FINRA Forward: Modernizing the Regulatory Framework
Launched in spring 2025, the FINRA Forward initiative represents the most significant organizational and rulemaking overhaul by FINRA in years. Its three pillars are:
- Modernizing FINRA rules by reviewing and eliminating unnecessary burdens.
- Empowering member firm compliance programs.
- Strengthening market integrity and investor protection through cybersecurity resilience and fraud risk.
Upon launch of the initiative, FINRA issued four foundational Regulatory Notices: 25-04 (broad rule review), 25-05 (Outside Business Activities), 25-06 (Capital Formation) and 25-07 (the Modern Workplace, including Branch Office and Supervision Modernization). Rule amendments adopted under FINRA Forward became effective March 25, 2026, including updates to Capital Acquisition Broker rules and changes designed to reduce regulatory duplication. Firms should review their Written Supervisory Procedures (WSPs), particularly around branch office classification and the supervision of registered personnel in nontraditional work environments, in light of these changes.
Gift Rule Amendment: The $100 Limit Is History
Effective March 30, 2026, FINRA amended Rule 3220 to triple the annual gift limit from $100 to $300 per recipient, the first increase since the rule was adopted decades ago. The SEC approved the amendment on February 12, 2026.
Key operational implications for compliance programs include:
- Firms must adopt and document in their WSPs the aggregation method they will use—calendar year, fiscal year, or rolling 12-month basis—and apply it consistently.
- The amendment codifies existing FINRA guidance on gift valuation and introduces a new FINRA exemptive relief mechanism for demonstrated good cause.
- The $300 limit does not override lower caps under other regulatory frameworks; firms subject to Municipal Securities Rulemaking Board rules must still apply the more restrictive limit applicable to those activities.
Compliance teams should update gift and entertainment policies, WSPs and related attestation processes in light of the rule amendment. FINRA also raised the gift limits in Rules 2310, 2330, 2341 and 5110, which cover noncash compensation in specific products (direct participation programs, variable annuities, mutual funds and public offerings), to $300 to conform to the updated Rule 3220.
Projections and Targeted Returns: A Long-Overdue Alignment (Proposed)
In February 2026, FINRA filed a proposed amendment to Rule 2210 (Communications with the Public) that would, for the first time, permit broker-dealers to include projected performance and targeted returns in communications with institutional customers and, in limited circumstances, retail customers, provided firms maintain written policies and procedures reasonably designed to ensure the communication is relevant to the likely financial situation and investment objectives of the intended audience. The proposal takes a facts-and-circumstances approach rather than categorically permitting retail distribution and falls short of full alignment with the SEC Marketing Rule in several respects. Nonetheless, it represents a meaningful step toward closing a long-standing competitive imbalance between broker-dealers and investment advisers, who have operated under the more permissive SEC Marketing Rule since 2021.
The proposal is narrower than the SEC Marketing Rule and would require firms to meet three conditions before including projections:
- Written supervisory procedures confirming projections are appropriate for the intended audience.
- Reasonable basis for all assumptions and criteria used, supported by written records.
- Clear disclosures regarding whether performance is net of fees and the limitations and risks of forward-looking projections.
Notably, the proposal covers only forward-looking projections and targeted returns—it does not extend to backtested performance or hypothetical model portfolios. Compliance and business development teams should begin reviewing their supervisory frameworks and surveillance programs now, as business lines will likely move quickly to incorporate projected returns into marketing materials once the rule is finalized.
Outside Business Activities (OBA) and Private Securities Transactions (PST): Rule 3290 Proposal (Pending)
As part of its ongoing modernization efforts under the FINRA Forward initiative, FINRA has proposed a new consolidated Rule 3290 to replace and streamline existing Rules 3270 (Outside Business Activities of Registered Persons) and 3280 (Private Securities Transactions of an Associated Person). Filed with the SEC in January 2026, the proposed rule aims to focus firm oversight on outside activities that present a higher risk of investor harm or firm conflicts.
Key features of the proposal include:
- A risk-based framework that distinguishes between activities requiring firm supervision and those that do not.
- Elimination of duplicative reporting obligations for low-risk activities.
- Clarification of firm responsibilities for supervising compensated and uncompensated outside activities.
If adopted, Rule 3290 would require firms to revisit and revise their written supervisory procedures, employee disclosure forms and internal escalation protocols to align with the new risk-based approach. Compliance teams should begin evaluating current OBA and PST review processes in anticipation of potential rule adoption later in 2026.
