PODCAST
Navigating the 2026 Regulatory Oversight Report: Key Insights from FINRA Leadership
The Annual Regulatory Oversight Report is one of FINRA’s most valued resources for member firms—and this year, we're publishing it earlier than ever in response to member feedback. The 2026 Report features insights on cyber-enabled fraud, senior investor protection, generative AI, and much more. It also reflects our FINRA Forward commitment to empowering member firm compliance by sharing intelligence from across our Regulatory Operations.
This episode features four FINRA leaders: Ornella Bergeron, Senior Vice President, Risk Monitoring, and Acting Head of Member Supervision; Bill St. Louis, Executive Vice President and Head of Enforcement; Feral Talib, Executive Vice President and Head of Market Oversight; and Bryan Smith, Senior Vice President and Acting Head of Strategic Intelligence. They discuss takeaways from the report, and how firms can leverage its effective practices and research to strengthen their compliance programs.
Resources mentioned in this episode:
2026 Regulatory Oversight Report
FINRA Crypto and Blockchain Education Program
Blog Post: FINRA Forward’s Rule Modernization—An Update
Blog Post: Vendors, Intelligence Sharing and FINRA’s Mission
Blog Post: FINRA Forward Initiatives to Support Members, Markets and the Investors They Serve
SEC Regulation Best Interest (Reg BI)
5310. Best Execution and Interpositioning
Ep. 168: Investing Wisely in 2025: Avoiding Scams and Achieving Your Financial Goals
Ep. 173: Vendor Vigilance: Navigating Third-Party Risk
Ep. 177: Previewing FINRA’s Crypto and Blockchain Education Program
Ep. 180: Building Cybersecurity Resilience Through FINRA Forward
Listen and subscribe to our podcast on Apple Podcasts, Google Podcasts, Spotify, YouTube or wherever you listen to your podcasts. Below is a transcript of the episode. Transcripts are generated using a combination of speech recognition software and human editors and may contain errors. Please check the corresponding audio before quoting in print.
FULL TRANSCRIPT
00:00 – 00:58
Margherita Beale: The Annual Regulatory Oversight Report is one of FINRA’s most anticipated and valued resources for member firms—and this year, we're publishing it earlier than ever in response to member feedback. The 2026 Report features insights on cyber-enabled fraud, senior investor protection, generative AI, and much more. It also reflects our FINRA Forward commitment to empowering member firm compliance by sharing intelligence from across our Regulatory Operations.
I'm Margherita Beale and in this special episode of FINRA Unscripted, we're joined by FINRA regulatory operations leaders to discuss what's in this year's report and how you can use these insights to strengthen your compliance programs. Here to lead the discussion is Bryan Smith, FINRA Senior Vice President and Acting Head of Strategic Intelligence. Bryan, over to you.
00:59 – 02:43
Bryan Smith: Thank you, Margherita. Welcome to the FINRA 2026 Regulatory Oversight Report podcast, where we will be discussing the newly released Regulatory Report and will provide some in-depth insight from individuals whose teams provide the content for that report. But before we get started, I think it is important to talk about why we create this report and why we feel it is a helpful resource for our member firms.
First, it provides transparency as to what FINRA is seeing and common regulatory findings this past year. But, and perhaps more importantly, it also provides insight and intelligence from across the industry, so that member firms can better understand the risks and threats those firms may be facing, thus enabling firms to implement more effective controls.
It also demonstrates the value of FINRA's ability to aggregate information across the industry, and the release, and the earlier nature of it are in line with our FINRA Forward initiative, with a major tenet being the empowering of member firm compliance. This is a part of those efforts, and today we'll hear about some of the other actions FINRA is taking to support you and your firm in addressing the identified risks and threats.
And so, as we get started today, I'd like to introduce our panel, whose members are the ones who are contributing to this report and whose work is then reflected in its pages. So, you know, my name is Bryan Smith, and I'm a senior vice president here at FINRA, and I currently oversee our strategic intelligence group. Prior to that, I served for the last two years over the complex investigations group within national cause and financial crimes. And prior to that, I served for 21 years at the FBI overseeing most recently their cybercriminal operations. Happy to be here today with such a distinguished panel. And now I'll turn it over to Ornella.
02:44 – 04:40
Ornella Bergeron: Thank you, Bryan. It’s so wonderful to be here today. So, I'm Ornella Bergeron, and I currently serve as the acting head of Member Supervision. And I'm also the senior vice president over the risk monitoring program.
