GenAI at member firms — four pillars: Supervision (Rule 3110), Communications (Rule 2210), Recordkeeping (4511 & 17a-4), Fair dealing (Rule 2010)

AI use cases are emerging quickly in the financial industry. FINRA published a use case portfolio reflecting the most common AI applications it has observed among member firms. FINRA categorizes and defines these uses to give regulators, member firms, and others a shared vocabulary for discussing fast-evolving AI technology.

Here is a mapping between FINRA's AI use cases and the rules and guidance that apply to each.

One note on structure: three things apply to every row, so we have pulled them out rather than repeating them throughout.

The table below adds what is specific to each use case.

FINRA AI use case mapping

FINRA AI Use Case Pointed FINRA Rules / Guidance
Summarization & Info Extraction
(FINRA's #1 use case)
Hallucination risk — inaccurate summaries of rules or client data affecting decisions; Reg S-P if client info is processed; SEA 17a-4 / Rule 4511 if source docs are records
Conversational AI & Q&A Rule 2210 (chatbot output = firm communication); Advertising Reg FAQ B.4 & D.8; 17a-4 retention of communications; hallucination
Sentiment Analysis Bias guidance — skewed outputs from limited or outdated training data; testing (integrity, reliability)
Translation Rule 2210 if client-facing (translated disclosures must remain fair and balanced); accuracy
Content Generation & Drafting Rule 2210 + Ad Reg FAQ B.4/D.8 (firm responsible for AI-drafted communications); Rule 2010; 4511/17a-4; hallucination
Classification & Categorization Bias; books-and-records integrity if classifying transactions; testing
Workflow Automation & Process Intelligence Full agents section: autonomy without human validation, acting beyond intended scope, auditability of multi-step reasoning, data sensitivity, domain knowledge, and reward misalignment; FINRA suggests human-in-the-loop protocols, tracking agent actions, and guardrails to limit agent behaviors
Coding Cybersecurity program contemplating AI risks; malicious or insecure code
Query (natural-language DB access) Reg S-P (client data exposure); least-privilege access; monitoring of prompts
Synthetic Data Generation Data provenance; bias inherited into synthetic sets; derived-data use
Personalization & Recommendation Reg BI / Rule 2111 (suitability), Rule 2210, Rule 2010 (fair dealing); bias skewing recommendations
Analysis & Pattern Recognition Model integrity if used within the supervisory system itself (Rule 3110 explicitly); bias; ongoing monitoring for concept drift
Data Transformation Record integrity (4511/17a-4 — transformed records must stay accurate); Reg S-P
Modeling & Simulation Model risk management / governance framework with documentation; robust testing (privacy, integrity, reliability, accuracy); financial-management accuracy

Three takeaways from the mapping

Agentic AI builders need compliance baked into the infrastructure. One could imagine addressing FINRA compliance within an individual agent, but that would be hard to maintain and scale. The better approach is to build or adopt an infrastructure that enforces FINRA compliance for every agent running on it, not rules spread across dozens of individual implementations.

Buyers will need new service agreements. Firms adopting third-party AI will need contracts that specifically address agent controls, audit logs, and data protection. Standard SaaS agreements were not written with agentic AI in mind.

Synthetic data is still an open question. The synthetic data use case reflects a genuine gap: the industry and AI builders need to work through provenance, bias inheritance, and derived-data use together. This is not a solved problem yet.

Legal disclaimer: For informational purposes only. PitCrew Agents Inc. is not an RIA, broker-dealer, or law firm; this is not legal, financial, or compliance advice. Consult your CCO or legal counsel before implementing changes. PitCrew assumes no liability for actions taken based on this platform or content.