Navigating Regulatory Risk in 2026: AI, Alternative Investments, and Enforcement Trends Webinar

0:00
I'd like to take this opportunity to thank everyone for attending our Navigating Regulatory Risk in 2026 webinar where we'll be handling AI alternative investments and some of the SEC enforcement trends.

0:13
My name is Cathy Vasilev.

0:15
I'm one of the Co founders here at Red Oak and I'm pleased to moderate today's conversation alongside my wonderful colleagues from Evershed Sutherland.

0:25
As we move into 2026, firms are continuing to rapidly face a shifting regulatory landscape.

0:35
The use of AI continues to accelerate, alternative investments continue to grow ever more complex, and enforcement activity is signaling some very clear expectations around governance, supervision and accountability.

0:51
So today, we're going to explore how firms can proactively strengthen that compliance regulatory framework while continuing to innovate as they need to.

1:02
For those of you who may not be familiar with Reddick, we're a compliance connectivity platform that has been built specifically for financial services firms.

1:11
We bring together marketing, content creation, the ad review of that content distribution and communication supervision all into one connected system.

1:23
That platform, of course, is going to be powered by compliance grade AI, just like everything nowadays is, but it was built from the ground up to make sure that it meets your regulatory requirements.

1:35
So let's kick it over to Brian and let's dig in.

1:40
I see.

1:40
I am not AI.

1:41
I'm not urban.

1:44
I am in the DC office of Evershed Sutherland.

1:48
I've been here more than 20 years.

1:50
I'm Co head of the Securities Enforcement Group and I work with firms being examined and investigated by the SEC, FINRA and states.

2:01
I was formerly with enforcement at both the SEC and at NASD FINRA.

2:08
And for those of you who don't know, our law firm, Evershed Sutherland is a global law firm with over 3500 lawyers with more than 70 offices across 30 jurisdictions in Africa, Asia, Europe, the Middle East and good old United States of America.

2:24
And in the US, we currently serve more than 1100 financial services clients.

2:30
And I will kick it over to Issa for an introduction.

2:34
Thanks, Brian.

2:35
My name is Issa Hanna.

2:36
I'm a partner on our Investment Services team sitting in our New York office.

2:44
I support broker dealers, investment advisors, insurance distributors, private fund sponsors on various regulatory matters.

2:54
And I'm happy to be here today to talk about AI and alternative investments, which seem to be top of mind for everybody these days.

3:04
Andrew, do you want to introduce yourself?

3:06
Sure.

3:07
Andrew Mount, the council in our New York office and our investment services group.

3:12
And for the sake of time, I do all of the same things for the similar clients as to what ISA does.

3:19
So we're done in heels.

3:22
No, it's an old joke.

3:25
Never mind.

3:29
So today we're going to cover artificial intelligence.

3:33
We are and all three gentlemen are going to opine on this subject because it is such an important subject.

3:39
We're going to talk about the SEC enforcement process updates, which there are quite a few that have come out and then we're going to delve a little bit into alternative investments and what's new on that realm.

3:54
Perfect.

3:55
And I, I can pick, pick it up here.

3:58
Issa and I were going to quickly sort of go over some key regulatory developments over the last a few months to set the table here.

4:06
And the first one we wanted to highlight for everyone was Finra's outside activities rule.

4:12
So the SEC is currently considering a FINRA rule proposal proposal to consolidate the Finra's Oba and PST rules into a single rule.

4:24
That would be Rule 3290.

4:27
I wanted to highlight three major impacts if this proposal does get adopted as proposed.

4:33
The first is that Oba reporting will be limited to investment related activities.

4:39
So associated persons or I'm sorry, registered persons would no longer have to report lower risk non investment related activities like refereeing sports games, trying driving for a car service or bartending.

4:53
The mechanics for actually reporting those activities and the firm's assessment those activities will be similar under the new the new rule if if adopted not identical but but similar.

5:06
The second impact, there are several exclusions to the Oba and PST rule that that will be added as a result of this proposal.

5:15
The 1st is activity on behalf of an affiliate.

5:17
So if you have an associated person who performs functions for an affiliated insurance company or bank, those of those functions performed for the affiliate would no longer be an outside business activity.

5:30
There would be an exclusion for certain real estate activities, the purchase, sale, rental, release of real estate, there's some limitations on that, but it will give more flexibility there and there will be an exclusion for the personal investment in non securities, including non security crypto assets.

5:50
And the third, the third highlight from from this proposal has to do with firm obligations related to advisory activities performed by associated persons at unaffiliated advisors.

6:04
So these would be referred to it, commonly referred to as hybrid Rias.

6:10
Under the proposal, an associated person's activity and an advisor registered with the SEC or with the state would be considered an outside activity and not an outside securities transaction.

6:23
The impact of that is that while an associated person would have to provide prior written notice of the activity, the firm would have to assess that activity upfront.

6:33
The firm would not be required to supervise or record that activity on an ongoing basis.

6:39
And that that's just that would be a significant change from existing obligations under the existing PST rule where firms have an ongoing obligation to supervising record keep hybrid RIA activities.

6:56
So that's the outside activities rule, that's what the SEC, the SEC Moving to the second item, the SEC recently approved Finner's rule proposal to amend the gift limit in Rule 3220.

7:10
The gift limit will increase to $300 per person per year from the current $100 limit.

7:18
That's a change that's about 30 years, 30 years coming.

7:21
I think the $100 limit was adopted about 30 years ago.

7:26
So that's a welcome change for firms.

7:28
There will be corresponding changes to the gifts limit in different FINRA rules.

