Q&A with FINRA’s Greg Ruppert on the organization’s use of Artificial Intelligence

Ruppert leads FINRA’s efforts to strengthen regulatory coordination, expand intelligence sharing, and enhance its regulatory processes and technology – protecting investors and upholding market integrity. What follows is an edited conversation between Ruppert and Aaron Nicodemus, Compliance Week’s Editor-in-Chief.

Q: Greg, tell me a little bit about what you do at FINRA.

A: I am the Chief Regulatory Operations Officer at FINRA, a self-regulatory organization established for about 85 years with a mission to protect investors and safeguard U.S. capital markets. We recently brought together three different groups that are focused on the operational aspects of our regulatory oversight: Member Supervision, Market Oversight, and Enforcement. We’ve combined these three programs into one organization, called Regulatory Operations. With that, we’re able to surveil the markets, investigate allegations of any wrongdoing, conduct exams, and bring enforcement actions. But we can also share intelligence and information with member firms through our Risk Monitoring Program, as well as learn from them. That is a great advantage of us being a self-regulatory organization sitting in between government and the securities industry.

Q: How is FINRA using Artificial Intelligence (AI) tools in the oversight of its member firms?

(You can listen to the entire conversation about AI tools here)

A: AI enhances our ability to safeguard the integrity of U.S. capital markets and protect investors. FINRA has been an early adopter of technology and AI since the early 2000s, specifically to enhance our market surveillance capabilities. We started using AI and algorithms to identify various patterns and help surveil hundreds of billions of market events generated every day. That enables us to focus on aspects of potential fraud, manipulation, or misconduct that can harm investors.

We’ve more recently been leveraging advanced analytics in our centralized intake function. We have a centralized repository that receives complaints from investors, regulatory tips from our member firms, and others in the industry. We have been able to leverage the machine reading capabilities of AI, so that we can get to various areas of risk faster, and then assess whether we’re already aware of it, or determine if this is a new matter we should be investigating.

And now we’re also looking for ways we can leverage AI in our exam programs. Specifically, one of the use cases we’re looking at is sentiment analysis, where we review large sets of unstructured data. For example, investor complaint data analysis: We can quickly discern whether something might or might not be a significant complaint regarding a violation of securities rules or laws or misconduct. This allows our examiners to focus efforts and get to reviews faster.

We are also providing resources for our member firms through a standardized AI use case document. We found there wasn’t common nomenclature for AI use cases, so we created it, and we’re now up to 14 different use cases. One of the great things I’ve been hearing from our firms since we published it is they’re using that internally as a resource document to have discussions within their firms, so they can see how they’re using it, how other firms are using AI, specifically generative AI. This can aid in compliance discussions and help avoid confusion and misunderstandings if they’re using similar language to what other regulators are using, and with us as well.

Q: How is FINRA working to enable compliance through FINRA Forward?

A: FINRA Forward is our new initiative focused on strengthening support for member firms through empowering compliance, modernizing our rule set, as well as finding tools that can help combat fraud and cybersecurity risks that firms are facing. It’s incumbent upon us to look at everything we can do to continuously improve, and that’s really why we launched FINRA Forward.

We’re looking to engage with firms on policy, we’re looking to engage with the investing public, and we’re really setting the stage for modernization and transformation that will better enable member firm compliance and allow us to deliver on our mission with even greater impact.

We are enhancing our data insights. We asked ourselves, “How do we provide more proactive data insights to our members? How can we help them to identify issues before an examination or investigation even begins?” We’re issuing report cards, and sharing information out proactively with our membership from our oversight activities, like with our annual Regulatory Oversight Report.

We’ve also been really focused on streamlining and reducing our data requests as we continue to find more ways to leverage the data that we already have. We’ve heard members loud and clear in about ways we can save them time and resources so they can focus on their day-to-day compliance efforts. We’re enhancing filing processes across the board and our exams to strengthen efficiency and effectiveness for them as well as for us.

Q: What are some regulatory trends FINRA has identified, and how can firms strengthen their compliance programs in response to those trends?

A: One thing our annual Regulatory Oversight Report focuses on this year is our collaboration with member firms around third-party vendor risk. We created a new Cyber and Operational Resilience Program to enable us to quickly share information with our members about cyber and fraud risks and threats. We worked with our member firms to gather information on who their critical vendors are, and we took that list of vendors and third-party providers and we are actively monitoring the vendors for cyber and fraud risks. We look for shifts in risk, additional threats or attacks happening to those vendors. Then we directly and proactively inform our member firms about the particular risk or threat, how to identify it, how to mitigate it, and who they can follow up with at FINRA if they need assistance. We’ve issued over 11,000 notifications to more than 3,400 unique recipients in the short time we’ve set this up.

The other emerging trend is the use of generative AI. It’s not so much about how firms are using it, but how organized crime groups and other criminal elements are leveraging generative AI to attack investors and attack firms.

FINRA created a Threat Intelligence Product, or TIPs, in which we can send actionable intelligence about these criminal threats to our firms in a secure manner. These threats are not published on our website.

The TIPs contain specific steps on how firms can help protect their organizations and customers from these threats. Threats include how criminals are using AI to manipulate markets, all the way down to how they impersonate individuals or clients of the firm.

Another big threat we’ve seen develop is how criminals are impersonating executives of firms or, in some cases, financial luminaries that you see on Bloomberg or CNBC, all the way to big hedge funds. The criminals are pretending to be those individuals to lure potential investors into fake investment clubs or chat rooms, and then start pitching them on low-priced securities. It’s a new twist on the old-fashioned pump-and-dump schemes, or ramp-and-dump schemes.

We also started educating investors directly through the FINRA Foundation, and we’ve started working with third-party social media providers, other regulators, and the exchanges. FINRA decided to take action and provide intelligence on these threats to anyone that could be affected. Those tips have been very successful in protecting investors, as well as safeguarding the markets through arming our member firms with the information they need.

Q: What challenges and opportunities do you see that technology is bringing to compliance?

A: The speed of technology, particularly with AI and generative AI, will force us to react much, much quicker to what we’re seeing. But no one should do this by themselves. You have peers in the industry and other resources that you can engage with to learn and share best practices. If you’re a FINRA member firm, you have FINRA that you can contact as well.

The real question is, how do you leverage your network so that you’re able to assess the situation in terms of what’s coming, what the issues are, and where you should be positioning? My advice to compliance officers is learn everything you can about what’s happening inside your firm. Get yourself assigned to your firm’s new product committee so that you’re at the front end of helping onboard new products, while thinking through risks.

We call it future-proofing. As you develop contracts, as you onboard new vendors, ask simple questions, like, how are you using AI? What is your intended use for AI? Where are you storing the data? Add a clause to the contract requiring vendors to tell you proactively before they turn on a new AI tool.

All of the basic questions you’ve asked from a technology standpoint throughout the years, ask them of your vendors. Ask the vendor about their vendors’ use of AI. You’ve got to pay attention to fourth-party risk, in addition to your third-party risk.

Compliance officers should also build their networks inside their organizations so they have a relationship with people from technology or your chief information security officer. Get to know your fraud investigators and your (anti-money laundering) AML officer.

Bring everyone together so that you’re all at the table considering what the governance is around your use of new technology, your vendors’ use of technology, as well as the risks and challenges you’re seeing.

Develop a centralized capability to respond to and address the risks. That way, as a compliance officer, you’re better prepared when something happens. It’s about being proactive, rather than reactive.

As a compliance officer, you want to be the person people run to when there’s an issue, not run from.