Is Your AI Governance Ready for an Examiner?

Overview

Watch

Brian Rubin spent years inside SEC Enforcement and as Deputy Chief Counsel of Enforcement at NASD (now FINRA). He now represents firms in SEC and FINRA examinations as a partner at Eversheds Sutherland. In this Red Oak Fireside Chat, Brian joins Chief Supervision Evangelist James Cella for a candid conversation about where AI governance stands today in the regulated financial services industry — what firms are getting right, where exposure is forming, and why governance has to come before any AI tool goes live.

Continue the conversation with us live on July 16 — register for
Red Oak Insights | AI in Financial Services: A Legal, Regulatory, and Enterprise View

Play

Critical Questions Powered by Red Oak

CCOs don't need to wait for specific AI rules to start building defensible governance. Regulators are already applying existing supervision, recordkeeping, and communications rules to AI-generated outputs — and the firms that get caught won't be surprised by new regulations. They'll be caught by the old ones.

The immediate priorities for CCOs are governance framework documentation, defined approval processes for AI use cases across compliance, legal, IT, and business functions, and updated incident response plans that contemplate AI-specific scenarios like hallucinations and data leakage. The goal isn't perfection. It's demonstrating to a regulator, two years from now, that the firm acted reasonably before enforcement expectations were fully crystallized.

Existing rules are being applied to AI right now — and that's precisely what makes the current moment risky for firms.

Regulators have historically followed a pattern with new technology: rapid adoption by firms, a period of regulatory silence, then enforcement actions using established rules. It happened with email, social media, and off-channel communications. AI is following the same arc. Books and records requirements, supervision obligations, and anti-fraud provisions don't disappear because the underlying tool is new.

Firms don't need to wait for AI-specific rules to govern AI responsibly. The framework already exists. What's missing for most firms is the internal governance infrastructure to demonstrate compliance with it.

For marketing and distribution teams, AI introduces the same governance questions it does for compliance — just applied to content creation, review workflows, and communications at scale.

AI-generated content that goes to market without documented review creates the same kind of exposure as any other supervisory gap. The SEC has already brought AI washing cases under its marketing rules and anti-fraud provisions. Overstated AI claims, AI-generated communications distributed without adequate review, and records that weren't retained are the early patterns examiners are finding.

The right approach isn't to avoid AI — it's to build the review and documentation infrastructure before the tool goes live. Compliance-Grade AI™ supports that: it captures what was generated, how it was reviewed, and by whom, so every piece of AI-assisted content carries a defensible, auditable record.

Transcript

0:00 

Hi, my name is James Cella. I'm the chief supervision evangelist here at Red Oak. Uh, and today I'm joined by attorney Brian Rubin. Brian, great to have you here with us. Can you give us maybe just a brief introduction of yourself? 

0:14 

Sure. Uh, as you can see, I'm situated in the middle of the Title Basin in DC. 

0:18 

I am a partner with Evershed Sutherland, which is a global law firm. I'm co-head of the Securities 

0:26 

Enforcement Group. I used to work at SEC enforcement and I was also deputy chief counsel of enforcement at NASD FINRA and 

0:35  

my primary practice is representing firms being examined and investigated by the SEC FINRA and the states and AI is my friend at this point in time. 

0:47 

Awesome. And we're hoping to ex uh to dig a little deeper into your friendmy relationship uh with AI and so we're really grateful to have you join us. So 

0:55 

today we're going to be talking about AI in a regulated environment specifically with a legal perspective that uh Brian brings to the table. So uh so Brian you 

1:03 

you spent your early part of your career uh in the regulator uh regulators chair at the SEC in FINRA uh which was uh NASD 

1:12 

at the time and the last two decades on the other side of the table representing firms in enforcement. Uh so when you 

1:19 

read headlines about AI in financial services right now, what does that combined vantage point having seen both 

1:25 

sides of the equation? Uh what does that sort of mean to you and sort of like what is that uh you know sort of revealing itself certainly in these early stages of AI? 

