Compliance Reference — February 2026

Built for the regulatory environment you operate in.

Presidia was designed from the ground up to satisfy the compliance requirements that govern AI tools in registered investment advisory practices. This document sets out the current regulatory framework: what FINRA's most recent guidance requires, which rules apply, and precisely how Presidia addresses each one.

Part 1

FINRA 2026 — The Governing Standard

FINRA's 2026 Annual Regulatory Oversight Report establishes the most specific and current AI governance expectations in financial services. Presidia's architecture was built to satisfy them.

The 2026 Report contains the first standalone GenAI section in FINRA's history. It defines AI agents as “systems or programs that are capable of autonomously performing and completing tasks on behalf of a user” and establishes specific governance expectations for firms deploying them. While FINRA directly regulates broker-dealers, SEC examiners and RIA compliance teams apply this framework as the industry-wide standard.

The requirements below reflect what FINRA expects of any firm or vendor operating AI agents in an advisory context.

1. Enterprise-level governance before deployment: formal review and approval processes, with written supervisory policies covering each GenAI use case. FINRA 2026 § GenAI — Pre-deployment
2. Continuous prompt and output logging: all interactions logged for accountability and troubleshooting, including which model version processed each request and when. FINRA 2026 § GenAI — Monitoring
3. AI interactions archived as business communications: chatbot and AI assistant exchanges are explicitly classified as supervised communications subject to the same retention requirements as any advisor communication. FINRA 2026 § GenAI — Recordkeeping
4. Defined human-in-the-loop protocols: each firm must specify where human approval is required before the AI agent acts on their behalf. FINRA 2026 § GenAI — AI Agent Controls
5. Configurable agent scope controls: guardrails must prevent the agent from taking actions beyond the advisor's defined authority. Scope must be explicitly bounded, not assumed. FINRA 2026 § GenAI — Scope Controls
6. Vendor GenAI due diligence: RIAs must evaluate how their AI vendors use GenAI internally, with contractual limits on how client data flows through vendor AI systems. FINRA 2026 § GenAI — Third-Party Vendors
7. Accurate AI disclosures: all references to AI tools in marketing and client-facing materials must describe the technology's actual capabilities and limitations. FINRA 2026 § GenAI — Disclosure

Part 2

Applicable Regulations

Each rule currently in force that applies to the deployment of an AI assistant inside an RIA practice. Listed by regulatory source.

Written communications relating to advice, transactions, or performance must be retained for 5 years, the first 2 in an easily accessible location. All advisor-to-AI interactions touching client matters constitute business records. Electronic records must be stored in WORM-compliant format, with access controls and audit capability.
Privacy and Breach Notification
Vendors with access to customer information must notify the RIA within 72 hours of any unauthorized access. RIAs must notify affected individuals within 30 days. A written incident response program and vendor oversight policy are required. Compliance deadlines: December 3, 2025 for RIAs with AUM of $1.5B or more; June 3, 2026 for smaller firms.
Advisors bear a non-waivable duty of care — advice must reflect each client's individual circumstances. AI-generated outputs are inputs to advisor judgment, not substitutes for it. Material use of AI tools must be disclosed in Form ADV Part 2A, updated annually and delivered to clients within 120 days of each fiscal year-end.
Marketing Rule
Any communication offering advisory services sent to two or more people is an advertisement, including AI-drafted emails distributed in bulk. Communications containing performance figures must show gross and net results with equal prominence across 1-, 5-, and 10-year periods. The original AI prompt, generated output, and final sent version must each be retained for 5 years.
Compliance Program
RIAs must maintain written policies and procedures, an annually documented review, and a designated CCO. SEC FY 2026 examination priorities state that examiners will specifically review written AI supervision policies as part of routine examinations.
AI transcription constitutes recording under applicable wiretapping statutes. Eleven or more states require all-party consent before any recording begins, including California, Florida, Illinois, Maryland, Massachusetts, Pennsylvania, and Washington. Cross-state calls are governed by the strictest applicable law. Illinois BIPA additionally requires written consent before processing voice data.
Prospect Outreach
Automated text outreach requires prior express written consent specifying the recipient's phone number. Opt-outs must be honored within 10 days. CAN-SPAM governs all commercial email: accurate sender identification, a functioning opt-out mechanism, and a physical mailing address are required on every message.
All statements about AI capabilities in marketing materials, Form ADV disclosures, or client conversations must be accurate and substantiated. The SEC's Cyber and Emerging Technologies Unit treats misrepresentation of AI functionality as a securities fraud matter.
Part 3

How Presidia Addresses Each

A direct response to each requirement above, mapped to the rule it satisfies.

