Bates Research | 06-26-26
FINRA’s 2026 Regulatory Oversight Report: What Five Years of Priorities Reveal About Your Compliance Risk
At 85-plus pages, FINRA’s 2026 Annual Regulatory Oversight Report is not a priorities letter. It is a detailed operating manual for what examiners will look for, what they have already found, and what effective compliance programs do differently. Every topic area includes specific findings from recent oversight activities and recommended effective practices. For member firms, the Report is the single most useful document FINRA publishes each year.
But even the best single-year review misses something important. When you stack FINRA’s oversight reports from 2022 through 2026 side by side, as we have in our annual Comparison Chart, patterns emerge that reshape how you should allocate compliance resources. You can see which topic areas FINRA has examined for five straight years (and where examiners now have a deep baseline of findings), which areas arrived recently and are coming under increased scrutiny, and where entirely new risks like generative AI have entered the picture for the first time.
Here is what the data shows.
Recurring Priorities: The Standing Program Expectations
A core group of topic areas has appeared in every FINRA oversight report since 2022. That group includes:
- Anti-Money Laundering (AML), fraud, and sanctions compliance
- Cybersecurity and technology governance
- Reg BI and Form CRS
- Communications with the public (FINRA Rule 2210)
- Books and records / electronic communications retention
- Net capital and financial reporting
- Customer protection and reserve formula compliance
- Best execution and order routing
- Outside business activities and private securities transactions
Five consecutive years means these are not emerging trends. They represent standing program expectations where examiners have developed detailed testing methodologies and a clear benchmark for what “adequate” looks like. Firms that treat any of these areas as background compliance are the ones most likely to generate avoidable findings.
What Is New and Elevated in 2026
This year’s Report introduces several new topic areas and significantly expands others. Each warrants attention from firms now.
Generative AI: Continuing and Emerging Trends. This is the headline addition for 2026: a fully dedicated section covering how member firms use GenAI across 14 defined use cases, the risks of hallucinations and bias, and an emerging discussion of autonomous AI agents. FINRA’s rules remain “technologically neutral,” but the Report makes clear that firms deploying GenAI tools must address supervision, governance, testing, and ongoing monitoring. If your firm uses, or plans to use, AI-assisted tools for compliance, communications, or customer-facing functions, governance documentation and “human-in-the-loop” protocols should be in place now.
FINRA Forward. Launched in spring 2025, FINRA Forward drives much of this year’s Report. The initiative has three pillars: modernizing FINRA rules to eliminate unnecessary burdens, empowering member firm compliance with more tools and resources, and combating cybersecurity and fraud risks. Organizationally, FINRA is integrating Member Supervision, Market Oversight, and Enforcement into a unified Regulatory Operations function. The 2026 Report reflects that integration, drawing on insights from across all three programs. Member firms should expect more coordinated, cross-program supervision and enforcement going forward. Proposed Rule 3290 (streamlining outside activities requirements) is a direct FINRA Forward product currently awaiting SEC approval.
Expanded Cybersecurity and External Fraud Coverage. The 2026 Report significantly expands its treatment of cyber-enabled fraud threats, including GenAI-enabled fraud (deepfakes, voice clones, polymorphic malware), relationship investment scams, cybercrime-as-a-service, and several newly detailed fraud typologies: disaster-related donation scams, investment club pump-and-dump schemes conducted via encrypted messaging apps, gold bar courier scams, crypto confidence frauds, and mail theft-related check fraud. FINRA also launched CORE (Cyber & Operational REsilience) as a new intelligence-sharing program under FINRA Forward. Firms should evaluate whether their cybersecurity and AML programs address these evolving threat vectors.
Crypto: Legislative and Regulatory Clarity. Unlike the SEC’s de-prioritization of crypto in its 2026 Exam Priorities, FINRA’s treatment of member firms’ crypto activities remains robust. The 2026 Report reflects a rapidly evolving landscape: the enactment of the GENIUS Act (July 2025) establishing a stablecoin regulatory framework, multiple SEC Division staff statements on crypto ETPs, stablecoins, and proof-of-work mining, and the withdrawal of the 2019 Joint Staff Statement on broker-dealer custody of digital asset securities. FINRA continues to find deficiencies in firms’ crypto-related communications, due diligence on crypto private placements, and AML programs. On-chain analytics are now positioned as an effective practice for AML and fraud monitoring.
Escalating Small-Cap Fraud. FINRA details an evolving pattern of pump-and-dump schemes targeting exchange-listed small-cap issuers, now occurring months after IPOs rather than at the time of offering. The schemes increasingly involve nominee accounts, foreign omnibus accounts, account takeover fraud, and social media-based investment club scams. In October 2025, FINRA initiated targeted examinations of firm practices in this area.
