How Regulatory Enforcement Is Shaping AI Compliance on Wall Street

Sarah Razaq Sallis, Matti Mortimore, Keilan Kabalaoui

June 30, 2026

Artificial intelligence is reshaping financial services, from algorithmic trading and portfolio optimization to customer onboarding, compliance surveillance and investment advice generation. Broker-dealers and investment advisers have deployed AI and machine-learning tools across virtually every function of their businesses.

But as Wall Street races to adopt AI, federal securities regulators have stepped up enforcement actions. The U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) have both been explicit that existing legal obligations, including anti-fraud provisions, fiduciary duty, supervision rules, books and records requirements, and marketing rules, apply to AI-enabled conduct with no regulatory grace period for novel technology. The SEC has issued significant enforcement orders directly implicating AI and algorithmic systems, FINRA has charged supervision and AML failures in matters where automated tools were central to the underlying violation, and both agencies have made generative AI a standing examination priority.

By examining the emerging regulatory enforcement landscape, financial services firms can better understand what actions they can take to avoid becoming the next AI enforcement headline.

The Enforcement Landscape

The starting point for understanding AI regulation in the securities industry is to recognize that regulators have not created a new framework for AI—instead, they are applying the existing one and, more importantly, they are enforcing it.

FINRA’s rules are technologically neutral. Existing obligations around supervision, communications, recordkeeping and fair dealing apply to AI just as they apply to any other tool or technology. A firm cannot point to the novelty of an AI system as an explanation for why established compliance obligations do not apply. The regulatory framework is not new. What is new is the extent to which firms are deploying AI in ways that test whether their compliance infrastructure has kept pace.

Key cases concerning AI washing, governance failures, and supervision and controls in an automated environment highlight areas where regulatory exposure is greatest:

AI Washing: In re Delphia (USA) Inc.

According to an SEC order, from August 2019 to August 2023, investment advisory firm Delphia allegedly represented in regulatory filings, advertisements and on social media that it used AI and machine learning to analyze clients’ spending and social media data to inform its investment advice when, in fact, no such data was ever used. During an SEC examination in July 2021, Delphia admitted as much and agreed to correct the false statements. Yet the order alleged that the materially misleading representations continued through August 2023. The order further alleged that the firm also lacked adequate policies and procedures governing advertising accuracy and had no social media review process at all. The order found willful violations of multiple sections of the Advisers Act and the Marketing Rule. Delphia was censured and ordered to pay a $225,000 civil penalty.

The case demonstrates that every AI claim in a mandatory disclosure document to the SEC, website, press release or social media communication is a legal representation subject to the anti-fraud provisions of the Investment Advisers Act. The SEC enforcement staff will treat the gap between AI claims and reality as fraud.

Algorithmic Governance Failures: In re Two Sigma Investments, LP and Two Sigma Advisers, LP

An SEC order alleged that beginning in March 2019, Two Sigma identified that numerous personnel had unfettered read and write access to a database storing live-trading model parameters, allowing unauthorized changes without review or approval, and failed to remediate the vulnerability for years despite employee warnings. Between November 2021 and August 2023, it is alleged that a modeler exploited this access to make unauthorized changes to 14 live-trading models, causing certain funds to overperform by more than $400 million and others to underperform by approximately $165 million. Two Sigma voluntarily repaid approximately $165 million to affected funds.

The order also alleged that Two Sigma’s separation agreements required departing employees to represent they had not filed a governmental complaint in order to receive post-separation payments, thus violating Rule 21F-17(a)’s prohibition on impeding whistleblower communications. Nearly 300 employees signed these agreements. The order found multiple willful violations of the Advisers Act and other rules. Both parties were ordered to pay a $45 million civil penalty.

The lesson for firms is that known vulnerabilities in algorithmic systems must be remediated. Fiduciary duty applies to AI governance. Firms should also review employment agreements for any provisions that could chill SEC communications.

Model Validation Failure: In re Brex Treasury LLC

Brex Treasury deployed a machine-learning model to screen account applications, assigning a score to prospective accounts to determine how to evaluate fraud check results. However, FINRA’s acceptance, waiver and consent (AWC) letter alleged that the firm had initially developed the model using data from its historical customer base of venture-backed and middle-market companies and then attempted to apply it to a wider population that included small business customers, all without reasonable policies and procedures governing the design, testing and validation of the model.

As a result, the AWC alleged that the firm automatically approved accounts despite significant fraud red flags, including one account that had been flagged for potential manipulation. The AWC further alleged that from 2020 through 2021, Brex Treasury approved hundreds of potentially fraudulent accounts that attempted over $15 million of transactions using deposited funds that failed to settle.

The firm was found to have violated two FINRA rules and Brex Treasury consented to the imposition of a censure and a $900,000 fine.

The case highlights that a machine learning model trained on one population cannot be extended to a materially different population without rigorous testing and validation. FINRA enforcement will pursue the firm—not the vendor—for failing to govern third-party AI tools.

Algorithmic Error and Unregistered Oversight: In re Interactive Brokers LLC

A FINRA AWC alleged that Interactive Brokers updated a securities-lending algorithm in a way that caused the firm to rely on anticipated loan return activity that did not materialize, inadvertently creating or increasing segregation deficits in affected securities on more than 800 occasions, totaling approximately $30 million during the relevant period.