So, a little about Member Supervision. We execute our regulatory responsibilities across multiple programs, including the examinations program, the risk monitoring program, the membership application program, which is now also part of risk monitoring, and the National Cause and Financial Crimes Detection programs that houses our investigation teams, as well as some of our very technical specialty teams. And we also have an intelligence function, which is our newest function that is led by you, Bryan. And together, these programs execute our regulatory responsibilities. And so as far as the risk monitoring program, I mentioned, I also lead the risk monitoring program, that is the primary point of contact for member firms. Risk monitoring has numerous regulatory touch points with our membership. They're responsible for evaluating risk for each of our member firms, which enables us to implement a risk-based program that effectively focuses our resources and our regulatory responses.
So, I've been with FINRA over 35 years. So, my entire career, I started at the New York Stock Exchange's division of member firm regulation as an examiner. And I became part of FINRA at its inception back in 2007. Previous to my current roles, I was a unit leader in the Risk, Oversight and Operational Regulation group of Member Supervision, responsible for the regulatory supervision and examinations of our largest member firms. I also held various other roles, risk monitoring leadership roles, management analyst, and examiner positions here at FINRA.
04:40 – 04:48
Bryan Smith: So, there's a lot that's in there, that purview and then a lot of experience there. But that's not the only things that we have within regulatory operations. Feral, why don’t you talk about yourself and your team.
04:41 – 05:40
Feral Talib: Thanks, Bryan. I'm Feral Talib and I head up the market oversight division at FINRA. We primarily oversee the surveillance and investigations into market activity and market events across the U.S. We have over 3,300 securities firms in our remit and 624,000-plus registered reps transacting in 26 exchanges that file into our surveillance, our proprietary surveillance systems, creating alerts for us to review. The collective activity, on average, is a little below a trillion market events a day that we filter through. We'll review surveillance alerts and conduct investigations, and we will refer the results to the SEC, to a variety of law enforcement agencies all the way up to our enforcement division for further action, as appropriate.
I've been in the industry about 30 years. A majority of it spent on the private side. I have been with FINRA about two years.
05:41 – 05:45
Bryan Smith: Thank you. And the last part of the regulatory operations, but certainly not the least, Bill, you want to talk about your team?
05:45 – 06:31
Bill St. Louis: Thank you, Bryan. I'm Bill St. Louis, and I lead FINRA's Enforcement Department. Prior to leading the Enforcement Department, I had a series of senior roles in enforcement and in member supervision. The member supervision roles included district director, regional director, co-leader of risk monitoring, leader of the National Cause and Financial Crimes section in Member Supervision, and I also had oversight over the Membership Application Program.
In Enforcement, we receive referrals from member supervision and market oversight, and we collaborate very well with our colleagues in those departments. Our main focus really is on bringing disciplinary action when it's appropriate, and we try to get that right, and we all work together to ensure that we bring those cases that should be brought.
06:32 – 06:51
Bryan Smith: Thank you. Now, this year's report is out a little bit earlier than usual. And then it also contains some information that we've produced before in previous reports, but also some new information. Ornella, do you want to talk to us a little bit about why the change in the timing of it, and then what we can expect to see?
06:52 – 08:14
Ornella Bergeron: Yeah, absolutely, Bryan. So as far as timing goes, we heard the industry loud and clear, right? They wanted the report out sooner so that they can have the report and the information that's in it so that they can leverage it as part of their compliance planning for 2026. And especially because we have some new areas in the report like GenAI, we have updated a lot of the areas, so it's important for them, for member firms, to have the information earlier.
As far as the content and how do we decide sort of what goes into the report, we really rely heavily on data analysis to help us drive the topics we include. So, for example, we leverage data from engagement on our website to pinpoint the topics firms have clearly found most valuable from past years. Basically, where are we getting the most hits?
And then we also conduct a deep dive into our examination, investigation, enforcement and other data to make sure we're sharing findings and effective practices regarding the areas where we see the most issues, which will be obviously most helpful for firms. So, for example, we included new findings and effective practices this year in evergreen topics: Reg BI, senior investor issues and managing risk related to third-party vendors, all topics that have been there before, but a lot of really great new content.
08:14 – 09:07
Bryan Smith: Yeah, and I think one of the things with that is that things change. And so even though it's a topic that might have been in previous reports, there's going to be a new wrinkle to it. There's new technology that enables some of that activity. I was also struck with the report of, not only does it have the regulatory obligations that firms have in that space, but also the findings over this past year.
