5 FINRA & SEC Compliance Trends
Every Financial Firm Must Watch in 2026
Regulators have raised the bar. Here's what the latest FINRA Oversight Report and SEC Examination Priorities mean for your firm—and what to do before examiners show up.
By MCG Consulting | mcgcomply.com | 8-Minute Read
In December 2025, FINRA dropped its nearly 90-page 2026 Annual Regulatory Oversight Report, earlier than usual and packed with a pointed message. The SEC followed in November with its own FY 2026 Division of Examinations Priorities. Together, these documents make one thing unmistakably clear: if your compliance program isn't provable in real time, it isn't defensible. This article breaks down the five trends that will define financial services compliance in 2026 and what your firm needs to do about each one right now.
Trend 01
GenAI Governance Is No Longer Optional
For the first time in the history of FINRA's oversight report, artificial intelligence gets its own dedicated section, a signal that examiners will be asking hard questions about AI governance at every member firm in 2026. The SEC echoed that emphasis in its own exam priorities, citing heightened scrutiny of firms using AI in advisory, trading, compliance, and operational functions.
Regulators aren't anti-innovation. What they are demanding is accountability. Firms that deploy generative AI tools without documented governance frameworks, ongoing human monitoring, and written controls for bias and hallucinations are walking into an exam with a visible gap.
The SEC is particularly focused on explainability: can a compliance officer, or an examiner, understand and defend the outputs of your AI tools? Autonomous AI agents, robo-advisory systems, and AI-generated client communications all require supervision frameworks equivalent to those applied to any critical business technology.
Your Action Checklist:
- Inventory every GenAI tool deployed across your firm, including vendor-provided solutions and AI features embedded in platforms you already license
- Build a written governance framework covering decision-making, disclosures, and human oversight
- Establish controls that specifically address hallucinations, bias, and threat-actor misuse of AI
- Conduct firmwide training on AI risks, limitations, and compliance obligations
- Limit autonomous AI agents to least-privilege system access (scoped credentials, no standing access to production data they do not need) and log every action they take so it can be reviewed and reconstructed
Trend 02
Cybersecurity Is Now a Board-Level Compliance Issue, Not Just an IT Problem
FINRA identifies cybersecurity as its single top financial crimes priority for 2026. The SEC is equally emphatic. Both regulators expect firms to have mature, documented, and testable cybersecurity programs, and that expectation now has teeth in the form of the amended Regulation S-P, the SEC's most significant data protection rule update for broker-dealers in years.
The 2024 amendments to Regulation S-P require firms to maintain a written incident response program designed to detect, respond to, and recover from unauthorized access to or use of customer information, and to notify affected individuals as soon as practicable, and no later than 30 days after the firm becomes aware of the incident. Note the compliance dates: larger entities had to comply by December 3, 2025; smaller entities have until June 3, 2026. This isn't aspirational guidance; examiners will assess whether your written program exists, whether it has been tested, and whether it matches your actual operations.
FINRA's primary cyber threat list for broker-dealers now includes ransomware, data breaches, phishing, smishing, new account fraud, account takeovers, impersonation schemes, relationship investment scams, and insider threats. Cyber risk is not a single scenario. It is a portfolio of threats that demands layered controls.
Your Action Checklist:
- Confirm your written incident response program satisfies Reg S-P's amended requirements, including the customer notification timeline
- Implement multi-factor authentication (phishing-resistant methods for privileged and customer-facing access), network segmentation, and BYOD policies
- Run tabletop exercises and cross-team drills between cybersecurity and AML functions
- Inventory all cloud and vendor systems that store or access customer data
- Test both firm and third-party vendor controls for operational resiliency
Trend 03
AML and Financial Crime Prevention: Foundational Obligations, Escalating Consequences
Anti-money laundering compliance is not new. That's exactly the problem regulators are flagging. FINRA and the SEC are seeing firms fail on foundational AML obligations (written supervisory procedures, customer due diligence, and suspicious activity reporting) that have existed for decades. Meanwhile, criminal networks are evolving their tactics at speed.
For 2026, FINRA expanded its list of fraud typologies that firms must incorporate into AML monitoring programs. These now include disaster-related scams, investment club scams tied to pump-and-dump activity, gold bar courier schemes, crypto confidence fraud, and mail theft-related check fraud. If your surveillance rules have not been revisited since 2018, they are unlikely to be detecting these patterns.