The AWC also alleged that the firm’s written supervisory procedures failed to address how to identify or resolve deficits caused by early returns, and the firm lacked a system to detect issues causing those deficits. Critically, an unregistered person led and oversaw software development for the firm’s securities finance business—supervising a team of approximately 20 unregistered individuals—and devised and approved updates to the algorithm without direct involvement by any registered person. Interactive Brokers consented to a censure and a $475,000 fine.

The key takeaway here is that where an algorithm performs functions requiring registered oversight, registered persons must be involved in its design, modification and approval. Written supervisory procedures must address how algorithmic errors are identified and resolved.

The Explainability and Governance Challenge

A common thread running through the case examples cited is the visibility gap that often exists between what an AI system is doing and what compliance can see, test and explain. Some machine-learning models are described as “black boxes” because it may be difficult or impossible to explain how they generate predictions or outcomes. This is a particular concern in applications with autonomous decision-making features. These challenges are compounded in regulated contexts by hallucinations, where a model generates inaccurate information presented as fact, and bias, where outputs are skewed by limited or unrepresentative training data.

For companies using third-party vendors, outsourcing does not transfer regulatory responsibility. Firms are reminded that outsourcing an activity or function to a third party does not relieve them of their ultimate responsibility for compliance with all applicable securities laws, regulations and FINRA rules. Firms should conduct initial and ongoing due diligence on third-party vendors, assess how vendor products use AI, and ensure contracts include appropriate protections against misuse of firm or customer data.

AI agents—systems capable of autonomously planning, deciding and acting to complete tasks without predefined rules—present a distinct layer of supervisory complexity. FINRA has identified key risks including unchecked autonomy, scope creep, auditability challenges and data sensitivity concerns. Firms deploying agents should establish clear guardrails, human-in-the-loop oversight protocols and access controls from the outset.

Additionally, FINRA’s 2026 Annual Regulatory Oversight Report now includes a dedicated section on generative AI. This is a strong signal that AI compliance is now a standing regulatory priority, not an emerging one.

Among the use cases FINRA has observed, firms have started to implement generative AI solutions with a focus on efficiency gains, particularly with respect to internal processes and information retrieval, with the top generative AI use case being summarization and information extraction. Even these seemingly internal use cases carry serious regulatory implications.

Generative AI-enabled fraud involves threat actors exploiting the technology to generate fake content, imposter sites, false identification documents, deepfake audio and video, and polymorphic malware. Fraudsters are using generative AI to gain access to financial accounts and create new accounts in the names of unsuspecting investors. Firms’ AI governance must account for AI being used against them, not only by them.

Improving AI Governance

Firms should not wait for an examination or enforcement action to discover whether their compliance structures are keeping pace with their AI use. Ironically, the firms that fare best in examinations and enforcement actions are rarely the most technologically sophisticated. They are, however, the ones that identified the compliance questions early and built the proper infrastructure to answer them. A proactive review should address, at minimum, the following actions:

  1. Maintain an AI inventory: Keep a current inventory of all AI tools in use. This includes their functions, data inputs, decisions they inform and regulatory obligations they touch. Firms should be updating the inventory whenever tools are deployed, modified or applied to new customer populations.
  2. Treat every AI claim as a legal representation: Every statement a firm makes about its AI, whether in filings, marketing, client communications or social media, is subject to anti-fraud standards. Firms must implement a clear review and approval process for all AI-related representations.
  3. Build AI governance into written supervisory procedures (WSP): WSPs should address model design, testing, validation, access controls, change approval and error resolution for all AI systems used in regulated functions.
  4. Conduct genuine vendor due diligence: Firms should be proactively assessing how vendor AI tools are built and trained, reviewing contractual protections, and validating that tools are appropriate for the firm’s regulatory obligations and customer population before deployment.
  5. Ensure registered oversight of algorithmic functions: Where an algorithm performs a function requiring registered oversight, registered persons should be involved in its design, modification and approval. Auditing who, registered or not, has authority over regulated algorithmic systems is critical.
  6. Address recordkeeping obligations: AI tools may generate new categories of records. Firms should confirm that AI-related records, including chatbot communications, prompt logs and model outputs, are captured and retained in compliance with applicable rules.
  7. Review cybersecurity and privacy controls: Firms should assess whether cybersecurity programs address AI-specific risks, both as the firm deploys AI and as threat actors exploit AI against the firm and its customers.
  8. Review employment agreements for whistleblower compliance: Firms should confirm that no provision in separation agreements, NDAs or other employment documents could impede employees from communicating with the SEC.

The Compliance Imperative

The recent enforcement record makes clear that the law has not paused for AI technology to mature. The SEC has issued significant AI-related enforcement orders, FINRA has charged supervision and AML failures in cases where algorithmic tools were central, and the 2026 Annual Regulatory Oversight Report treats generative AI as a current supervisory priority.

The lesson across every case is that these were not technology failures—they were governance failures. The risk is not the technology, but rather the absence of governance long required under existing law. As AI becomes embedded across Wall Street, compliance must evolve in step. Firms that fail to do so risk becoming the next target for regulatory enforcement action.

Sarah Razaq Sallis is a partner at Husch Blackwell and the co-leader of the firm's securities and commodities regulatory and enforcement group.
Matti Mortimore is an associate with Husch Blackwell's virtual office, The Link.
Keilan Kabalaoui is an associate with Husch Blackwell.