And some of that can be enforcement actions, but also then other things that the investigative team found, and as far as best practices. And then a key point, I think, is those effective practices of what firms can be doing, not just what they shouldn't be doing, but what can you be doing to then better address some of these.
So as we move forward, I want to just kind of start with some of the highlights that we've seen within this. And, Bill, I'm going to start with you because, you know, as an enforcement team, you see a lot that comes through the door. You're handling, like you said, everything that is going to get referred over, and there may be an action taken. What are some of the highlights that you saw within this past year?
09:08 – 13:35
Bill St. Louis: Great. Over the years, I've heard from firms that they find the report to be very helpful. And we certainly hope and expect that the 2026 report is also going to be very helpful. I know that people are always looking in the report to see what's new. They want to see new risk areas, new issues. But from an Enforcement perspective, we continue to see some firms have issues complying with certain areas or certain rule sets that have been a focus for a long time. So, I'll share three such areas.
Best execution. We continue to have cases, formal action, disciplinary action stemming from best execution findings that come to us from Feral’s team and market oversight, or from the examination program in Ornella’s team. What we're essentially looking for is to see whether or not firms are reasonably reviewing the execution quality of their current routing arrangements and also whether or not they're reviewing the execution quality in competing markets. And we're looking at firms, executing firms and retail firms.
Another area of focus for us is on the firm's regular and rigorous reviews. We're trying to see whether or not they've given proper consideration to the factors laid out in the rule, including price improvement and speed of execution. And as in the past, the report also has some best practices laid out and in the best execution area, there are a number of best practices laid out, but one of those is whether or not firms are using properly tailored exception and surveillance reports to help them comply with their best execution obligations.
Another area, you referred to it as an evergreen area, is Regulation Best Interest. Reg BI has been in place now for a few years. But we still see firms having fundamental errors and application of the rule. So, we're doing this now in early December, and we've already surpassed last year's entire year's total Reg BI cases. And like I said, we're in early December. The majority of our Reg BI cases involve individuals who have violated the care obligation vis-a-vis the recommendations to retail customers. But we also bring some corresponding cases against member firms for failing to supervise such recommendations.
So of course, we're seeing excessive trading as an issue, but we're also seeing best interest cases related to recommendations of option strategies, speculative fixed income investments, ETP transactions and penny stocks, and overconcentration issues in the duty of care space. We're also seeing duty of care issues related to recommendations made to replace or switch existing products like variable annuities, mutual funds, or 529 plans without the representative really understanding all of the nuances and complexities of some of those products. Again, the report lays out one way that some firms are mitigating the duty of care risk is to really invest in training around complex and risky products.
And the third issue that we're seeing is AML. We're seeing firms who have failed to maintain written supervisory procedures reasonably designed to detect and report suspicious activity. We're seeing issues around inadequate customer due diligence. We're seeing CIP failures in the face of very red flags indicating that more attention needs to be paid around those CIP submissions. And we're also seeing firms not conducting the type of independent testing that identifies clear and material weaknesses.
So, these requirements that I just laid out are not new. These are foundational obligations laid out in our Federal Rule 3310 and the Bank Secrecy Act. And yet we still see AML failures and supervisory failures in another area in connection with signs of potential manipulative trading activity occurring at firms. Indeed, we've seen this threat evolve over time, including ramp-and-dump and pump-and-dump schemes, targeting exchange listed issuers operating outside of the United States. We recently announced a targeted exam or sweep in this area. And that sweep is focused on firm practices around these offerings and there will be more to come on that.
13:36 – 13:54
Bryan Smith: Well, thank you, Bill. And, you know, one of the things is that certainly enforcement actions sometimes need to be taken, but there's also intelligence that comes from other parts of the organization. And so I'll turn it over to Ornella and Feral to talk a little bit about what it is that you would highlight from the report as to what you're seeing, some that may have gone to Enforcement and some that may not have. Ornella?
13:54 – 15:54
Ornella Bergeron: Yeah, absolutely. So, I'll talk a little bit about how the different groups in Member Supervision are engaging with member firms related to some of the topics that are in our Regulatory Report this year. We engage often through our regulatory programs, risk monitoring exams, our investigation teams. So we really do see and hear a lot for most of the areas that are included in the report. So I'll highlight a few areas.
