Building a Responsible AI Strategy for SEC-Registered Advisers and Broker-Dealers

Overview


AI adoption in financial services isn't slowing down. For SEC-registered advisers and broker-dealers, the question is how to use AI responsibly within an existing regulatory framework.

In a recent webinar, Red Oak Co-Founder and Chief Compliance Evangelist Cathy Vasilev was joined by Amber Allen of Eversheds Sutherland and Johanna Anders, Head of U.S. Distribution Compliance and CCO at Janus Henderson Investors, for a practical conversation on exactly that. Together, they covered how existing rules apply to AI-driven workflows, what regulators are currently asking for, and how firms can build governance structures that scale.

Critical Questions Powered by Red Oak

Existing rules apply to AI. For advisers, fiduciary duty, the compliance rule (206(4)-7), and books and records obligations all extend to how AI tools are deployed and supervised. For broker-dealers, FINRA Rules 3110, 2210, 17a-3, and 17a-4 apply regardless of whether content is generated by a person or a model. Regulation SP adds requirements around customer data safeguarding and incident response.

Start with a living AI inventory that classifies every tool by risk level, including internally developed systems. Build a cross-functional governance committee with legal, compliance, IT, security, and risk, and define a full lifecycle for each tool: intake, review, pilot, production, re-evaluation, and decommission. Document risk-based decisions. Embed meaningful human oversight into high-stakes workflows — and make it easy enough that people actually do it. Role-specific training and updated cybersecurity policies are also non-negotiable.

AI doesn't create a different standard. If anything, it raises the bar. FINRA Regulatory Notice 24-09 is clear: AI-generated content is subject to the same supervisory and communication requirements as any other firm communication. Controls need to be embedded in the workflow from the start, not added after. Key areas to manage: books and records retention, data transfer terms with vendors, data minimization, and monitoring for model drift over time.

Transcript

Amber Allen  12:01:45 

I'll hand it over to Cathy and Johanna for brief introductions. 

Cathy Vasilev  12:01:50 

Hello, everyone. I'm Cathy Vasilev. I am one of the co-founders of Red Oak. And Red Oak is a provider of technology solutions for the financial services industry. 

Johanna Anders  12:02:03 

I'm Johanna Anders, head of U.S. Distribution Compliance and CCO of the Broker-Dealer at Janus Henderson. My role sits at the intersection of marketing, distribution, and regulatory oversight. So a lot of what we're going to talk about today around AI, particularly governance and communications, is very much front and center for us. 

Really looking forward to the discussion. 

Amber Allen  12:02:24 

Thank you. All right. And if you'd like CLE for today's discussion, you can scan the QR code. If we can navigate to the next slide. Thank you. And the other option, you should have received a confirmation email this morning, so you can also click through that. 

Please take notes of the passcodes and submit within 48 hours per CLE credit. 

And with that, we can go ahead and get started. So as we are all, I think, at this point, acutely aware, artificial intelligence is transforming the way that organizations operate. And for legal and compliance professionals it really raises a set of unique opportunities, challenges, and can result in needing to change and enhance governance programs. 

So today's discussion is designed to help you think practically about how to do that and how to implement AI responsibly in your organization. As AI continues to evolve, so should your legal and compliance programs. 

And that's going to be likely an ongoing and continuous effort, especially given how quickly we're seeing changes in the AI use case and just level of involvement that we're seeing organizations incorporate AI today. 

To get started, we want to set the stage with the SEC and FINRA regulatory frameworks. We think it's helpful to start there because that is really what's going to govern and control your governance program. So we've seen a regulatory shift away from the prescriptive rules that we've seen in the past, such as the withdrawn predictive data analytics rule, to a more tech-neutral and evolving regulatory approach that actually welcomes AI usage much more so than we saw in prior administrations. However, that does not mean that the existing regulatory framework does not apply. Still very much important and required as you think about how your firm will implement and use AI, and how to update your governance program. 

So for investment advisors, that's going to include the fiduciary duty. We're starting there because it's really such an important and critical consideration that should shape your firm's governance program. 

As fiduciaries, advisors owe a duty to clients by operation of law, given the nature of their relationship, and that's enforceable under the anti-fraud rules. The SEC does interpret this incredibly broad and it requires a fiduciary duty to be applied through all aspects of the relationship, and that applies to a firm's AI usage. 

In addition to that, there's Rule 206(4)-7, the compliance rule. Investment advisors are required to implement a compliance program that's reasonably designed to prevent violations of the Advisers Act. And that includes oversight of AI systems to align with the fiduciary obligation and to ensure that those programs are operating as expected. 

That testing program is going to look a little different likely, depending on the types of programs that you're using, how you're using AI, the data that's being stored. And again, the testing program will likely need to evolve as your use case evolves. 

Rule 204-2 of the Advisers Act, or the Books and Records Rule, establishes comprehensive records that investment advisors that are registered with the SEC need to maintain, and certain books and records requirements may apply to a firm's AI usage as well. One thing to keep in mind is how a firm uses AI can really affect the required records. So, for example, if you are maintaining an AI platform that's used for trade and research, consider how you're documenting your firm's trade recommendations, and if you need to take that AI platform into account from a books and records perspective. If it's the only place that you're actually documenting those recommendations and the rationale, chances are you will likely need to be maintaining those records. This is a very firm-specific, facts-and-circumstances analysis though, so it's important to really take the time to walk through all of these considerations. 

Regulation SP is another factor to keep in mind, and it imposes requirements regarding safeguarding and disposal of customer information that may apply depending on your firm's usage of these AI tools. 

