FINRA’s 2026 Report: A New Era for GenAI Compliance
Every December, the SEC’s Division of Examinations publishes its priorities for the coming year. Compliance teams read these documents carefully, looking for signals about where regulatory focus will be directed.
The 2026 SEC Exam Priorities, released in late 2025, mention AI governance and algorithmic transparency extensively. They discuss cybersecurity, operational resilience, and Regulation S-P amendments. They reference fiduciary duty, standards of conduct, and custody rules.
What they don’t mention—anywhere in the document—is WhatsApp. Or Signal, Telegram, or iMessage.
This absence is not an oversight. It is a signal of “Settled Law.”
Key Takeaways:
- Technology Neutrality: The SEC enforces outcome-based standards; recordkeeping rules apply to all business communications, regardless of the app used.
- Program Effectiveness: Examiners are shifting from reviewing “paper policies” to testing the real-world functionality of capture solutions.
- The $4 Billion Precedent: Enforcement actions have proven that using consumer apps for business without archiving is a violation of SEC Rule 17a-4.
The Challenge of Technology-Neutral SEC Regulations
Technology-neutral regulation sounds elegant in theory, but in practice, it creates operational ambiguity.
If the SEC published a list of “approved communication platforms,” firms would have a finish line. Instead, the regulatory framework operates on a principle of comprehensive coverage: whatever platforms employees use for business, those platforms must be captured and archived.
This shifts the compliance burden entirely onto firms. To stay compliant in 2026, firms must:
- Identify Shadow Channels: Discover which apps employees are actually using, not just what is officially sanctioned.
- Solve the BYOD Puzzle: Isolate business-related communications on personal devices without infringing on privacy.
- Continuous Verification: Ensure capture technology works across OS updates and device changes.
The $4 Billion Off-Channel Communication Lesson
Between 2021 and 2025, the SEC and CFTC issued more than $4 billion in penalties for off-channel communication violations. Firms—from global banks to boutique advisory firms—were fined for failing to capture business communications on WhatsApp, Signal, personal email, and SMS.
None of these enforcement actions cited new regulations. They all enforced existing recordkeeping rules—specifically SEC Rule 17a-4 and Investment Advisers Act Rule 204-2—that have been on the books for decades.
The firms that paid those penalties made a fundamental error: they assumed that because the SEC hadn’t explicitly named “WhatsApp archiving” in its exam priorities, they weren’t obligated to do it. They were wrong.
Why 2026 Priorities Focus on Effectiveness, Not Channels
The 2026 examination priorities don’t need to list WhatsApp because the focus has shifted to Compliance Program Effectiveness. The SEC is no longer satisfied with a policy that simply “prohibits” WhatsApp.
Examiners are now trained to ask:
- Does the firm’s capture solution actually work across all channels in use?
- Can the firm produce a complete archive during an audit, or are there gaps?
- How does the firm verify that coverage remains active as employees join or leave?
- Is the firm performing substantive auditing and testing of its own records?
The AI Governance Parallel
The 2026 priorities dedicate substantial attention to AI governance, marking a major focus on algorithmic decision-making.
Even here, the SEC doesn’t prescribe specific tools. Instead, it emphasizes explainability, oversight, and risk management. The parallel is clear: regulators are technology-agnostic. They set the standard—maintain accurate records, ensure fiduciary compliance—and expect firms to implement the technology to meet it.
Action Plan: Modernizing Compliance Strategy
Firms building a resilient 2026 compliance strategy should focus on three principles:
- Assume Every Platform is Subject to Recordkeeping: If it’s used for business, it must be archived—including SMS, WhatsApp, and LinkedIn messages.
- Consolidate Capture Solutions: Fragmented tools create complexity. Firms are moving toward platform-agnostic solutions, like DeepView ChatGuard, which centralize multiple channels into a single, immutable archive.
- Verify Coverage Continuously: Compliance is an ongoing operational requirement, not a one-time project.
The International Context: FCA and FINRA
The global landscape is mirroring the SEC. The UK’s Financial Conduct Authority (FCA) recently updated its social media guidance to be principles-based, applying to “all platforms,” even those not yet invented. Meanwhile, FINRA Regulatory Notice 25-07 signals a potential modernization of recordkeeping rules—but as a reinforcement of existing obligations, not a reprieve.
About DeepView
DeepView’s ChatGuard provides platform-agnostic communication capture across WhatsApp, iMessage, Telegram, and SMS. We ensure your firm meets the SEC’s “Effectiveness” standard by providing a unified, secure archive that adapts as your team’s communication habits evolve.