7:32
As a result of that proposal.

7:34
FINRA is incorporating a bunch of its guidance and interpretive positions as supplementary material to Rule 3220, making it a lot easier to find guidance, guidance on those points.

7:46
There'll be a certain change in valuation methodology, but and, and there will be an Ave.

7:52
for FINRA to grant exemptive relief from the rule.

7:55
And that rule is effective March 30th.

7:58
So at the end of this month.

8:01
With that, I'll kick it to ESA for the next two items.

8:04
Sure.

8:04
And I'll run through these pretty quickly just so that we can get to the main event regarding the the AI content.

8:12
So the next bullet here speaks to another Finner proposal.

8:16
Finner has been very active over the last couple of months.

8:19
This one would loosen some restrictions that currently exist under Finra's Communications with the Public rule that's been Rule 2210.

8:29
Currently, there's a flat prohibition in that rule on projecting the performance of any security.

8:37
What that has created a problem for is those situations where a broker dealer acting as a placement agent for a private fund sponsor wants to market that private fund offering, including target returns associated with that private fund or alternative investment.

8:58
And you know, you wrote then that broker dealer runs into a an issue under that prohibition in 2210 D 1F.

9:07
So what FINRA is looking to do is provide some flexibility with respect to that particular situation and generally speaking align 2210's limitations with the comparable limitations under the Advisors Act marketing rule.

9:23
So with if this kind of gets adopted as proposed, a target performance could be shown in broker dealer marketing pieces and they could do it subject to basically the same conditions that exist under the marketing rules, limitations regarding hypothetical performance.

9:43
So there would be an audience limitation that would be principles based and certain disclosure would have to be provided.

9:52
There's some key differences though compared to the marketing rule.

9:55
This only applies to target or projected returns.

9:59
It does not provide any flexibility with respect to other types of hypothetical performance like model portfolio returns or back tested returns.

10:10
It also has no impact on existing guidance and rules that are that exist with respect to similar types of returns like related performance or interactive analysis tools.

10:27
And then you know, final point, you can't use this this loosening of the limitation here to just advertise target a projected returns broadly, there is an audience limitation that you have to comply with.

10:42
Essentially you have to establish that the party receiving the target returns would be sophisticated enough to understand what they're looking at, but that is still at the proposal stage.

10:52
We'll see if the SEC approves it, but this is this has been a long time coming.

10:56
The last item on this slide relates to a recent no action letter that the SEC staff, you know provided to the industry relating to the routing of transaction based compensation through so-called personal services entities.

11:15
Essentially what, what a personal services entity is, is a, an LLC or other type of corporate entity that is usually owned by an independent registered representative and through which the registered representative, you know, manages his or her own practice, you know, in the financial services space.

11:43
So that entity is used to, for example, handle HR, employment tax matters for, you know, the, the, you know, the, the operation of the independent representative.

11:56
And historically there have been real limitations under the federal securities laws when it comes to routing transaction based compensation through such an entity.

12:05
There's a number of old no action letters that make this very difficult to do, if not impossible.

12:13
And what the new no action letter does is essentially it wipes away the old guidance, which created problems for folks and allows for a method to route this transaction based compensation through an independent, you know, registered representatives, you know, personal services entity.

12:34
There are certain conditions in the in the no action letter that you do have to comply with, but they they, from what we've heard so far, they seem to be pretty workable.

12:43
So that's a good development for the independent space.

12:46
So why don't we go ahead now and jump into the AI related content?

12:50
Andrew, do you want to get us started?

12:53
Sure.

12:53
And we can move to the next slide, The the first slide here, and we won't spend too much time on this, are use case AI use cases.

13:01
And I think people are probably pretty familiar with these at this point.

13:04
But what I would say about these use cases on this slide is they're pulled from, they're pulled from a couple different sources, but the primary source is FINRA guidance, Finra's annual regulatory oversight report, where they provided a list of use cases that they're seeing in the industry and that firms are reporting to them.

13:25
So, so this is a good catalog of the different ways that people are using AI.

13:31
What FINRA has said is that if they've noticed firms using Gen.

13:34
AI to get efficiency gains, particularly with respect to internal processes and information retrieval, their top Gen.

13:43
AI use case is probably no surprise.

13:46
Summarization and information extraction, which which is how a lot of us are, you know, using AIAI.

13:55
Beyond beyond those use cases where we've seen Gen.

13:58
AI being used by broker dealers and advisors are AI note taking applications with the ability to transcribe meetings in real time, provide auto generated summaries, draft follow up emails and flag action items.

14:13
Internal chat bots where firms leverage data, feed it to the chat bots and create systems that can help answer advisor questions, external chat box.

14:23
So that would be like a customer service type interaction.

14:28
And then and then AI used to facilitate supervisory functions, AML fraud detection.

14:35
Those are all areas that we're seeing Gen.

14:37
AI being used in firm processes.

14:41
But we can move, we can move to the next slide.

14:46
And the first topic we wanted to talk about with Gen.

14:48
AI is governance and oversight.

14:50
And I think the first point I wanted to make here is that there are the existing regulatory framework applies to firm's use of Gen.

14:59
AI.

15:00
There's not a separate rule book or separate set of rules that that are.

15:05
That's just for Gen.

15:06
AI.

15:06
You're going to have to look at what the existing regulatory obligations are and make sure that your Gen.

15:12
AI use conforms to those regulatory expectations.

15:16
With regard to governance, the way you know, what FINRA has recommended and what we've seen is firms establishing enterprise level governance through governance committees that include people from different aspects of the organization, legal, compliance, IT and business personnel.