It also establishes certain service provider oversight requirements and incident response. Incident response is one of those areas where it's another thing to keep in mind because it can be easy to focus on testing the output and making sure that you've got the required records accounted for and maintained, but don't forget to incorporate and think through how would we actually respond to an incident if an AI tool leads to a data breach, especially as firms are becoming more and more dependent on these platforms. 

All right. And for broker-dealers, the existing and current regulatory framework applies to their operations as well. So keep in mind Rules 17a-3 and 17a-4, which cast a broad net for the required books and records. And those records are required regardless of whether the content is generated by a person or AI. So the use of AI doesn't change those record keeping obligations and what might count as a record. Supervision under FINRA Rule 3110, as well as Regulatory Notice 24-09, FINRA has made clear that existing supervision rules apply to AI systems. So that's something that firms will want to keep in mind as part of their supervision. And AI systems do evolve, and that's going to trigger changes with the supervision process as well. 

In terms of communication, FINRA Rule 2210 will apply, and depending on a firm's AI usage, that rule may be applicable. So if used to communicate with the public, ensure that that content is fair and balanced and not misleading. And we'll discuss some of these considerations in more detail shortly. 

Depending on your firm's particular usage, additional regulatory requirements may apply, as well as some other legal requirements. And so those are things to note and make sure you have accounted for as part of your governance program. 

For example, firms that are subject to Rule 3170 should ensure that those AI tools aren't being used to circumvent recording and retention requirements and your surveillance frameworks. 

FINRA has released various guidance that can serve as a helpful resource, not only for broker-dealers, but also for other firms in the financial industry, including investment advisors that may choose to either voluntarily follow or just use those notices as a guide as they're thinking through how to adjust their firm's AI governance program. 

So now that we've got the regulatory framework set, let's shift now to think about exam obligations. AI was mentioned multiple times in the 2026 exam priorities and we're starting to see requests related to AI and SEC exams. 

What should firms be thinking about not only in anticipation, but to ensure that they're adjusting their compliance programs so they're structured to maintain the required records and be prepared for the next regulatory exam? I'll open it up to the panel. Cathy, any recommendations here? 

know AI washing is something that I've been hearing of recently. Previously, there was a focus on greenwashing, and now there's a new focus on AI washing or overstating a firm's usage. 

So it's helpful to hear the types of requests that we're seeing related to that. 

Johanna, anything that you're thinking of as an in-house practitioner and how to stay ahead of these types of regulatory requests? 

Johanna Anders  12:13:20 

Yes, absolutely. I think having a framework in place is key. Inventory and broad definition so everyone's on the same page as far as what is AI and then the usage and then obviously that governance framework extending off of your existing one so it's not a bolt-on, per se, but really taking a look at it for your end-to-end connectivity in your systems. 

Cathy Vasilev  12:13:43 

I would also like to point out you're going to have training requirements. And obviously different people at different levels of the organization are going to have different training requirements. So you want to make sure that you're having AI training that is specific for the individual's job function. 

Amber Allen  12:14:01 

That's a great point. And I think to just also noting the types of AI tools that each job function might use. Maybe you have a general firm tool that you're using, a broad AI tool, but then you, in addition to that, you might have very specific department tools to help with legal functions, research functions, and really specialized types of work that is occurring day to day in the business. 

Cathy Vasilev  12:14:30 

And you're going to want to have performance evaluation reports so that you can show the regulators that you are, you know, testing these AI functions, and that you are reporting on them so you know exactly what's going on. And as you mentioned before, Amber, the whole incident reports, you're going to have to be able to report those incidents and report on whether there are regulatory, ethical, or legal issues, and how you resolve them. 

Amber Allen  12:14:58 

Yeah, I think that's a great point, Cathy, and something that you would want to have in hand before you need it because the last thing that a firm wants to be doing is trying to track down the appropriate contact information at a vendor, and you're also in the middle of an actual incident. So it's helpful to have that information ready to go and in your incident response program so that you can reference it when the time is needed. 

All right, so let's shift now. Cathy, I'll hand it back to you to talk through some of the requests that we're seeing. Any additional notes here on things that firms should keep in mind? 

Cathy Vasilev  12:15:48 

Make sure they are also asking for your contingency plan. So if, God forbid, the AI goes down, which Claude is prone to doing, or you know the AI hallucinates or does something, you need a contingency plan on what it is that you're going to do if that happens. So not only do you have to document every time that happens, but you also are going to need a contingency plan. If you are using any type of AI for your client suitability information, you're going to have to produce that and how it is that your AI is deciding what risk tolerance this client is. 

If you are using it to run your models, you're going to have to have model validation reports to make sure that it, you know, there is no drift, there isn't anything else going on. 

And of course, you had mentioned before, not only do you have to update your policies, your compliance policies and procedures, this is going to require an update to your cybersecurity policies and procedures. So you're going to want to get your CISO involved. 

Amber Allen  12:16:54 

Great point. There's a lot of intersection between AI and various policies, whether it's privacy and data security, incident response, your overall compliance testing program. So it's important to make sure that those policies are consistent across the firm. 

All right. So we've got our first CLE code of the day, Oversight. Proper oversight is key for establishing a strong AI governance program. 

So we've talked a lot about the regulatory requirements for IAs and BDs. Firms should also consider other legal and regulatory requirements that may apply depending on their use case. These do vary widely. 

Depending on a firm's location, the data that's being stored, and how a given AI tool is being used, state and international laws may apply as well. So keep that in mind, especially as your firm may be considering or looking at expanding business operations. 

