The 2026 FINRA Annual Regulatory Oversight Report provides firms with insight into findings from FINRA’s regulatory operations programs including Member Supervision, Market Regulation and Enforcement. Addressing a broad range of topics spanning conflicts of interest, artificial intelligence and financial crime, the report contains information that firms can use to strengthen their compliance programs in 2026 and beyond.
The 2026 report emphasizes FINRA's continued focus on emerging risks while maintaining vigilance over traditional compliance concerns. The priorities signal where regulators will concentrate their examination efforts and where firms should strengthen their oversight.
Bryan Smith, FINRA Senior Vice President and Acting Head of Strategic Intelligence, explained in FINRA's Unscripted podcast discussing the 2026 report that the priorities reflect both regulatory obligations and recent findings from enforcement actions and investigations. Importantly, Smith noted, the report goes beyond identifying deficiencies to highlight "those effective practices of what firms can be doing, not just what they shouldn't be doing" for better compliance across the firm.
Common Themes Across the FINRA 2026 Priorities Report
Several consistent themes run throughout FINRA's 2026 priorities:
Technology and Innovation: Artificial intelligence, particularly generative AI, continues to reshape how firms operate and serve customers. FINRA expects firms to implement comprehensive governance frameworks around AI adoption, including robust testing, monitoring, and oversight of AI-powered tools and services.
Financial Crime Prevention: Bad actors continue to exploit vulnerabilities in the financial system. FINRA emphasizes the need for enhanced anti-money laundering (AML) controls, improved fraud detection capabilities, and stronger defenses against cyber-enabled financial crimes.
Conflicts of Interest: Transparency and fairness remain paramount. Firms must ensure that compensation structures, product recommendations, and business arrangements prioritize customer interests and comply with Regulation Best Interest and other applicable standards.
Operational Resilience: As firms increasingly rely on complex technology systems and third-party vendors, maintaining operational continuity and managing vendor risk have become critical compliance imperatives.
Highlights of the report include:
FINRA continues to prioritize the detection and prevention of financial crimes, recognizing that sophisticated criminal networks constantly adapt their tactics. The 2026 report emphasizes that firms must maintain robust AML programs capable of identifying suspicious patterns and emerging schemes.
Bill St. Louis, Executive Vice President and Head of Member Supervision at FINRA, highlighted persistent deficiencies in this area during the podcast. "We're seeing firms who have failed to maintain written supervisory procedures reasonably designed to detect and report suspicious activity," St. Louis noted. "We're seeing issues around inadequate customer due diligence." He emphasized that "these requirements that I just laid out are not new. These are foundational obligations laid out in our FINRA Rule 3310 and the Bank Secrecy Act. And yet we still see AML failures and supervisory failures."
Regulatory scrutiny will focus on whether firms have implemented adequate customer due diligence processes and enhanced due diligence for high-risk customers. FINRA expects firms to leverage technology and data analytics to identify unusual transaction patterns, particularly those that may indicate money laundering, elder fraud, or other financial exploitation schemes. Examiners will assess whether firms promptly file Suspicious Activity Reports (SARs) when appropriate and whether AML surveillance systems are properly calibrated to detect evolving threats.
The increasing sophistication of cyber threats demands heightened vigilance from member firms. FINRA's 2026 priorities emphasize that cybersecurity is not merely an IT issue but a fundamental compliance concern requiring board-level attention and comprehensive risk management.
Cyber-enabled fraud schemes continue to evolve, with criminals using social engineering, account takeovers, and identity theft to victimize investors. Feral Talib, Senior Vice President and Head of the Office of Financial Crime Detection Strategy at FINRA, explained during the podcast that "the flip side of that coin is account takeovers to support the pump portion of the pump and dump, which we're seeing some new sophisticated methodology." FINRA expects firms to implement multi-layered security controls, including strong authentication measures, employee training programs, and incident response procedures. Firms should regularly test their cybersecurity defenses and update protocols to address emerging threats.
In the Anti-Money Laundering, Fraud and Sanctions section, FINRA emphasizes that firms must maintain comprehensive AML programs that address evolving financial crime threats. Despite these being foundational obligations under FINRA Rule 3310 and the Bank Secrecy Act, examiners continue to find significant deficiencies.