1:35 

Yeah, I think the big point is that regulators have been applying and will apply 

1:41 

existing rules to AI. So having sat on both sides, I can see the enforcement cycle is already forming. Someone only 

on the regulatory side might not fully appreciate how quickly firms are adopting and using AI. And somebody 

1:58 

who's only been on the industry side might not grasp how the regulators going to sort of dust off their old traditional rules, supervision, 

2:06  

recordkeeping, and communication requirements and hold firms accountable. 

2:11 

And the lack of regulatory issues or rules at this point could be a trap for some people. But just because there's no 

2:19 

specific AI rules doesn't mean that enforcement isn't coming. And off-ch communications is a perfect example. You 

2:28 

had new technology like texting and WhatsApp and firms were being penalized using the old existing recordkeeping 

2:36 

rules. So I expect we'll be seeing similar kinds of things. 

2:40 

So, you know, kind of digging into that a little bit more. Uh, it seems very clear that regulators are still using in 

2:47 

some cases paperbased or or rules that were based upon paper or memo communications or letter communications. 

2:53 

Uh, certainly non-digital communications when it comes to AI. Is that what you're you're you're seeing not only on the regulatory side, but as far as how uh firms are trying to react to AI? 

3:06 Yeah, I think that's fair. and the books and records requirements are a perfect example of that. Um, but as I said, I 

3:13 

think from the regulators perspective, they are seeing that their existing rules still apply to AI to digital issues and firms should be aware of that. 

3:23 

Yeah. So, there's a longunning pattern in financial services where regulators don't often write the rules to keep up with new technology. uh though we've 

3:30 

seen uh recently that FINRA is really trying to uh make those updates with some of the announcements they made last year. Uh but uh so 

3:40 

uh sometimes we see these rules they won't be applied until years after the after the fact. Uh so where do you think AI sits in the cycle right now? Uh and 

3:48 

what would you tell a CCO who is trying to plan around that sort of level of uncertainty? uh especially you know uh 

3:56 

considering the the broad scope that that AI now brings uh to our environment right at this point AI is firmly in the 

4:04 

existing rules apply phase which is historically potentially risky for firms AI tools are widely adopted but there 

4:14 

aren't specific AI rules and as we talked about in the past when there have been technological changes like with 

4:22 

email social media texting, that sort of thing. There was rapid adoption, a period of regulatory silence, and then enforcement actions using the old rules. 

4:33 

And I think that's what we're going to be seeing now. So that means CCOs should not wait for bespoke AI rules. Both the 

4:41 

SEC and FINRA, as you mentioned, have been signaling attention through exams and guidance, and that's what we'll see. 

4:49 And the final point for CCOs is the firm's mantra for AI should really be governance, governance, governance 

4:57 

because you've got to build the AI oversight framework right now. And I know we'll get into a lot of those 

5:04 

issues, but you need the processes in place before you adopt the AI. And also, you shouldn't overlook things that you 

5:12 

already have like your incident response plans. They should contemplate AI specific scenarios like hallucinations, 

5:20 

data leakage, that sort of thing. And the goal is to show the regulators that the firm acted reasonable reasonably 

5:28 

before enforcement expectations are ultimately fully crystallized. 

5:32 

So you co-authored the NCP firm and CCO liability framework. Can you tell us a little bit about that? 

5:39 

Yeah. So the framework was meant to help the regulators and the SEC and FINRA have been using it to focus on what CCOs 

5:47 

are and what they aren't and in general they're not supervisors they provide 

5:53 

advice. So, in this context and and I think we'll talk about it, although CCOs are going to be intimately involved with 

6:03 

their firms, they're going to be part of a management team and they likely won't have the power of the purse. They likely 

6:11 

won't be able to hire and fire at will, but they will be playing an important role in providing the compliance advice. 