And it's helpful to know what those additional legal obligations are before the move so that you can start working through your firm's necessary updates and updating those policies and procedures, conducting training. 

Another thing to keep in mind is just that evolution. Maybe you're not moving, but you're just trying to keep up with the changes in state laws. And that's an area where you reach out to your counsel and work closely with them to keep an eye on changes in legal requirements, and to make sure that you have insight into what you should be planning for ahead. 

International laws as well. The EU AI Act is one that's top of mind for a lot of firms with EU operations. There are also, as I mentioned, evolving state obligations and the Colorado AI Act has been one that is top of mind for firms right now. But the list is always evolving, so it's important to keep those in mind as your use case changes and as you're expanding operations. 

The data stored and accessed in a given tool can also affect what legal requirements apply. For example, we've talked some about the data privacy and cybersecurity requirements. 

There might also be employment law considerations, depending on how your firm is using a tool. So if your HR department has a tool and it's being used to process employment data, work closely with your legal counsel there to understand what requirements apply and any necessary data protections that you might need to consider. 

There are also intellectual property considerations that can become increasingly complicated, not only yours as a firm that you might have an interest in protecting, as well as the product or your vendors that are providing the firm. And so having an understanding of how you can and cannot use the program, and the steps that your firm might want or need to take in order to protect that intellectual property, is another thing to keep in mind and incorporate as part of your overall governance strategy. Contractual obligations may also affect your firm's use of an AI tool, and as a result the governance program as well. 

We're starting to see more questions and requests on the agreement front. So whether that's looking at how to manage vendors for an AI tool or onboarding new clients. Clients are starting to request terms to be incorporated that would govern how a firm uses AI. And there's been an evolution, I think, in some of the requests that I've seen. Initially I did see a lot of flat-out prohibitions that would essentially prevent a firm from using AI. Now, especially given all that we're seeing with vendors incorporating AI increasingly, it seems like every time that I go to log in, even personal apps, there's a new AI tool that is available. So it's a little difficult to completely restrict it, although some firms will request that, but having a way to track those requests as they come in, I think, is something that firms will want to do. 

And especially as you see changes, you might not always be able to use a template AI provision. And in that case, having a way to track any variants that you've agreed to, to make sure that the firm is meeting its contractual obligations, is something to consider as well. 

Cathy Vasilev  12:22:04 

Yeah, Amber, and I would note on that topic that customers need to be very careful when looking at those contracts, and they should definitely involve their legal counsel, but you especially want to look around the limits of liability, especially with some of the state laws that are coming out over AI. You want to make sure that your firm is covered. 

Amber Allen  12:22:28 

Great point, Cathy. And I think too, keeping in mind the vendor due diligence obligations for registered advisors and broker-dealers, consider what you can do to help make your life a little bit easier too as you're needing to roll out or comply with amended Regulation SP. Should you be including, or can you incorporate in vendor contracts, certain terms that would require a vendor to provide a reasonable due diligence response to help implement your program? So thinking about some of those things and incorporating them along the way will hopefully help alleviate some of the work on the back end. 

Okay, if we can move to the next slide, I'll open it up to the panel for a practical discussion. Johanna, what are some of the biggest challenges that you're navigating as an in-house practitioner with AI usage? 

Johanna Anders  12:23:30 

Yeah, yeah, and taking a look at these questions, they're very interconnected. So from an in-house perspective, the biggest challenge really isn't the technology. It's operationalizing governance in a way that actually scales. 

Amber Allen  12:23:45 

Any tips for firms that are trying to do just that? 

Johanna Anders  12:23:51 

Yeah, I would say a lot of firms, especially firms going through acquisitions, mergers, really taking a look at the end-to-end connectivity as it relates to your technology, how does it connect, what are your controls. How can you leverage and scale, you know, across the board? You know, and then as you pivot, I would say, you know, taking a look through the internal and client lens, you know, internally, AI adoption, it's moving faster than the most traditional control frameworks were designed to handle. 

And we're seeing a lot of decentralized usage across the board emerge, you know, across the business. At the same time, from an industry perspective, there's still a level of uncertainty because regulation remains largely, as we've been talking, principles-based. So firms are really having to interpret how existing rules apply in real time while they're trying to keep the wheels on the bus with challenges that come every single day. 

I would say from a third-party vendor perspective, so the complexities increase when you layer that on. So, where transparency, data handling, and model behavior aren't always fully within your control. So a key focus is ensuring strong due diligence from a vendor perspective, clear accountability, and ongoing oversight. So not just at the onboarding stage, but throughout the lifecycle. 

And then pivoting to innovation and governance. The goal isn't to slow AI adoption. So I think everyone agrees AI, if we ignore it, it's not going away, right? It's really to put the right infrastructure around it so we can scale in a way that's both effective and defensible. 

So, in my opinion, the firms that are ahead aren't limiting adoption. They're building repeatable, defensible frameworks that allow innovation and control to evolve together. 

So I'm really seeing a large shift across the industry from those one-off approvals to really standardized repeatable frameworks, and that's what really enables the scale. 

Amber Allen  12:26:04 

I think vendor due diligence and corralling some of those requests. That's something that I've seen firms have questions on and also just struggle to try to find what works best for them. 

What works best might depend on the firm's size, the culture, interoperations, and it really is a matter of working to see what works best for your firm. 

I've seen a lot of success with centralizing some of those vendor requests to filter everything in. At the same time, depending on which group, oftentimes it's compliance and or legal that is either overseeing that process or participating, you might need to pull in assistance or support from other departments, from other groups, depending on the volume of requests that you're receiving. 