The report highlights common failures in written supervisory procedures designed to detect and report suspicious activity, as well as inadequate customer due diligence processes. Firms must implement risk-based approaches that include verifying customer identities, understanding the nature and purpose of customer relationships, and conducting ongoing monitoring to identify transactions inconsistent with known customer profiles. Enhanced due diligence is required for higher-risk customers, including politically exposed persons and those conducting business in high-risk jurisdictions.
Transaction monitoring systems must be calibrated to detect red flags associated with money laundering, including structuring, rapid movement of funds, and transactions lacking economic rationale. When alerts are generated, firms must conduct thorough investigations and document their findings.
Sanctions compliance has taken on heightened importance as geopolitical tensions evolve. Firms must screen customers, transactions, and securities against Office of Foreign Assets Control (OFAC) and other sanctioning authority lists at account opening, periodically during the customer relationship, and in real-time for transactions. Given the dynamic nature of sanctions programs, firms should monitor regulatory updates and adjust screening processes accordingly.
FINRA maintains its focus on detecting and deterring manipulative trading practices that undermine market integrity. The 2026 report highlights the regulator's commitment to identifying schemes such as layering, spoofing, pump-and-dump schemes, and other forms of market manipulation.
St. Louis noted during the podcast that "threats evolve over time, including ramp-and-dump and pump-and-dump schemes, targeting exchange listed issuers operating outside of the United States."
Talib provided additional context on emerging patterns: "The primary risk we're seeing right now is market manipulation and low price securities, which are experiencing a reemergence." FINRA continues to "monitor the market for real-time intelligence, so we can see and notice red flags in real time where low float, high price changes, and foreign securities listed in U.S. markets when they start moving."
Talib also highlighted emerging risks: "Crypto treasuries we are reviewing with a close eye. There's manipulation and insider trading in these new, in new asset classes."
Firms must maintain surveillance systems capable of detecting potentially manipulative trading patterns across multiple asset classes and trading venues. These systems should be regularly reviewed and updated to address new manipulation techniques, including those that may involve algorithmic or high-frequency trading strategies.
Talib noted that technology has amplified traditional threats: "What's old is new again, because of technological advancements. Vulnerable investors in different subgroups have always been targeted. But the targeting was not as effective. Whereas now with advanced technology, it's easier to isolate these vulnerable investors and focus efforts on harming them by fraudsters." He emphasized that "technology is making all of these old frauds much more risky."
Generative artificial intelligence represents both significant opportunity and substantial risk for the securities industry. FINRA's 2026 priorities reflect the regulator's recognition that AI adoption is accelerating while governance frameworks are still maturing.
Ornella Bergeron, Senior Vice President and Head of Technology Risk and Cyber Threat Intelligence at FINRA, emphasized the dual nature of this technology during the podcast. "With all the benefits that GenAI has, firms really do need to understand that this transformative technology could cause significant operational and compliance risks," Bergeron explained. "Effective practices include having robust governance frameworks, continuous monitoring, proactive risk management in the space. And obviously, supervision and testing are key."
Firms deploying generative AI tools for customer-facing communications, research, trading, or other purposes must establish comprehensive oversight. This includes conducting risk assessments before implementation, maintaining human supervision of AI-generated outputs, and implementing testing protocols to identify potential errors, biases, or compliance failures. FINRA expects firms to document how AI tools function, what data they use, and how outputs are reviewed before distribution to customers or use in business decisions.
Operational effectiveness underpins all compliance efforts. FINRA's 2026 priorities emphasize that firms must maintain robust infrastructure, controls, and procedures to support business activities while protecting customers and maintaining regulatory compliance.
Business continuity and disaster recovery planning remain essential, particularly as firms rely increasingly on technology and complex operational arrangements. FINRA expects firms to regularly test these plans and update them to reflect changes in business operations, technology dependencies, and potential disruption scenarios.
Books and records remain fundamental to regulatory oversight and customer protection. Firms must maintain complete, accurate records that comply with SEC and FINRA requirements, with systems capable of producing records promptly for regulatory examinations and customer inquiries.
As firms increasingly outsource critical functions to vendors and service providers, managing third-party risk has become a top regulatory priority. FINRA's 2026 report emphasizes that while firms may delegate tasks, they cannot delegate their compliance obligations or supervisory responsibilities.
