Artificial Intelligence

AI Compliance in Financial Services: Top Questions Answered

August 13, 2025by Tiffany Magri

Smarsh provides this material for informational purposes only. Smarsh does not provide legal advice or opinions. You must consult your attorney regarding your compliance with applicable laws and regulations.

Artificial intelligence (AI) is rapidly transforming the financial services industry — streamlining everything from meeting transcription and client communication to research generation and compliance workflows. But with innovation comes complexity. AI compliance in financial services is now a top priority as firms face evolving regulatory expectations, heightened privacy risks, and new governance challenges.

Blog summary:
AI is reshaping financial services, streamlining tasks from meeting transcription to research generation — but it also introduces new compliance, privacy, and governance challenges. This post answers top AI compliance questions from financial firms, offering practical guidance on governance, data privacy, books and records obligations, and emerging risks to help organizations adopt AI responsibly under SEC, FINRA, and global regulations.

Why it matters

In this post, we answer the most common AI compliance questions from financial firms, offering practical guidance on governance, data privacy, books and records obligations, and emerging risks. Whether you’re a small advisory firm or a global institution, these insights can help you adopt AI responsibly while staying aligned with SEC, FINRA, and global regulations.

AI compliance governance and accountability in financial services

How can we govern AI use without in-house legal or IT teams?

Start with a lean but effective cross-functional governance framework. Engage external consultants, define approved use cases, and document oversight responsibilities.

Who is accountable if AI-generated content shared with clients is inaccurate or misleading?

The firm is. AI outputs must be reviewed and validated before use in client-facing communications. Regulatory liability remains with the business — not the tool.

Should small businesses trust and use AI platforms, or does it increase risk?

AI can boost productivity, but without governance, risks rise. Small firms should:

Use enterprise-grade tools
Document approved use cases
Train staff
Retain outputs when required

What percentage of compliance jobs will be affected by AI in the next 2–3 years?

AI is expected to augment — not replace — compliance roles, automating tasks like transcription and surveillance while increasing the need for oversight, governance and policy development. As noted in recent regulatory discussions, human judgement will remain critical for ensuring decisions are explainable, auditible and defensible.

AI compliance for data privacy, PII and security

How can we help prevent AI tools from capturing or leaking PII or PHI?

Use enterprise-grade tools with encryption, model isolation, and opt-outs from training. Conduct vendor due diligence and implement internal controls to restrict sensitive data entry.

Is it safe to use tools like Google Gemini or Microsoft Copilot for PII?

It may be appropriate if:

Data is encrypted and excluded from training
A Data Processing Agreement (DPA) is in place
The tool is configured for enterprise use with audit trails and access controls

How should we evaluate whether an AI tool is secure?

Assess areas such as:

Where data is stored and processed
Whether it’s used for training
Vendor certifications (e.g., SOC 2, ISO 27001)
Integration with compliance systems (e.g., Smarsh)

How do we manage users in countries with stricter or more lenient privacy laws?

Consider applying the strictest applicable standard across your organization. For example, GDPR or CCPA may require consent, transparency, and data minimization, even if local laws are more lenient.

AI compliance: Books and records requirements

What AI use cases might trigger books and records requirements?

Examples include:

Meeting summaries with investment advice
AI-generated research or trade ideas
Client communications drafted by AI
Internal notes influencing decisions

Do AI meeting transcripts (e.g., from Zoom, Circleback, JumpAI) count as records?

They may be considered records if they capture business-related content. SEC Rule 17a-4 and FINRA Rule 4511 apply regardless of whether the content is internal or external.

Is transcription-only (no audio/video) treated differently for compliance?

Not necessarily. The content, not the format, determines regulatory obligations.

Are AI chats and prompts subject to retention?

They may be, particularly if they:

Support regulated activity
Contain client communications
Influence investment decisions

Prompts may also be relevant for investigations or monitoring misuse.

Do meeting transcripts from AI tools like Circleback need to be retained under the Investment Advisers Act of 1940 or the Investment Company Act of 1940?