And then for other firms, maybe it's not practical to have that housed only in a single department. And in that case, there might be some sort of a layered approach where department heads or some other designated person is responsible for conducting that initial pass on determining if the firm wants to move forward with even reviewing a vendor, and then it would go to the key group that is responsible for actually conducting that due diligence. 

Another thing that I've seen be successful in terms of vetting and implementing AI programs, making sure that you're including those key users and having them involved in the entire process because they will be the ones using the platform the most day-to-day. It's helpful to have them involved in the testing oversight and any sort of vendor changes that you might need to make in the future. 

Cathy Vasilev  12:27:59 

I know one of the biggest areas that we are helping our clients as they navigate this process. Of course, the most important one is the governance. You know, you're trying to create governance while regulations are still evolving. You know, it just makes it harder. 

And there's also concerns around, you know, there's overlapping expectations from the various regulators, depending on the firm's size. So, you've got to have a real clear governance framework before it's totally crystal clear what you need. So working with that, and then in working with that, you come to the data fragmentation, you know, the old adage, garbage in, garbage out. There's an issue with using AI and the AI needs a lot of data to make, you know, to make various decisions and to be implemented properly. So a lot of firms are having to do a very large data migration in order for this, you know, to work well for them. And to get you to the point where you're like, what do I want to use AI on versus what don't I. Here's the risk-reward perspective there? I want to do it, I know there is value, but looking at the risk side, and then, take a look at, you know, do the higher risk items. When I was at the FINRA conference recently, one of the FINRA regulators, compliance people, don't be afraid to put the brakes on. 

Amber Allen  12:29:33 

That's right. And, you know, speaking of slow and steady process, another recent focus that I've heard or challenge in the industry that folks are trying to solve is AI purgatory. And it's where you are implementing so many AI tools. Maybe you have some partially implemented, but you're not really actually getting fully onboarded with a given tool and how to change that and make sure that if a firm is implementing an AI tool that it's actually being used and adopted in a way that's consistent across the firm. 

I think it can be challenging when you have multiple tools that are being onboarded. And then of course, if they're not being used, in the meantime, it's creating a lot of other work for legal compliance and the other departments that are involved in getting those programs up and running. So there's a big push that I'm seeing in terms of making sure that these programs are actually being used. 

Johanna Anders  12:30:41 

And I would also add a key component going back to regulation and how do we adopt that regulation now to AI in that regard, I think it's also key to document your risk-based decisions and your risk appetite, especially when we're dealing in a framework that is very much principles based. 

Amber Allen  12:31:02 

Agreed. 

Record keeping is another question that we see a lot of these days, and I think oftentimes, you know, you want a straightforward answer, a yes or a no. This is required or this isn't required. And because of some of the nuances that are required in order to determine what is required and how a firm is using it, it can often take a little bit longer and require a close review in order to determine what is actually required. So we're seeing a lot of firms take a thoughtful approach to that. And as a result, it can help reduce some of the records that a firm's maintaining. There are also concerns surrounding even the legal costs associated with maintaining and managing these, particularly if a firm's receiving an SEC request or a FINRA request or a subpoena, and some of, you know, thinking through some of the legal costs that could be incurred as a result of needing to review a ton of records, especially, you know, the AI note-taking tools come to mind. And having to review just hours on hours of records as part of a response can be not only expensive, but also a very big investment of time. 

All right, well, let's shift now to the next slide. And I'll hand it back to Cathy to discuss strategic implementation of third-party solutions. 

Cathy Vasilev  12:32:45 

Thank you. So what is your firm going to use AI? There are so many use cases and strategies that are currently available in the marketplace. And ones that are currently in development. 

In our industry, I'm seeing an awful lot of it being used in marketing review; email review is very popular. You know, at the FINRA conference, I watched as a vendor rolled out their new AI, which was actually quite popular. I can speak at least in the adopting release of Reg SP, there is a discussion about the call transcriptions, you know, using it for videos, for summaries of information. Also, there's the use of it for vision, and vision is when it's examining your charts and graphs and looking at the images and the different things that are in there, making sure disclosures are there. The images are proper. 

You've got your trading and portfolio management and support and surveillance systems. I mean, anything that you've ever thought about is probably covered. I've actually seen, you know, DDQs and RFPs being used very frequently with this as well. 

Amber Allen  12:33:53 

Thanks, Cathy. And I see we've got a question from the audience on whether FINRA or the SEC has considered making use of federal and state non-US regulatory frameworks governing AI use as well as on state law considerations that come into play, and as we discussed, you know, we're applying the existing regulatory frameworks. And so just because you're required to apply Regulation SP and your fiduciary duty and some of the other regulatory requirements that we discussed does not mean that you are relieved from your state obligations or international obligations that might apply in addition to these requirements that we're discussing. 

Amber Allen  12:35:18 

All right, back to you, Cathy. 

Cathy Vasilev  12:36:02 

Okay, so how do you handle governance and oversight? Very big question going to be pared into a very small summary. Just remember there's more than this. So you've got your legal and regulatory considerations. You know, AI use in financial services sits square at the intersection of multiple regulatory frameworks. You know, you've got the SEC and FINRA, the OCC, the CFP. You've even got the EU AI Act, you know, and if you're a European, you know, firm, this is going to be applicable to you. So you have to take all of these into consideration when you are putting together your regulatory considerations for your different policies for governance. 

Regulators are going to expect firms to monitor for disparate impact risk. They are going to make you, they're going to expect you to look for biases that produce some type of a discriminatory output, especially in the HR tools. 