Streamlining Bulk Account Transfers
In February 2026, FINRA issued Regulatory Notice 26‑03, which reduces regulatory burdens and consolidates guidance related to the use of negative consent for the bulk transfer or assignment of customer accounts.
Historically, firms seeking to transfer customer accounts using negative consent were required to submit draft customer letters to FINRA staff and obtain a formal “no objection” before proceeding. Effective April 1, 2026, FINRA eliminated this prereview process, allowing firms to proceed without staff preclearance where negative consent is otherwise appropriate.
The notice reaffirms that negative consent remains permissible only in limited circumstances, generally tied to firm‑level operational events such as mergers, wind‑downs, changes in clearing arrangements or the exit of a line of business, not for individual registered representatives moving personal books of business. FINRA also consolidated prior guidance and outlined effective practices, including minimum disclosure elements, reasonable objection time frames and safeguards designed to ensure customers receive timely and clear notice of the transfer.
Cybersecurity and Regulation S-P: Deadlines Are Here
Cybersecurity remains FINRA’s top financial crimes priority for 2026, and the regulatory framework just got significantly more demanding. The 2026 Annual Regulatory Oversight Report identifies the primary cyber threats currently targeting broker-dealers: ransomware and extortion, data breaches, phishing/smishing/quishing, new account fraud, account takeovers, account impersonations, imposter sites, relationship investment scams and insider threats.
The SEC’s May 2024 amendments to Regulation S-P represent the most significant data protection compliance obligation for broker-dealers right now:
- Large entities were required to comply by December 3, 2025.
- Smaller entities must comply by June 3, 2026.
The amended rule requires firms to maintain a written incident response program designed to detect, respond to and recover from unauthorized access to customer information and to notify affected customers whose sensitive information was, or is reasonably likely to have been, compromised.
From a FINRA rule perspective, Regulation S-P compliance obligations are operationalized primarily through FINRA Rule 3110 (Supervision), which requires firms to have WSPs covering data security and customer information protection, and FINRA Rule 4370 (Business Continuity Plans), which governs incident response and operational recovery capabilities. Exchange Act Rules 17a-3 and 17a-4 (Books and Records) are also implicated.
FINRA’s effective practices guidance emphasizes multifactor authentication, network segmentation, tabletop exercises, bring your own device (BYOD) policies and cross-team communication between cybersecurity and anti-money laundering (AML) functions.
GenAI: A New Examination Focus Area
For the first time, the 2026 Annual Regulatory Oversight Report dedicates a stand-alone section to “Generative AI: Continuing and Emerging Trends”—a clear signal that FINRA examiners will be asking questions about artificial intelligence (AI) governance in 2026.
FINRA’s concerns cut in two directions. First, firms’ own use of Generative AI (GenAI) in compliance, surveillance and customer-facing applications must be supervised under existing frameworks. Second, threat actors are increasingly exploiting GenAI to enhance cybercrimes—including generating fake identification documents, creating deepfake selfies to bypass account verification, producing voice clones to manipulate customer service staff and deploying polymorphic malware that evades detection.
Firms should assess whether their existing WSPs and supervisory frameworks adequately address:
- Supervision and review of GenAI-generated communications with customers.
- Identity verification controls capable of detecting AI-generated fake documents and deepfakes.
- Training programs for staff on the latest GenAI-enabled fraud typologies.
FINRA 2026 Examination Schedule Notifications
As part of its ongoing efforts to enhance transparency and allow firms to better prepare for regulatory reviews, FINRA implemented a new 2026 Examination Schedule Notification initiative.
Under this initiative, member firms with a FINRA examination scheduled to begin on or after February 2, 2026, received an advance notification identifying the calendar quarter in which they can expect their formal exam announcement. FINRA delivered this advance notification by January 21, 2026, via email to the firm’s designated executive representative, Chief Compliance Officer (CCO) and regulatory inquiries contact, as reflected in the FINRA Contact System (FCS).
While the initiative does not alter FINRA’s examination scope, frequency, or risk‑based approach, it reflects FINRA’s broader effort to modernize regulatory processes and reduce unnecessary operational uncertainty for member firms.
CAB Modernization
FINRA also issued Regulatory Notice 26‑04, adopting amendments to the Capital Acquisition Broker (CAB) rules as part of its rule modernization efforts. The amendments became effective March 25, 2026, and are designed to reduce unnecessary regulatory burdens while preserving the CAB’s limited institutional business model and investor protections.