15:36
And what these what these bodies are doing or determining which AI tools and use cases are permitted within the firm.

15:43
Conducting initial and ongoing diligence of AI tools, adopting and maintaining policies and procedures that govern AI use and setting up training on AI capabilities, limitations and compliance requirements.

15:59
You know, the first part of that that I mentioned is determining which AI tools are being used.

16:04
And you know, as far as governance goes, what what firms you know, need to look at is making sure they know what, what different tools they use across the firm that have AI built into them.

16:17
And maintaining it's important to maintain a living inventory of all Gen.

16:20
AI tools and use.

16:22
And I think this may be harder than it sounds because of the way that generative AI has been incorporated into so many existing tools and vendor provided tools that firms use.

16:37
You know, the second aspect I think is some is finding a way to prevent unauthorized use of AI.

16:43
And I heard someone say recently that one of the biggest risks that firms and companies are facing from AI use isn't necessarily what is happening within the walls within their ecosystem, but what's happening outside of them.

16:57
Right, when advisors take information and instead of using the firm approved AI system, they're taking potentially proprietary or sensitive customer information and feeding it into their regular chachi PT tool or or whatever other tool they use in their personal lives, right?

17:15
So we've seen firms developing policies and procedures preventing the unauthorized deployment of unapproved AI applications.

17:25
Andrew, are there other common governance gaps that you have seen across firms in the industry?

17:33
Yeah, I mean, I, I think the other, another area that that firms want to focus on is training, right?

17:38
I mean, and, and, and building a culture because the technology governance really only works if it's embedded in the culture.

17:48
So you want to make sure that you have role specific training on, on what AI used to proved the risks of relying on AI and escalation procedures when AI output seem incorrect.

18:00
And I think 1 area is 22 areas here, 1 prompts training, right?

18:06
The better the prompts that you give to the AI, the better the output.

18:10
So training advisors on how to prompt the AI and building that into kind of in your Gov thinking about that when you're building your governance program is important.

18:20
The second is training on identifying hallucinations.

18:22
I think at least in my mind, one of the biggest risks of using these tools is that they hallucinate, right?

18:28
They want to give you, they want to please you, right?

18:30
They want to answer the question that you asked.

18:33
And you need to have training in order to show so that advisors, employees can recognize when those AI tools are hallucinating.

18:44
And also a really important part of a of a governance structure is vendor and 3rd party risk management.

18:50
Making sure that your vendor due diligence process includes evaluating model, training, data hallucination risk, data retention, security, looking at contracts that you have with vendors around confidentiality, data use and audit rights, and then making sure that that's being done on an ongoing basis and we can move to the next slide.

19:21
Books and records.

19:22
I we might have, did we skip over supervision?

19:24
We can move to books and records if OK, we can talk about books and records.

19:30
Perfect, perfect.

19:32
So this is the biggest question that I think everyone is asking with regard to generative AI.

19:38
What documents are required to be kept for broker dealers under the Exchange Act, 17 a three and 17 a four, and for advisors under the Advisors Act?

19:50
What I'll say is we don't have a lot of guidance, if any real clear guidance from the SEC on this issue as to what types of records constitute communications.

20:03
FINRA has received this question from member firms.

20:06
FINRA has noted publicly that they've gone to the SEC seeking guidance as to what types of AI generated records constitute communications under 17A4B four of the Exchange Act.

20:20
We haven't seen the SEC release anything.

20:24
One of the biggest questions that that we hear is has to do with meeting summaries.

20:30
So Zoom or Teams meeting summaries and whether those types of meeting summaries constitute a communication related to the firm's business as such under 1784 before the Exchange Act.

20:45
What I'll say is there's not a lot of clear answers on this point, but a way to think about this is what happens to the meeting summary after it's generated.

20:55
The mere fact that in summary of a meeting exists doesn't necessarily make it a required record.

21:03
However, once that transcription or the action items generated as a result of that transcription are sent out to meeting participants, that would likely constitute a communication subject TO17A4B4.

21:20
The idea, and a big open question here is what what constitutes being sent out to meeting participants?

21:25
I think if something's being sent out by e-mail, it likely constitutes a communication, right?

21:31
And probably wouldn't be a big issue for firms because they're retaining those anyway.

21:36
If something's placed in a shared folder that can be accessed by 20 different people, is that a communication?

21:42
I think that's still an open question.

21:47
You know, there's, there's also other types of record keeping questions around customer facing generative AI.

21:53
So if you have a chatbot that interacts directly with customers, is the transcript of that communication a required record?

22:01
I think that likely would constitute a communication and be required to be retained, although again, we don't have a lot of definitive guidance on this point.

22:10
And then the third bucket are a what I call AI assisted research and Productivity Tools.

22:16
So these are tools that you might have internally that allow you to pull sections of policies and procedures and other things like that.

22:24
And these tools really act like an enhanced search drafting or analysis tool.

22:28
And I think there's a pretty good argument that these may not be required records, that they're more similar to a Google search or a search of your e-mail inbox.

22:37
But there are arguments that cut the other way.

22:39
And so these are, this is still an area of, of uncertainty.

22:44
And I know Brian you have you may have some thoughts.

22:47
Yeah, no, I agree it's an area of uncertainty.

22:51
So historically if somebody just took handwritten notes of a call with a client on a Google pad, those would not be a considered a communication.

23:02
Somebody's communicating, but they're writing it down for themselves.

23:06
Similarly with CRM, if you input information into ACRM system that wasn't considered a communication and similar to what you're talking about it, it was an open issue.