6:19 

uh and ultimately they should be able to distance themselves and say I wasn't managing the process but I was involved with it 

6:27 

and so AI does really sort of intensify that level of exposure or potentially uh intensify that level of exposure then. 

6:35 

Sure. Yeah. Whenever you're dealing with new technology or new issues and in particular AI because it's so fastm 

6:42 

moving and so vast in terms of what it's able to do, there are potential firm and possibly individual liability issues. 

6:51 

Uh have you had CCOs approach you and talk to you about some of the the uh uh concerns about personal liability when it comes to AI systems and having humans 

6:59 

in the loop or what sort of advice are you giving them, I guess? Yeah. So, a little bit. I mean, I think CCOs's are 

7:06 

mainly interested in the governance type issues setting things up. I think at this point, we haven't seen any cases. I 

7:14 

don't think they're that concerned about CCO liability. But, you know, obviously the CCOs don't have to be coders. 

7:23 

They're part of a team. The members of the team have various expertise. So the teams are going to involve compliance, 

7:29 

legal, IT, business leaders to review and approve the uses of it. And CCOs are going to play a fundamental role like they always do in asking key questions. 

7:41 

The the liability could increase if there's a material problem and they know about it and they fail to act and the 

7:49 

best protection for them like in all scenarios is to document what's happened. 

7:54 

Right? So without naming names of course what kind of AI related compliance failures are starting to show up uh in 

8:02 

your scope in your purview you know what are the some of the matters and things that you or your colleagues are asked to defend 

8:09 

well we haven't defended yet but in terms of what the examiners have been looking at the first issue is 

8:16 

exaggerated AI claims and then related operational governance so things like AI washing bad content overstating what AI 

8:25 

does or how central it is, overly optimistic language, um that sort of thing. And it's worth noting that the 

8:33 

SEC has brought AI washing cases using its marketing rules and the anti-fraud provisions. And then the related 

8:41 

operational failures include um AI generated communications going out without reviews, records not being 

8:49 

retained, surveillance outputs being ignored. Um, we're also seeing analogies to prior enforcement issues. So, one 

8:57 

example is books and records. Firms use AI meeting assistance to record, transcribe, summarize calls. 

9:05 

And then firms may not have adequately considered recordkeeping and supervision issues. Another issue again analogous is 

9:13 

unauthorized use like with the off channel cases. So employers may be using public employees may be using public AI 

9:22 

because they may not like what their firm has or their firm doesn't have sufficient tools. So they're plugging in client data into public chat box 

9:30

creating confidentiality issues, books and records issues, that sort of thing. 

9:35 

And the last issue is MNPI and PII. Um AI has access for example to internal 

9:43 

research, deal information, client trading, confidential information. And the problem is if there's leakage or the 

9:51 

information is moving from one channel to another channel. And again, all of this is consistent with issues that we've seen before. The new the 

10:00 

technology is new, but the compliance risks aren't really that new. Do you feel like regulators have done an ample 

10:07 

job of sort of warning what uh are you know warning your clients as far as what they should be looking out for uh when it comes to these sorts of things? 

10:15 

Yeah, I there's not going to be any goncha issues. I think the regulators are grappling with the same issues that the firms are. The regulators have been 

10:23 

putting out guidance, making speeches, that sort of thing. So I I think for the most part the regulators and firms are 

10:31 

on the same page with regard to what kind of potential issues there are. No doubt the regulators will end up focusing on something that hasn't gotten 

10:40 

a lot of publicity at some point in time. Um but that's just natural and that's going to be expected. 

10:45 

Yeah, for sure. So, so I guess uh you know as we we kind of wrap up a little bit here, you know, if a CEO came to you tomorrow and said, “Hey, our firm is 

10:54 

about to uh our firm is about to roll out an an AI system and part of our as part of our new business initiative uh 

11:01 

that that does touch compliance. Um what do I need to do uh to protect myself, the firm, and our clients when it comes to this?” What what sort of advice would you give them? 

