
FINRA issues a gentle reminder and a note of caution

Last Thursday FINRA published its latest Notice, Notice 24-09, reminding members of their regulatory obligations when using GenAI and LLMs. Alex de Lucena, Director of Product Strategy at Shield, provides an overview of the Notice and its implications for firms using these tools in their eComms surveillance.  

An existing foundation

FINRA strikes the right tone in asserting the effectiveness of existing rules as arbiters of GenAI capabilities while creating no new AI-specific regulations or interpretations. But policies and controls associated with GenAI must keep pace for firms to stay compliant, something FINRA will surely begin to examine. Ultimately, Notice 24-09 is less a call to arms than a reminder for compliance functions to do their jobs as they continue to educate themselves and vet the value of GenAI-derived tools.

Experiment and evidence

The Notice describes numerous examples of potentially acceptable uses of GenAI, including querying internal policies, summarizing research, or obtaining contextually specific information from SEC filings and earnings transcripts. Of particular note are two descriptions of uses in eComms surveillance: misconduct detection and alert summarization.

Clear throughout the Notice is that FINRA has kept a keen eye on this space. Undoubtedly, they have sampled, or considered, many of these tools themselves and expect firms to be doing the same.

But a note of caution rings out: “[Firms] should be mindful of the potential implications, of using GenAI, to meet their regulatory obligations”. In particular, FINRA calls out “concerns about accuracy, privacy, bias, intellectual property, and possible exploitation by threat actors”.

This list of potential issues broadly tracks concerns already associated with GenAI. FINRA is squarely putting the onus on firms: their adoption of GenAI should be gated by their own ability to scrutinize it against these elements.

eComms Surveillance shout out

The Notice specifically calls out examples of AI being used in eComms surveillance – twice. 

Detecting Risk – For firms using GenAI to detect risks across eComms, FINRA lays out an obligation to ensure policies and procedures appropriately address technology governance, “including model risk management, data privacy and integrity, reliability and accuracy” with regards to any models.  

Many tier 1s have already built out significant MRM functions. Likewise, attentive vendors have looked to meet the challenge of providing the level of detail and transparency necessary to meet MRM standards. For these firms and vendors, the Notice aligns with work they are already doing. Certainly, there is more work to do but the foundation is there.  

For firms that have not fully developed MRM and model governance functions, this eComms-specific guidance will push those looking to use AI to first beef up their AI-related policies and associated control functions. (Consultants and AI SMEs can celebrate, as many will look to their expertise as firms educate themselves and develop internally acceptable approaches.)

FINRA’s specific language around eComms detection could also have a chilling effect on adoption, as firms may decide the detection controls they have in place are suitable (high false positives and subpar risk coverage be damned!).

Summarization - FINRA lays out a vague GenAI driven summarization example where firms “aid in surveillance by . . . generating reports with summaries for the member firm’s (human) compliance personnel of potential evidence of malfeasance, such as market abuse or insider trading.”  

This language takes some parsing. The Notice seems to see the value in using AI-derived “reports” to evidence issues across either specific messages, activity, or both.   

This example both catalyzes the imagination and calls for more information. Across some vendors, summarization currently reigns supreme given the relative ease of development and the ancillary use cases for AI-derived summaries. But these present-day examples of summarization represent a first draft of how GenAI can be used to help comms surveillance. Questions remain about how firms should adjust their dispositions as these tools, and their utility, advance.

Here FINRA offers a path, blessing the use of queries and summaries to improve efficiencies and insights, with the specific warning that a higher standard is expected where AI-derived assistants become controls.  

Doing our jobs

For firms and vendors alike there is work to do as we all look to substantiate which AI capabilities can truly add value to how we surface and improve efficiencies across the policing of risk. 

The Notice exemplifies the good work FINRA has done in educating itself on how GenAI works, its potential and its peril. Whatever tools firms choose to adopt, they must expend an equivalent effort in understanding how GenAI works and what new controls are needed to judge its efficacy.

Vendors have an equivalent obligation to educate their customers in good faith. Some of them have contented themselves with yelling about the “revolutionary” impact of their GenAI-derived tools without offering more than lip service, at best, to aid the deliberative and risk-based approach through which compliance functions adapt to change. Honest vendors truly invested in positively affecting risk outcomes must both innovate and educate in equal measure.

Policies and controls  

FINRA will be looking to corroborate GenAI adoption against updated firm policies and controls. For firms, this is the work that lies ahead, but it creates a potential horse-and-cart conundrum. Firms are being asked to update policies for tools whose potential and pitfalls are not yet fully understood. This can have the effect of over- or under-sizing a firm’s disposition toward GenAI, unnecessarily delaying benefits.

As with all things compliance, a risk-based approach is necessary—one that utilizes existing controls and knows how to proactively participate in the GenAI revolution upon us. FINRA is endorsing this approach and will be checking to see that we have done the work. 