23:18
If a number of people had access to that information, so were you then communicating it to the CRM and then it was communicating to others, so it became a communication between people.

23:30
Here we have the AI communicating.

23:34
So a lot of this still has to be defined and there's no clear answer yet.

23:40
And just before we move off books and records.

23:42
So that that's where the framework around what's required under, under the mostly under the Exchange Act, but also under the under the Advisors Act.

23:51
But there are considerations that go beyond required record keeping.

23:55
You know, what do you need to keep in order to supervise the use of the AI tool?

24:00
That's sort of the second step in the framework.

24:03
First, what is required?

24:04
Second, what do you need to keep in order to supervise?

24:08
And the big question is how do you explain a model's output without any of the back end data?

24:15
And Finner actually addressed this in their annual regulatory oversight report, where they know that an effective supervision, an effective supervision would involve the ongoing monitoring of prompts, responses and outputs to confirm that Gen.

24:29
AI solutions continue to perform as expected and result in compliant behavior.

24:35
And FINRA knows that this may include storing prompt and output logs for accountability and troubleshooting.

24:41
And I think the idea of how long those prompt and output logs are stored depends on what what you're doing with them internally, what your review process looks like, you know, and, and what your sort of reasonable supervision process looks like.

24:58
But I just wanted to highlight that point as well.

25:03
Have any of you seen any enforcement actions specifically tied to to AI?

25:12
Yeah, I mean, Brian, if you wanted to add to this, that'd be great.

25:16
But I mean, in general, the, the focus on AI from an enforcement perspective has mainly been in the AI washing space, so to speak, where, you know, marketing or other investor related communications have hyped up a firm's capabilities or a firm's AI driven services to an extent that, you know, they were not being accurate or it was misleading.

25:51
But that's, that's been the main focus the regulators to this point from an enforcement perspective is, is in connection with those so-called AI washing cases.

26:00
Brian, anything to add there?

26:02
Oh, Brian, I think you're on mute.

26:06
That's right.

26:06
And I'll talk about a couple of other areas when I go through the enforcement analysis of where we will likely see some AI related cases.

26:20
Yeah.

26:20
So in the interest of time, I'll hit three points, three kind of key points on supervision and testing.

26:26
The first being FINRA has highlighted that the supervision of generative AI use really requires 2 levels of supervision.

26:35
The first level is at the enterprise levels, having some sort of central oversight of AI tools that's adopted by the firm.

26:43
And then the second level is at the individual level, which is how are individuals using those tools, which sort of does tie back to books and records.

26:51
Because how do you supervise how someone's using a tool unless you have some record of of how they used it, what they put into the tool and what what they got out of it.

27:02
Testing is abundantly important here.

27:06
Making sure that the model that you're using is performing as expected, conducting ongoing monitoring, having and no AI presentation is complete.

27:16
Without saying human in the loop, having a human in the loop that looks at what the model is doing, whether there's been any model drift, performing regular checks for errors and bias is very important.

27:29
And I would highlight bias is one of the main things that firms need to look at here because of the underlying data, the train to model contains biases.

27:37
There's a risk that the AI tool will perpetuate or amplify those.

27:42
And if advisors don't recognize that, that can lead to results that, you know, results that are not good.

27:49
And with that, we can we can move to the next slide.

27:54
Issa.

27:56
All right.

27:57
I'm going to be covering the next couple of topics on privacy and data protection and marketing.

28:05
So the regulatory framework to think about here, you know, there, while there hasn't been definitive guidance regarding how these particular rules apply in the AI context, I think we can still, you know, think through from a principles based perspective how they should apply.

28:26
So the things to think about are obviously SE, CS, Reg, SP and Sid.

28:34
And then there's a smattering of state, federal and non-us privacy laws.

28:40
And when you mix it all together, we have a real patchwork of regulation from a, you know, privacy and data protection perspective.

28:51
So in terms of key questions to ask, I guess that's that patchwork point is a nice segue into the first question, which is, are we properly navigating the layered web of applicable privacy laws?

29:04
You know, the as I mentioned, there are not just federal laws at play, there are state laws at play.

29:12
There are potentially non-us laws at play like from the EU.

29:18
Are we, you know, properly working through all those different regulatory regimes and you know, deploying AI systems in a way that is, you know, compliant with each of them or the lowest common denominator associated with each?

29:36
Next question to ask in this respect is do our proprietary or third party AI tools train on our investors sensitive data, their non public personal information?

29:47
So if if that is occurring, you know that there's, you know, there's a, you know, a need to conduct, you know, proper vendor due diligence to the extent that it's a third party tool to ensure adequate protection of that data, implementing appropriate contractual prohibitions on the on the, you know, further use of that data.

30:13
And then over overall just conducting appropriate oversight as now required under the recently amended Reg SP.

30:20
Another question to ask is, are we equipped to handle the expanded attack surface that's resulting from our use of any new AI tools?

30:28
So AI systems, you know, connected to places where we store customer data that way that that dramatically expands the, you know, the the attack surface for malicious actors.

30:43
So what to think about here is ensuring that, you know, you're incorporating that new attack surface resulting from those AI systems into your cybersecurity risk, risk assessments, your penetration testing programs, your incident response plans as appropriate.

31:05
Next one here, how do we balance data minimization principles against leveraging AI tools for maximum effectiveness and efficiency?

31:15
You know, this really comes back to, you know, principles under Reg SP and other privacy laws.

31:23
We, you know, generally speaking, have always tried to connect, collect the only the, the minimum amount of information that we need about, about our, our customers to properly service them.

