FINRA has released its 2026 Annual Regulatory Oversight Report earlier than in prior years, an acknowledgment of how quickly risks are evolving and how much lead time firms now need to strengthen their programs. Published under the FINRA Forward initiative, the Report offers one of the most detailed views yet into the risks shaping examinations in 2026 and the supervisory expectations member firms must be prepared to meet.
This year’s themes reflect a market influenced by new technologies, escalating fraud threats, operational dependencies, and increasingly complex investment products. For compliance leaders, the 2026 Report is not merely a look back at what FINRA observed; it is a roadmap for building a resilient program in the year ahead.
1. Financial Crimes & Cyber-Enabled Fraud
FINRA continues to identify financial crime prevention as one of the most urgent areas of regulatory attention. The 2026 Report highlights persistent and evolving threats, including:
- Ransomware attacks
- Phishing, smishing, and quishing (QR code–based attacks)
- Account takeover attempts
- Imposter websites and impersonation schemes
- Breaches originating from compromised vendors
FINRA emphasizes that cyber events involving third parties can be just as damaging as direct attacks, reinforcing the need for strong vendor oversight and incident response coordination.
Manipulative trading activity, particularly in small-cap and micro-cap equities, also remains a concern. FINRA notes increasingly complex schemes involving nominee accounts, foreign jurisdictions, and coordinated trading designed to influence market perception. Enhanced surveillance and escalation processes are critical for firms exposed to these markets.
2. Generative AI & Emerging Technology Risks
For the first time, FINRA has introduced a dedicated section on generative AI, signaling its importance as an emerging supervisory risk. The Report makes clear that while firms may adopt AI tools, all existing rules still apply, and supervisory systems must evolve to address the unique challenges AI presents.
Key risks include:
- Hallucinations: AI producing inaccurate or misleading outputs
- Bias: Outputs influenced by incomplete or skewed training data
- Vendor risk: Dependence on models firms did not build or fully control
Effective practices highlighted by FINRA include:
- Human review of AI-generated content prior to client use
- Logging prompts and outputs
- Version tracking when models change
- Independent validation of accuracy, privacy, and security controls
FINRA’s position is not anti-AI; it is pro-governance. Firms must ensure AI is implemented within a documented, supervised, and testable framework.
3. Firm Operations & Core Supervisory Controls
Key operational risks highlighted in the 2026 Report include:
Vendor Risk Management
Firms are expected to maintain an up-to-date inventory of all vendors and understand what data or systems each vendor can access. Contracts should clearly define expectations for cybersecurity, incident notification, and continuity planning. Ongoing monitoring must include performance reviews and security assessments.
Books and Records
As communication channels and technologies expand, FINRA continues to identify deficiencies in recordkeeping practices, particularly around digital communications, electronic messaging tools, and third-party platforms.
Senior Investor Protections
With demographic shifts and rising financial exploitation attempts, FINRA stresses the importance of:
- Prompt collection of trusted contact information
- Monitoring for unusual withdrawal or transaction patterns
- Staff training on identifying exploitation or cognitive decline
- Clear escalation pathways when concerns arise
Outside Business Activities (OBA) & Private Securities Transactions (PST)
FINRA reiterates that firms must maintain effective systems to review, supervise, and document OBA and PST activity. Inadequate oversight continues to result in regulatory findings.
4. Crypto-Related Activities
Crypto-related business lines, no matter how limited, remain on FINRA’s radar. Even firms that do not custody digital assets may be exposed if customer interactions, partnerships, marketing activities, or revenue streams intersect with crypto products.
FINRA expects firms to:
- Conduct thorough due diligence on crypto partners or offerings
- Implement clear supervisory controls
- Ensure marketing and disclosures are fair, balanced, and not misleading
- Maintain documentation showing how crypto-related activities integrate with regulated business lines
Traditional securities rules still apply, regardless of the underlying technology.
5. Communications, Sales Practices & Recordkeeping
FINRA continues to observe deficiencies in core communication and sales practice areas, including:
- Misleading or inaccurate public communications
- Incomplete or outdated disclosures
- Weak supervision of outside business activities
- Inadequate controls for digital communications and messaging platforms
Firms must ensure that supervisory systems, pre-use approvals, and books-and-records processes reflect modern communication behaviors and emerging technologies, including the use of AI-generated content.
What This Means for Compliance Teams in 2026
The 2026 Oversight Report makes one message clear: risks are evolving faster than many firms’ controls. Compliance teams should use this Report as a strategic guide, not just an exam checklist, to modernize oversight across technology, fraud prevention, communications, and senior investor protection.
Key priorities for the year ahead include:
- Strengthening vendor oversight, including contract expectations, ongoing monitoring, and alignment with cybersecurity and continuity planning.
- Formalizing AI governance, ensuring human review, documentation, and model oversight as generative tools enter workflows.
- Modernizing communication and recordkeeping controls to address digital channels, AI-generated content, and third-party platforms.
- Enhancing fraud and cyber readiness, including incident response planning and monitoring for account takeover and impersonation schemes.
- Embedding senior investor protections into daily supervision and escalation practices.
Looking ahead, firms that treat these themes as opportunities to reinforce their controls, and document how they supervise emerging risks, will be best positioned for upcoming examinations. FINRA’s expectations are shifting, and proactive adaptation is essential to maintaining a resilient, exam-ready compliance program in 2026.