They may need to be retained if they document business-related communications or decisions.

AI compliance for specific tools and platforms

What LLMs are integrated with Smarsh? Which are secure enough for SEC compliance?

Smarsh supports enterprise-grade integrations with OpenAI (ChatGPT Enterprise), Microsoft 365 Copilot, Google Gemini, and AWS Bedrock. Only enterprise versions with auditability and capture capabilities are suitable for regulated use.

How does Smarsh handle LLMs from major providers?

Smarsh enables capture, retention, and supervision of AI-generated content across platforms, ensuring compliance with books and records requirements.

How can we archive AI usage (e.g., Teams, ChatGPT) with Smarsh?

Smarsh offers native integrations for:

Microsoft Teams (including Copilot)
ChatGPT Enterprise
Zoom AI
Email and CRM systems

Is there guidance on FinnyAI, which crafts outbound messages and voicemails?

If used in prospecting or client communication, content may be subject to retention and supervision. Evaluate whether it qualifies as a business record.

AI compliance for communication channels

Should we disclose our texting software in our ADV II or privacy policy?

Consider disclosing if used for client communication. Transparency is a best practice under Reg S-P and global privacy laws.

How do we handle AI-generated summaries in Zoom or Teams?

Consider treating them like any other business communication, particularly if they contain regulated content such as client discussions, investment advice, or supervisory decisions. In certain cases, they may need to be retained and supervised. Regulators focus on content, not the tool, so the key is to evaluate what is captured and whether it supports or documents regulated activity

What are the risks of using tools like JumpAI for client meeting transcription?

Potential risks include:

Capturing regulated content without retention
Lack of auditability or supervision
Privacy concerns if PII or PHI is included

Do we need client consent for meeting note-taking with tools like Zocks?

Yes, especially in jurisdictions with two-party consent laws or under regulations like GDPR and CCPA.

Emerging AI compliance concerns in financial services

How can we tell if a phone call or email is real or AI-generated?

Implement verification protocols, train staff on phishing and spoofing, and consider AI-detection tools for inbound communications. In many jurisdictions, especially those with two-party or “all-party” consent laws, as well as under global privacy regulations like GDPR and CCPA, consent may be required before recording or transcribing a meeting.

What’s the risk of using Copilot to rewrite meeting notes or follow-ups?

Generally low — if outputs are archived in CRM or email systems. Firms must ensure:

AI use is within approved boundaries
Outputs are retained
Governance prevents drift into regulated activity

How much can regulators rely on Smarsh AI?

Smarsh AI capabilities support compliance but do not replace it. Human oversight and governance remain essential.

Final thoughts

AI is no longer an optional tool — it’s a core part of how financial professionals work. That also means AI compliance in financial services must be treated as a strategic imperative. The most successful firms will be those that build AI governance into their existing communication and documentation systems, ensuring regulated activity is properly supervised and archived.

By combining proactive governance, cross-functional collaboration, and clear AI policies, financial firms can innovate confidently while better positioning themselves to meet evolving regulatory requirements.

The bottom line: if AI touches your business records, client communications, or decision-making processes, it falls under compliance — and must be managed accordingly.

FEATURED E-BOOK

Financial Services and Generative AI

Navigating a new era of innovation

Read Now

Share this post!

Author
Recent Posts

Tiffany Magri

Senior Regulatory Advisor at Smarsh

As a Regulatory Advisor at Smarsh, Tiffany Magri monitors, evaluates and consults on the financial services regulatory landscape. Tiffany has more than 10 years of experience facilitating compliance with laws and regulations, policies, and risk management. Prior to joining Smarsh, Tiffany was a Senior Associate at Benefit Street Partners and a Compliance Analyst at Broadstone and Manning & Napier Advisors.

Smarsh Blog

Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.

Ready to enable compliant productivity?

Join the 6,500+ customers using Smarsh to drive their business forward.

watch it work

More Resources