Key changes include:
- Expanded definition of “institutional investor” to include certain “eligible employees,” such as knowledgeable employees, officers and directors of issuers, while clarifying that Reg BI and Form CRS apply if such persons qualify as retail customers or retail investors.
- Expanded permissible activities, allowing CABs to act as placement agents or finders on behalf of institutional investor buyers, not just issuers, in primary offerings of unregistered securities.
- Authorization for CABs to represent buyers, sellers or both in change‑of‑control transactions involving privately held companies, subject to written disclosure and informed consent.
- New flexibility to facilitate secondary transactions in unregistered securities between institutional investors.
- Alignment of CAB private securities transaction requirements with FINRA Rule 3280 and codification of guidance permitting CABs to receive securities as compensation under defined conditions.
Firms operating under the CAB framework should review their supervisory procedures, compensation structures and disclosure practices to ensure alignment with the amended rules and to confirm that expanded activities remain within CAB eligibility boundaries.
AML: Fraud Typologies Are Evolving
FINRA Rule 3310 (AML Compliance Program) remains a top examination area, with examiners focused on whether programs are sufficiently tailored to each firm’s specific business model and risk profile. Common findings in recent examinations include:
- Failing to reasonably detect and investigate red flags in omnibus accounts and small-cap public offerings.
- Auto-approving account openings despite red flags such as invalid or mismatched Social Security numbers.
- Inadequate independent testing, including failure to test critical areas like suspicious activity detection following material business changes.
- Not escalating cybersecurity events (e.g., account takeovers) through AML channels for potential Suspicious Activity Report filing.
The 2026 report also highlights several new and evolving external fraud typologies firms must incorporate into their AML monitoring programs: disaster-related scams, investment club scams tied to pump-and-dump schemes, gold bar courier scams, crypto confidence fraud and mail theft-related check fraud.
Regulation Best Interest: Enforcement Continues
Reg BI enforcement shows no signs of slowing. The SEC brought settled enforcement actions against a broker-dealer and registered representative for Reg BI violations in August 2025, and both SEC and FINRA examination programs continue to prioritize complex product recommendations—particularly variable annuities, structured products and tax-advantaged accounts. Firms should ensure their care obligation documentation, conflict of interest disclosures and Form CRS are current and accurately reflect their actual business practices.
Digital Assets: Clarifications and Ongoing Obligations
Broker-dealers with crypto asset exposure face layered obligations across both FINRA and SEC frameworks. The SEC’s crypto FAQs clarified that non-special-purpose digital asset broker-dealers may hold customer digital assets in locations qualifying as “good control locations” under Rule 15c3-3, provided firms maintain contemporaneous documentation. The 2026 report separately requires that firms affiliated with crypto platforms:
- Conduct risk-based, on-chain AML and fraud reviews.
- Maintain written procedures documenting those reviews.
- Inform customers about differences between brokerage accounts and affiliated crypto accounts, including the distinction in Securities Investor Protection Corporation (SIPC) protections.
Equity Trade Reporting: Temporary Exception for Overnight Transactions
On March 9, 2026, FINRA issued Regulatory Notice 26-07, adopting a limited, temporary exception to the equity trade reporting rules for qualifying overnight transactions. Effective March 30, 2026, this exception coincides with the expansion of Trade Reporting Facility (TRF) operating hours to begin at 4:00 a.m. ET. Under the new rule:
- Trades executed between 12:00 a.m. and 8:00 a.m. ET that meet specific criteria (e.g., overnight batch processes or exchange-traded funds [ETF] trades based on post-close net asset values [NAVs]) may be reported by 8:15 a.m. ET on trade date.
- Such trades must be designated with a unique trade report modifier to indicate execution outside normal market hours.
- The exception is temporary and will expire upon further TRF operating hour extensions or on December 31, 2027, whichever comes first.
Firms should update trade reporting systems and written supervisory procedures to accommodate the new modifier and ensure timely reporting of qualifying transactions. Surveillance and compliance teams should also review internal controls to confirm alignment with the updated reporting framework.
Financial Responsibility: Key Dates and CAT Updates
The SEC extended the compliance date for daily reserve formula computation under the Customer Protection Rule (Rule 15c3-3) to June 30, 2026, for firms required to compute on a daily basis as of December 31, 2025. Firms should be actively preparing systems and operational workflows to meet this deadline.
On the Consolidated Audit Trail (CAT), the current administration has signaled a deregulatory posture aimed at reducing cost burdens, and further modifications to CAT obligations are expected. Firms should monitor developments but maintain current compliance posture until formal amendments are adopted.