FINRA 2026 Puts AI Agents and Deepfake ID Risk in Writing
Bindingness: Regulatory Guidance · Scope: Federal · Finance
Two AI risks hit finance at once, and FINRA just put both in the same report. Here is what the regulator now expects.
FINRA's 2026 Annual Regulatory Oversight Report, published in December 2025 and operative across all of 2026, does something the report has not done before. For the first time it carries dedicated guidance on AI agents, the autonomous task-runners that can take actions on their own rather than just answer a prompt. In the same document, FINRA warns that fraudsters are using generative AI to defeat the identity checks that sit at the front door of every brokerage account. One report, two AI problems, both now in writing for member firms to read.
If you advise clients or run compliance at a member firm, this is the regulatory-news read you need. It is not the step-by-step wire procedure. That lives in a companion workflow piece linked below. This page covers what FINRA now expects on the two fronts it named: keeping a human in control of AI agents, and defending customer identity verification against deepfakes.
Key takeaways
- AI agents are now named in the report. FINRA's 2026 oversight report tells member firms that autonomous AI agents require human-in-the-loop oversight, tracking, and controls. An agent acting on its own is not a reason the firm gets to step back from supervision.
- The duty is supervision, not a new rule. FINRA is signaling expectations through its oversight report, not writing a fresh rulebook. Existing supervision and recordkeeping duties already cover what an agent does on the firm's behalf.
- Deepfakes are an identity-verification threat, not a sci-fi one. The same report warns that fraudsters use GenAI voices, deepfakes, and AI-augmented IDs to beat customer identity checks. The widely reported example is the roughly $25 million deepfake video-call fraud at engineering firm Arup, an illustrative case, not one cited in the FINRA report itself.
- The fix is a control set, not a tool. For agents, that means approval gates, logging, scope limits, and a kill switch. For deepfakes, it means out-of-band verification that does not trust a voice or a face alone. The procedure lives in our companion workflow piece.
What FINRA's 2026 report actually says
FINRA publishes its Annual Regulatory Oversight Report each year to tell member firms where it is looking and what it expects. The report does not carry the force of a new rule by itself. It re-anchors duties that are already enforceable, and it tells firms which fact patterns examiners will focus on. So when the 2026 report adds a dedicated section on AI agents, the message is not that a new law arrived. The message is that FINRA now expects firms to apply existing supervision, recordkeeping, and controls to a category of software that can act on its own.
That distinction matters. An AI agent is different from a chatbot. A chatbot drafts text and waits. An agent can take steps: pull data, move between systems, initiate a task, sometimes complete one. FINRA's guidance lands on exactly that capability. Its instruction to member firms is to keep human-in-the-loop oversight, tracking, and controls over what these agents do. The autonomy of the tool does not reduce the firm's accountability for the outcome.
The AI-agent control set FINRA wants
The report does not hand firms a checklist, so here is the control set that satisfies the human-in-the-loop expectation in plain terms. Each control answers a question an examiner can ask: who approved this, what did it do, what was it allowed to touch, and how do you stop it.
| Control | What it means | Why FINRA wants it |
|---|---|---|
| Approval gate | A person reviews and authorizes before the agent takes a consequential action, such as moving money, sending client communications, or changing records. | Keeps a human in the loop on the decisions that carry risk, which is the core of the supervision duty. |
| Logging and tracking | Every action the agent takes is recorded: what it did, on what input, and when. Logs are retained and reviewable. | Supervision and recordkeeping require that the firm can reconstruct what happened. An unlogged agent action is an unsupervised one. |
| Scope limits | The agent is restricted to defined tasks, systems, and data. It cannot reach accounts or actions outside its assigned lane. | Limits the blast radius if the agent fails or is manipulated, and makes oversight tractable. |
| Kill switch | A clear, fast way to halt the agent and revoke its access if it behaves unexpectedly. | Control means the ability to stop. A firm that cannot quickly turn an agent off does not control it. |
| Human review of output | Work the agent produces is checked by a qualified person before it reaches a client or a record. | The output still carries the firm's name. Due care does not transfer to software. |
A small advisory practice can stand this up without an enterprise compliance department. Write down which agents you use, what each is allowed to do, where the approval gate sits, and how you would stop it. That single page is the documentation that turns "we supervise our AI" into something you can show an examiner.
The other half: deepfakes versus identity verification
The same 2026 report flags a threat coming from the opposite direction. Fraudsters are now using generative AI to defeat the customer identity checks that protect every account. FINRA names three vectors: cloned or synthetic GenAI voices, deepfake video, and AI-augmented identity documents. The common thread is that the thing your verification step used to trust, a familiar voice, a face on a call, a scan of an ID, can now be fabricated convincingly.
