Financial Industry Regulatory Authority publishes 2026 Regulatory Oversight Report highlighting GenAI, cyber-enabled fraud and small-cap manipulation trends

The Financial Industry Regulatory Authority has published the 2026 FINRA Regulatory Oversight Report, releasing it earlier than usual to support member firms’ annual compliance planning as part of its FINRA Forward initiative. The report distils insights from FINRA’s regulatory programs into observed findings, effective practices and resources across key risk and supervisory topics. Across each topic area, the report links to relevant rules, summarises notable observations from recent oversight activities and outlines practices FINRA has seen firms use to strengthen controls. On generative artificial intelligence (GenAI), FINRA notes firms’ early deployments focused on internal efficiency and information retrieval, with “summarization and information extraction” identified as the leading use case, and flags added risks from AI agents including autonomy without human validation, acting beyond intended scope, limited auditability, data sensitivity, insufficient domain knowledge and misaligned incentives alongside existing GenAI risks such as bias and hallucinations. On cybersecurity and cyber-enabled fraud, FINRA highlights threats including ransomware and extortion, data breaches, phishing and similar messaging-based attacks, new account fraud, account takeovers, impersonations and imposter sites. On manipulative trading in small-cap exchange-listed equities, FINRA describes pump-and-dump activity shifting to months after IPOs, continued use of nominee accounts and foreign omnibus accounts to concentrate the public float, secondary offerings to select foreign investors with inadequate public disclosure, greater use of account takeover fraud and growing reliance on text and social media scams and coordinated limit orders, and notes it initiated a targeted examination in October covering firm practices in public and private offerings for small-cap exchange-listed issuers with operations in foreign jurisdictions. On third-party risk, FINRA points to increased reporting of vendor cyberattacks and outages and highlights practices such as ongoing due diligence for mission-critical providers, maintaining inventories of vendor-accessed data types and monitoring for vulnerabilities and breaches. FINRA said the report’s topics will also be covered through additional compliance and education resources during the year, including a FINRA Unscripted podcast episode and the 2026 FINRA Annual Conference on May 12-14 in Washington, D.C.