31:36
Well, sometimes the AI tools that are out in the market can work much better to the extent that you know, more than that is collected.

31:46
So it's a delicate, you know, dance that you have to do to ensure that you're only, you know, collecting enough to make, make your IAI tools, you know, as as effective as possible, but without running afoul of what you've told consumers about what you're collecting and what you're sharing.

32:07
And then, you know, finally, how how have we developed and are we following our data governance framework and mechanisms before deploying or updating an AI tool?

32:17
So firms are, you know, expected to implement comprehensive AI specific data governance frameworks before deployment and use.

32:29
So should be thinking about privacy impact assessments, making appropriate updates to your privacy notices that are provided to customers, establishing acceptable use policies for your employees and getting them appropriate training, conducting appropriate audits to ensure compliance with your own policies and so on and so forth.

32:52
So these are the things to think about from a privacy and data protection perspective.

32:58
Can we move on to the next slide, please?

33:01
All right, marketing, everybody's favorite topic.

33:03
So there's a, a real overlap, I'd say between, you know, AI and marketing.

33:12
You know, this is, this is I think the area that I find most interesting and where you, where you, you see, you know, the most, most novel issues.

33:22
You know, there's a lot of different, you know, regulatory requirements that come into play here at this intersection.

33:30
You've obviously got, you know, Rule 2O641, the marketing rule under the Advisors Act and the associated provisions under Rule 2O42, the books and records records rule, final rule 2210, which I mentioned earlier.

33:45
That's the final rule regarding communications with the public, but also their supervision rule and associated books and records rule.

33:53
And then you've got FINRA, I guess technically NASD guidance and other guidance around the use of the term, sorry around the, the term recommendation, what is and is not a recommendation that comes into play.

34:05
And if you do have a recommendation in any of your AI tools, you know, you have Reg BI advisors act, fiduciary duty, those standard of conduct issues that come into play.

34:17
So, you know, working into the the questions to ask here, you know which AI generated communications should be scoped into our advertising policies and procedures.

34:28
So one way that you know firms can get into trouble under applicable marketing rules is not knowing that a given communication was subject to those rules in the 1st place.

34:43
So if you're using an AI tool to communicate with the public in any way, a key question to ask is, does this trigger applicable requirements under the marketing rule under Finner Rule 2210?

34:57
And So what are the requirements and what, what other hoops do we have to jump through in order for, you know, this tool to communicate with the public as we intend it to communicate?

35:09
So that's, that's a key question.

35:10
Just getting your arms around what the implications are.

35:13
Is it an ad?

35:14
Is it a, you know, is it correspondence?

35:17
Is it, you know, retail communication, whatever it is next, next item relates to essentially content standards.

35:26
Is our you know, AI chatbot or AI tool generating confident but inaccurate or inconsistent information, making exaggerated or hyperbolic claims or basing its content on outdated information, thereby creating problems under applicable content standards?

35:44
The Advisors Act marketing rule has a number of general prohibitions that are designed to prevent, you know, misleading, inaccurate claims in advertisements made by investment advisors.

35:57
There are similar general content standards under Rule 2210 for broker dealers.

36:03
And you know, one thing that you know, AI tools have gotten an unfortunate reputation for is providing these, you know, seemingly confident but actually inaccurate claims in the, you know, the other content that they produce.

36:18
So there is a need to take care here to ensure that whatever is going on in in these tools comply with those those applicable content standards.

36:29
Next question to ask is, are we able to supervise and make a record of our AI generated communications and other communications in accordance with applicable supervision and books and records rules and our policies and procedures?

36:43
So the, you know, main point to to emphasize here is that the same supervisory and record keeping obligations that exist with respect to manually drafted communications are going to apply here.

36:59
And, and Brian and, and, and Andrew mentioned a few words about that earlier.

37:04
I would just refer back to that to say, you know, those are the things that you should be keeping and keeping tabs on from a supervisory perspective.

37:15
But you do have to make sure that to the extent that you do have something that's that's required to be kept, that you have a mechanism to apply your supervisory processes, whether their principal previous approval for an advertisement, you know, electronic communications review processes, you know, etcetera.

37:36
And then to the extent that you are required to keep it, you have to ensure that you can capture it in the right format, whether that's a write once read many format or otherwise.

37:46
If we can move to the next slide, please.

37:49
Next question to ask is, are we able to create and keep an audit trail for each communication that includes all the information necessary to meet our supervisory obligations and the expectations of examiner?

38:02
So what you want to think about here is, you know, do we have, you know, a, a way to, you know, show a regulator how a communication was put together from beginning to end to the extent that it came from some sort of AI tool, including initial prompts, intermediate drafts, human edits, so on and so forth.

38:22
Do you have an ability to establish that that audit trail if it is our chatbot or tool providing individualized advice or recommendations, that's a a big one.

38:34
What you'd want to look at there is that NASD noticed in members I mentioned up at the top that speaks to, you know, the types of communications that trigger, you know, those standards of conduct because they are deemed recommendations under the federal securities laws.

38:50
In general, the take away from that notice is that the more individually tailored a communication is, the more likely it is to be a recommendation.

38:59
So if you've, if you've got an AI chat bot or some other tool that is providing some sort of individualized advice or recommendation that's tailored to what the individual needs of the user are you got you got something to think about from a standard of conduct perspective?

39:16
Next one, does our chatbot or tool generate hypothetical performance?

39:20
Obviously under the marketing rule, there are real limitations relating to the use of hypothetical performance in advertisement advertisements.

39:29
And then under FIN rules, there are even more stringent requirements relating to the use of, you know, projected performance, other types of, you know, things that try to predict the performance of the security.