Examiners will assess whether firms conduct appropriate due diligence before engaging vendors, particularly those that will handle customer data, execute trades, maintain books and records, or perform other critical functions. This due diligence should evaluate the vendor's capabilities, financial stability, regulatory history, cybersecurity controls, and business continuity planning.
Ongoing monitoring is equally important. Firms should regularly review vendor performance, conduct periodic risk assessments, and maintain contractual rights to audit vendor compliance with service agreements and regulatory requirements. FINRA expects firms to be able to demonstrate that they maintain adequate oversight of all material vendor relationships and can identify and mitigate risks these relationships create.
Centralized compliance management systems provide firms with structured workflows for vendor due diligence, automated reminders for periodic reviews, and consolidated repositories for vendor contracts and risk assessments that facilitate both ongoing oversight and examination preparation.
FINRA continues to focus on associated persons' activities outside their relationship with member firms, which can create conflicts of interest, supervision gaps, and customer protection concerns. The 2026 priorities emphasize that firms must maintain effective systems to identify and supervise outside business activities (OBAs) and private securities transactions (PSTs).
St. Louis highlighted the persistent challenges in this area during the podcast: "Another area that we continue to see crypto raise its head is around undisclosed outside business activities and private securities transactions. And yes, the report has a robust section on that. That's definitely an evergreen section. It's one of the areas that generates the most number of disciplinary action." He noted that FINRA sees "registered individuals working as fundraisers, promoters, investors in crypto, all unbeknownst to their member firms."
Firms should have clear policies requiring associated persons to report OBAs and PSTs promptly and completely. These policies should define what activities require disclosure, establish approval processes, and specify ongoing reporting obligations under FINRA Rule 3270 (Outside Business Activities) and FINRA Rule 3280 (Private Securities Transactions). Supervisors must actively review these activities to identify potential conflicts, regulatory violations, or risks to customers.
Red flags requiring heightened scrutiny include associated persons serving in roles at entities that engage in securities-related activities, undisclosed compensation arrangements, involvement with entities that have regulatory issues, or patterns of incomplete or delayed disclosures. FINRA expects firms to investigate thoroughly when OBAs or PSTs present heightened risk and to maintain documentation of their review and approval decisions.
Accurate and complete books and records are foundational to regulatory oversight, customer protection, and firm operations. FINRA's 2026 priorities emphasize that firms must maintain records that comply with all applicable SEC and FINRA requirements and implement systems and controls to ensure record-keeping obligations are met.
Examiners will assess whether firms maintain required records, including customer account documentation, communications, trading records, financial records, and supervisory documentation under SEC Rule 17a-4 and FINRA Rule 4511. Records must be maintained in the required format, for the required retention period, and in a manner that allows prompt production for regulatory examinations and customer inquiries.
Off-channel communications remain a significant concern. FINRA continues to emphasize that business-related communications via text messages, messaging apps, personal email, or other non-firm channels must be captured and retained in accordance with regulatory requirements. Firms should implement policies prohibiting business communications through unapproved channels, provide authorized communication methods, and conduct surveillance to detect potential violations.
Across all areas of the report, there are common themes regarding proactive steps that firms can take to stay compliant with the many areas of regulatory concern outlined in the report. These include:
In the report, FINRA also reminds member firms to stay apprised of new or amended laws, rules and regulations, and update their written supervisory procedures (WSPs) and compliance programs on an ongoing basis.
The 2026 Annual Regulatory Oversight Report provides valuable guidance for compliance professionals navigating an increasingly complex regulatory environment. By understanding FINRA's priorities and aligning compliance programs accordingly, firms can better protect customers, maintain market integrity, and demonstrate their commitment to regulatory excellence. Compliance officers should review the full report and assess whether their firms' policies, procedures, and resources adequately address these priority areas.
Let MCO help you meet the heightened expectations of FINRA and regulators across the globe in 2026 and beyond. Our integrated solution lets compliance professionals efficiently and cost-effectively demonstrate they are proactively managing the regulated activities of the company, employees and third-party relationships and easily provide proof of regulatory compliance. MCO can help you streamline compliance across your organization and be ready to stand up to regulatory scrutiny.