Long before the advent of artificial intelligence (“AI”), U.S. broker-dealers and SEC-registered investment advisers (“RIAs”) deployed automated tools to facilitate communications with customers, assist with portfolio management, and support their operational functions, among other use cases. Broker-dealers employ virtual assistants to provide responses to basic customer inquiries, such as portfolio holdings, accounts balances, and market data,1 and to develop investment strategies, including analyzing the success of specific features and marketing practices at influencing retail investor behavior.2 RIAs use automated tools to supplement aspects of their advisory relationships with clients, including through the use of robo-advisers, to provide investors with computer-generated advice delivered through an application. Now they can do all that and more, using AI and machine-learning-based models to inform their investment decisions.3
Unsurprisingly, the use of AI in the securities industry has drawn attention from its regulators,4 including the Financial Industry Regulatory Authority, Inc. (“FINRA”), an independent self-regulatory organization and principal regulator of U.S. broker-dealers, the U.S. Securities and Exchange Commission (“SEC”), which has supervisory jurisdiction over broker-dealers and RIAs.5 While these regulators are still developing their approach toward AI, they have already set forth sufficient guidance that financial firms must take note. FINRA has published multiple reports on the topic, while the SEC has proposed a comprehensive set of new rules (“Proposed SEC Rules”) while simultaneously applying existing rules to perceived misuses of AI.
Broker-dealers and RIAs continue to allocate significant resources to the development and use of AI applications to create new products, increase revenues, maximize economic efficiencies, and improve the overall customer experience. As firms' use of AI increases, so does the risk of regulatory scrutiny. For this reason, when evaluating and adopting AI applications into their operations, it is important for firms to see it through the lens of the regulator, taking into consideration the principles set forth in current regulatory guidance, including conflicts of interests, data governance, customer privacy, recordkeeping, disclosure obligations, and supervisory control systems, with the goal of investor protection. In this regard, the following (1) summarizes FINRA's guidance with respect to broker-dealers' use of AI, (2) provides an overview of the SEC's regulatory posture with respect to AI, and (3) sets forth certain legal and compliance considerations given the current regulatory environment.
FINRA'S CURRENT REGULATORY FRAMEWORK
In 2020, FINRA published a report, “Artificial Intelligence (“AI”) in the Securities Industry” (the “2020 FINRA Report”)6 that provides a comprehensive roadmap for member firms to consider when integrating AI into their existing supervisory and compliance programs. In particular, it highlights key compliance considerations for member firms' use of AI, which include: (1) updating the firms' model risk management programs to account for the use of AI, which correspond with the requirements set forth under FINRA Rule 3110 (Supervision);7 (2) identifying and either reducing or eliminating data bias, which falls under FINRA Rule 2010 (Standards of Commercial Honor and Principles of Trade), “to observe high standards of commercial honor and just and equitable principles of trade;”8 (3) ensuring the protection of financial and personal customer information, noting that this is a “key responsibility and obligation of FINRA member firms,”9 which corresponds with firms' obligations to comply with SEC Regulation S-P (Privacy of Consumer Financial Information and Safeguarding Personal Information)10 and Regulation S-ID (Identity Theft Red Flags);11 (4) the application of Reg BI and FINRA Rule 2111 (Suitability)12 to recommendations generated by AI tools to retail investors and retail customers; and (5) increased cybersecurity risks associated with information firms take from new sources and related requirements set forth under FINRA guidance.13 FINRA has also advised that member firms are responsible for the content of communications created using AI, including the applicable content standards in FINRA Rules 2210 (Communications with the Public)14 and 2220 (Options Communications),15 (and for funding portals, Rule 200(c) (Funding Portal Conduct)), 16 which generally require that communications be fair and balanced and prohibit the inclusion of false, misleading, promissory, or exaggerated statements or claims.
In its 2024 FINRA Annual Regulatory Oversight Report (the “2024 FINRA Report”), FINRA highlighted AI, including generative AI, as an emerging compliance risk for broker-dealers, and advised that broker-dealers should be mindful of how these technologies may implicate their existing regulatory obligations.17 In particular, FINRA stated that the use of AI could implicate most aspects of a firm's regulatory obligations, including anti-money laundering, books and records, business continuity, customer protection, cybersecurity, model risk management, research, SEC Regulation Best Interest (“Reg BI”)18 and supervision.19 Given the breadth of the scope of AI, regulatory compliance and customer protection would require the input from a team representing a broad variety of compliance specialties to update a firm's compliance program and corresponding internal controls.20
THE SEC'S EFFORTS
To date, the SEC has proposed rules intended to address potential conflicts of interest introduced by AI,21 settled two enforcement actions against RIAs for alleged AI washing,22 and senior members of SEC Staff have issued statements and provided remarks that discuss the potential risks to customers associated with firms' use of AI, each of which are described below.
Overview of Proposed SEC Rules
In his testimony before the U.S. Senate Subcommittee on Financial Services and General Government on June 13, 2024, Gary Gensler, Chair of the SEC, stated that, given the “robust” feedback the SEC has received in response to the Proposed SEC Rules, SEC Staff may “reopen or repropose” the Proposed SEC Rules altogether.23 Notwithstanding this statement, some of the principles articulated in the Proposed SEC Rules could still serve as a basis for potential SEC enforcement or a new SEC rule, including identifying and mitigating conflicts of interests, establishing effective policies and procedures governing the firms' development and use of AI, and maintaining books and records evidencing the same.