39:43
If you got something that that generates A hypothetical performance presentation, want to think through the implications there.

39:51
And then last couple of points, do our outputs include the necessary disclosures?

39:55
So if you're, you know, if you've got some sort of AI tool that you think should fit within interactive analysis tool exception.

40:04
You have to make sure that it's accompanied by the necessary disclosures that are required by the applicable rules, whether that's the marketing rule or rule 2214 in the FINRA rule book.

40:14
And then finally, are we overstating the capabilities of our AI based AI enhanced services and is there a mismatch between our regulatory disclosures and our marketing materials?

40:25
Do our marketing materials include lots of glowing statements about what we can do with AI?

40:30
But then you know, do we have regulatory disclosures that are more hedged and careful about what we say about our capabilities.

40:39
If that's the case, you got a mismatch and one of those is just not, not appropriate and it's going to be subject most likely to some regulatory scrutiny.

40:47
So that's all I had to say on marketing and I'm going to pass it off to Brian to talk about SEC enforcement.

40:54
OK.

40:55
Thank you, Isa.

40:56
So there's been a lot going on policy wise with regard to both the SEC and Finner over the past few weeks.

41:03
So we have a fair amount to cover.

41:05
First, the head of SEC Enforcement is Judge Margaret Meg Ryan and she became the head of SEC Enforcement in September and then in February she gave her first public address on the divisions priorities, enforcement philosophy and procedural expectations.

41:25
So we'll talk about that.

41:26
As an aside, we recently wrote an article using a Meg Ryan theme, not that Meg Ryan, the other Meg Ryan called You've Got Mail and a FINRA disciplinary action and it's about FINRA cases against individuals for off channel communication.

41:41
So if anybody wants to receive a copy of that, let me know.

41:44
She made five points basically, or 6 points in her speech.

41:48
First, she made clear that SEC enforcement is alive and well.

41:53
She said reports that enforcement work at the SEC has been tossed to the wayside are not only greatly exaggerated, but flat out wrong.

42:02
And she said she's more concerned about the quality and an impact of cases as opposed to chasing numbers.

42:09
2nd, we will expect to see fewer actions for routine violations such as reporting, record keeping, internal controls.

42:19
Those won't necessarily result in enforcement actions.

42:22
It depends on the type of case.

42:24
3rd, she talked about back to basics enforcement priorities dealing with retail investors and market integrity, focusing on issues like Ponzi schemes, affinity frauds, accounting fraud, insider trading and market manipulation.

42:41
As Chair Atkins previously said, their focus is liars, cheats and thieves.

42:48
No one on today's webinar I'm sure.

42:51
And then anecdotally, I'd say that the SEC is being aggressive when they are dealing with enforcement investigations.

43:00
I'm involved in the sales practice case right now and they are being very aggressive in terms of taking testimony and even contacting customers of the firm without prior notification to the firm.

43:11
The 4th point she made was that core compliance failures can still result in enforcement actions even if there's no fraud.

43:20
And again, the issues here are posing risks to investors or the markets.

43:26
And she talked about broker deal or financial responsibility like net capital and custody, IA fiduciary duties like conflicts, disclosures, fair fees and client loyalties.

43:39
And then the 5th and 6th issues are the Wells process and credit for cooperation.

43:44
Those were addressed more completely in the revisions to the SEC Enforcement Manual which came out just a couple of weeks ago.

43:53
It was an update.

43:54
It was the first update to the SEC Enforcement Manual since 2017.

43:59
And going forward, they will be updating it annually, signaling that they are looking at enforcement constantly and evolving.

44:10
The first issue that I want to focus on the, the main take away that is really going to affect firms is cooperation.

44:17
Cooperation, Credit cooperation is going to be viewed case by case and merely complying with subpoenas isn't cooperation.

44:27
And you could think about it as 5C's.

44:30
So the first C is culture, so self policing, tone at the top, training, controls, monitoring, that sort of thing.

44:36
That's going to be important as part of the story.

44:39
The second C is confessing or copping to a plea if you prefer, and that's self reporting, promptly reporting to the SEC staff before the SEC staff finds out about issues, before it's publicly out there.

44:54
Third issue is curing or remediation disciplinary wrong, disciplining wrongdoers, strengthening controls, compensating victims, that sort of thing.

45:06
The next issue is collaborating or active cooperation, so proactively helping the staff, saying these are witnesses you want to speak to, providing factual summaries, suggesting areas that they want to look at.

45:21
So more than just complying with subpoenas that I talked about.

45:24
And then the last issue is hopefully at the end of the day, credit, whatever that means.

45:31
It could mean no enforcement action, it could mean reduced charges, it could mean reduced sanctions.

45:38
So the open issues is going to be whether companies will trust the SEC enough to go down this path and will the SEC earn that trust by consistently delivering credit.

45:51
Previously firms used to say, well, if the SEC is not going to find out about it, I'm not going to tell them.

45:57
So that may not be the calculus anymore.

45:59
And it is important to note that this issue is separate from Finra's 4530, which does require self reporting in certain circumstances and which we'll talk about in a couple of minutes.

46:11
The second important issue from the manual is that they they focused on the Wells process and instituted a number of changes.

46:22
For those of you who don't know, a Wells notice is after an investigation when the staff has preliminarily determined that there are violations and you have an opportunity to convince them that they're wrong.

46:35
From here on out, Wells notices are going to go up through the chain to the associate director or unit chief.

46:42
So it's not just the staff or the team that works in the case.