This is not theoretical. The widely reported case is the roughly $25 million wire fraud at engineering firm Arup, where a finance employee in Hong Kong was deceived by a deepfake video call that impersonated company executives. We cite Arup as an illustrative example of the risk FINRA's guidance addresses, not as a case named in the report itself. FINRA's decision to add dedicated deepfake guidance is the signal that matters here: member firms are encountering these threats in practice, and the report puts the expectation in writing.
The verification principle, in brief. Do not trust a voice or a face alone to authorize a high-value or unusual action. Confirm the request through a second, independent channel that the requester did not choose, using a contact method you already have on file. A deepfake can imitate a person. It cannot, on its own, answer a callback to a number it does not control.
That principle is the whole of what FINRA's identity warning asks of you at the policy level. The step-by-step procedure for verifying a wire or an unusual money-movement request lives in our companion workflow piece, the deepfake and CFO wire-verification SOP. This page stays on the regulatory expectation. That one gives you the checklist.
Why FINRA put both in one report
The two risks look unrelated until you see what connects them. AI agents are AI acting for you, and the danger is that the firm loses control of its own automation. Deepfakes are AI acting against you, and the danger is that the firm trusts a fabricated identity. FINRA put them in the same document because both turn on the same discipline: a human in the loop who verifies before the firm acts. On the agent side, that human approves and logs. On the deepfake side, that human confirms identity out of band. Remove the human checkpoint in either place and the firm is exposed.
For finance and controller readers who sit closer to the books than to the brokerage account, the same supervision logic applies to your AI use, and we cover the accounting-side version in The Leveraged CPA and Finance program. The principle does not change by department. Verify before you act, and keep a record that you did.
What AI does not replace
The report is a useful reminder of where the machine stops. An AI agent does not hold the firm's registration, does not owe a duty to the customer, and cannot be the supervisor of record. A deepfake detector, however good, does not authorize a wire on its own. FINRA's expectation lands on a person every time: someone who approves the agent's consequential action, someone who reads the log, someone who picks up the phone and confirms the request through a channel the fraudster does not control. Used well, AI gives advisors and finance teams back hours on routine work. The judgment, the approval, and the verification stay with the human in the chair.
- The Deepfake and CFO Wire-Verification SOP. The step-by-step procedure for verifying an unusual money-movement request.
- The AI Oversight Gap for Advisors. Where supervision of AI most often breaks down in advisory practice.
- Shadow AI and the First SEC 8-K. How an undisclosed AI failure became a public disclosure event.
Frequently asked questions
Does FINRA's 2026 report ban member firms from using AI agents?
No. The 2026 Annual Regulatory Oversight Report does not prohibit AI agents. It tells firms to keep human-in-the-loop oversight, tracking, and controls over what those agents do. You may deploy agents as long as a person approves consequential actions, the firm logs what the agent does, the agent's scope is limited, and you can stop it.
What deepfake fraud threat does the FINRA report flag?
The report warns that fraudsters use generative AI voices, deepfake video, and AI-augmented identity documents to defeat customer identity verification. The widely reported example is the roughly $25 million deepfake video-call fraud at engineering firm Arup, an illustrative case rather than one named in the FINRA report. The defense is out-of-band verification that does not trust a voice or a face alone.
What is the difference between this page and the wire-verification SOP?
This page is the regulatory-news read of what FINRA expects: human control of AI agents and defending identity verification against deepfakes. The companion workflow piece, the deepfake and CFO wire-verification SOP, gives you the step-by-step procedure for confirming an unusual money-movement request. Read this for the expectations, that for the checklist.
Is the firm still responsible if an AI agent took the action?
Yes. FINRA's supervision and recordkeeping expectations apply to what an agent does on the firm's behalf. The autonomy of the tool does not transfer accountability away from the firm. That is why approval gates, logging, and a human review of output are the core of the control set.
Sources: FINRA, "GenAI: Continuing and Emerging Trends," 2026 Annual Regulatory Oversight Report, published December 2025 (https://www.finra.org/rules-guidance/guidance/reports/2026-finra-annual-regulatory-oversight-report/gen-ai). Corroborating summaries: ACA Group, FINRA 2026 Annual Regulatory Oversight Report summary; McGuireWoods, FINRA 2026 report alert. The roughly $25 million Arup deepfake fraud (Hong Kong, 2024) is widely reported in global news media as an illustrative example and is not cited in the FINRA report itself.