Executive Summary
The FINRA 2026 Annual Regulatory Oversight Report provides essential guidance for firms to strengthen compliance and supervisory practices. The 2026 edition introduces new content and adds to existing sections: there is a new dedicated section for “GenAI: Continuing and Emerging Trends,” and callout boxes highlight other key areas such as cybersecurity threats, AML and other frauds, and technology management.
Regarding Generative AI, FINRA warns that its use, whether in-house or via third-party vendors, introduces new compliance challenges, e.g., data privacy, transparency, auditability, “hallucinations” and potential misuse. The report reaffirms that firms cannot outsource their regulatory obligations, including when they use third-party vendors, and must conduct due diligence, maintain oversight, and ensure contractual clarity around security and data handling.
Cyber-enabled and other fraud remain a major concern. FINRA highlights increased use of technology by bad actors, including GenAI-enabled scams and fraudulent activity via social media, impostor websites, and other sophisticated channels. AML, sanctions screening, and general fraud/suspicious activity detection continue to be core areas of focus for compliance supervision. Additionally, firms remain under pressure to improve customer due diligence (CDD), suspicious activity monitoring, red-flag identification and escalation, transaction surveillance, and reporting.
Highlighted below are additional key areas from the report such as training, outside business activities (OBAs), private securities transactions (PSTs), the use of questionnaires, conflicts of interest, the importance of staying current with regulatory changes and maintaining updated written supervisory procedures (WSPs). Firms should integrate these priorities into training, compliance programs, and supervisory frameworks to align with FINRA expectations and safeguard investor trust.
Training: Embedding Regulatory Priorities into Education
FINRA encourages firms to leverage the report for training and gap analysis. Incorporating these priorities into compliance education ensures that staff understand evolving regulatory expectations and the rationale behind supervisory controls.
Beyond annual training requirements, FINRA expects firms to use targeted, role-based education to address specific risk areas highlighted in the report. Training programs should evolve alongside business models, product offerings, and emerging technologies such as GenAI, ensuring that registered representatives, supervisors, and compliance teams are equipped to identify and escalate potential issues in real time.
- Highlight recent findings and effective practices.
- Include case studies on OBAs, PSTs, and conflicts of interest.
- Reinforce the importance of timely disclosures and accurate recordkeeping.
Outside Business Activities & Private Securities Transactions
FINRA reiterates its focus on FINRA Rules 3270 and 3280, which govern OBAs and PSTs. Key observations include:
- Misinterpretation of ‘selling compensation,’ where firms overlook indirect benefits from PSTs.
- Inadequate supervisory oversight following PST approvals.
- Missing documentation and failure to record PSTs in firm recordkeeping systems.
FINRA notes that weaknesses in OBA and PST programs often stem from inconsistent intake processes, limited visibility into ongoing activities, and insufficient follow-up once approvals are granted. These gaps increase the risk of undisclosed compensation, investor harm, and supervisory failures.
Best Practices:
- Require pre-approval for all OBAs and PSTs.
- Document both direct and indirect compensation streams.
- Implement robust supervisory reviews and ensure transactions are captured in books and records.
FINRA also signals potential harmonization under Rule 3290, which could simplify compliance while maintaining investor protections.
Firms should monitor this potential rulemaking closely and prepare for possible changes by assessing current workflows, documentation standards, and supervisory controls related to OBAs and PSTs.
Conflicts of Interest: A Persistent Priority
Conflicts of interest continue to underpin many compliance risks. FINRA’s guidance emphasizes:
- Enterprise-wide conflict management frameworks.
- Oversight of compensation structures and incentive programs.
- Vigilance in private placements and outside activities.
Embedding conflict checks into supervisory reviews and leveraging questionnaires can help firms gather disclosures of potential conflicts such as OBAs, personal accounts, and compensation arrangements, then assess and mitigate these risks effectively.
FINRA expects firms to move beyond reactive conflict identification and toward proactive, ongoing monitoring. This includes regularly reassessing conflicts as business relationships, compensation models, and product offerings evolve, and ensuring mitigation strategies are clearly documented and enforced.