46:45
Directly during the Wells notification calls, the staff is going to identify probative salient evidence, including evidence that the recipient may not know about.

46:57
So I was involved in a recent Wells call and they talked about testimony they took from an unrelated party, which we certainly didn't know about.

47:05
They said this witness said XY and Z and it was news to us and it was helpful for us assessing the case.

47:12
Generally, you'll receive 4 weeks to submit a Wells response.

47:17
In the past, it's been anywhere from 2:00 to 4:00.

47:19
It's been somewhat inconsistent.

47:22
The senior leadership previously at the SEC had made an assessment that if their staff knew about issues, there was no need for senior enforcement staff to meet with the proposed respondents after a Wells submission.

47:37
From here on out, senior enforcement staff will meet with proposed respondents and the meeting will is supposed to occur within four weeks of the Wells submission.

47:50
The third issue is settlements and waivers.

47:55
When companies settle to certain charges like fraud, it could impact how they do business going forward.

48:01
If they're a bad actor, they could lose certain status for reggae or Reg D offerings and also other other ways that they can do offerings.

48:12
In 2019, the Commission decided to consider settlement offers and waiver requests the site at the same time.

48:20
Change of administration, 2021, they said no.

48:23
We're going to look at them separately.

48:25
Now back to simultaneous consideration of the settlements and the waiver requests.

48:30
The 4th issue is individual liability.

48:34
When Paul Atkins became chair, there's a lot of discussion about individual accountability in the saying is that Companies Act through individuals.

48:44
So we quickly reviewed cases from December 2025 through February 2026 and the data shows that individuals are being pursued.

48:54
So there were 62 administrative proceedings, 40% of them were against individuals loan, 22% against companies and the rest against companies and individuals.

49:05
With litigated cases, it's even more so.

49:08
57% were against, 58% were against individuals, only 38% were against both.

49:16
Now, to be clear, these are not just BD and IA cases, they're also public company cases.

49:22
But if you're an individual and I think everybody on the call is an individual, you should pay attention to this issue.

49:30
The next thing I want to talk about is possible enforcement areas.

49:34
So first, we already talked about AIAI washing false marketing of the AI capabilities.

49:41
There have already been cases.

49:42
We expect there will be more similarly fiduciary Reg BI violations where firms use AI tools that generate unsuitable recommendations or have undisclosed conflicts.

49:55
I think we'll see cases in those areas.

49:58
Second, cybersecurity and data protection.

50:01
Reg SP just became required for larger firms in terms of the written notification of the 30 day breach.

50:09
So now we're in exam and enforcement territory.

50:12
Also inadequate cyber policies.

50:15
They're looking for lack of robust policies, not responding to red flags, vendor oversight, 3rd marketing rule compliance.

50:24
And Issa talked about some of those issues, so we'll skip those.

50:27
Fourth, conflict of interest and fee transparency, so undisclosed comp incentives.

50:33
So we've seen some cases targeting that already.

50:36
Dual registration conflicts.

50:39
So it's an issue about disclosing which reps are acting in what capacity and also account allocation, brokerage versus advisory.

50:48
And Finner's looking at those issues also.

50:52
All right, the next thing that we'll talk about is FINRA.

50:56
There was an update on Monday.

50:59
Bill Saint Louis, the head of FINRA enforcement, had a blog about changes in the enforcement process and nobody has written about it yet.

51:07
So this may be the first you've heard of that it.

51:09
We are putting out an alert hopefully tomorrow.

51:12
He's framing 3 issues about changes.

51:15
Three goals, 1 is more transparency, 2nd is approving efficiency, and then third is giving firms more of an opportunity to be heard.

51:25
First, there's an update on the external review.

51:29
So FINRA hired a former SEC commissioner and a law professor who are conducting an external review of FINRA enforcement to look at governance, coordination, perceptions, things like that.

51:42
He met with a number of BDS.

51:45
They met with a number of law firms.

51:47
I spoke to them and submitted 3 pages of suggestions to them in writing.

51:52
Their final assessment is going to be in next quarter or the second quarter of 2026.

51:57
But from the blog, FINRA has already implemented some of the changes that they've been talking about.

52:04
So the the second issue, and it's a big umbrella, FINRA is instituting a no surprises enforcement model.

52:11
So at the start, when a matter is referred to enforcement, FINRA is going to be sending an initial notification letter and offering an introductory meeting so that the staff will provide an overview and talk about the areas of focus.

52:26
And this is great news because in the past if you said to the staff, what are you investigating, they would say, oh, we're just doing fact finding.

52:32
We can't tell you what we're investigating.

52:34
So that's a great step.

52:36
Next with in terms of investigative steps in general, they're going to reach out before issuing 80 to 10 requests.

52:44
So it gives the firm an opportunity to discuss the scope, ask questions, things like that.

52:48
Again, that's a great change.

52:50
And then before their formal charges, they're going to have a pre Wells investigative findings meeting where they're going to share their findings and the evidence.

53:00
It's separate from a Wells process, but it's a good opportunity for firms to push back and say, no, you got the facts wrong, you're not looking at it, you didn't take into account this piece of evidence, that sort of thing.

53:13
And then with the Wells submissions 30 calendar days close to the four weeks that the SEC has.

53:20
The third issue is Rule 4530 self reporting.

53:24
There's a pilot inappropriate cases.

53:27
Firms that self report can conduct their own internal investigation and remediation before FINRA issues a document or request and potentially there may not be an enforcement investigation.

53:39
I just went through this with a firm.

53:41
We self reported, we followed up with monthly status updates and at the end FINRA asked for final reports and that's all that has happened.