11:10 

First, I need an engagement letter and big retention from them. But assuming assuming that's already in place, uh the 

11:16 

the first issue is that various parts of management and compliance are going to have to get involved before there's launch at all. So AI isn't just an IT 

11:26 

project. You need governance. So you need compliance, legal, technology, business. Um all with a documented 

11:33 

approval process for use cases. And since we're talking about CCOs and we talked about CCOs before, the message 

11:41 

for CCOs is there, they should be providing advice, not supervising. The second issue is building the process 

11:50

before the tool goes live. So you want written policies, approval, use, diligence, testing, training, auditing, 

11:58

monitoring, all of that stuff. Um, for CCOs, the question that CCOs's may not 

12:05 

be thinking about right now is what am I going to tell an examiner and show an 

12:12 

examiner 2 years from now when I get examined? So, the roll out really has to have a clear record of who was involved, 

12:21 

who approved it, how it was tested, how the outputs were were reviewed, how issues are escalating, all of that 

12:28 

stuff. And then the final advice that I would give that I talk to compliance and executives at firms all the time is champion championing the right culture. 

12:41 

So you've got to train the employees about what AI can do and what it can't do. So emphasizing that AI is really a 

12:50 

helper, not a decision maker. It's not infallible. It shouldn't be used as a crutch. You have to foster a culture 

12:58 

that views technology through a compliance conscious lens. 

13:05 

And uh are you finding that CCOs's and infosc and IT folks are coming closer and closer together with with a lot of these things? 

13:14 

Yeah, I think interact a lot more. 

13:17 

Right. I I think they are and when we've been dealing with you know cyber security issues in the past they've also 

13:26 

been working closely. So I think this is just a continuation of how technology is impacting firms and the firms are should 

13:35 

be working together as a unit or as a group trying to deal with these issues. 

13:40 

Absolutely. Well thank you so much Brian. This has been uh very interesting and thank you so much for the wonderful conversation as we've gone through this. 

13:47 

Uh so we're going to wrap up here but we will be having a deeper dive into into this topic with a few other panelists in an upcoming webinar and uh we look 

13:54 

forward to seeing everyone soon and again Brian thank you so much for joining us today. Thanks James. Thank you. 

Read the Blog Post

Governance First. Everything Else Follows.

AI governance in financial services isn't a future problem. According to Brian Rubin, it's a present one — and the firms navigating it well are the ones that understood that before they touched a single AI tool.

Rubin, a partner at Eversheds Sutherland, spent the early part of his career inside SEC Enforcement and as Deputy Chief Counsel of Enforcement at NASD (now FINRA). He now spends his days on the other side of that table, representing firms in examinations and investigations. That combined vantage point — regulator and defender — shapes everything about how he reads the current regulatory landscape.

“The enforcement cycle is already forming,” Rubin told Red Oak Chief Supervision Evangelist James Cella in a recent fireside conversation. “Someone only on the regulatory side might not fully appreciate how quickly firms are adopting AI. And somebody who's only been on the industry side might not grasp how regulators are going to dust off their old traditional rules — supervision, record-keeping, communications requirements — and hold firms accountable.”

That dynamic, more than any specific regulatory announcement, is what defines the current state of AI in financial services compliance.

The Pattern Is Familiar

Rubin draws a direct line from AI to prior enforcement cycles that reshaped how financial firms operate. Email. Social media. Off-channel communications via text and WhatsApp. In each case, the sequence was the same: rapid adoption, regulatory silence, enforcement using rules that were already on the books.

“Just because there are no specific AI rules doesn't mean enforcement isn't coming,” Rubin said. “Off-channel communications is a perfect example. Firms were penalized for texting using old record-keeping rules. I expect we'll be seeing the same kinds of things with AI.”

In Rubin's assessment, “AI is firmly in the existing rules apply phase.” Supervision obligations still apply to AI-generated communications. Books and records requirements still apply to AI outputs. Anti-fraud provisions still apply to AI-assisted marketing content. The technology is new. The compliance obligations are not.

