Report Highlights Trends in Generative AI, Small-Cap and Cyber-Enabled Fraud, Among Other Topics
FINRA published today the 2026 FINRA Regulatory Oversight Report, a vital resource that draws insights from FINRA’s regulatory operations programs that member firms can use to help enhance their resiliency and strengthen their compliance programs.
In response to feedback from member firms about how valuable the report is for their annual compliance planning and in support of a key FINRA Forward initiative—empowering member firm compliance—the report is being published earlier than usual. FINRA Forward is a series of initiatives to improve FINRA’s effectiveness and efficiency in pursuing its mission of protecting investors and safeguarding market integrity. Member firms have said they use the report to identify the findings and effective practices that are applicable to their businesses, incorporate the report’s topics in their risk assessment processes, perform a gap analysis of their compliance programs, and for training, among other uses, which are detailed in the report.
“Our 2026 FINRA Regulatory Oversight Report captures important findings and translates them into practical guidance our member firms can act on immediately. We are not just identifying risks, we are equipping our member firms with the intelligence and resources needed to mitigate risks effectively. By sharing these insights, FINRA is engaging with members to help strengthen their defenses. Ultimately, this report is essential because member firm compliance protects investors and safeguards the integrity of our markets,” said Greg Ruppert, Executive Vice President and Chief Regulatory Operations Officer at FINRA.
“Whether it's about the evolving threat of cyberattacks including those powered by bad actors exploiting artificial intelligence, the increase in manipulation tactics that exploit market participants, or the need to protect senior investors from potential fraud and other threats, this report delivers useful, real-world insights from our regulatory oversight work. Our goal is simple: help firms build stronger compliance programs and more resilient operations so that investors can participate in markets with greater confidence,” Ruppert added.
Among the topics covered in the report are generative artificial intelligence (GenAI), cybersecurity and cyber-enabled fraud; manipulative trading in small-cap, exchange-listed equities; and the third-party risk landscape. For each topic area covered, the report identifies the relevant rule(s); summarizes noteworthy findings from recent oversight activities involving firms; outlines firms’ effective practices that FINRA observed through its oversight activities; and provides additional resources that may be helpful to firms in reviewing their supervisory procedures and controls and fulfilling their compliance obligations.
GenAI
Through FINRA’s survey of firms and engagement with other regulators, FINRA has noted that:
- firms have started to implement GenAI solutions with a focus on efficiency gains, particularly with respect to internal processes and information retrieval; and
- the top GenAI use case among FINRA member firms is “Summarization and Information Extraction,” which refers to condensing large volumes of text and extracting specific entities, relationships or key information from unstructured documents.
The report notes that AI agents—systems or programs that are capable of autonomously performing and completing tasks on behalf of a user—can enhance GenAI capabilities by providing users with additional opportunities for task automation and the ability to interact with a wider range of data and systems faster and at a potentially lower cost than more traditional process automation.
However, the report details notable risks and challenges that could result in adverse impacts to investors, firms or the markets, which include:
- Autonomy: AI agents acting autonomously without human validation and approval
- Scope and authority: Agents may act beyond the user’s actual or intended scope and authority
- Auditability and transparency: Complicated, multi-step agent reasoning tasks can make outcomes difficult to trace or explain, complicating auditability
- Data sensitivity: Agents operating on sensitive data may unintentionally store, explore, disclose, or misuse sensitive or proprietary information
- Domain knowledge: General-purpose AI agents may lack the necessary domain knowledge to effectively and consistently carry out complex and industry-specific tasks
- Rewards and reinforcement: Misaligned or poorly designed reward functions could result in the agent optimizing decisions that could negatively impact investors, firms, or markets
- Unique risks of GenAI: Bias, hallucinations, privacy, etc., also remain present and applicable for GenAI agents and their outputs
Cybersecurity and Cyber-Enabled Fraud
FINRA has observed a variety of sophisticated cybersecurity threats targeting member firms and their customers, including:
- Ransomware and extortion events
- Data breaches
- Phishing, smishing or quishing
- New account fraud
- Account takeovers
- Account impersonations
- Imposter sites
- Relationship investment scams
- Insider threats
Manipulative Trading—Increase in Small-Cap Fraud Involving Exchange-Listed Equities
FINRA has observed the following trends in manipulative pump-and-dump schemes involving small-cap exchange-listed equities:
- They are occurring less frequently at the time of the small-cap issuers’ initial public offerings (IPOs), and more frequently months after these IPOs.
