures to collect required identification or to verify it in a reasonable and timely manner. FINRA provides examples that include failing to detect when theft or other red flags might indicate that a customer could be acting as an agent for an undisclosed principal, such as in a nominee account.

Some of the AML staples, testing and training, are also refreshed in the AROR. Regarding testing, the new material calls out verifying the qualifications of the tester and the scope of the test, and ensuring that all business lines, and especially new business lines, are tested.

Crypto

Crypto is officially on the scene. It is striking to me that the FINRA notices cited were all from prior years, while very nearly all of the SEC resources hit the presses in 2025. Starting with the rescission of SAB 121 in January and the Staff Memo regarding Meme Coins in February, month after month the SEC forged ahead with crypto guidance. Over the past year, the SEC has advised the industry of its position on mining activities, stablecoins, registered and unregistered securities offerings, distributed ledger technology, exchange-traded products, and custody. Each of these is cited in the AROR, and all are worth a review to ensure that compliance professionals continue to maintain a working knowledge of the digital sector of the market.

Guidance of note includes a recommendation from FINRA regarding due diligence on crypto assets that are securities and are offered privately. In my observation, this is a growing trend, and shoring up a firm’s due diligence is critical to successfully vetting these offerings before approval. I suggest that compliance professionals couple the FINRA guidance in the AROR [3] with the SEC’s FAQ regarding the application of Reg BI [4] when offering private placements, to round out the approval of a private offering of this type.

FINRA also advises that firms be well informed of the mechanics of an offering that incorporates digital assets by knowing:

  • The identities and background of the initial development team (for the assessment of potential conflicts)
  • The total supply of the underlying crypto assets, whether there is a cap on supply and what the minting and burning schedule is, as well as any material events impacting the supply of the crypto assets, such as halving events and protocol modifications
  • Any markets associated with the crypto asset(s)

Notably, FINRA continues to reinforce its expectation, dating to 2021, that firms reach out to their Risk Monitoring Analyst or other FINRA staff about any new or intended activities involving digital assets.

Based on my experiences, a materiality consultation (MatCon) is frequently requested upon notice but should not be considered an insurmountable obstacle. I have found that the staff of FINRA's Membership Application Program (MAP) are knowledgeable about the inner workings of various aspects of the digital asset marketplace.

By this time, they have reviewed a good number of such requests, and the questions they raise often amount to meaningful guidance for the applying firm. As an added bonus, I find that there is substantial value in the peace of mind that follows an approved MatCon.

Communications with the Public

FINRA’s guidance on communications has been expanded to address firms’ supervision of social media influencers as well as the associated record-keeping. This is a topic that comes up frequently in my consulting practice, and the AROR provides practical advice that you can take directly from the source.

FINRA provides supplementary material to its prior guidance that reminds firms that static content, whether posted by the firm or by an influencer, is a retail communication and must be reviewed and retained. Read this excerpt from the list of findings and be sure to take note: “Not reviewing or supervising influencer communications on the firm’s behalf posted in online interactive electronic forums in the same manner as required for supervising and reviewing firm correspondence.” If you have not already done so, now would be the time to address supervision and retention of social media influencer communications.

Read more in the 2026 report

In addition to the topics that caught my eye, there are sure to be topics of particular interest to you, so please have a look as you endeavor to map out your own 2026 priorities. 


Sources:

  1. FINRA Executives | Regulatory Operations | FINRA
  2. Protect Your Money | FINRA
  3. 2026 FINRA Annual Regulatory Oversight Report | Member Firms' Nexus to Crypto | FINRA
  4. Frequently Asked Questions on Regulation Best Interest | Disclosure Obligation | SEC

The opinions provided are those of the author and not necessarily those of Saifr or its affiliates. This information is general and educational in nature, is for informational purposes only, and should not be construed as legal advice. Saifr does not assume any duty to update any of the information. 


Lisa Roth

Regulatory Consultant to Saifr
Lisa Roth is an executive with three decades of leadership and entrepreneurial experience in the financial services industry. She is a regulatory compliance consultant and registered principal, has been a member of multiple FINRA committees and boards, and has served in executive capacities at broker-dealers and investment advisers.