On the sanctions side, both FINRA and the SEC expect real-time screening of customers, transactions, and securities against OFAC and other sanctioning authority lists, at account opening, periodically throughout the relationship, and at transaction execution. Given the pace of geopolitical developments, firms that rely on static screening schedules are at risk.
Your Action Checklist:
- Audit your WSPs to confirm they are reasonably designed to detect and report suspicious activity
- Update AML monitoring programs to capture 2026's evolving fraud typologies
- Verify beneficial ownership records and customer due diligence documentation
- Confirm real-time OFAC screening is in place at account opening and for each transaction, and that existing customers are rescreened whenever sanctions lists change
- Conduct independent AML testing and document the results
Trend 04
Third-Party Risk: Outsourcing the Work Doesn't Outsource the Responsibility
Financial firms increasingly rely on third-party vendors for cloud hosting, data storage, recordkeeping, outsourced marketing, and core operational functions. Regulators have a simple response to this trend: the outsourcing of a function does not outsource the regulatory obligation. Your firm is still responsible for what its vendors do with your data and on your behalf.
FINRA has observed a notable increase in cyberattacks and service outages at third-party providers. Because a single vendor can serve dozens or hundreds of member firms, a successful attack or outage at one vendor can cascade across the industry. This makes vendor oversight not just a firm-level compliance issue but a systemic risk concern that regulators take seriously.
The SEC's 2026 exam priorities mirror this concern, with heightened scrutiny of firms relying on external providers for critical operational functions, particularly recordkeeping, cloud services, and data migration. Examiners will assess the quality of due diligence conducted at onboarding, the frequency of ongoing reviews, and the contractual protections firms have in place.
Your Action Checklist:
- Maintain a complete inventory of all third-party vendors with access to firm data or systems
- Document initial and ongoing due diligence for every mission-critical vendor
- Establish contractual oversight provisions, including the breach notification commitment amended Reg S-P requires from service providers (notice as soon as possible, and no later than 72 hours after the provider becomes aware of a breach), and review them annually
- Map vendors to risk categories and link them to your broader risk assessment
- Test vendor controls to confirm critical systems can maintain service during disruptions
Trend 05
Fiduciary Duty and Best Execution: The Evergreen Exam Priorities That Never Go Away
While AI and cybersecurity dominate the headlines, FINRA and the SEC are equally focused on the bedrock compliance obligations that have defined securities regulation for decades. Regulation Best Interest enforcement is intensifying. The SEC brought settled enforcement actions against a broker-dealer and a registered representative for Reg BI violations as recently as August 2025, and both regulators continue to prioritize complex product recommendations, particularly variable annuities, structured products, and tax-advantaged accounts.
For investment advisers, the SEC's 2026 exam priorities emphasize adherence to fiduciary duties of care and loyalty for retail investors. Examiners will assess whether advice and disclosures align with each client's objectives, risk tolerance, and financial circumstances—and whether conflicts of interest are identified, mitigated, and disclosed clearly in Form CRS.
Best execution and Rule 606 order routing disclosures remain a perennial examination focus at FINRA. Findings highlighted in the 2026 report include firms failing to assess execution quality across competing markets, the "regular and rigorous" review FINRA Rule 5310 calls for. The obligation looks straightforward on paper but consistently generates examination deficiencies in practice.
Your Action Checklist:
- Review care obligation documentation and conflict of interest disclosures for accuracy
- Update Form CRS to reflect your current actual business practices
- Assess execution quality across competing markets and document the methodology
- Review Rule 606 order routing disclosures for completeness and timeliness
- Evaluate complex product suitability processes for variable annuities and structured products
The Bottom Line: Compliance That's Provable Is Compliance That's Defensible
The 2026 oversight landscape from FINRA and the SEC reflects a consistent regulatory philosophy: the bar for what counts as "reasonable" compliance is rising. Static documentation is no longer enough. Regulators want to see controls that are embedded into daily operations, tested regularly, and auditable on demand.
For most firms, the gap between where their compliance programs are today and where regulators expect them to be in 2026 is not about good intentions, it's about documentation, testing cadence, and governance structure. That gap is exactly where MCG Consulting works.
Help Your Firm Stay Exam-Ready for 2026
MCG Consulting helps financial firms build compliance programs that are documented, tested, and defensible, before examiners knock. Let's talk about where your program stands.
Schedule a Compliance Review →