You need to know who owns your AI-generated content. You need to, you know, they need to be specifically in your governance documents listed as the person who's responsible for it. You're going to have to review your vendor contracts to make sure you know what the data rights are, and that you are taking care of. You're going to need to look at the indemnification clauses and the restrictions, especially if you're using, you know, sensitive data input, your PII. 

There are cross-border data transfer obligations which may be triggered by using AI. So you need to look into that. The governance process itself is, you know. 

It is probably a best practice already to make sure that you have some type of an AI governance committee or working group that's been set up that represents legal, compliance, IT and security, risk and operations, and any other relevant business lines that you think should be involved in it. 

You need to define a clear life cycle for your AI tools. You know, it's like, there's an intake, a risk assessment, a legal and regulatory review. You've got your CISO review, you run a pilot, pilot is successful, hopefully it goes into production, but now you're going to need a periodic re-evaluation. An AI tool that you just put out there and publish and never touch again will be out of date within 6 months, and you'll be in big trouble. 

And then you need a decommission policy on how to decommission it when you've decided either you no longer want it or you want to replace it with something else. As we mentioned earlier, you need to create and maintain an AI inventory. So that's a living registry of every AI tool that's being used in your firm. Your policy should state the ones that you approve, and you should be monitoring to see if anybody is using ones that have not been approved, because they keep changing on such a rapid basis. That includes any internally developed systems that you have, and you need to pin a risk to each of these so that you know whether they're low, medium, or high, and you can spend the appropriate amount of time testing them, depending on that risk. 

As I mentioned before, you make sure that you give explicit ownership of the AI tool to an individual and hold them responsible. 

Again, risk classifications belong to all of those. You need to set thresholds that trigger when an escalation should happen. So if something goes wrong with the tool, it hallucinates, it does something else. What is your escalation and enhanced review policy so that you can make sure what needs to be elevated for senior level risk mitigation and you know what you can mitigate yourself. 

You should build checkpoints into your vendor onboarding process, so have a standard due diligence. I mean, everybody has a standard due diligence process for vendors. It's just going to be enhanced for AI. And you want to have regular meetings with this governance committee that you have established. At a minimum annually, or anytime something changes with your model, your data, a regulation changes, so you want to make sure that you've set that up. Some of the larger firms are actually considering adding a chief AI officer to, you know, their staff, but in the absence of that, you're going to have to assign that AI oversight responsibility to somebody else in the C-suite. And I wouldn't be surprised if that lands in the CCO suite. 

The tone for AI has to be set at the top, just like the tone for compliance has to be set at the top. So you need all your senior-level leaders doing exactly what the policy says, promoting exactly what the policy has, and you need to make sure that you have a non-penalty-enforcing type of a system where people without fear of penalty can come forward and say, hey, I've seen this, or hey, this isn't good, or hey, did you know that this is happening? So you need to have kind of a whistleblower type thing. 

You're going to need succession planning and business continuity planning. Because what happens if all you have on your staff is one AI person and that person leaves, you need a contingency plan for that. 

And you have to understand that any place that you use AI throughout your organization for any compliance or operational functions and tasks, all of that's going to have to be covered by the rule. 

You need a human in the loop. Everybody says it at FINRA. They must have said it 100 times at their conference. You need a human in the loop because you need meaningful human oversight for, you know, especially for high-stakes AI decisions, because you can't just rubber stamp things. So you're going to want to put together your low risk, medium risk, high risk of when an individual human gets involved as opposed to when you just let the AI tool, you know, do its thing. 

I mentioned earlier, you need training for all of these personnel. 

You need to make this human in the loop part easy. If you make it hard for people, they tend not to want to participate, and things fall through the cracks. 

And we've seen this already, where even attorneys have been like, oh, I put it through AI and here's what I got. And I'm just going to produce it. I'm not even going to review it. And it's wrong. So do not get overconfident that this AI is wonderful because while it has a lot of efficiencies, it also has errors, and you as the human in the loop are the person responsible for catching them and helping to make it a smarter tool. 

You need an AI use policy. You need an AI governance policy, you know, you need to identify what those prohibited things are that you will not allow, as well as those things that you will allow. You need to make sure that people are trained, that they acknowledge that they've been trained, and that you're tracking their training. So you need to treat it more like probably most firms do social media as far as assessing it and getting it going. 

Policies should be a living document. I believe all compliance policies should be a living document, and it needs to be updated in real time as things happen. And you need to make sure that you are involving all the employees in this process because otherwise you run the risk of missing something that's important that would be important to them. 

You're going to have to conduct formal AI risk assessments. When you first adopt it and then at some periodic basis thereafter, I would recommend more frequently in the beginning, and once you have a comfort level, maybe it's less frequently. But you're going to want to integrate this AI risk assessment into whatever enterprise risk management framework that you have. 

And yeah, you're going to train, you're going to test, you're going to retrain, you're going to test. It's kind of a rinse and repeat kind of thing. And you want to document all the testing results, all the training, all the everything that you do. That's all part, you know, of your documentation and record keeping, because let's face it, in this industry, if you didn't document it, it didn't happen. Period. That's the maxim that we all live by. So make sure that you are keeping records of everything. 

You know, every risk assessment, every human-in-the-loop decision, all the audit logs. Audit logs are crucial. You know, all the communications that you do, you know, with employees to make sure things are working appropriately, make sure that you are following your record retention policies for 17a-3 or 17a-4. And you're going to have to answer yourself certain questions. How could your firm be impacted or disrupted by AI? 

Depending on your answer to that, that helps you with your policies and procedures. Do we have a comprehensive list of all the AI tools being used? If you don't, you need one and you can't just assume they're not being used because I would recommend that a client go out and ask all of their employees what they're actually using, they're stunned. 

