
SERC’ling Up is your resource for staying ahead in today’s fast-evolving financial landscape. This newsletter delivers perspectives on the latest enforcement trends, regulatory updates and high-stakes developments affecting broker-dealers, investment advisers, financial institutions and corporate clients. Drawing on the firm’s blend of government and industry experience, SERC’ling Up provides actionable intelligence to help clients anticipate risks, respond effectively to scrutiny and remain resilient in a shifting regulatory environment.
FINRA’s 2026 Annual Regulatory Oversight Report provides updated observations drawn from FINRA’s regulatory operations programs. This year, in addition to perennial topics (e.g., Reg BI and Net Capital), FINRA introduced a new section on GenAI and highlighted overlapping cybersecurity and cyber-related fraud concerns.
While the report does not establish new legal or regulatory obligations, member firms are encouraged to review it closely and assess whether its findings and effective practices warrant updates to their own supervisory frameworks. FINRA is expected to prioritize examination of how firms are managing these areas throughout 2026.
New Topic for 2026: GenAI
FINRA observed several member use cases for GenAI, including the most common, “summarization and information extraction” from large volumes of data. The Report advises firms using GenAI tools to consider how to identify and mitigate risks (e.g., hallucinations and bias) and urges them to tailor controls and supervisory programs for GenAI usage. For example, FINRA suggests that firms conduct robust testing of their GenAI tools (including AI agents) to identify privacy, integrity, reliability, and accuracy issues, and perform ongoing monitoring, using output logs and GenAI model tracking, to ensure GenAI tools perform as expected.
FINRA also notes that firms should ensure their supervision and governance practices cover use cases, model risks, fair and balanced customer communications, vendor diligence, capture of AI-enabled communications within firm books and records, and technology change management.
Other Noteworthy Topics
While the 2026 Report is largely consistent with the 2025 Report, several priorities are refined or expanded in response to recent developments.
Cybersecurity and Cyber-Enabled Fraud
Cybersecurity and cyber fraud remain a central focus, with FINRA reciting a laundry list of threats targeting member firms and their customers — many of which are further enabled by GenAI. Of note are new account fraud and account takeover threats in which fraudsters use GenAI tools to circumvent identification verification processes — e.g., the use of voice clones, fake ID documents and social media mining to personalize phishing emails. Some suggested practices include reminding customers to periodically change passwords, training employees to be alert for suspicious repetitive patterns of behavior in the opening of multiple accounts, applying additional verification or authentication when anomalies are detected in customer login attempts, and encouraging cyber and information technology staff to coordinate with anti-money laundering (AML) staff on cybersecurity concerns and to report suspicious activity.
FINRA also reminds firms of the SEC’s Regulation S‑P amendments (e.g., mandatory breach response and customer notifications) and reiterates expectations under Regulation S‑ID and FINRA Rules 3110 and 4370.
As a component of the FINRA Forward initiative, FINRA also launched the Cyber & Operational Resilience (CORE) program, which identifies, assesses, and shares cyber and technology risk intelligence (e.g., vendor-related threats or systemic tech failures) directly with potentially impacted firms, delivering insights and mitigation tactics.
AML and Market Manipulation
With respect to AML issues, FINRA continues to cite failures to detect, investigate, escalate and report suspicious activity and urges proactive use of Rule 2165 (to place temporary holds on transactions/disbursements when there is a reasonable belief of customer exploitation) and trusted contacts for vulnerable clients.
Surveillance gaps related to manipulative trading continue to attract FINRA’s attention, particularly under-tuned alerts, limited cross-product or cross-customer reviews, and weak documentation. The 2026 Report identifies a rise in small-cap pump-and-dump schemes (including use of nominee accounts, account-takeover purchases and social-media recruitment) involving exchange-listed equities, broadening the 2025 focus on microcap and IPO-related pump-and-dump activity. FINRA also reports that in October 2025, it initiated a targeted examination of firm practices regarding public and private offerings of small-cap exchange-listed issuers with business operations in foreign jurisdictions.
With the noted increases in small-cap manipulation, the 2026 Report emphasizes that firms should consider enhancing cross‑product and cross‑customer manipulation surveillances, with particular attention to small‑cap equities and coordinated social‑media promotion patterns.
Third-Party Risk Management
A new topic in 2025, third-party risk management, returns in the 2026 Report. This year, FINRA stresses that firms must maintain a reasonably designed supervisory system covering all outsourced activities to comply with key obligations under FINRA Rules 1220 (Registration), 3110 (Supervision), 4370 (Business Continuity Plan) and SEC Regulation S-P.
