FINRA AI Compliance: What Broker-Dealers Must Document for AI-Assisted Recommendations
FINRA does not have a single AI rule. AI systems in broker-dealer operations must satisfy Rule 2111 (suitability), Reg BI (best interest), Rules 3110/3120 (supervision), SEA Rules 17a-3/4 (books-and-records), Rule 2210 (communications), and Rule 4370 (business continuity). The documentation obligation follows the recommendation, not the technology. FINRA examiners look for: per-recommendation records capturing the customer profile snapshot and the factors weighted, written supervisory procedures (WSPs) that name the AI system, WORM-format preservation, an annual supervisory control test that covers AI, and algorithm change management procedures.
Suitability and Best Interest Documentation
FINRA Rule 2111 and Regulation Best Interest require broker-dealers to have a reasonable basis to believe that a recommendation is suitable for the specific customer and is in that customer's best interest. When AI generates or influences a recommendation, per-recommendation records must capture: the customer profile snapshot at recommendation time (not the current profile from a live database, but the actual state used by the AI), the factors the AI weighted and in what direction, the alternatives that were considered and why they were not recommended, and the cost and conflict-of-interest considerations applied. "The algorithm decided" is not documentation of suitability; the factors and their weights must be recorded per recommendation.
Written Supervisory Procedures for AI Systems
FINRA Rule 3110 requires WSPs for all activities including technology use. WSPs must specifically name AI systems in use and define: how the system is monitored, frequency of review, who is responsible, what conditions trigger supervisory escalation to human review, how override decisions are documented, and vendor oversight procedures for third-party AI. Rule 3120 requires an annual supervisory control test signed by a senior principal — for AI systems, this test must include specific methodology for evaluating whether the AI produces suitable recommendations, the test sample and findings, and remediation taken. Generic WSPs that reference "algorithms" without naming specific systems do not satisfy Rule 3110.
Books-and-Records for AI Recommendations
SEA Rules 17a-3 and 17a-4 require creation and WORM-format preservation of recommendation records for three years. For AI systems: records must include each recommendation with inputs, outputs, and rationale at generation time; human override decisions (what AI recommended, what human decided, reason for override); and model version in effect at the time of each recommendation. Records must be retrievable by account, date range, and model version — not just in bulk export. Rule 17a-4 requires non-rewritable, non-erasable format; AI records stored in mutable databases require an immutable audit layer with cryptographic signing to satisfy WORM requirements.
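One way to build the immutable audit layer described above, as an added example (not from the original page or any vendor's product): each recommendation record is hash-chained to its predecessor, authenticated, and retrievable by account, date range and model version. The schema, class and function names are hypothetical, the sample records are constructed, and HMAC-SHA256 with a demo key stands in for a digital signature made with a key held in an HSM or KMS.

```python
import hashlib, hmac, json
GENESIS = "0" * 64  # "prev" value of the first entry

def _canon(body):  # deterministic bytes, so hash and MAC are reproducible
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

class RecommendationLedger:
    """Append-only, hash-chained log (hypothetical schema, not a vendor API)."""
    def __init__(self, key):
        self._key, self.entries = key, []  # assumption: real key lives in an HSM/KMS

    def append(self, account, ts, model_version, inputs, output, rationale, override=None):
        body = {"seq": len(self.entries), "account": account, "ts": ts,
                "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
                "model_version": model_version, "inputs": inputs, "output": output,
                "rationale": rationale, "override": override}
        canon = _canon(body)
        # json.loads(canon) stores a snapshot detached from the caller's live objects
        entry = dict(json.loads(canon), hash=hashlib.sha256(canon).hexdigest(),
                     sig=hmac.new(self._key, canon, hashlib.sha256).hexdigest())
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first invalid entry, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            canon = _canon({k: v for k, v in e.items() if k not in ("hash", "sig")})
            sig = hmac.new(self._key, canon, hashlib.sha256).hexdigest()
            if (e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(sig, e["sig"])
                    or hashlib.sha256(canon).hexdigest() != e["hash"]):
                return i
            prev = e["hash"]
        return None

    def query(self, account=None, start=None, end=None, model_version=None):
        # ts is an ISO 8601 UTC string, so string comparison orders by time
        return [e for e in self.entries
                if (account is None or e["account"] == account)
                and (start is None or e["ts"] >= start) and (end is None or e["ts"] <= end)
                and (model_version is None or e["model_version"] == model_version)]

def build_sample_ledger():  # constructed records; every id and value is invented
    led = RecommendationLedger(b"demo-key-only")
    led.append("ACCT-001", "2024-03-01T14:00:00Z", "model-v1", {"risk": "moderate"}, "fund-A", "low cost")
    led.append("ACCT-002", "2024-03-05T09:30:00Z", "model-v1", {"risk": "low"}, "fund-B", "income need",
               {"human_decision": "fund-C", "reason": "client holds fund-B elsewhere"})
    led.append("ACCT-001", "2024-04-02T10:15:00Z", "model-v2", {"risk": "moderate"}, "fund-A", "rebalance")
    return led
```

Editing or deleting any stored entry makes `verify()` return the index where the chain first breaks. Removing only the newest entries leaves a valid shorter chain, so the latest hash also has to be recorded somewhere the log writer cannot alter.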
Algorithm Change Management Requirements
FINRA Regulatory Notices 15-09 and 21-20 require documented change management for algorithm and model updates. Required elements: pre-deployment testing documentation for all model changes including LLM API provider version updates, principal approval workflow for material changes (with "material" defined in WSPs), behavioral baseline comparison quantifying the scope of behavioral change, rollback procedures enabling reversion to prior model versions, and a change log as a books-and-records obligation. Foundation model API version updates present a specific risk: providers may release behavioral changes without advance notice. FINRA-compliant AI programs must include procedures for detecting unannounced model updates through behavioral monitoring and triggering the change management process.