So crypto asset and tokenization is the first topic I'd like to highlight. It's an area that we're actively monitoring and responding to market, legislative and policy developments. It's a rapidly evolving area. And really encourage firms to do the same. And our annual report really has some great resources that firms can leverage to help with that. There's various groups within FINRA that are engaging more with firms to really understand their involvement and what they're planning in this space. And especially as it relates to tokenization, we're hearing more firms are thinking about tokenization, looking to get into tokenization, but there doesn't seem to be a consistent definition of tokenization as we're learning, as we're talking to firms. So, we really want to understand what does it mean for them? What's their role, what's their involvement? So that we can better understand the risk there. As firms are exploring activities in this space, I really encourage firms to notify their risk monitoring teams and let us know about new and planned activities related to crypto assets.
Again, it really helps us understand the landscape, the risk, and we can provide guidance where we can and hopefully be a resource for firms. And then our examination teams are conducting and we'll continue to conduct specialized reviews, examining multiple facets of crypto operations. We're also focused on how firms communicate about crypto products. The report highlights findings from our exams, including some new ones and great effective practices.
15:55 – 16:17
Bryan Smith: I think, with that, it kind of reflects on that ever-changing environment that's out there and that, and we'll probably talk about this later, is Gen AI is that the crypto space is evolving. And what it looked like two years ago is different than it is today. And I think that the importance of having the engagement with risk monitoring about what firms are thinking about so that we can help them as they move through this changing marketplace.
16:18 – 18:21
Ornella Bergeron: Agreed. And then just a couple other areas just wanted to highlight very briefly. Overnight trading is another emerging area that we're engaging with firms. And this is really driven by firms looking to expand their offerings based on growing demand from their customers. So, we've been conducting, specifically risk monitoring has been conducting, targeted outreach to firms that are active or exploring overnight trading opportunities to understand their business, what they're planning in terms of margin, how they're planning to supervise the activity, the training they're offering their teams, their risk management frameworks and so on. So, this is going to continue to be an area of focus for us in 2026. And in the meantime, our report highlights areas that we're focusing on related to extended hours trading. The findings we're seeing, including in the areas of supervision and reporting issues, as well as effective practices and some really great resources for firms to leverage.
And then finally, I'll just mention upcoming rule changes, because there's quite a few. And they're called out in the report, but we have been engaging with firms a lot on new rules that have upcoming implementation dates, including amendments to Regulation SP, new requirements of the customer protection rule for firms that compute daily reserve formula computations, as well as new clearing requirements for U.S. Treasury securities. So we're doing a lot of outreach to impacted firms to assess their readiness and understand any compliance challenges. Make sure firms are aware of the upcoming rules. And they're prepared and we’re available to provide guidance where we can as well as escalating challenges that exist.
So, for example, with Regulation SP, which, implementation date right around the corner for some firms, we recently did a webinar for firms. And then we also covered Regulation SP implementation recommendations as part of our cyber workshops and tabletop exercises we've been doing.
18:22 – 18:30
Bryan Smith: Now Feral, there is a lot in there that I know you also have some insight into with your team. So why don't you tell me about some of the highlights that you're seeing?
18:30 – 20:08
Feral Talib: The primary risk we're seeing right now is market manipulation and low price securities, which is experiencing a reemergence. It used to be heavily concentrated in OTC markets, but now we're seeing the activity in listed stocks. We continue to monitor the market for real time intelligence, so we can see and notice red flags in real time where low float, high price changes, and foreign securities listed in U.S. markets when they start moving, we collaborate with the industry. We reach out to law enforcement and to the SEC to take real time action. The flip side of that coin is account takeovers to support the pump portion of the pump and dump, which we're seeing some new sophisticated methodology and account takeovers. We are concentrating on speeding up our response here. The crypto treasuries we are reviewing with a close side. There's manipulation insider trading in new asset classes.
We're also expanding our rapid remediation program, which involves a quick reach out to member firms whenever there is an issue in the market that's usually data related and there is no malicious intent behind it, but it seems to be error driven and in order to market integrity and not to try to be punitive and build a case against them. Would rather reach out to them quickly and let them know of something that's going wrong so they can correct it rapidly, as the name implies.
That area is growing because there is increased automation in the market and in firms, everything's getting faster, not slower. So, error rates are going to peak, at least temporarily as we adjust to these new technologies. And we're trying to collaborate with the firms so we can find these issues in their systems and their interaction with the market and correct them quickly.
