Deploying AI Safely Under SEC and FINRA Compliance
You now have a toolkit: meeting prep, commentary, communications, research, notes, planning narratives, marketing, onboarding, custom GPTs, advanced prompting. This final lesson zooms out to the question your compliance officer cares about: how do you put all of this into practice in a regulated advice business without creating problems? Here's a practical framework.
What You'll Learn
- The regulatory expectations that govern AI use in advisory firms
- A practical AI-use policy checklist for an advisory practice
- How to document and supervise AI-assisted work
- A go/no-go decision rule you can apply to any task
What Regulators Expect
There isn't (yet) a single "AI rule" — instead, existing obligations apply to AI-assisted work. The themes:
- Supervision and procedures. Firms must supervise their personnel and have written supervisory procedures reasonably designed to achieve compliance. AI use is within scope: your firm should have (or develop) a policy on which tools are allowed, for what, by whom, and how output is reviewed.
- The duty of care and fiduciary obligation. For RIAs, the fiduciary duty doesn't bend because a tool was involved. Recommendations must still be in the client's best interest, suitability still applies, and you still own the advice.
- Recordkeeping. Books-and-records rules apply to communications and certain materials regardless of how they were produced. The final client communication is a record; many firms also document material AI involvement.
- The Marketing Rule (Advisers Act) / FINRA communications rules. Advertising and client communications are regulated by content, not by drafting method. And the SEC has explicitly targeted "AI washing" — false or exaggerated claims about AI use or AI-driven performance.
- Privacy (Reg S-P) and data protection. Safeguarding client information applies fully; putting client PII into an unvetted tool can be a violation.
- Vendor oversight. Adopting an AI-powered product is a third-party relationship requiring due diligence on data handling, security, and reliability.
- Disclosure, where material. If AI plays a material role in your services or process, consider whether and how that should be disclosed (e.g., in your Form ADV) — coordinate with compliance.
The throughline: AI doesn't get its own carve-out. It's a tool your firm is responsible for using properly.
An AI-Use Policy Checklist for a Practice
If your firm hasn't formalized this, here's a starting checklist to bring to compliance (and to follow personally in the meantime):
- Approved tools. A defined list of permitted AI tools, ideally enterprise/business tiers with contractual data protections. Everything else is off-limits for work use.
- Client data rule. No client PII (names, SSNs, account numbers, identifiable details) in any tool that isn't on the approved list. Anonymize for everything else.
- Permitted uses. Clear guidance on what AI may be used for (drafting, summarizing, organizing, research-orientation) and what it may not (recommendations, suitability/KYC decisions, binding calculations, filing forms, identity verification).
- Human review. Every AI-assisted client-facing communication and deliverable is reviewed and approved by a responsible person before it goes out — same standard as a junior employee's draft.
- Recordkeeping. Final communications retained per policy; a notation of material AI involvement where the firm requires it.
- Marketing controls. AI-drafted marketing goes through the normal review/approval; no testimonials/endorsements except as properly handled; no unsubstantiated performance claims; no AI washing.
- Training. Everyone using AI knows these rules — especially anyone sharing a custom GPT.
- Vendor diligence. Any AI-powered product (notetaker, planning assistant, advisor copilot) is vetted as a vendor.
- Periodic review. The policy is revisited as tools, capabilities, and regulations change.
Documenting and Supervising AI-Assisted Work
Practical habits that keep you covered:
- Keep the final, not the chat — but be able to explain the process. Your records should hold the communication you actually sent. If a recommendation rests on research, your file should show you verified it against primary sources (not "the AI said so").
- Note material AI involvement where your firm wants it. A simple CRM tag or note ("review brief drafted with AI assistant, reviewed and edited by advisor") can satisfy a "document it" requirement.
- Review like a supervisor. Whoever signs off on AI-assisted output applies the same scrutiny they'd apply to a new associate's work — accuracy, suitability, compliance, tone.
- Watch for the failure modes. Hallucinated facts/figures, stale rules, individualized advice creeping into mass communications, performance claims, missing disclosures, PII exposure. These are the recurring AI-related findings — review with them in mind.
A Go / No-Go Rule for Any Task
When you're deciding whether to use AI for something, run it through this quick test:
- Is the tool approved (or am I using only anonymized, non-sensitive input)? If no — stop.
- Is this a task AI should do (draft / summarize / organize / orient), not one reserved for me or my systems (recommend / decide suitability / calculate binding numbers / file forms / verify identity)? If it's reserved — stop, or use AI only for the language around your work.
- Will a responsible human review the output before it has any effect? If no — stop.
- Could I comfortably explain exactly how I used AI here to my compliance officer and, if asked, an examiner? If you hesitate — that hesitation is your answer.
Pass all four and you're on solid ground. It takes ten seconds and it keeps "fast and easy" from quietly becoming "fast and a problem."
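To show what the client data rule from the checklist and the four-part go/no-go test look like when they are enforced by software rather than memory, here is an added example (not part of this lesson, and not any vendor's product) of a pre-submission gate that sits between an advisor and an AI tool. The approved-tool register, the task labels, the PII regexes, the sample prompts and the audit-note format are all constructed assumptions for illustration, not a firm's actual policy. The gate checks the tool against the approved list, scans the prompt for identifiable details, refuses reserved task types, requires a named reviewer, and writes the kind of "material AI involvement" note the Documenting section describes. The fourth question (could you explain it to an examiner?) stays a human judgment; the gate only makes sure the facts needed for that explanation are recorded.

```python
"""Pre-submission gate for AI-assisted work in an advisory practice.

Constructed illustration of the lesson's checklist and go/no-go test; the
approved-tool list, task labels and PII patterns below are assumptions.
"""
import re
from dataclasses import dataclass, field

# Assumption: the firm's register of approved tools (enterprise tiers only).
APPROVED_TOOLS = {"enterprise-assistant"}

# Task labels follow the lesson's split between permitted and reserved uses.
PERMITTED_TASKS = {"draft", "summarize", "organize", "orient"}
RESERVED_TASKS = {"recommend", "suitability", "binding-calculation",
                  "file-form", "verify-identity"}

# Assumed PII patterns. Regexes catch structured identifiers only; client
# names will not be caught, which is why the gate fails closed below.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "account": re.compile(r"\b(?:acct|account)\s*#?\s*\d{6,}\b", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
}


@dataclass
class GateResult:
    allowed: bool
    reasons: list = field(default_factory=list)   # why the gate said stop
    redacted_text: str = ""                       # anonymized draft for resubmission
    audit_note: str = ""                          # record of material AI involvement


def redact_pii(text):
    """Replace matched identifiers with typed placeholders; return (text, counts by type)."""
    counts = {}
    for label, pattern in PII_PATTERNS.items():
        text, n = pattern.subn(f"[{label.upper()}]", text)
        if n:
            counts[label] = n
    return text, counts


def ai_gate(tool, task, text, reviewer):
    """Apply the go/no-go test to one proposed use of an AI tool."""
    result = GateResult(allowed=True)
    redacted, counts = redact_pii(text)
    result.redacted_text = redacted

    # 1. Approved tool, or anonymized non-sensitive input only. An unapproved
    #    tool with any detected PII is a stop; the advisor gets the redacted
    #    draft back to check (names may remain) and resubmit.
    if tool not in APPROVED_TOOLS and counts:
        result.reasons.append(
            f"'{tool}' is not an approved tool and the input contains {sorted(counts)}; "
            "anonymize and resubmit after checking the draft for names")

    # 2. Is this a task AI should do, or one reserved for the advisor/firm systems?
    if task in RESERVED_TASKS:
        result.reasons.append(f"task '{task}' is reserved for the advisor or firm systems")
    elif task not in PERMITTED_TASKS:
        result.reasons.append(f"task '{task}' is not a recognised permitted use")

    # 3. Will a responsible human review the output before it has any effect?
    if not reviewer:
        result.reasons.append("no responsible reviewer named")

    result.allowed = not result.reasons

    # 4. Make the use explainable: an audit note a compliance officer can read.
    result.audit_note = (
        f"tool={tool} task={task} reviewer={reviewer or 'NONE'} "
        f"pii_types_detected={sorted(counts)} "
        f"outcome={'PASS' if result.allowed else 'STOP'}"
    )
    return result


if __name__ == "__main__":
    # Constructed sample prompts; the identifiers in them are made up.
    brief = "Draft a meeting brief for Jane Doe, SSN 123-45-6789, account #12345678."
    for args in [
        ("enterprise-assistant", "draft", brief, "j.smith"),
        ("consumer-chatbot", "draft", brief, "j.smith"),
        ("consumer-chatbot", "summarize", "Summarize the latest FOMC statement.", "j.smith"),
        ("enterprise-assistant", "recommend", "Which fund should this client buy?", "j.smith"),
    ]:
        r = ai_gate(*args)
        print(r.audit_note, "|", "; ".join(r.reasons) or "ok")
```

The audit note is what a CRM tag like the one in the Documenting section would hold, and the `reasons` list is what the advisor sees when the answer is stop. The redaction step is deliberately not trusted to make an unapproved tool safe on its own: structured identifiers are easy to match, names and account nicknames are not, so the gate returns the anonymized draft for a human to check rather than forwarding it automatically.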
Bringing It All Together
The advisors who win with AI over the next few years won't be the ones who use it the most recklessly — they'll be the ones who use it the most deliberately: approved tools, anonymized inputs, AI for the language-shaped work, humans for the judgment, review on everything, honest descriptions of how it's used. That's not a constraint on the value — it is the value, because it's what lets you actually rely on the time AI gives back.
You've got the toolkit. Use it well.
Key Takeaways
- There's no separate "AI rule" — existing obligations (supervision, fiduciary duty, recordkeeping, the Marketing Rule, Reg S-P, vendor oversight, disclosure where material) all apply to AI-assisted work.
- Bring an AI-use policy checklist to compliance (and follow it personally): approved tools only, no client PII in unvetted tools, defined permitted/prohibited uses, mandatory human review, recordkeeping, marketing controls, training, vendor diligence, periodic review.
- Document material AI involvement where your firm requires it, keep the final communications as records, show you verified facts against primary sources, supervise AI output like a junior employee's work, and watch for the recurring failure modes.
- Apply the four-part go/no-go test before any AI task — approved tool/anonymized input; appropriate task; human review; and "could I explain this to an examiner?" — and remember the discipline is what makes the time savings real.