How can we monitor and enforce our policies? Are we updating our policies as AI use evolves? And in the meantime, things are evolving so quickly, you may be actually doing your policies and procedures on a monthly basis, it would not surprise me. 

Amber Allen  12:44:54 

We received a question on AI testing and what is AI testing? 

And I'll open this up to the panel as well. I've seen a variety of testing and it really does depend on the AI tool that's being used. Some tools you might be able to test in the normal course of business. An example of that would be if you are using AI to conduct some research, and the tool provides links to the resources, and you would be going to those resources to validate the information and validate the conclusion. 

In addition to that, at the firm level, you also want to have some controls in place to ensure that people are actually doing this and that the program is working as intended and that people aren't using these AI tools without oversight. And as part of that process, you might have either as part of your steering committee or AI governance committee, there might be either a subset of people or a designee that conducts sample testing to see how these tools are being used. As I think we've all really seen at this point in our AI journey, the output can be very dependent on how you're prompting the question, and so looking at how information is being prompted, what the results are. And also using that for training can be really helpful and can promote adoption as well. 

Another thing to keep in mind, we talked a little bit about discriminatory practices, and I wanted to raise the issue of a fiduciary responsibility with respect to client account treatment. Especially if you're using AI tools to manage or make trading decisions. Keep that in mind because just because you're using an AI tool does not mean that you don't have a fiduciary duty to place your client's interests first. And so there needs to be a review process to make sure that that's actually being implemented and to check for potential bias, especially if the firm is managing internally owned accounts and looking to ensure that those accounts aren't being favored over client accounts, and also to check, to evaluate whether certain clients are being prioritized over another, or if certain securities are being prioritized over another without adequate rationale or research to support those decisions. 

So those are just a few considerations for part of your AI testing program. And actually one more point in terms of the communication piece for output, one, I think, heavy lift that I've seen firms need to navigate is how do you oversee those outputs of the AI note-taking tools? If you're maintaining them, you want the notes to be accurate. And typically that would involve including the participants in the call and making sure that there's a process to review the notes and, to the extent there's any inaccurate information, having a process to then document, actually, this is what was said. Maybe it's sent via email to correct the record, but so that you have something on file. That way, if the record's requested later and it's inaccurate, you do have that trail to show what needed to be corrected. 

That's not to say if you do have a required record, you want to maintain it. You do want to maintain that required record to the extent you're required to but you also want to have a correction process in place. 

Johanna Anders  12:48:44 

Amber, I'd also add, I know one of the big use cases we talked about is marketing, communications, financial promotions. As part of that testing and oversight, a couple of key things to look at is the AI guidance cross-referencing a particular rule, you know, and has that morphed. Themes, you know, review themes, are they consistent? In that regard? So those are a couple of things to think about with that use case as well. 

Amber Allen  12:49:12 

Definitely. 

All right. Let's advance to the next slide, please. And we've got, I believe our second CLE code. 

Oh, anything else to add to the last slide, Cathy? I think we might have covered it. 

Cathy Vasilev  12:49:30 

I think we covered it all. I mean, I would just say you have an existing framework for your policies and procedures and how things are put together. You have an existing framework for what you consider low, medium, and high risk. Follow that same framework with AI to determine, you know, if I'm going to use AI in AML, have I already considered this to be a high-risk area? Okay, AI in it makes it even higher risk. And so you're going to test it accordingly. 

Amber Allen  12:49:32 

Okay, excellent. 

That's right. And I think too, depending on how you're using it, whether it's AML or trading, looking at the inputs as well as the outputs and evaluating if the outputs are as expected and if they make sense, if they're accurate, those are important things to include as part of your overall governance approach and strategy. 

All right, we've got our next CLE code of the day, regulatory. CLE code number two is regulatory. 

So I see we've received a few specific questions in terms of what's required, and I think it'll segue nicely into our marketing and communications segment of today's discussion, as well as the AI note taking segment that will follow shortly. So without any further delay, I'll pass it over to Johanna to talk through marketing and communications. 

Johanna Anders  12:50:53 

Okay, thanks, Amber. So when we think about AI in marketing and communications, and more broadly, globally, financial promotions, this is one of the areas where regulatory expectations are already well established and where we're seeing immediate practical impact. 

So, from a regulatory perspective, the existing framework still fully applies. So whether it's books and records under 204-2, the marketing rule, Regulation SP, or FINRA requirements around communications and supervision. In particular, you know, there's a FINRA regulatory notice, 24-09. So FINRA has reinforced this in recent guidance, making it clear that AI-generated content is subject to the same supervisory and communication standards as any other firm communication. 

So FINRA has been very clear through recent guidance that AI doesn't create a different supervisory standard. If anything, it raises the bar in terms of understanding how these tools operate and ensuring appropriate oversight. 

And in particular, I know a lot of the AI-generated content, it is getting really good and very hard to distinguish between what's real, what's AI-generated. So going back to some of those key points that Cathy mentioned with disclosures and really understanding the input and the output are very key. So, those AI-generated communications must be supervised. We must understand model behavior and also ensure systems are reasonably designed to comply with these existing rules. 

So AI doesn't necessarily change the rules, but it does increase the need to apply them consistently at scale. 

So where AI is, it really changes the speed, volume, and variability of content creation. It means risk can escalate much more quickly if these controls aren't embedded in the process. 

So really taking a look at some of the key questions and with that, introducing a framework. So the way we're approaching this and a lot of industry across the board is through core questions, focusing on how these tools operate in practice. 