Rule 204-2: Recordkeeping and Archival
  • Every prompt, output, and action is logged with a timestamp and model version identifier, satisfying FINRA’s 2026 requirement to record which model processed each interaction and when.
  • All logs are stored in WORM-compliant format and are accessible to SEC examiners on request.
Reg S-P: Breach Notification and Data Privacy
  • Presidia’s data processing agreement commits to notifying the RIA within 72 hours of any unauthorized access to customer information.
  • Client data is never used for model training or shared with undisclosed sub-processors.
  • A current SOC 2 Type II report covering Security, Confidentiality, and Privacy Trust Services Criteria is available to compliance teams on request.
  • The DPA documents data retention schedules, disposal procedures, and the full sub-processor list required for Reg S-P vendor oversight.
§206 Fiduciary: Advice Framing and Form ADV Support
  • All Presidia outputs, including talking points, opportunity flags, and meeting briefs, are presented as items for advisor review rather than recommendations.
  • The platform does not communicate directly with clients. Every output passes through the advisor’s independent judgment before reaching a client.
  • Standardized Form ADV Part 2A disclosure language describing Presidia’s role can be provided on request for inclusion in the next annual update.
Rule 206(4)-1: Marketing Rule Compliance
  • Outputs containing performance figures are flagged separately for enhanced review.
  • The platform retains the original prompt and the generated draft, maintaining the complete substantiation record required for advertisements under Rule 206(4)-1.
Rule 206(4)-7: Written AI Governance Policies
  • A template AI governance policy covering supervisory obligations, acceptable use boundaries, human-in-the-loop requirements, and recordkeeping procedures can be provided on request.
  • Policy language aligned with SEC examination expectations for written AI supervision documentation and FINRA’s pre-deployment governance framework can be prepared on request.
  • Annual compliance review templates are available on request.
State Wiretapping / BIPA: Meeting Transcription Consent
  • Presidia requires documented all-party consent before initiating any recording or transcription, with verbal acknowledgment at meeting start.
  • Any participant may decline recording at any time.
  • Both the raw audio and the AI-generated transcript are retained, providing a complete record for compliance purposes.
  • Assistance can be provided in preparing standard engagement letter language covering AI transcription for use with clients.
FINRA 2026: Agent Scope Controls and Human-in-the-Loop
  • Each RIA configures precisely what Presidia may do autonomously and what requires human approval, covering CRM writes, outbound communications, and client-facing outputs.
  • Default settings require advisor sign-off before any client-facing action is taken.
  • Scope configurations are logged, auditable, and adjustable by the firm’s CCO at any time.
  • This directly satisfies FINRA’s 2026 requirement for configurable guardrails that limit AI agent behaviors to advisor-defined authority.
TCPA / CAN-SPAM: Prospect Outreach Controls
  • Automated text sequences require documented prior express written consent before initiation, with scrubbing against the National Do Not Call Registry and Reassigned Numbers Database before each send.
  • Opt-out requests halt all sequences immediately and are honored within the required 10-day window.
  • All AI-drafted email campaigns include required sender identification, a functioning opt-out mechanism, and physical address, enforced at the platform level before transmission.
On the horizon
Effective June 30, 2026
Colorado AI Act

Requires impact assessments, consumer disclosures, and risk management programs for high-risk AI in financial services. Presidia will provide deployment-ready documentation to all firms ahead of the effective date.

Effective January 1, 2028
AML / CFT for Investment Advisers

SEC-registered RIAs will require written AML and CFT programs and SAR filing obligations. State-registered advisers are currently excluded. Presidia will publish updated guidance when the final rule is confirmed.