Regulation S-P Compliance. The amended Regulation S-P requires firms to implement updated customer information safeguards, including incident response and notification procedures. Larger entities’ compliance date passed in December 2025. For smaller entities, that date was June 3, 2026.
Areas Generating the Most Findings Right Now
Based on our five-year analysis and our practitioners’ direct experience supporting firms through FINRA examinations and investigations, these areas are generating the highest volume and most significant findings in the current cycle.
AML Program Design and Suspicious Activity Detection. The 2026 findings detail failures across the full AML lifecycle: programs not tailored to the firm’s business, inadequate detection of red flags in omnibus accounts and small-cap offerings, insufficient staffing following business expansions, failure to escalate suspicious activity detected by teams outside AML compliance (such as cybersecurity), and unreasonable customer identification and due diligence practices (including failure to detect synthetic identity fraud). If your AML program has not been reassessed since your last business expansion or significant change in product mix, it likely needs attention.
Reg BI Compliance. FINRA’s 2026 findings now explicitly cover registered index-linked annuities (RILAs) alongside variable annuities, with detailed findings on failures to consider interim value risk, inadequate cost comparisons, and generic or insufficient exchange rationales. The Report also significantly expands findings on account-type recommendations, including transfers between brokerage and advisory accounts and rollover recommendations. Firms that have not updated their Reg BI policies and procedures to address RILAs, account-type recommendations, and the cost/alternatives analysis should do so promptly.
Books, Records, and Off-Channel Communications. FINRA continues to find firms failing to retain business-related text messages, not capturing communications from part-time CCOs or FINOPs using third-party email, and relying on overly general policies that do not specify permitted and prohibited communication platforms or the consequences for violations. The SEC and FINRA enforcement environment around off-channel communications has produced significant fines across the industry. Firms should treat this as a standing examination and enforcement priority with zero tolerance for gaps.
Cybersecurity and Third-Party Vendor Risk. The 2026 Report dedicates significantly more space to both internal cybersecurity controls and vendor risk management. FINRA has observed increased cyberattacks and outages at third-party vendors and expects firms to conduct initial and ongoing due diligence on vendors supporting mission-critical systems, which should include assessing vendors’ use of GenAI. The new FINRA CORE program signals that cybersecurity intelligence-sharing between FINRA and its member firms will continue to expand.
From the Floor: Bates Group at the 2026 FINRA Annual Conference
Bates Group attended the 2026 FINRA Annual Conference in Washington, D.C. (May 12–14), where many of this Report’s priority themes took center stage in discussions between regulators, member firms, and industry practitioners. Our team attended sessions across several priority areas and identified specific signals that member firm compliance officers should factor into their planning for the second half of 2026.
Two topics generated the most significant discussion. On Reg BI, FINRA disclosed 49 formal actions in 2025, with churning and excessive trading appearing more frequently in those cases than FINRA had anticipated. Firms with active trading programs and commission-based compensation should review their Reg BI supervision specifically for excessive trading indicators, not only documentation quality. On generative AI, the key conference focus was on operational maturity: moving AI from experimentation into operational workflows, with continued emphasis on governance, supervision, testing, documentation, data privacy, and human review.
Three additional examiner observations warrant attention. On AML and customer identification, FINRA is flagging instances where unrelated customers share the same phone number, email address, or physical address in firm records; firms are expected to detect and correct these anomalies as a standing CIP obligation. On best execution, FINRA raised concerns about routing to affiliated market makers through dark pools; firms must document a rationale showing that those decisions satisfy the best execution standard. On trade reporting, FINRA identified option origin code errors where professional customers are not being tagged correctly, so they receive order priority and fees reserved for non-professional participants.
How Bates Group Helps
Our BD/RIA Compliance and Regulatory practitioners support broker-dealers at every stage of the FINRA examination and enforcement cycle: from pre-exam preparation and mock examinations through response, investigation defense, and remediation.
For the 2026 priorities specifically, we offer:
- Compliance gap assessments mapping the 2026 FINRA oversight priorities against your firm’s specific business lines, products, and risk profile
- AML program reviews and independent testing, including model and system validations tailored to your firm’s transaction monitoring, CIP/CDD, and SAR processes
- Reg BI compliance assessments, including annuity exchange reviews, account-type recommendation documentation, and cost/alternatives analysis
- Cybersecurity program and Regulation S-P compliance reviews, including vendor oversight assessment and incident response plan development
- GenAI governance support, including policy development, risk assessments, and supervisory framework design for firms deploying AI tools
- Off-channel communications compliance reviews, including policy assessment, surveillance program evaluation, and remediation support
- Mock FINRA examinations simulating the document request and examination process to identify gaps before examiners do
- Outsourced CCO services and regulatory investigation support when examinations escalate
Contact Bates Group today to discuss your 2026 FINRA compliance readiness.