20:09 – 20:47
Bryan Smith: Yeah. And I think, yeah, there's a couple things in there with some of the kind of the effective practices that are listed in the report. And granted, this is a report that talks about things that happened this last year, but some of those effective practices are making phone calls right away. And informing FINRA as to when there's an event, whether that's the risk monitoring analyst, whether it's to one of your teams, and then the downstream actions that can be taken from that.
And so, I know that there's been seizures that have been done by law enforcement based off phone calls from firms. And so you've got a mitigation of a threat because a phone call was made and people took action very quickly. We see that in a lot of different areas, not only with your teams, but with the teams over in member supervision as well.
20:48 – 21:05
Feral Talib: Absolutely. This is a risk that concerns everyone. So if you see something, we want to talk to you; reach out to us. We have anonymous tip lines. If people want to remain anonymous, you can contact us directly. We're always happy to talk to member firms and investors that are seeing issues in the market so we can react to them first.
21:05 – 21:18
Bryan Smith: I'm going to come right back to you, if that's all right. So, talk a little bit about threats to firms and what are the risks that you see out there that are most important for firms to be understanding and recognizing?
21:18 – 22:17
Feral Talib: Part of the risks I see is what's old is new again, because of technological advancements. Vulnerable investors in different subgroups have always been targeted. But the targeting was not as effective. Whereas now with advanced technology, it's easier to isolate these vulnerable investors and focus efforts on harming them by fraudsters, is something for firms to be aware of. You know, investors, account holders above a certain age are easier to isolate and put in a group so fraudsters can target them. Account takeovers are getting far more sophisticated. Two-factor authentication is no longer guaranteed to hold an account safe when you're dealing with technologies that allow you to spoof phone numbers, imitate people's voices. Anything that has urgency behind it, we need to approach with caution, because the technology is making all of these old frauds much more risky. Again, we had built barriers to control them. And now we have to reassess those barriers to see if they're still appropriate.
22:17 – 22:49
Bryan Smith: Yeah. Spending 21 years at the FBI, what I saw across that entire time period, was that something you saw one year or five years later, it was coming back, but it was coming back in a different way because of the technology enablement. And so, I think that's a really good point for firms to realize that these things are going to continue on. And what you've got to start doing is bringing together the expertise from the functional side, as well as then from the technical side if you have a hope to have a chance against the adversaries in this space. Absolutely. Bill, how about you, your perspective as far as threats to firms?
22:49 – 25:44
Bill St. Louis: Sure. So, we have a section in the report on third-party risk. I know, third-party risk typically presents in the cyber space, but there's just general third-party risk and I'll give a few examples.
So we continue to see cases involving firms that are working with third-party vendors, where the vendor's providing information to the member firms so that the member firm can meet its regulatory obligations. And the firms are not checking to make sure that the information is correct. And then, on the flip side of that, we see firms providing correct information to their vendors in connection with meeting regulatory obligations. And because of compatibility issues, a coding error, that correct information isn't being ingested properly into the vendor systems and is not making it on to books and records. So you have a books and records problem and you have a bigger problem, especially around records that are delivered and sent to customers.
And then we have the opposite, where vendors are providing correct information to the member firms. Same issue around compatibility or coding errors. And the information isn't making it in the way we expect it to be coming in and books and records are having problems.
So, I think this all comes back to testing, testing, testing, making sure the systems are working the way we expect them to work and that we are periodically making sure that the vendor the flow of information between and to the vendor in the member firm is working the way it's supposed to be working.
Another risk that we see is around crypto. But some of it can be anticipated. Some of it, I think, catches firms off guard a little bit. So we are wrapping up one of our final cases coming from our crypto communications sweep. And I think the report does a very good job in capturing the essence of the issues that we found in the sweep. Especially firms having information about crypto that is not fair and balanced, arguably a little bit misleading or sometimes omitting material information.
We also see communications around SIPC, for example, whether or not SIPC coverage is being provided to the crypto business that's being described. And of course, that has to be exact and precise. And we've seen issues around that. We also see issues around who's offering the crypto assets. Sometimes it's an affiliate, it's not a registered broker dealer, and the communications are not clear around that. And that can also be misleading to a customer.
Another area that we continue to see crypto raise its head is around undisclosed outside business activities and private securities transactions. And yes, the report has a robust section on that. That's definitely an evergreen section. It's one of the areas that generates the most number of disciplinary action.
25:44 – 25:45
Bryan Smith: An evolving evergreen section.