- Suspected nominee accounts continue to be utilized to invest in small-cap IPOs to aid in bringing companies public.
- In advance of the pump-and-dump scheme, nominee accounts may “funnel,” or sell their shares in a coordinated manner to one or more foreign omnibus accounts, which results in the omnibus account(s) holding a significant portion of the public float.
- Well after the issuer’s IPO, the issuer may sell a large amount of shares in a privately placed secondary offering to select foreign investors—lacking adequate public disclosure—leading to these investors holding a large amount of the issuer’s public float.
- The use of account takeover fraud to purchase shares of small-cap companies that are the subject of pump-and-dump schemes.
- A continued increase in the use of text messaging and social media-based scams to attract victims to purchase shares of small-cap issuers subject to pump-and-dump schemes.
- The victims’ purchases occur in conjunction with—and likely cause—price increases in the targeted securities through the use of coordinated limit orders.
In October, FINRA initiated a targeted examination of firm practices regarding public and private offerings of small-cap exchange-listed issuers with business operations in foreign jurisdictions.
Third-Party Risk Landscape
FINRA has observed an increase in the reporting of cyberattacks and outages at firms’ third-party vendors. Given the financial industry’s reliance on third-party vendors to support key systems and covered functions, an attempted cyberattack or an outage at a third-party provider could potentially impact a large number of member firms. FINRA continues to monitor third-party provider risks in the interests of member firms.
The report outlines effective practices, such as conducting initial and ongoing due diligence on third-party vendors supporting mission-critical systems, maintaining an inventory of firm data types accessed or stored by the firm’s vendors, and monitoring third-party vendor services for vulnerabilities or data breaches, among other practices.
FINRA Unscripted Podcast Episode About the 2026 FINRA Regulatory Oversight Report
A FINRA Unscripted podcast episode about the 2026 FINRA Regulatory Oversight Report—featuring Ornella Bergeron, Senior Vice President, Risk Monitoring, and Acting Head of Member Supervision; Bill St. Louis, Executive Vice President and Head of Enforcement; and Feral Talib, Executive Vice President and Head of Market Oversight; and guest hosted by Bryan Smith, Senior Vice President and Acting Head of Strategic Intelligence—is available on FINRA’s website (a transcript is provided). In addition, the subjects covered in the report will be featured in other FINRA-related compliance and education resources throughout the year, including at the 2026 FINRA Annual Conference taking place May 12-14 in Washington, D.C.
Here is a full list of topics covered in the 2026 FINRA Regulatory Oversight Report:
- Financial Crimes Prevention
  - Cybersecurity and Cyber-Enabled Fraud
  - Anti-Money Laundering, Fraud and Sanctions
  - Manipulative Trading
  - GenAI: Continuing and Emerging Trends
- Firm Operations
  - Third-Party Risk Landscape
  - Outside Business Activities and Private Securities Transactions
  - Books and Records
  - Senior Investors and Trusted Contact Persons
  - Member Firms’ Nexus to Crypto
- Communications and Sales
  - Communications with the Public
  - Reg BI and Form CRS
  - Private Placements
  - Annuities Securities Products
- Market Integrity
  - Consolidated Audit Trail
  - Customer Order Handling: Best Execution and Order Routing Disclosures
  - Fixed Income—Fair Pricing
  - Market Access Rule
  - Extended Hours Trading
- Financial Management
  - Net Capital
  - Liquidity Risk Management
  - Protection of Customer Assets
About FINRA
FINRA is a not-for-profit organization dedicated to investor protection and market integrity. FINRA regulates one critical part of the securities industry—member brokerage firms doing business in the U.S. FINRA, overseen by the SEC, writes rules, examines for and enforces compliance with FINRA rules and federal securities laws, registers broker-dealer personnel and offers them education and training, and informs the investing public. In addition, FINRA provides surveillance and other regulatory services for equities and options markets, as well as trade reporting and other industry utilities. FINRA also administers a dispute resolution forum for investors and brokerage firms and their registered employees. For more information, visit www.finra.org.
View source version on businesswire.com: https://www.businesswire.com/news/home/20251209886837/en/