Stay Current with Regulatory Changes
FINRA reminds firms to stay apprised of new or amended securities laws, rules, and regulations. Regulatory landscapes evolve quickly, and failing to adapt can expose firms to compliance gaps and enforcement risk.
- Monitor FINRA notices and SEC updates regularly.
- Incorporate changes into training and supervisory programs promptly.
- Communicate updates across all relevant business units.
FINRA emphasizes that regulatory change management should be formalized, documented, and repeatable. Firms should be able to demonstrate not only awareness of regulatory updates, but also how those changes were assessed, implemented, and tested across the organization.
Keep Supervisory Procedures and Compliance Programs Updated
Written Supervisory Procedures (WSPs) and compliance programs must reflect current regulatory requirements and firm practices. Outdated procedures can undermine supervisory effectiveness and lead to violations.
- Conduct annual reviews of WSPs.
- Update procedures immediately when rules change or new products/services are introduced.
- Document all revisions and communicate them to staff.
FINRA continues to observe disconnects between written procedures and actual supervisory practices. Firms should ensure WSPs accurately reflect how supervision is performed in practice, particularly in areas involving technology-enabled supervision, remote work, and third-party tools.
Compliance Takeaways
- Integrate the FINRA Oversight report into training programs for all registered personnel.
- Enhance OBA/PST oversight with structured approval processes and documentation.
- Maintain a robust conflict-of-interest framework across all business lines.
- Leverage questionnaires strategically to uncover hidden risks.
- Stay informed on regulatory changes and update compliance programs accordingly.
- Review and refresh WSPs regularly to ensure alignment with current rules and firm practices.
Collectively, these actions help firms demonstrate a strong culture of compliance, improve supervisory consistency, and reduce regulatory risk in an increasingly complex operating environment.
How RegEd Can Help with Compliance Challenges
Anti-Money Laundering (AML) training:
RegEd’s Anti-Money Laundering (AML) Program enables producers to fulfill AML training requirements and then share those results with all participating carriers.
Conflicts of Interest:
Enables firms to seamlessly monitor, identify and remediate conflicts of interest and code of conduct issues related to outside business activities, personal securities accounts, and gifts, gratuities and contributions. The solution captures a full audit trail of requests, approvals, exceptions and remediation, and provides ready documentation for internal and external regulatory reporting.
Policies & Procedures Management:
Enables comprehensive, end-to-end administration and oversight of all elements of the firm’s policies and procedures. It ensures that critical compliance information is synchronized with current rules and regulations, and also streamlines preparedness for regulatory audits and market conduct exams with strong documentation and detailed evidence of compliance.
Regulatory Change Management:
RegEd’s Regulatory Change Management is a workflow-enabled enterprise software solution that provides firms with everything they need to be aware of, comply with, and demonstrate compliance with all relevant regulatory changes. Comprised of more than 30 regulatory experts with over 300 years of combined knowledge and experience in the insurance and securities industries, RegEd’s Regulatory team delivers regulatory change analysis for new and amended rules that is easily digestible for compliance and business units.
- Free resources to focus on high-value work
- Improve relationships with business units
- Ensure Policies & Procedures are in line with regulatory requirements
- Achieve peace of mind knowing that regulatory changes are handled
Compliance Questionnaires:
RegEd’s Compliance Questionnaires provides a robust set of integrated, workflow-driven, enterprise tools that enables firms to initiate, distribute and track annual compliance questionnaires required by FINRA, and other critical questionnaires integral to maintaining a strong compliance program.
About RegEd
RegEd is the market-leading provider of RegTech enterprise solutions with relationships with more than 200 enterprise clients that represent more than 35 of the top 50 insurance companies.
Established in 2000 by former regulators, the company is recognized for continuous regulatory technology innovation with solutions hallmarked by workflow-directed processes, data integration, regulatory intelligence, automated validations, business process automation and compliance dashboards. The aggregate drives the highest levels of operational efficiency and enables our clients to cost-effectively comply with regulations and continuously mitigate risk.
Trusted by the nation’s top financial services firms, RegEd’s proven, holistic approach to RegTech meets firms where they are on the compliance and risk management continuum, scaling as their needs evolve and amplifying the value proposition delivered to clients. For more information, please visit www.reged.com.