AI Governance in Financial Services: What FINRA and SEC Expect

August 13, 2025 by Tiffany Magri

TL;DR: While there's a lack of explicit AI governance requirements, firms should use existing regulatory rules to inform their use of AI.

As artificial intelligence continues to integrate into daily business operations — from client chatbots to generative marketing tools — regulators are signaling a simple but firm message: existing rules still apply.

In Q2 2025, while no formal AI-specific regulations were introduced, both FINRA and the SEC emphasized that AI must be governed with the same care as any other business tool. During our Q2 Regulatory Roundup webinar, Eversheds Sutherland panelists and Smarsh regulatory experts shared how firms can responsibly navigate this evolving space.

Why AI governance matters now

Financial services firms are increasingly deploying AI tools that generate content, automate decisions, or assist with client communications. But as usage increases, so do regulatory risks — especially if output is unsupervised or if client data is handled without appropriate safeguards.

Though no AI-specific rulebook exists yet, firms are expected to apply existing standards for supervision, recordkeeping, data privacy, and marketing to these tools. The challenge is mapping emerging technologies to long-standing obligations and doing so transparently.

Current regulatory landscape for AI

We’ve written previously on evolving AI governance regulations. Given the most recent expectations, here is what firms should keep in mind:

• FINRA reiterated in Regulatory Notice 24-09 that its rules are technology-neutral. AI tools must be supervised like any other communications or decision-making system.
• Common AI uses include: chatbots, automated research summaries, content generation, policy searches, and client data analytics.
• Third-party vendor oversight is critical. Firms must understand how AI features are embedded in external platforms and ensure contracts prohibit unauthorized use of client data.
• Marketing content created by AI must still meet FINRA Rule 2210: clear, balanced, and not misleading.

"You need to know what’s happening with the information that you feed into that tool."

-- Andrew Mount, Counsel, Eversheds Sutherland

Common AI uses in financial services

During the live Q2 webinar, attendees were asked to identify their biggest compliance concern related to AI. Here’s how they responded:

What is your biggest compliance concern related to AI?

These results reinforce that while AI adoption is rising, concerns about oversight, documentation, and risk management remain top of mind.

Key compliance risks and how to address them

Recordkeeping is a growing concern. Firms must determine whether AI outputs qualify as business communications that require archiving, and how to capture them. Beyond communications, firms should assess whether AI systems or outputs trigger other types of recordkeeping obligations.

"It’s probably the most difficult question for last — books and records requirements. When is an AI-generated communication a record of the firm? There's not a good answer to this yet."

-- Andrew Mount

While Smarsh specializes in communications oversight, compliance teams must think holistically about data governance and records across operational functions.

This includes being mindful of:

  • Regulatory focus on “AI washing” (claims that overstate a firm’s capabilities), which could lead to future enforcement actions
  • Not waiting for complete guidance from FINRA and the SEC — the lack of a rule is not a shield
  • Ensuring AI use is covered in your Written Supervisory Procedures (WSPs), and reviewing any client-facing AI under applicable communications rules
  • Creating cross-functional AI governance frameworks spanning compliance, risk, legal, and technology input

How Smarsh can help with AI governance

The absence of AI-specific regulation doesn’t equate to a regulatory vacuum. As firms adopt increasingly sophisticated tools, regulators are watching how they apply long-standing principles of supervision, transparency, and documentation to new technologies.

At Smarsh, we’ve seen that firms that treat AI governance not as a one-time policy update but as an ongoing operational practice are best positioned to stay ahead of scrutiny and to use emerging tools responsibly and effectively.

Because when it comes to AI, the real risk isn’t regulation. It’s waiting too long to prepare for it.