25:45 – 26:43
Bill St. Louis: An evolving evergreen area. Exactly. We see registered individuals working as fundraisers, promoters, investors in crypto, all unbeknownst to their member firms. And we also see a more human nexus, which I think sometimes firms may not see, which is registered representatives who are victims of crypto related scams. And unfortunately, in some of those instances, we see those registered individuals trying to recover their losses by, among other things, borrowing money from their customers without the firm's knowledge. So, I think a lot of firms are unaware of their crypto exposure and how it can come to their front door. Beyond just whether or not you're advertising crypto or you're engaging in crypto assets. Sometimes, there are other ways for it to be a threat to the firm, actually.
26:43 – 26:40
Bryan Smith: Yeah, certainly. And, Ornella, we’ll close out with you. What are you seeing from the firms’ side?
26:40 – 30:08
Ornella Bergeron: So I think that the two risks I've wanted to highlight are cybersecurity and cyber-enabled fraud. As well as maybe expand a little bit on the third-party risk that, Bill St. Louis already touched on. When I look at the report for me, those are two big risks that really jump out, where we're seeing a lot of issues. And both of these areas have been in our report, previously. Put it this way, the fraud topic itself really does take up a lot of real estate in our in our report.
So as far as cybersecurity and cyber-enabled fraud, we continue to see a variety of sophisticated cybersecurity threats targeting our member firms and their customers. Threat threats include account impersonation where threat actors are using stolen customer information in combination with a compromised or spoofed email address to initiate actions from customers’ accounts. Imposter sites is another threat we're seeing. Attacks leveraging spoofed domains and social media profiles, including those that impersonate financial firms, registered reps and in some cases, FINRA staff, all to defraud customers, and and firms.
And then there's also relationship scams that we're seeing that are targeting customers directly through social media or through text messages, establishing trust and then defrauding their victims. Feral touched on the new account fraud and account takeovers, which is also which is a big one. And then going back to third-party risk, we're also seeing firms exposed to cyber risks indirectly from attacks on external third-party vendors that they're using.
So those are, some and we're doing a lot from vendor perspective from within our perspective to help combat this risk, proactively sharing intelligence with firms, including through targeted emails to impacted firms, leveraging the information that we have, from our vendor questionnaire through threat intelligence products, as well as public alerts that we've been putting out. We’ve created the Financial Intelligence and Fusion Center, which is a dedicated program to proactively collect and disseminate actionable cybersecurity and fraud intelligence to firms through a secure portal. It's a program that's being piloted currently with some member firms. And then we're we've increased the offering of tabletop exercises and workshops that are focused on cyber threats.
In terms of the third-party or vendor risk, again, we call it out with cyber, but also we have a separate dedicated section in the report, because really firms are relying quite a bit on third parties to support key systems and critical functions. So we continue to see an increase in cyber attacks and operational issues involving third-party vendors. An area we continue to monitor in the interest of member firms through the information that we're collecting about critical vendors. And we have used this information to proactively alert firms on cybersecurity and other vendor-related events. We've also lots of engagement with firms, based to better understand how they use and supervise third parties. And in some cases, it's fourth parties as well. So, the vendor information that we have has allowed us to better understand the potential impact and effect a third-party vendor might have on our firms, as well as the security market in general. We are planning a refresh of the vendor information in early January so that we have the most up-to-date information to leverage.
30:08 – 31:48
Bryan Smith: So there's a lot to unpack in there, particularly with some of the cyber threats. And it goes back to that conversation that we had earlier about the bleed-over of some of these threat actors into different areas. And so, data breaches leads to account takeovers, which leads to a and new account fraud. It also is enabled for ransomware and BEC and a whole host of other activities.
And I'm struck by to hear you talk about some of those FINRA Forward initiatives, the cyber workshops, the third-party risk program, the CORE platform that has been initiated to help member firms. And I think one of the things with that is, you know, I know with some of those tabletop exercises, you think about these as being geared towards technical people and IT folks. And I would say that they should attend those types of things. But I think it's also important to recognize that that's an audience that goes beyond just the technical part, and that the more you have different personnel across fraud, AML, cyber, and they're talking about what the threats that they're seeing, they all see it from a different perspective, which is a lot of what we've talked about here is that there's different insight that market has into the small cap fraud issue, as opposed to the teams that you oversee and member supervision. And so it's important to bring those together. We're doing that here. And one of the best practices we're saying is that firms should be doing that and looking for opportunities to put some of their people in some of those workshops as well.