So I know you've heard a lot today about books and records, you know, so this is first, how are we maintaining these books and records? If AI-generated content is being used or relied upon, we need to ensure it's appropriately captured, retained, and supervised. So it's not a one-and-done where you can leave it, but really, you know, I bring it back to the three R's. So you retain it, you retrieve it, and you have to reproduce it, you know, for regulatory purposes. 

Data vendor risk. So second, what are the data transfer terms? And what's happening to the data being input into these tools? So that is very critical to think through from both a privacy and a third-party risk perspective. 

Third, data minimization. So what data is actually being used, and how are we minimizing that data appropriately? So AI can quickly expand the amount of information being processed if it's not properly constrained. You know, as it relates to marketing communications, you'll usually see, and this is where some firms are still struggling with substantiation libraries and key material statements of fact, usually when you see one piece of marketing on the website, you may see it downstream in a press release, in a fact sheet, in a commentary. You know, so really taking a look at if it's wrong in one place, how big that can be proportionally. So making sure that that is understood, how that is being used across your collateral. 

And then finally, model risk and drift. So what controls do we have in place to monitor for that drift and ensuring those outputs remain consistent and compliant over time. 

So really, from a practical standpoint, the focus is on embedding controls into the workflow, not layering them on after the fact. 

So, 3 key things, you know, human-in-the-loop review for client communications, clear guardrails around where AI can and cannot be used, going back to some of the things we discussed with the governance, with our policies. And then last, supervisory frameworks aligned to those existing regulatory expectations. So whether that is, I'm seeing a lot of firms as well, especially asset managers who are global, taking into account all of your different regulations and coming up with global baseline standards and how to apply that consistently across the board. 

To be able to leverage and scale. Time to market expectations and whatnot. So, it really comes back to balancing enablement and control, and making sure we're supporting the business while maintaining defensible oversight. 

In particular, whether there's a regulatory exam, lawsuit, investigation, you have your documentation of all the items we had discussed, you know, in particular as part of that governance. 

So really thinking about AI as a force multiplier. Both for efficiency and for risk. So our role is to ensure those scale together responsibly. 

And I'll leave you with this thought as part of marketing communication. So it's not about replacing human judgment, especially as we deal in the gray every single day. It's about augmenting it and scaling it in a controlled, defensible way. 

And that's where standardized, repeatable frameworks become critical. So decisions remain consistent and auditable in that regard. Just as a human. So think about whether you're filing marketing content with FINRA, or you have a team of 20 folks that do review and approval of content, how do you maintain consistency across the board and that oversight to be able to leverage and scale? 

Amber Allen  12:57:02 

Thanks, Johanna. 

Great points, and I think leveraging and scaling, as we discussed earlier, really getting buy-in across the board can be something that's easier said than done. Having a process to promote usage firm-wide, I think can be a helpful way to incorporate these tools. 

Let's shift now to talk a little bit quickly about AI note-taking. And we've got a poll here. Please, if you're an RIA, let us know what you think about AI note-taking tools and we will, on the next slide, check in to see what thoughts are in terms of our AI note-taking tools producing required records for RIAs and broker-dealers. And while we're collecting the polling information, I'll just talk through some of the considerations that firms should keep in mind. 

The same regulatory framework that we discussed earlier today applies. So think about how the AI note taking is storing, producing, and how that information is being shared and maintained. 

If it's not distributed, at least for broker-dealers, there is an argument that it's not a required record. There's a thought that the communication is occurring during the call, not necessarily once the notes are being produced. That said, it depends on how those records are used after the call. That can affect this analysis. So, for example, let's say that you're maintaining a transcript of a call, and one of your colleagues isn't able to make it, you send those notes to your colleagues so that they can see what happened during the meeting; that would likely be viewed as communication. And so not only how the tool is being used, but the way that it's being used after the fact, can also affect this analysis. 

And that's why, as we mentioned earlier, there's not a one-size-fits-all approach to some of these record-keeping requirements. It really does require a careful review of how the firm's using these tools and how they're maintaining it. Some firms might store the records off system, while other firms might store these records on Teams, and they'll direct people, you know, go check in on the summary here. And so that use case can change and affect a firm's required records, and that's something to keep in mind. Some platforms will also, as part of these note-taking tools' output, automatically send an email to all of the participants with the recording and the transcript. In that case, the communication is, of course, maintained, or should be maintained, as part of the firm's email retention process. 

And then lastly, depending on how you're using a tool, if maybe it's the only place that you're maintaining certain required records, whether it's related to research or certain other communications. So keep those considerations in mind as you're thinking through whether or not these records are actually required. 

Read the Blog Post

Every few years, a new technology forces financial services firms to ask the same question: how do we adopt this responsibly? AI is at the center of that question right now, and the stakes are high. Regulators are paying attention, the tools are evolving faster than policy can keep up, and firms need real governance infrastructure.

At a recent webinar bringing together securities regulatory counsel, Red Oak's co-founder, and a head of distribution compliance, the message is that firms waiting for a prescriptive AI rulebook are waiting for something that isn't coming. The current regulatory posture is tech-neutral and principles-based. Existing frameworks apply. Firms must be able to demonstrate that they have thought about how their AI use is covered, through documentation, process, and accountability.

The Regulatory Framework Hasn't Changed

The current administration's move away from prescriptive rulemaking, including the withdrawal of the predictive data analytics rule, might be misread as regulatory breathing room, but the underlying obligations have not changed. Investment advisers operate under fiduciary obligations that extend to every dimension of the client relationship, including how AI tools are deployed. The compliance rule under 206(4)-7 requires programs reasonably designed to prevent violations, and AI oversight falls squarely within that requirement. Books and records obligations under Rule 204-2 may apply depending on how AI outputs are used and stored. If an AI platform is where trade recommendations or research rationale live, those records likely need to be retained. Regulation SP reaches vendor oversight and incident response, which now includes AI-related scenarios.