According to the SEC, the Proposed SEC Rules are aimed at addressing conflicts of interest that may arise in connection with RIAs' or broker-dealers' use of predictive data analytics and similar technology, which would result in placing the firms' interests ahead of investors' interests.24 Specifically, the Proposed SEC Rules are intended to address technologies that are designed (either intentionally or unintentionally) to consider firm-favorable information in a manner that outweighs investor interests. For example, an RIA that uses a model with an algorithm that only generates investment recommendations that would also satisfy a minimum amount of fees for the RIA would be viewed as a conflict of interest. The Proposed SEC Rules would also amend rules under the Exchange Act and the Investment Advisers Act of 1940, as amended (“Advisers Act”) that would require firms to make and maintain certain records that, according to the SEC, would facilitate the Staff's examination and enforcement capabilities.
The Proposed SEC Rules generally require brokerdealers and RIAs to “eliminate or neutralize” the effect of conflicts of interest associated with its use of a “covered technology” in “investor interactions” that place the firm's or its associated person's interest ahead of “investors” interests.25 Firms would be required to have written policies and procedures reasonably designed to prevent violations of, in the case of RIAs, or achieve compliance with, in the case of broker-dealers, the Proposed SEC Rules. Included in the policies and procedures would be written descriptions of the process for evaluating any use or potential use of a covered technology in any investor interaction and a written description of the process of determining how to eliminate or neutralize the effect of any conflicts of interest identified under the Proposed SEC Rules. Firms also would need to maintain books and records demonstrating compliance with the requirements of the Proposed SEC Rules.26 Concern for the compliance challenges faced by broker-dealers and RIAs under the Proposed SEC Rules are amply demonstrated by the comments the SEC received from market participants. Such comments highlight some of the provisions that the SEC will most likely modify when it revisits the rules as they are currently drafted.
Commenters on the Proposed SEC Rules have asserted that there is already a robust standard for addressing similar conflicts generally under Reg BI for broker-dealers — highlighting the discrepancies between “conflict of interest” as defined under Reg BI and the Proposed SEC Rules, which leads to implementation challenges for firms subject to both standards.27
Commenters have agreed that conflicts of interest that arise from RIA's use of a covered technology, that is determined to place the RIA's interest ahead of a client's, must be neutralized.28 However, they note that the Proposed SEC Rules would constitute a departure from the SEC's prior position on dealing with conflicts of interest, which has historically permitted an RIA's conflicts to be addressed through disclosure and informed consent. Elimination or neutralization of a conflict of interest is far more difficult than disclosure and consent.29
A primary criticism of the Proposed SEC Rules is the scope of the definitions. For example, commenters found the definition of “covered technology” 30 to be overly broad and would include technologies and applications used in the day-to-day operations that are not generally associated with emerging technologies or predictive data analytics. 31 Moreover, given the potential tools and technologies that may fall within the definition of “covered technologies,” 32 firms would likely need to identify all client-facing technologies and programs to evaluate whether any conflicts of interest are present. This process is likely to complicate the offering of existing tools offered to customers and may be costly for firms. Further, firms with less resources may also be forced to use external consultants and compliance experts to assess their compliance programs.
In addition, the SEC Proposed Rules broadly define “investor interaction” to include: “engaging or communicating with an investor, including by exercising discretion with respect to an investor's account; providing information to an investor; or soliciting an investor. However, the term does not apply to interactions solely for purposes of meeting legal or regulatory obligations or providing clerical, ministerial, or general administrative support.” 33 Unlike Reg BI, which applies when a firm makes a recommendation in securities or an investment strategy involving securities to a retail customer, “investor interaction” as currently defined in the SEC Proposed Rules, applies to any activity by a broker-dealer or RIA that involves an investor, not just a recommendation. According to the SEC, the term is not intended to capture communications that qualify as recommendations, but that have the effect of “guiding or directing investors to take an investmentrelated action.”34
Further, the proposed definition of “investor” varies for broker-dealers and investment advisers. For brokerdealers, “investor” includes “a natural person, or the legal representative of such natural person, who seeks to receive or receives services primarily for personal, family, or household purposes.” 35 The definition of “investor” for investment advisers, however, would include “a client or prospective client, and any current or prospective investor in a pooled investment vehicle advised by the investment adviser.” 36 The differing definitions would particularly affect firms that are dually-registered as broker-dealers and RIAs. Indeed, to the extent that the same covered technology is used by a firm both in its capacity as a broker-dealer and an RIA, such covered technology would be subject to the Proposed SEC Rules. On the other hand, a firm that is solely registered as a broker-dealer might be able to exclude certain technologies from the requirements of the Proposed SEC Rules on the basis that such technology is exclusively used for institutional investor interactions. Furthermore, dually-registered firms would need to be aware of the new recordkeeping requirements under both the Exchange Act and Advisers Act.
To view the full article click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.