53:50
4th, in terms of what's coming next from Bill's blog, they will be also focusing on cooperation and remediation credits.

53:59
So same kind of thing that we talked about from the SEC, they will be exploring alternatives to on the record testimony.

54:06
Sometimes testimony just doesn't make sense.

54:08
In the past they've done it anywhere.

54:10
And then the next issue is they will eventually be publishing A thinner enforcement manual.

54:15
So similar to what we talked about with the SEC then running out of time here, but enforcement where it's been and where it's going.

54:26
So for those of you who don't know, every year we do an annual study about FINRA enforcement activities, looking to past year trends, things like that.

54:34
Our full report will come out probably next week.

54:38
And I have some preliminary stats and don't fold me to any of this, but it looks like the number of cases reported by FINRA in 2025 decreased by about 20%.

54:50
The fines decreased by about 10%.

54:54
The top areas of FINRA enforcement in terms of number of fines generator, amount of fines generated, the top one is AML and that happens a lot because there are often high dollar values for AML cases.

55:08
The second is trade reporting and then the third is books and records, which includes net capital customer reserves in addition to the retention and review issues that we normally talk about.

55:22
All right.

55:22
So the the next thing I wanted to talk about was some areas where we'll likely see enforcement activities.

55:29
And I'll just quickly give the headnotes 1 area Reg BI suitability, looking at basic issues that that we can imagine care obligation account type recommendations, rollover retirement recommendations.

55:42
Second area complex products including variable annuities, Rilas, non traditional ETF structured products, Third area third party and vendor oversight.

55:55
And then the last thing I wanted to talk about was states, because the federal regulators aren't being as aggressive as they've been in the past.

56:03
I think states view this as an opportunity and we have seen a number of states follow up more than they have in the past with regard to U fives or customer complaints.

56:14
In September of 2025, NASA announced A broker dealer inspection and compliance initiative where it's a group focused on multi state investigations.

56:25
And again, just highlighting some of the areas the states were looking at, seniors, vulnerable investors, digital assets and crypto, particularly given how the SEC is looking at them now.

56:36
AI washing, which we talked about and then other just broker dealer sales practice type issues.

56:43
So that's enforcement.

56:49
OK.

56:50
Well, in the last few minutes, we're just going to say a few words about alts.

56:56
If we could actually skip ahead to the bottom lines slide, I think that'll serve us well.

57:03
There we go.

57:04
OK.

57:05
So there's some content there for you all to review if you'd like on your own, but I thought we would just kind of go through this because it sums it all up.

57:14
You know the democratization say that 10 times fast of alternative investments is coming if not already upon us.

57:21
So that makes you know, the heightened fiduciary implications, the standard of conduct issues under Reg BI associated with serving these retail clients who are going to have access to these products in the near future that just that much more timely and important.

57:39
So when dealing with a retail client who is looking to invest in an alternative investment, you know they are just generally speaking going to have very limited ability to evaluate those products and the managers who sponsor them, assess the complex restructures, understand the implications of an extended lock up.

58:01
The lack of liquidity so that just place a great places a greater burden on the IA or the BD to ensure that all recommendations are genuinely in clients best interest.

58:13
Well advised to document the basis for any advice that you provide in this space.

58:19
And you know that runs from any due diligence findings to steps that you take to manage conflicts.

58:26
And then of course, you know the basis for any investment advice that you provide just to demonstrate compliance with applicable standards and address any regulatory inquiries that might amount to, you know, Monday morning quarterbacking.

58:39
When does it not do that after the fact?

58:41
So that's kind of like our our bottom line take away here.

58:47
I see that we're at the top of the hour.

58:49
Andrew, is there anything that you wanted to say from a BD perspective that would, that would amplify any of the content here or expand upon it?

58:59
One thing I'll highlight in 30 seconds is that for broker dealers putting alts on their platform, a big focus is on the diligence provided before those investments make it onto the platform.

59:11
And in order to comply with Reg BI and the care obligation that you know that there's certain requirements around understanding the investment and its risks before that product makes it on it's on your platform.

59:23
And that the one point to highlight there is that Finner has been very clear that you can't.

59:28
A firm can't simply rely on the issuer for information about an investment.

59:33
Your due diligence has to go beyond that.

59:36
Similarly, A broker dealer can't rely on a third party for, for that type of diligence.

59:42
Your, your diligence has to go beyond that too.

59:45
And that's particularly important because a lot of firms have signed up to get alts onto their platform through certain third party vendors that do provide some level of diligence.

59:55
But the broker dealers need to think broader than that.

59:59
They need to have their own diligence process before onboarding these types of investments.

1:00:04
But that's that's that's my all alts content in 30 seconds, maybe 45.

1:00:11
Thanks, Andrew.

1:00:14
Oh, Cathy, I think you might be on mute.

1:00:20
Cathy, you're on mute.

1:00:21
There you go.

1:00:27
Thank you for that.

1:00:28
So thank you gentlemen, for your insights and practical guidance.

1:00:31
Much appreciated to our audience.

1:00:33
Want to make sure everyone understands that innovation is not going to slow down anytime soon and neither is regulatory scrutiny.

1:00:41
So the firms that win this year are going to be the ones that treat their governance documentation and supervision as strategic assets, not just regulatory obligations.

1:00:54
Very wise point.

1:00:59
I will say we will take your questions, we will put them together and answer them in APDF and make sure that we get them out of you, you know out to you because we have run out of time.

1:01:15
So thank you everybody.

1:01:17
Thank you everyone.

1:01:18
Thank you.