For compliance, supervision, and marketing teams alike, that's the operational reality.

What Regulators Are Looking For

Rubin is direct about what's already showing up in examinations. The first pattern is exaggerated AI claims — AI washing, overstated capabilities, overly optimistic language about what an AI tool does or how central it is to firm operations. The SEC has brought cases on this using its marketing rules and anti-fraud provisions. It isn't theoretical.

The second pattern is operational gaps: AI-generated communications going out without review, records not being retained, surveillance outputs being ignored. These aren't new failure modes. They're familiar compliance breakdowns attached to a new technology.

“The technology is new,” Rubin observed, “but the compliance risks aren't really that new.”

A third area getting examiner attention is unauthorized AI use — employees plugging client data into public AI tools because their firm's internal options are insufficient, creating confidentiality, record-keeping, and data security exposure simultaneously. The analogy to off-channel communication enforcement is direct and intentional.

The Governance Mandate

For CCOs, Rubin's advice is unambiguous: governance, governance, governance — and it has to come before any AI tool goes live.

“AI isn't just an IT project,” he said. “You need governance, you need compliance, legal, technology, and business, all with a documented approval process for use cases.”

That governance infrastructure serves a specific purpose: demonstrating to an examiner, two years after deployment, that the firm acted reasonably — that the right people were involved, that the process was documented, that outputs were reviewed, and that issues had a clear escalation path. The standard regulators apply is reasonableness, not perfection. But reasonableness still has to be evidenced.

Rubin also addressed the question of CCO personal liability directly. The NSCP firm and CCO liability framework he co-authored was designed to clarify what CCOs are — and aren't—doing. CCOs provide compliance advice. They are not supervisors in the operational sense. The risk of personal liability increases when there is a material problem, the CCO knows about it, and fails to act. Documentation is the primary protection — not just for the firm, but for the individual.

What This Means Across the Organization

The governance conversation isn't only a compliance conversation. For supervision teams, the questions are operational: are AI-generated communications being captured, archived, and reviewed before they leave the firm? Are surveillance workflows built to catch what AI produces, not just what humans write?

For marketing and distribution teams, the stakes are equally concrete. AI that accelerates content production without a compliant review workflow doesn't reduce the compliance burden — it increases it. The same examiners reviewing supervision gaps are the ones reviewing AI washing cases. The documentation requirements are the same whether the content was drafted by a person or generated by a model.

The Firms That Get This Right

In Rubin's view, firms should treat AI governance as a cultural and organizational commitment, not a technical checkbox.

“You've got to train employees about what AI can do and what it can't do,” he said. “Emphasizing that AI is a helper, not a decision maker. It's not infallible. You have to foster a culture that views technology through a compliance-conscious lens.”

The goal isn't to be afraid of AI. It's to be ready for it.

A Note from Red Oak

On July 16, we're hosting a live webinar — Red Oak Insights | AI in Financial Services: A Legal, Regulatory, and Enterprise View — where panelists will share legal, regulatory, enterprise, and technology perspectives on one question: what does responsible AI require? The conversation will explore the accountability gap between AI adoption and compliance oversight, where regulatory expectations are heading.  

The views expressed by Brian Rubin in this conversation are his own and do not constitute an endorsement of Red Oak or any of its products.

Contributors

Brian Rubin is a partner at Eversheds Sutherland and Co-Head of the Securities Enforcement Group. He previously served in SEC Enforcement and as Deputy Chief Counsel of Enforcement at NASD (now FINRA), and now represents firms in examinations and investigations by the SEC, FINRA, and state regulators. Connect with Brian on LinkedIn. The views expressed by Brian Rubin in this conversation are his own and do not constitute an endorsement of Red Oak or any of its products.

James Cella is Chief Supervision Evangelist at Red Oak, bringing more than 20 years of experience building compliance and supervision technology for financial institutions. Connect with James on LinkedIn.

Related Content