For broker-dealers, FINRA Rules 3110 and 2210 apply to AI-generated content and supervision of the systems producing it. Records requirements under Rules 17a-3 and 17a-4 hold regardless of whether content originates from a person or a model.

AI appeared multiple times in the SEC's 2026 exam priorities. Firms are already receiving AI-related requests in examinations, and the scrutiny isn't limited to AI failures. Regulators are paying particular attention to “AI washing”: firms that overstate their AI capabilities in marketing and client-facing materials. The same enforcement instinct that drove greenwashing scrutiny in prior years is now trained on AI representation.

The Governance Infrastructure Regulators Expect to See

What regulators expect, and what sophisticated firms are building, is infrastructure that extends naturally from existing controls rather than a separate program added after the fact.

Firms need a clear, shared internal definition of what counts as AI: where the line is, which tools fall within it, and how edge cases are handled. Without that, usage inventory is impossible, and without usage inventory, governance remains theoretical.

The structural components that hold up under scrutiny include a cross-functional AI governance committee spanning legal, compliance, IT, security, and risk; a defined lifecycle for every AI tool covering intake, risk assessment, regulatory and legal review, CISO review, piloting, production, periodic re-evaluation, and formal decommission; a living AI inventory with risk classifications applied to each tool, including internally developed systems; explicit ownership assigned to a named individual; and escalation thresholds that distinguish what can be resolved at the team level from what requires elevation.

Human oversight is a regulatory expectation. Regulators have been consistent on this point, and it was reinforced throughout the 2026 FINRA conference: meaningful human review needs to be part of high-stakes AI decisions. The practical implication firms often miss is that oversight only works if the process is easy enough to follow. Cumbersome review mechanisms get skipped. Governance design has to account for how people behave under operational pressure.

There’s a broader shift underway in the industry: firms are moving away from one-off AI approvals toward standardized, repeatable frameworks. The goal is an infrastructure that lets innovation and compliance scale together rather than one constraining the other.

Third-Party Vendors: Due Diligence Doesn't Stop at Onboarding

Third-party AI vendors present a particular governance challenge because firms often have limited visibility into model behavior, data handling, and transparency. That limited visibility means the risk doesn't end at onboarding.

Due diligence processes vary by firm size and culture. Some centralize intake through compliance or legal. Others use a layered model where department heads conduct an initial pass before requests move to formal review. What matters less than the specific structure is having a consistent, documented process that extends through the full vendor lifecycle with clear accountability at each stage.

Contract review deserves particular attention. Vendor agreements need scrutiny around limits of liability, data rights, and indemnification. Terms that seemed adequate a year ago may no longer hold given the pace of new state AI legislation. On the client side, AI-related contract requests have evolved as well. Early requests often included outright prohibitions on AI use, and those are becoming more nuanced as AI becomes embedded in vendor platforms across the industry. Firms need a mechanism to track AI-related contractual commitments they've made and verify they're actually being met.

Marketing Communications: Controls Belong in the Workflow

AI doesn't change the rules governing marketing communications. It changes the volume and velocity at which those rules need to be applied, which is a distinct problem that requires deliberate design.

Because AI can generate content faster and at greater scale, risk escalates quickly if controls aren't embedded from the start. The relevant framework covers four dimensions: books and records retention for any AI-generated content that's used or relied upon; data vendor terms governing what can be input into AI tools; data minimization, since AI systems can expand the scope of information being processed if not properly constrained; and monitoring for model drift, because outputs can shift over time as the underlying rules and disclosures being referenced are updated.

AI-assisted workflows amplify a propagation risk that firms often underestimate. An error in one piece of content, such as a material misstatement in website copy, tends to surface downstream in fact sheets, commentaries, and press releases. The same efficiency that makes AI useful in content production makes inaccuracies easier to spread at scale. Human review of client-facing communications, clear policies on where AI can and cannot be used, and supervisory frameworks aligned to regulatory expectations are the controls that prevent that compounding.

Record Keeping: The Analysis Depends on the Use Case

AI note-taking tools have created a record-keeping question without a universal answer. For broker-dealers, whether a call transcript constitutes a required record depends on what happens to it after the call. Notes distributed to colleagues who weren't on the call likely qualify as a communication subject to retention requirements. Notes stored internally without being shared present a different analysis.

Some platforms automatically send email summaries to all participants, which resolves the question, since those records fall under normal email retention obligations. Accuracy matters here as well. If AI-generated notes contain errors, firms need a correction process and a documented record of what was changed and why. That trail becomes material if the record is requested in an examination.

Firms need to walk through each AI tool and each use case individually. Existing policies frequently don't cover new tools without deliberate extension, and assuming they do is a gap waiting to surface.

Firms must build governance infrastructure that can flex as technology and the rules around it continue to evolve together. Establish clear internal definitions, documented processes, and human oversight that can actually be followed. Manage vendor relationships as ongoing obligations, not completed transactions. Those who treat AI governance as an operating discipline will be better positioned when regulators and clients come asking.

Contributors

Cathy Vasilev is the Co-Founder and Chief Compliance Evangelist of Red Oak.

Amber Allen is a Securities Regulatory Counsel at Eversheds Sutherland.

Johanna Anders is Head of Distribution Compliance, North America and CCO at Janus Henderson.