So, we talked about FINRA Forward, we talked about some of the risks that we're seeing out there. One of the ones that we have not hit on yet is one that's in the news quite a bit, GenAI, and it's a new highlighted topic in this year's report. Why is this so important right now, Ornella? And what are some of the key aspects that you think firms should be thinking about related to GenAI?
31:49 – 32:17
Ornella Bergeron: So in the report, we share how we've seen firms explore the use of AI, including areas like summarization and information extraction, conversational AI and question answering, workflow automation and process intelligence, and content generation and classification. And the report includes a really nice infographic that lays it out very nicely in terms of what firms are exploring in this space.
32:18 – 32:46
Bryan Smith: And if I could jump in on that, the feedback that I've received from firms is that when you think about AI as a new topic and really any technology, it's hard to get an understanding of how do I organize this, how do I put my thoughts together? And by having that framework, which I think there's 14 categories that the team has laid out as far as how do you organize GenAI? It really starts to put a structure together to think, oh, here's how I can think about this. These are areas that I should be concerned about, whereas other areas may be a different group within that firm.
32:47 – 34:04
Ornella Bergeron: Definitely. But with all the benefits that GenAI has, firms really do need to understand that this transformative technology could cause significant operational and compliance risks. So effective practices include having robust governance frameworks, continuous monitoring, proactive risk management in the space. And obviously, supervision and testing are key.
The report also includes a callout about the emerging trend of GenAI agents, which we're starting to hear more about as we're talking to firms, which also offers a lot of benefits. But there's also potential risks and challenges that could result in adverse impacts to investors and firms. So it's a space we're continuing to monitor and better understand the benefits and risk.
But, big picture, as we're talking to firms, we’re observing firms taking a conservative and measured approach before they implement new AI tools, especially when it comes to customer facing interactions. So, I also want to encourage firms to continue to have those ongoing discussions with their risk monitoring teams as GenAI issues arise or as they're planning to do more in this space.
34:05 – 34:11
Bryan Smith: And there's a lot there in the firm perspective. A little bit on the adversary side of it. Feral, why don’t you dive a little deeper into that piece.
34:11 – 36:44
Feral Talib: Yeah, I'll talk about the dark side of it, as is my wont. From a surveillance perspective, we're seeing two different lanes here. One is GenAI intended to defraud people. The other is GenAI intended to defraud systems. From the people side, the bad actors now have access to sophisticated technology that lets you create anything from fake news reports that look entirely authentic, to investors imitating of famous people, investors, people in the social media focus recommending specific stocks that are faked. They are doing press releases. They can do coordinated social media posts, even comments on a specific social media post. You can get thousands of comments from potential investors, which are actually GenAI-generated, and they're just giving you a unique look, as if there is a groundswell of support for this stock, whereas it's probably a handful of people access to their technology.
The lesson there for investors is unless you're talking to your registered representative or to a regulator, you should approach everything with suspicion. It is a difficult time for, especially, certain subcategories of investors to differentiate between what's real and what's not. And it's better to not jump on an opportunity that seems too good and take a moment to think if it is actually too good to be true.
On the system side, this gets a little bit more complicated. For example, wash trading, the classic surveillance that all firms and FINRA has had against. Now it's getting more sophisticated where wash trades can be layered and designed to disappear and avoid detection by these systems. Spoofing, layering can be designed to imitate human behavior where, when our systems are looking for an automated repeat pattern, the patterns keep shifting around, giving the appearance of natural market activity.
And the other side of it is these manipulative systems used to be targeted to changing the price of a stock or pumping the price of a stock. But now there's so much automation in the markets already, legitimate automation, that there are algos targeting other algos trying to trigger a buying spree by algos looking for certain flags in the market, by imitating those flags that are difficult for humans or surveillance systems to pick up on. But algos do pick up on it.
So the moral of the story there is that this is a digital arms race. So as bad actors become more sophisticated, control systems have to keep up with it and get more sophisticated as well.
36:43 – 37:54
Bryan Smith: Yeah. And that's a really good point. And there are some things in this report, it talks about some of the effective practices within the space. But also we'll put a plug in for those of you who've not seen the GenAI adversarial use intelligence products that FINRA has been pushing out over this last year, I believe there's 6 or 7 products that have been released to date, and in those they walk through the various scenarios. So instead of talking about GenAI as an overarching technology, it's addressing it in the context of what we talked about today: small cap fraud, business email compromise, ransomware. And so you're getting that perspective. And so to your point where it's a bit of an arms race, firms can take advantage of the inherent knowledge that they have and the expertise of understanding these schemes outside of AI. But now then, thinking about it in the context of that technology, and that, you know, those products will continue to come out. But we're always looking for insight from member firms about what they want to hear about in those. So please let your risk monitoring analysts know if you have an insight, or you want to see something written about that.
