AI use cases are emerging quickly in the financial industry. FINRA published a use case portfolio reflecting the most common AI applications it has observed among member firms. FINRA categorizes and defines these uses to give regulators, member firms, and others a shared vocabulary for discussing fast-evolving AI technology.
Here is a mapping between FINRA's AI use cases and the rules and guidance that apply to each.
One note on structure: three things apply to every row, so we have pulled them out rather than repeating them throughout.
- FINRA's rules are technologically neutral and continue to apply whenever firms use generative AI (Regulatory Notice 24-09)
- Rule 3110 supervision — a firm relying on AI tools must consider the integrity, reliability, and accuracy of the AI model in its supervisory system
- RN 21-29 vendor oversight — applies to PitCrew as a third-party vendor
The table below adds what is specific to each use case.
FINRA AI use case mapping
| FINRA AI Use Case | Pointed FINRA Rules / Guidance |
|---|---|
| Summarization & Info Extraction (FINRA's #1 use case) |
Hallucination risk — inaccurate summaries of rules or client data affecting decisions; Reg S-P if client info is processed; SEA 17a-4 / Rule 4511 if source docs are records |
| Conversational AI & Q&A | Rule 2210 (chatbot output = firm communication); Advertising Reg FAQ B.4 & D.8; 17a-4 retention of communications; hallucination |
| Sentiment Analysis | Bias guidance — skewed outputs from limited or outdated training data; testing (integrity, reliability) |
| Translation | Rule 2210 if client-facing (translated disclosures must remain fair and balanced); accuracy |
| Content Generation & Drafting | Rule 2210 + Ad Reg FAQ B.4/D.8 (firm responsible for AI-drafted communications); Rule 2010; 4511/17a-4; hallucination |
| Classification & Categorization | Bias; books-and-records integrity if classifying transactions; testing |
| Workflow Automation & Process Intelligence | Full agents section: autonomy without human validation, acting beyond intended scope, auditability of multi-step reasoning, data sensitivity, domain knowledge, and reward misalignment; FINRA suggests human-in-the-loop protocols, tracking agent actions, and guardrails to limit agent behaviors |
| Coding | Cybersecurity program contemplating AI risks; malicious or insecure code |
| Query (natural-language DB access) | Reg S-P (client data exposure); least-privilege access; monitoring of prompts |
| Synthetic Data Generation | Data provenance; bias inherited into synthetic sets; derived-data use |
| Personalization & Recommendation | Reg BI / Rule 2111 (suitability), Rule 2210, Rule 2010 (fair dealing); bias skewing recommendations |
| Analysis & Pattern Recognition | Model integrity if used within the supervisory system itself (Rule 3110 explicitly); bias; ongoing monitoring for concept drift |
| Data Transformation | Record integrity (4511/17a-4 — transformed records must stay accurate); Reg S-P |
| Modeling & Simulation | Model risk management / governance framework with documentation; robust testing (privacy, integrity, reliability, accuracy); financial-management accuracy |
Three takeaways from the mapping
Agentic AI builders need compliance baked into the infrastructure. One could imagine addressing FINRA compliance within an individual agent, but that would be hard to maintain and scale. The better approach is to build or adopt an infrastructure that enforces FINRA compliance for every agent running on it, not rules spread across dozens of individual implementations.
Buyers will need new service agreements. Firms adopting third-party AI will need contracts that specifically address agent controls, audit logs, and data protection. Standard SaaS agreements were not written with agentic AI in mind.
Synthetic data is still an open question. The synthetic data use case reflects a genuine gap: the industry and AI builders need to work through provenance, bias inheritance, and derived-data use together. This is not a solved problem yet.