With a rise in cyberattacks and operational outages at third-party vendors, FINRA warns that a single incident at a critical service provider can affect large segments of the industry. To mitigate this risk, firms should conduct initial and ongoing due diligence of vendors supporting mission-critical systems (including those using or integrating GenAI tools), maintain detailed inventories of vendor services, systems and the firm data they access, and ensure that contracts contain robust data-protection, confidentiality and GenAI-related restrictions.
FINRA also expects firms to implement comprehensive vendor-risk management policies, assess the impact of potential outages, monitor for vulnerabilities or breaches, involve vendors in incident-response testing, manage data-return or destruction at contract termination, revoke access promptly when relationships end and evaluate any fourth-party risks associated with downstream providers.
Outside Business Activities and Private Securities Transactions
FINRA highlights Regulatory Notice 25-05, which sought comments on a proposal to streamline FINRA Rules 3270 and 3280 into a new Rule 3290 to reduce burdens related to associated persons’ outside activities and private securities transactions. In July 2025, the Board of Governors approved the proposal for SEC submission. Until SEC adoption, legacy requirements remain in force.
Crypto Assets: Regulatory Developments and Communications Controls
The 2026 Report catalogs 2025 regulatory developments, including the GENIUS Act on stablecoins, several SEC Divisions’ staff statements and FAQs, and the withdrawal of the 2019 custody staff statement, each with implications for custody, financial responsibility treatment, disclosures and product governance. FINRA notes that it is actively monitoring and responding to market, legislative and policy developments in this rapidly evolving area.
Communications and Sales: Reg BI and Form CRS
FINRA’s 2026 themes on communications and Reg BI are consistent with 2025 but with sharpened emphasis on influencer supervision and recordkeeping, including a review of influencers’ static content and retention of influencer posts made on a firm’s behalf, and retention of GenAI chatbot communications.
Further, FINRA reminds firms to review mobile app disclosures, nudges and push notifications for complex products, margin, options and crypto. FINRA noticed an increase in Regulation Best Interest care, conflicts, disclosure and compliance failures, with particular scrutiny around complex products, rollover and account‑type recommendations, and annuity exchanges.
Consolidated Audit Trail (CAT) and Customer and Account Information System (CAIS)
The 2026 Report flags CAIS exemptive relief and a proposed amendment to eliminate certain personally identifiable fields for natural persons and legal entities. If approved, the CAIS Amendment would eliminate requirements to report customer names, customer addresses and years of birth for natural persons with transformed SSNs or ITINs, natural persons without transformed SSNs or ITINs, and legal entities.
The 2026 Report reiterates the past year’s findings on CAT reporting supervision, including a completeness and accuracy review, T+3 error repair, clock synchronization and supervisory controls.
Extended Hours Trading
FINRA recommends establishing reasonably designed supervisory processes tailored to overnight trading such as venue-specific overnight price bands to comply with best execution obligations and manipulative trading monitoring for activity designed to set or trade outside those bands.
Net Capital and Annual Reporting
FINRA reminds members that it recently published Regulatory Notice 25-12 (FINRA Announces Update of the Interpretations of Financial and Operational Rules) and flags 2025 rule developments, including EDGAR submission mandates for annual reports, segment reporting disclosures (ASC 280) and XBRL implementation timelines. The Report also highlights the SEC staff’s cryptocurrency FAQs (e.g., haircut treatment) and recaps frequent net capital computation, classification and accrual errors, emphasizing FINOP oversight and involvement in complex transactions.
For questions about this alert, contact the authors or your McGuireWoods contact.
McGuireWoods’ Securities Enforcement & Regulatory Counseling (SERC) Practice Group is a national leader in securities enforcement defense and broker-dealer and investment adviser regulatory counseling. Anchored by former SEC and FINRA attorneys from enforcement and trading and markets as well as prominent federal prosecutors, the team manages complex securities investigations at every stage — from informal inquiries and routine exams through investigations, litigation and appeals — all while staying at the forefront of developing issues confronting the securities industry.
Contacts
John V. Ayanian
Elizabeth J. Hogan
Todd M. Beaton Jr.
Jackie A. Wells
E. Andrew Southerling
Nellie E. Hestin
David L. Hirsch
Cassie N. Gallo
Chelsea Smith Press