FINRA Releases 2026 Oversight Report Highlighting AI, Cybersecurity, and Compliance Risks

FINRA’s 2026 Annual Oversight Report underscores both familiar priorities and emerging risks shaping the regulatory landscape. While Regulation Best Interest, senior investor protections, and financial responsibilities remain central themes, the report introduces new considerations around Generative AI (GenAI), cybersecurity, and technology-driven vulnerabilities.

Cybersecurity and Cyber-enabled Fraud

Cybersecurity remains a dominant supervisory priority, closely linked to core privacy and safeguarding obligations. The report ties cyber risk management to:

  • Regulation S-P, including Rule 30, which requires written policies and procedures describing administrative, technical, and physical safeguards to protect customer information.
  • Regulation S-ID, which requires firms that maintain covered accounts to implement a written program to detect, prevent, and mitigate identity theft.
  • FINRA Rules 3110 and 4370, addressing supervision and business continuity programs.

Effective practices emphasize cross-functional coordination among cybersecurity, AML, and vendor risk teams, supported by controls that are formally documented, implemented, and tested.

Generative AI

GenAI does not alter firms’ existing obligations around recordkeeping, supervision, outsourcing, or fair dealing with customers. When AI tools support client communications:

  • Content must remain fair and balanced regarding products and services.
  • Supervisory evidence should be retained, and chatbot interactions must be supervised and archived just like other communications.
  • Firms should establish enterprise-level oversight with formal review and approval processes.
  • References to AI-enabled tools should accurately describe how the technology is used, including both benefits and risks. The report also cautions against reliance on limited or outdated datasets that can produce incorrect or skewed outputs.

Third-Party and Technology Risk

Outsourcing does not outsource responsibility. Firms must maintain a reasonably designed supervisory system covering all outsourced activities to meet their obligations under FINRA Rule 1220 (Registration), Rule 3110 (Supervision), Rule 4370 (Business Continuity Plan), and Regulation S-P.

Rising cyberattacks and service outages at third-party vendors can cause wide-scale disruption across the firms that depend on them. To mitigate these risks, firms should:

  • Conduct initial and ongoing due diligence of vendor-supported systems.
  • Maintain a detailed inventory of vendor services, connected systems, and the firm data vendors can access.

AML and Market Manipulation

The report continues to scrutinize AML programs under FINRA Rule 3310, highlighting common weaknesses such as:

  • Monitoring systems that are not tailored to the firm’s risk profile.
  • Under-resourced alert review and investigations.
  • Failure to escalate red flags identified outside the AML function.

To protect vulnerable clients, firms are encouraged to use temporary holds on disbursements when exploitation is suspected, consistent with FINRA Rule 2165.

FINRA also notes persistent gaps in trade surveillance and a rise in small-cap pump-and-dump schemes. In October 2025, FINRA began a targeted review of firm practices related to public and private offerings of small-cap, exchange-listed issuers with foreign operations.

Market Integrity

Market integrity priorities include the Consolidated Audit Trail (CAT), best execution, market access, and extended hours.

  • CAT Reporting: Incomplete, inaccurate, and untimely submissions persist, compounded by weak error correction and limited oversight of third-party reporting agents. Firms are expected to map internal records to CAT fields and review CAT feedback regularly.
  • Best Execution: Obligations include a regular and rigorous evaluation of execution quality across venues and order types, with attention to payment for order flow and venue incentives. The report underscores the need for complete Rule 606 order routing disclosures and for written supervisory procedures that address these reviews.
  • Market Access (SEA Rule 15c3-5): Firms should maintain pre-trade financial risk controls aligned to their business model and document any intra-day adjustments to those controls. A post-trade review for potentially manipulative activity is also expected (see AML and Market Manipulation).
  • Extended-Hours Trading: Clear, prominent risk disclosures are required. Orders executed during extended hours should be included in best execution assessments, CAT, and trade reporting facility (TRF) reporting. Supervisory procedures should explicitly account for lower liquidity and wider spreads.

Regulation Best Interest

Regulation Best Interest remains a core focus. The report highlights issues under the Care Obligation, including:

  • Insufficient product due diligence
  • Recommendations that do not align with the client’s profile
  • Inadequate consideration of cost and available alternatives
  • Weak or missing documentation of account type and rollover recommendations

Additional concerns include conflicts of interest, disclosure quality, and compliance obligations, particularly for complex products such as variable annuities, options, and private placements.

For private placements, firms should conduct reasonable due diligence on the issuer and the offering, document management's responses to red flags, and maintain deal-specific due diligence files. The report also flags variable annuity exchanges as an area of supervisory concern, citing patterns such as increased fees and restarted surrender periods, along with insufficient written supervisory procedures and a lack of documented rationale and principal review.

Senior Investors and Trusted Contacts

Protecting senior investors and vulnerable clients remains a priority. Many firms fall short in making reasonable efforts to obtain trusted contact information and in providing the disclosure that explains how trusted contact details may be used. FINRA also encourages firms to embed senior and vulnerable investor protection, including escalation processes, within their AML policies.

Conclusion

This year’s report offers a practical roadmap for firms to benchmark supervisory programs against current and emerging risks. ACA recommends that firms:

  1. Review the report in full and map findings to the firm’s current and planned business activities.
  2. Identify process, documentation, and training gaps, especially in AI governance, cybersecurity, vendor oversight, AML surveillance, and market integrity.
  3. Compare report-identified risks to existing controls and refine the supervisory framework accordingly.

Partner with ACA to assess the implications for your firm and to design targeted enhancements that strengthen compliance, reduce operational risk, and improve examination readiness.