So, as we close out, I'd like to just go around to each of you and ask that you just provide kind of one thing as a takeaway that you'd like our listeners to take from this. Ornella, we’ll start with you.
37:54 – 38:46
Ornella Bergeron: Yeah so, it's an incredibly long report. But full of lots of regulatory intelligence that we think is very valuable for firms. It's incredibly valuable for firms, I think, to know what we're seeing and anticipating. But not all topics are going to apply, so depending on a firm's business model. So what I would suggest firms do right away is really to review the report and identify those areas that are most relevant.
Many of the topics that we talked about are evergreen. They're not new, but all topics contain new content. So, identify those gaps that may exist, leveraging the effective practices in the report and the resources in the report to be able to help control and or prevent the types of issues or risks that are highlighted that we're seeing. So we really want our report to be a helpful resource for firms to leverage for their compliance planning.
38:46 – 38:47
Bryan Smith: Okay. And Bill?
38:47 – 39:17
Bill St. Louis: Sure. So I really urge firms to consider incorporating some of what they see in the report into their firm element and other training. I know that there are many firms that do that, but not all. And I think this is a really good resource for them to help design their training for the year. Also, I think Ornella touched on this, I think the report can be helpful with gap analysis that firms do. And, hopefully, this will help that practice and make that more efficient.
39:17 – 39:18
Bryan Smith: All right. Feral?
39:18 – 40:07
Feral Talib: What I would recommend is that firms review their surveillance and control systems for the risks highlighted in the report and more. When I was in the industry, this was common practice annually when the FINRA report came out, to check our systems against what FINRA was highlighting. A, that is good practice; I do recommend people do that in large firms and small firms. But B, I think what they need to pay attention to is if you have a risk that was covered historically, don't move past it quickly. It bears reviewing whether the risk itself and the way that bad actors are approaching that risk have evolved and if your controls are still effective. A focus on the new risks is obviously important because there may be gaps in controls there, but areas that historically have been covered should be reviewed as well to make sure that the risk hasn't moved on from under the control system.
40:08 – 41:28
Bryan Smith: Well, first I just want to thank all of you, my fellow panelists, for a great conversation here. A lot of really useful information. I'd also like to thank all the listeners and those who have attended and then those who in advance are going to read the report and take some insight from it.
You heard this earlier in the conversation about how that report and the timing of it and the content has been informed by questions and information provided by all of you. And so, I would ask that, as you read the report, if there's something that you would like to see more of in next year's report, you'd like more clarification, you'd like additional intelligence products put out over the next couple of months on those types of things, let us know. Talk to us at a conference. Talk to your risk monitoring analyst. We are here listening. We are here trying to provide you with the information and the intelligence that you need to better protect your firms and protect your investors, and how we can help in that space, we are here to do that.
I will also remind you that while there's a lot of great effective practices that are in the report, there's no new regulatory obligations that are listed in there. This is guidance for all of you to help you in that fight against a common adversary. And just know that you've got a willing partner here at FINRA. And we thank you for your time.
41:30 – 41:55
Margherita Beale: Thank you, Bryan, and thank you to all of our panelists. Well, that's it for today's episode of FINRA Unscripted. All the resources mentioned in today's episode, including the Regulatory Oversight Report, will be listed in the episode notes. Listeners, if you don't already, please be sure to subscribe to FINRA Unscripted wherever you listen to podcasts to stay up to date on all our latest episodes. Today's episode was produced by me, Margherita Beale, engineered by John Williams, in collaboration with FINRA's Video team Carlin Petree, Costis Waltz, Declan McGeady, Mike Weiner, and Andy Myers. Thank you for listening. Until next time.
41:55 – 42:30
Outro Music
42:09 – 42:41
Disclosure: Please note FINRA podcasts are the sole property of FINRA, and the information provided is for informational and educational purposes only. The content of the podcast does not constitute any FINRA Rule or amendment or interpretation to such rules. Compliance with any recommended conduct presented does not mean that a firm or person has complied with the full extent of their obligations under FINRA Rules, the rules of any other SRO or securities laws. This podcast is provided as is. FINRA and its affiliates are not responsible for any human or mechanical errors or omissions. Parties may not reproduce these podcasts in any form without the express written consent of FINRA.