The Financial Industry Regulatory Authority (FINRA) released its Annual Regulatory Oversight Report earlier this week and is shining a light on the rapidly growing and evolving use of Artificial Intelligence (AI) technology by broker-dealers, and the potentially far-reaching impacts of that use on the financial industry's regulatory landscape. In FINRA's own words, "[t]he use of AI tools could implicate virtually every aspect of a member firm's regulatory obligations."
FINRA's laundry list of key focus areas for potential regulatory implications includes, of particular note, model risk management (including testing, data integrity and governance, and explainability), customer information protection, and third-party vendor management and supervision—all of which were previously identified as areas presenting key challenges and regulatory considerations in FINRA's June 2020 Report on AI in the securities industry. These areas were also of primary focus in the National Institute of Standards and Technology's (NIST) development of its Artificial Intelligence Risk Management Framework, which the FINRA Report includes as a resource for member firms to consider before integrating AI technology into their broker-dealer operations.
FINRA's commentary on the emerging risks associated with expanded use of AI technology aptly notes that the development of AI-based business tools "has been marked by concerns about accuracy, privacy, bias, and intellectual property." It's no surprise then that adequate data management infrastructure and customer information protection protocols are at the core of the best practices frameworks being developed by entities such as NIST.
These focus areas identified by the FINRA report are not unique to the securities industry—businesses across a wide swath of industries have piloted or rolled out AI-based programs or services, prompting regulating authorities across the board to take a closer look at the infrastructural safeguards in place in those businesses. One notable example is the Federal Trade Commission's (FTC) recent complaint against Rite-Aid, filed by in mid-December 2023, which alleges that the company's years-long, allegedly surreptitious use of facial recognition technology on its customers was marked by egregious failures in data testing and governance as well as lackluster diligence efforts to select and monitor its third-party tech vendors. According to the FTC, these deficiencies amounted to unfair business practices warranting sanctions against Rite-Aid and permanent injunctive relief requiring Rite-Aid to develop "reasonable procedures" to prevent harm to its consumers by its use of AI technologies.
As AI technology continues to develop and present new ways to expand and improve business capabilities and offerings, companies seeking to deploy nascent technology should take heed of FINRA's and the FTC's increasing scrutiny of the regulatory implications of its use. The message is clear: to better ensure a company's compliance with current regulatory requirements, it is critical to develop, maintain, and review comprehensive data testing, monitoring, and governance protocols and thorough third-party vendor selection and oversight frameworks.
The FINRA 2024 Regulatory Oversight Report concludes its discussion on the emerging risk of AI with an astute reminder to member firms that the regulatory landscape with respect to AI technology use is liable—and likely—to adapt as the area continues to develop. The likelihood that FINRA will propose new regulations in the near future with an eye towards managing broker-dealers' increasing use of AI technologies makes it all the more important that member firms develop good hygiene habits now with respect to their data management and vendor selection processes.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.