AI for Financial Advisors: What FINRA's 2026 Rules Allow

12 min read By FindSkill Team

FINRA's 2026 report added an AI section. Here's how financial advisors can use AI for client notes and emails—what's allowed, what's banned, and the safe steps.

Table of Contents

Last updated: May 30, 2026

Picture the moment an advisor is one click from sending a client a follow-up email drafted by AI. The summary is great — and then a line near the bottom promises the strategy will “guarantee you’ll beat the market.” The AI has no idea it just wrote a Marketing Rule violation. The advisor does, deletes the line, and hits send.

That’s the whole game in 2026, in one moment. The tool writes something polished and confident, and it has no idea which sentences could put you in front of an examiner. You do. The good news: the rules for using AI as a financial advisor are no longer a gray area you have to guess at. As of this year, FINRA has written them down.

What just changed

For the first time, FINRA’s 2026 Annual Regulatory Oversight Report (released December 2025) includes a dedicated, expanded section on generative AI. It didn’t invent new rules. It said something more useful: your existing obligations already cover AI. Supervision, recordkeeping, communications standards, fiduciary duty — they all apply to a chatbot’s output exactly as they apply to anything you write yourself. The SEC echoed it, keeping adviser AI use on its exam priorities and, in a December 2025 Marketing Rule risk alert, flagging missing disclosures on testimonials, endorsements, and third-party ratings.

So the question advisors kept asking — “Am I even allowed to use this?” — finally has an answer. Yes, with a process. Here’s what regulators actually expect:

  • Supervision (FINRA Rule 3110). A reasonable system to oversee AI tools, including model and “hallucination” risk, with human review of customer-facing output.
  • Recordkeeping (SEA 17a-4 / FINRA 4511, Advisers Act 204-2). An AI-generated client communication is a record. Retain it, log prompts and outputs, and supervise it like anything else.
  • Communications (FINRA Rule 2210 + SEC Marketing Rule 206(4)-1). Anything client-facing must be fair, balanced, and not misleading. No guarantees, no cherry-picked performance, no testimonial-style language.
  • Vendor responsibility. Using a third-party tool doesn’t outsource the liability. You still own the output.

The single biggest trap, by a wide margin, is that Marketing Rule. AI writing leans optimistic by default — “maximize,” “guarantee,” “beat the market” — and every one of those is a problem. Which is why the rule that matters most isn’t a rule at all. It’s a habit: never auto-send.

The compliant workflow, start to finish

The advisors who use AI well aren’t doing anything clever. They’ve turned the regulators’ expectations into a five-step routine they run every time.

Using AI for client notes and emails, compliantly
1. Disclose & consent recording the meeting
2. Use a vetted tool not consumer ChatGPT
3. Generate draft
4. Review & screen kill any guarantee
5. Archive books & records

Step 4 is where compliance lives. To make it fast and repeatable, keep a screening prompt on hand and run every draft through it before you even read it. Paste your draft in (with the client’s name and account number removed) and let AI flag its own risky language:

You are a compliance reviewer for a US financial advisor (RIA).
Review the draft client message below against the SEC Marketing Rule.

Draft:
"""
[PASTE YOUR AI-DRAFTED EMAIL OR SUMMARY — remove the client name and account number first]
"""

Flag any language that:
- Promises or implies guaranteed returns ("guarantee", "will beat", "maximize")
- Makes an unsubstantiated performance claim
- Reads like a testimonial or endorsement
- States a recommendation without suitability context

For each flag: quote the phrase, explain the risk, and suggest compliant wording.
Add no new advice. If nothing is flagged, reply "No issues found."

It’s not a substitute for your judgment or your compliance team — it’s a first pass that catches the obvious “beat the market” landmines before they reach a human, let alone a client.

The two things AI can and can’t touch

🟢 Fair game for AI
Meeting summaries from a transcript, first drafts of follow-up emails, plain-English explanations, and reformatting your own notes into a CRM entry — all with your review.
🔴 Off-limits
Client PII in a consumer chatbot, auto-sending without review, recommendations the AI makes on its own (Reg BI), and any 'guaranteed returns' or testimonial language.

A note on tools: most advisors who do this well don’t use consumer ChatGPT for anything client-identifying. They use advisor-specific assistants (the category includes Jump, Zocks, Zeplyn and similar) that come with data agreements and archiving built for the regulated context. Interestingly, the loudest AI-compliance warnings online come from compliance vendors, not from advisors posting war stories — which tells you the real risk is quiet “shadow AI,” not the advisors being careful enough to talk about it.

What this means for you

If you’re a solo RIA: This is the highest-leverage place to start. Meeting notes and follow-ups eat your evenings, and they’re exactly what the compliant workflow is built for. Pick one advisor-specific tool, write a one-page AI-use policy for yourself, and you’ve covered most of what an examiner would ask.

If you’re at a broker-dealer or wirehouse: Your firm almost certainly has an approved-tools list and archiving already. Use them. The fast way into trouble is shadow AI — pasting client details into a personal ChatGPT account that sits outside the firm’s supervision and recordkeeping.

If you’re a paraplanner or support staff: Drafting is your sweet spot, and the review step protects you. Generate the summary, hand it up for advisor approval, and never be the person who hit send.

If you’ve been avoiding AI entirely out of fear: That caution is costing more than it saves. The compliant path is well-trodden now. Avoiding the tool doesn’t reduce your risk — it hands the time savings to the advisor down the street who read the rules.

What this won’t fix

  • It won’t make you compliant by itself. The tool is never the compliance system. Your process — consent, review, archive — is.
  • It can’t be trusted with recommendations. Suitability and fiduciary duty are yours. AI can summarize; it can’t decide what’s right for a client.
  • It won’t keep you safe on a consumer plan. Client data belongs in a tool with a data agreement, not a free chatbot that trains on inputs.
  • It won’t replace your compliance officer. The screening prompt is a first pass, not sign-off.
  • It won’t catch every subtle claim. AI screening reduces risk; it doesn’t eliminate it. The human read is still the one that counts.

The bottom line

The story isn’t “regulators are cracking down on AI.” It’s the opposite: FINRA and the SEC just told you, in writing, how to use it. The advisors who win the next few years won’t be the ones who avoided AI out of fear or the ones who let it auto-send. They’ll be the ones who built the boring, repeatable loop — disclose, draft, review, archive — and got their evenings back.

Want to build that workflow without guessing? Our AI Finance: Agents, Controllers & Compliance course covers safe, practical AI use for finance professionals, including the review-and-document habits that keep you on the right side of the line.

Sources

Build Real AI Skills

Step-by-step courses with quizzes and certificates for your resume