If your wealth management firm has an affiliated FINRA-registered broker-dealer, your AI retention problem is harder than what most compliance teams have scoped. I say that based on what I see in practice. The AI tools are not the complicated part. Microsoft Copilot, ChatGPT Enterprise, and the AI features embedded in CRM and planning platforms are now standard across the industry. The complicated part is the regulatory framework governing the records those tools create, and for dual-registrant firms, that framework is materially more complex than for any other category of financial services firm.
For a standalone registered investment adviser (most PE firms, for example) the recordkeeping analysis centers on a single rule with a narrow, four-category scope. I wrote about that framework in detail in a companion piece. For wealth management firms operating with an affiliated broker-dealer under the same holding company, two entirely distinct SEC recordkeeping regimes apply simultaneously. Determining which one governs any given AI interaction requires a compliance analysis that most firms have not formalized. Getting that analysis wrong, in either direction, carries material financial and regulatory consequences.
The stakes are escalating. Since 2021, the SEC has assessed more than $2.2 billion in combined penalties against financial firms for recordkeeping failures related to off-channel communications [11]. FINRA’s 2026 Annual Regulatory Oversight Report introduced a dedicated generative AI section for the first time, explicitly naming GenAI chatbot communication retention as a regulatory focus area [3]. Smarsh’s 2026 regulatory forecast predicts that the first major disciplinary case involving AI misuse at a financial services firm is likely to land in 2026 [14]. If your firm has not built a governance framework calibrated to your specific dual-registrant structure, you are not ahead of this curve. You are behind it.
The dual-registrant structure that characterizes most institutional wealth management firms creates the most complex compliance scenario in the industry. The typical firm operates through a holding company with at least two primary regulated entities: an SEC-registered investment adviser providing discretionary and non-discretionary investment management, financial planning, and wealth advisory services, and an affiliated FINRA-registered broker-dealer that facilitates securities transactions and enables certain compensation arrangements for dually registered financial professionals [4].
Both regulatory regimes apply at the same time. This is not a situation where the firm chooses one standard. Both apply, and the standard that governs any specific AI interaction depends on the capacity in which the advisor is acting at the moment the interaction occurs. An advisor who is dually registered as both an investment adviser representative and a registered representative may pivot between the two regimes multiple times in a single day depending on which clients they are serving and in which capacity. The AI tools do not change. The regulatory standard governing the records they create does.
The SEC’s FY2026 examination priorities make this explicit. The priorities specifically identify dually registered adviser/broker-dealers as a category requiring demonstration of clear supervisory structures, conflict mitigation, and documentation supporting the separation or integration of advisory and brokerage services [5]. The same priorities flag firms that have grown through acquisitions of independent RIAs as heightened exam targets, citing operational strain, integration risk, inconsistent policies, and new conflicts [5]. Firms matching this profile frequently arrive at AI governance conversations carrying legacy compliance infrastructure designed for a simpler regulatory environment that has not been updated to address enterprise AI.
SEC Rule 17a-4(b)(4) under the Securities Exchange Act of 1934 is the broadest communications retention standard in U.S. securities regulation [1]. It requires broker-dealers to preserve originals of all communications received and copies of all communications sent “relating to its business as such,” including inter-office memoranda. The scope is as wide as it reads: no enumerated category limitation, no exclusion for internal working documents, no carve-out for AI-generated content that was used but not transmitted. All business communications by all personnel acting in BD capacity must be retained.
The mechanics are demanding. Six-year retention, first two years immediately accessible. Non-rewriteable, non-erasable WORM format. Once a record is written, it cannot be altered or deleted during the retention period. For a wealth management firm where dozens of advisors are dually registered and using AI throughout their workday, the BD side of the retention obligation applies to a substantial portion of firm activity and leaves virtually no room for selective retention or user-level discretion.
SEC Rule 204-2(a)(7) under the Investment Advisers Act of 1940 operates on a fundamentally different principle [2]. Rather than requiring retention of all business communications, it limits the obligation to four specific categories of written communications: recommendations and advice; receipt, disbursement, or delivery of funds or securities; the placing or execution of any order to purchase or sell any security; and the performance or rate of return of managed accounts or securities recommendations. Communications outside these four categories are not subject to mandatory retention.
Five-year retention rather than six, first two years in an easily accessible location. No WORM format requirement. The narrower scope is not accidental. In February 2023, SIFMA and nine additional trade associations submitted a formal joint letter to the SEC arguing that Rule 204-2(a)(7) covers only external communications within those four categories, not all business communications [11].
The practical consequence: wealth management firms must maintain two parallel retention programs simultaneously. When a dually registered advisor uses AI to prepare a securities recommendation for a brokerage client, Rule 17a-4 applies. All related communications captured and archived in WORM format for six years. When the same advisor uses AI to develop a financial plan for that same client’s advisory account, Rule 204-2 applies. Only communications within the four enumerated categories require retention, for five years, without WORM. The advisor, the client, and the AI tool may be identical. The applicable regulatory standard is not.
This is the part of the framework that creates the most operational friction for compliance teams. The SEC has stated in the context of Regulation Best Interest that whether Reg BI or the Advisers Act applies depends on the capacity in which the financial professional is acting when making the recommendation [6]. The same capacity-dependent framework governs the recordkeeping analysis, and it is harder to operationalize for AI interactions than for traditional advice delivery.
Three categories of AI interaction present different compliance profiles:
BD-capacity interactions. A dually registered advisor uses AI to prepare a securities recommendation for a brokerage client, draft a Regulation Best Interest disclosure, or generate content related to a transaction executed through the affiliated broker-dealer. Rule 17a-4 applies. All communications, including internal working documents, must be captured and retained.
IA-capacity interactions. The same advisor uses AI to build a financial plan, draft an investment policy statement, or prepare retirement analysis for an advisory-only client. Rule 204-2 applies. Only transmitted communications touching the four enumerated categories require preservation.
Ambiguous-capacity interactions. This is the category that creates real exposure. The advisor is serving a client who maintains both advisory and brokerage accounts, or the nature of the recommendation is not immediately classifiable. An advisor preparing a portfolio rebalancing recommendation for a client with a blended account structure may be acting in both capacities simultaneously. A market commentary email sent to the full client list may constitute an advertisement under the Marketing Rule, an advisory communication under Rule 204-2, and a BD business communication under Rule 17a-4, each with different retention requirements. Firms must establish documented classification policies for these interactions, including clear escalation procedures when capacity cannot be determined at the time of the AI interaction.
The most significant regulatory development specifically affecting wealth management firms in 2026 is FINRA’s introduction of a dedicated generative AI section in its 2026 Annual Regulatory Oversight Report [3]. This is the first time FINRA has explicitly addressed GenAI in its annual guidance, and the obligations apply to every FINRA member firm, including the affiliated broker-dealers of wealth management holding companies.
FINRA states directly that GenAI use can implicate rules regarding supervision, communications, recordkeeping, and fair dealing [3]. On retention specifically, the report states that firms should capture and retain GenAI chatbot communications made on the firm’s behalf and identifies this as a regulatory focus area [8]. This is not aspirational guidance. It is a compliance expectation backed by FINRA’s examination authority.
The report also places specific emphasis on supervision of AI tools under FINRA Rule 3110 [3]. Rule 3110 requires broker-dealers to establish a supervisory system reasonably designed to achieve compliance with applicable securities laws. FINRA’s guidance states that if a firm relies on GenAI tools as part of its supervisory system, its policies must consider the integrity, reliability, and accuracy of the AI model. This creates an obligation not only to retain AI-generated records but to build a supervisory framework around how those tools are deployed, audited, and corrected when they produce inaccurate or non-compliant outputs.
FINRA’s 2026 report also identifies shadow AI as a significant emerging compliance risk: AI tools used by advisors or staff without IT oversight, formal approval, or supervisory monitoring [3]. For wealth management firms, this is not hypothetical. Advisors working with affluent clients under competitive pressure have strong incentives to adopt productivity tools quickly, and compliance infrastructure has not always kept pace. A dually registered advisor who uses a personal AI subscription to draft a client recommendation and then emails it through the firm’s systems has created a business record under Rule 17a-4 generated outside the firm’s capture infrastructure. FINRA’s examination teams are specifically looking for this.
Wealth management firms using AI to generate client-facing content operate under a third regulatory layer regardless of how the capacity determination resolves. The SEC’s Marketing Rule, Rule 206(4)-1, defines an advertisement as any direct or indirect communication offering investment advisory services to prospective or current clients [7]. AI-generated content meeting that definition, including market commentary, newsletters, performance summaries, investment outlooks, and social media posts drafted or refined using AI, must be retained under Rule 204-2(a)(11) as an advertisement.
The SEC’s December 2025 Risk Alert on Marketing Rule compliance identified ongoing deficiency patterns in testimonial disclosures, endorsement disclosures, and third-party performance ratings, signaling continued examination focus in 2026 [9]. For firms using AI to accelerate content production, the volume of potentially regulated marketing content may have outpaced the compliance review processes designed to govern it. The question is not only whether the AI interaction was retained. It is whether the AI-generated output was reviewed for Marketing Rule compliance before distribution and whether the distributed version was captured and archived.
The 2024 amendments to Regulation S-P introduced enhanced incident response requirements for investment advisers and broker-dealers [10]. Advisers managing $1.5 billion or more in AUM were required to comply by February 2, 2026. Smaller entities face the August 2, 2026 deadline. The amendments require policies for identifying, assessing, and responding to unauthorized access to or use of customer information.
For wealth management firms, the PII exposure in AI interactions is not incidental. Client names, account balances, portfolio holdings, Social Security numbers in onboarding workflows, health information in estate planning discussions, and family financial data in planning engagements may all pass through AI tools in the ordinary course of business. A compliance framework that addresses retention without addressing data handling creates a gap that regulators and plaintiffs will find.
The September 2024 Skadden Arps analysis provides the clearest framework for applying existing rules to AI interactions [16]. The central principle applies equally to both Rule 17a-4 and Rule 204-2: AI-generated content that exists within an application but is not transmitted does not constitute a “written communication sent or received” under either rule. The obligation triggers at the point of transmission, not generation.
For wealth management firms, this principle has different consequences depending on which rule applies. On the Rule 17a-4 side, when a dually registered advisor emails AI-generated securities commentary to a brokerage client, that email is a required record retained for six years in WORM format. The advisor’s AI session within the drafting tool, if never transmitted, is not independently required under Rule 17a-4. On the Rule 204-2 side, the same transmission trigger applies, but the content analysis also matters: an AI-drafted financial plan emailed to an advisory client triggers retention only if the transmitted content falls within one of the four enumerated categories, which a detailed financial plan discussing recommendations typically does.
The Marketing Rule adds a third capture point. Any AI-generated content that constitutes an advertisement and is distributed must be retained under Rule 204-2(a)(11) regardless of how the capacity determination resolves and regardless of whether the transmission would otherwise have triggered retention under Rule 17a-4 or Rule 204-2(a)(7). For firms running active content marketing programs, every AI-generated market commentary, social media post, and investment newsletter requires both pre-distribution compliance review and post-distribution archival.
Wealth management firms face the same eDiscovery economics that make over-retention costly for any financial institution. In Tremblay v. OpenAI (2024), a federal court ruled that AI prompts and outputs are subject to civil discovery, treated as evidentiary records comparable to traditional documents [17]. The average eDiscovery case now exceeds $2 million in total cost, with document review at $1 to $3 per document comprising approximately 70 percent of that figure [19]. For a firm with 100 or more employees generating frequent AI interactions across investment research, client communications, marketing development, and operational workflows, an unrestricted retention policy creates a substantial expansion of the discoverable corpus in any client dispute, regulatory proceeding, employment matter, or fiduciary claim. Federal courts have consistently held that systematic deletion under a documented policy does not constitute spoliation, and FRCP 37(e) requires a showing of intent to deprive before the most severe sanctions apply [18].
The critical distinction for wealth management firms: the scope for selective deletion is narrower than for standalone RIAs. Rule 17a-4 on the BD side does not permit selective retention. All business communications relating to the BD’s business must be captured regardless of whether any individual advisor considers them routine. The defensible deletion strategy applies primarily to two categories: IA-capacity AI interactions that fall outside the four enumerated categories of Rule 204-2(a)(7), and general productivity interactions such as AI-assisted document formatting, scheduling, research summaries not related to specific clients, and internal knowledge management, that fall outside both regulatory regimes entirely. For those categories, a documented deletion schedule is both permissible and prudent.
Compliance teams at wealth management firms that have read the growing body of guidance on AI retention for standalone RIAs should understand a critical caveat: those recommended architectures do not transfer to dual-registrant structures. The user-designation model, in which employees identify AI sessions containing regulated content and designate them for archival while the default is non-retention, is defensible for a standalone RIA because Rule 204-2 allows selective retention based on content category. It is not sufficient as the sole mechanism for a wealth management firm with an affiliated broker-dealer, because Rule 17a-4 on the BD side does not permit user discretion about which business communications to preserve.
In the full-capture model, all AI interactions across both the RIA and BD entities are captured into the compliance archive. Smarsh and Global Relay have built dedicated integrations for ChatGPT Enterprise and Microsoft Copilot that enable configurable capture of prompts, responses, and metadata with automatic content tagging [20]. Smarsh’s March 2026 launch of its AI-enabled Noise Reduction Agent reduces compliance alert volume by up to 60 percent by using machine learning to surface risk-relevant interactions for human review [21].
Full capture eliminates under-retention risk on both the BD and IA sides. It is the most defensible model for firms where a significant proportion of AI activity is BD-capacity. It maximizes the discoverable corpus and creates real litigation cost exposure, but for many wealth management firms the BD-side obligation effectively requires full capture for a substantial portion of advisor activity anyway. If most of your AI use touches brokerage clients, full capture may not be over-retention; it may be the only architecture that satisfies Rule 17a-4.
In the dual-track model, AI interactions are routed through separate retention tracks based on regulatory capacity. The BD-capacity track captures all AI interactions by BD-registered personnel acting in brokerage capacity and retains them for six years in WORM format, satisfying Rule 17a-4 without selective filtering. The IA-capacity track applies classification-based selective retention to advisory interactions, routing content within the four Rule 204-2(a)(7) categories to the five-year archive, holding working files for 12 to 18 months, and scheduling transitory interactions for deletion after 60 to 90 days with metadata preservation.
This model balances compliance across both frameworks with proportionate litigation risk management. It requires a capacity classification mechanism, which adds operational complexity and demands clear policies for resolving ambiguous-capacity interactions. For firms with a large advisory-only client segment and a more limited brokerage book, dual-track retention produces meaningful litigation cost reduction while fully satisfying Rule 17a-4 on the BD side.
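A sketch of the dual-track routing described above, combined with the legal-hold rule this article lists among the implementation obligations; it is an added example, not code from any vendor or firm named here. The class labels, track names, the 18-month and 90-day settings (upper ends of the stated ranges), and the handling of ambiguous or unclassified items (no scheduled deletion, escalate to compliance) are assumptions.

```python
import calendar
from dataclasses import dataclass, replace
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Capacity(Enum):
    BD = "bd"                # acting in brokerage capacity (Rule 17a-4 track)
    IA = "ia"                # acting in advisory capacity (Rule 204-2 track)
    AMBIGUOUS = "ambiguous"  # capacity could not be determined


class ContentClass(Enum):    # assumed labels for the IA-track classification
    ENUMERATED = "enumerated"      # within the four Rule 204-2(a)(7) categories
    WORKING_FILE = "working_file"
    TRANSITORY = "transitory"


# Assumed settings: upper ends of the 12-18 month and 60-90 day ranges.
IA_WORKING_FILE_MONTHS = 18
IA_TRANSITORY_DAYS = 90


@dataclass(frozen=True)
class Interaction:
    custodian: str
    created: date
    capacity: Capacity
    content_class: Optional[ContentClass] = None  # only used on the IA track


@dataclass(frozen=True)
class Decision:
    track: str
    worm: bool
    retain_until: Optional[date]           # None = no deletion scheduled
    keep_metadata_on_delete: bool = False  # stated only for transitory items
    escalate: bool = False
    legal_hold: bool = False


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; clamps Feb 29 and month-end dates."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def route(item: Interaction, held_custodians=frozenset()) -> Decision:
    """Assign a retention track; a legal hold overrides any scheduled deletion."""
    if item.capacity is Capacity.BD:
        # BD track: everything is kept, six years, WORM, no content filtering.
        decision = Decision("bd", True, add_months(item.created, 72))
    elif item.capacity is Capacity.IA and item.content_class is ContentClass.ENUMERATED:
        decision = Decision("ia_archive", False, add_months(item.created, 60))
    elif item.capacity is Capacity.IA and item.content_class is ContentClass.WORKING_FILE:
        decision = Decision("ia_working", False,
                            add_months(item.created, IA_WORKING_FILE_MONTHS))
    elif item.capacity is Capacity.IA and item.content_class is ContentClass.TRANSITORY:
        decision = Decision("ia_transitory", False,
                            item.created + timedelta(days=IA_TRANSITORY_DAYS),
                            keep_metadata_on_delete=True)
    else:
        # Ambiguous capacity or unclassified IA content: never auto-delete.
        # Holding the item pending compliance review is an assumption.
        decision = Decision("pending_review", False, None, escalate=True)

    if item.custodian in held_custodians:
        # Hold applies at custodian level, regardless of retention tier.
        decision = replace(decision, retain_until=None, legal_hold=True)
    return decision


def due_for_deletion(decision: Decision, today: date) -> bool:
    """True only when the retention period has run and nothing blocks deletion."""
    if decision.legal_hold or decision.escalate or decision.retain_until is None:
        return False
    return today >= decision.retain_until
```

The deletion job should call `due_for_deletion` rather than compare dates itself, so that a hold or a pending escalation can never be bypassed by a scheduler.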
In the classification-based model, automated rules evaluate all AI interactions across both entities and route content to retention tiers based on a taxonomy designed to capture everything required under either Rule 17a-4 or Rule 204-2. Unlike dual-track, this model does not require a prior capacity determination. The system evaluates content characteristics and routes accordingly. The taxonomy errs on the side of retention for BD-triggering content, producing higher overall retention volume than dual-track but lower volume than full capture.
Classification-based retention is operationally simpler than capacity-based dual-track because it avoids the upstream challenge of determining advisor capacity at the time of each interaction. It is the right architecture for firms where BD and IA functions are intertwined and clean capacity determination is impractical.
Wealth management firms face implementation obligations under two supervisory frameworks simultaneously: FINRA Rule 3110 requires written supervisory procedures for the broker-dealer, and Advisers Act Rule 206(4)-7 requires written compliance policies and procedures for the investment adviser [3, 22]. The AI retention architecture must be documented in both the firm’s Written Supervisory Procedures and its compliance manual, with clear articulation of which retention standard applies to each category of AI interaction, how capacity determinations are made and documented, how classification rules are applied and audited, and how legal holds integrate into the retention infrastructure.
Training for dual-registrant complexity. Personnel must receive initial and recurring training addressing the specific obligations created by dual registration. This means concrete examples of broker-dealer versus investment adviser AI interactions, the rule that applies to each, and the consequences of non-compliance. Training completion must be documented for both FINRA and SEC examination purposes. The training challenge for wealth management firms is greater than for standalone RIAs precisely because the framework is more complex. Advisors need to understand not just that AI records may require retention, but that different standards apply depending on the capacity in which they are acting.
Quarterly supervisory review and annual compliance assessment. Periodic random-sample reviews of AI interactions should validate classification accuracy and identify patterns of misuse, shadow AI adoption, or under-retention. The annual compliance review required under Rule 206(4)-7 must include a documented assessment of the AI retention framework covering classification accuracy, regulatory developments, and gaps identified through supervisory sampling. For the broker-dealer, FINRA Rule 3110 examination protocols require evidence of an active supervisory system, not merely a written policy.
Legal hold integration. When litigation is reasonably anticipated, all AI interaction data for relevant custodians must be placed on legal hold, suspending scheduled deletion regardless of retention tier. The retention platform must support custodian-level hold capabilities operating consistently across both the BD and IA retention tracks [18].
Documentation of your reasoning. The analysis behind the firm’s retention model selection should be documented and preserved: legal memoranda, outside counsel opinions, regulatory guidance reviewed, and the rationale for the architecture chosen. For dual-registrant wealth management firms facing compounding exam risk factors in 2026, documented evidence of a deliberate, informed compliance decision is a meaningful defense when examiners arrive.
The SEC’s FY2026 examination priorities call out dual registrants by name [5]. FINRA has introduced GenAI-specific oversight expectations for the first time [3]. The Marketing Rule examination focus continues to sharpen [9]. Smarsh’s forecast that the first major AI disciplinary case in financial services lands in 2026 reflects the trajectory of a regulatory environment that has watched off-channel enforcement mature over five years and is now applying the same logic to AI-generated content [14].
The SEC’s posture under Chair Paul Atkins, who has stated that examinations should enable constructive dialogue rather than function as enforcement traps, suggests a shift toward engagement [13]. But the SIFMA October 2025 petition requesting the SEC narrow the scope of retained communications and provide safe harbors for good-faith compliance has not received a formal response [11]. The current rules, in their full breadth, remain operative and enforceable as of March 2026.
The compliance question for wealth management firms is not whether AI records need to be retained. It is whether the retention framework you have built, or are about to build, reflects the actual dual-regulatory structure in which your firm operates. A framework designed for a standalone RIA will satisfy Rule 204-2 and leave Rule 17a-4 unaddressed. A framework designed for a pure broker-dealer will over-retain on the IA side and create unnecessary litigation exposure. The correct framework accounts for both standards, with a clear mechanism for determining which applies to each AI interaction, documented policies, trained personnel, and supervisory review demonstrating that it functions in practice.
The firms that get this right are the ones that mapped both Rule 17a-4 and Rule 204-2 to their specific operating structure, built a retention architecture calibrated to the dual-framework reality, addressed FINRA’s 2026 GenAI supervision expectations in their Written Supervisory Procedures, and documented the analysis. Qualified legal counsel is essential. The regulatory complexity is genuine, and the cost of getting it wrong, whether measured in SEC penalties, FINRA sanctions, litigation exposure, or reputational damage with the high-net-worth client base these firms serve, is substantial. The time to build the right framework is before the examination notice arrives.
1. "17 CFR § 240.17a-4, Records to Be Preserved by Certain Exchange Members, Brokers and Dealers." U.S. Securities and Exchange Commission, Code of Federal Regulations. https://www.law.cornell.edu/cfr/text/17/240.17a-4
2. "17 CFR § 275.204-2, Books and Records to Be Maintained by Investment Advisers." U.S. Securities and Exchange Commission, Code of Federal Regulations. https://www.law.cornell.edu/cfr/text/17/275.204-2
3. "GenAI: Continuing and Emerging Trends." FINRA, 2026 Annual Regulatory Oversight Report. https://www.finra.org/rules-guidance/guidance/reports/2026-finra-annual-regulatory-oversight-report/gen-ai
4. "Form CRS." Robertson Stephens Wealth Management, LLC, SEC Investment Adviser Public Disclosure, CRD #289977. https://reports.adviserinfo.sec.gov/crs/crs_289977.pdf
5. "From Forecast to Reality: Practical Interpretation of the SEC’s 2026 Exam Priorities for RIAs and Broker-Dealers." Compliance Risk Concepts, 2026. https://compliance-risk.com/from-forecast-to-reality-practical-interpretation-of-the-secs-2026-exam-priorities-for-rias-and-broker-dealers/
6. "Regulation Best Interest: Small Entity Compliance Guide." U.S. Securities and Exchange Commission, 2019. https://www.sec.gov/resources-small-businesses/small-business-compliance-guides/regulation-best-interest
7. "Investment Adviser Marketing: Compliance Guide (Rule 206(4)-1)." U.S. Securities and Exchange Commission. https://www.sec.gov/resources-small-businesses/small-business-compliance-guides/investment-adviser-marketing
8. "FINRA’s 2026 Annual Regulatory Oversight Report: Same Priorities, New Focus on AI and Cybersecurity." McGuireWoods Client Resources, December 2025. https://www.mcguirewoods.com/client-resources/alerts/2025/12/finras-2026-annual-regulatory-oversight-report-same-priorities-new-focus-on-ai-and-cybersecurity/
9. "Dual Registrant Regulatory Roundup: January 2026." Lexology (SEC Marketing Rule Risk Alert, December 2025). https://www.lexology.com/library/detail.aspx?g=c1b84e0e-c522-46a9-b65b-e44aeccd2223
10. "SEC Releases FY 2026 Examinations Priorities for RIAs." Shulman Rogers Legal Alert (Regulation S-P Amendments). https://www.shulmanrogers.com/legal-alert-sec-releases-fy-2026-examinations-priorities-for-rias-and-others/
11. "Modernizing Communications and Record Retention Rules for Broker-Dealers, Investment Advisers, and Security-Based Swap Dealers." SIFMA, October 2025. https://www.sifma.org/advocacy/letters/modernizing-communications-and-record-retention-rules-for-broker-dealersinvestment-advisers-and-security-based-swap-dealers-sifma-and-sifma-amg
12. "SEC Files First Charges Against Standalone Investment Adviser for Off-Channel Communication Recordkeeping Failures." Sidley Austin, April 2024. https://www.sidley.com/en/insights/newsupdates/2024/04/sec-files-first-charges-against-standalone-investment-adviser
13. "Division of Examinations Announces 2026 Priorities." U.S. SEC Division of Examinations, November 2025. https://www.sec.gov/newsroom/press-releases/2025-132-sec-division-examinations-announces-2026-priorities
14. "2026 Regulatory and Compliance Predictions: From Recalibration to Execution." Smarsh Thought Leadership, 2026. https://www.smarsh.com/blog/thought-leadership/2026-regulatory-compliance-predictions
16. "How and When SEC Recordkeeping Rules May Apply to AI-Generated Content." Skadden Arps, September 2024. https://www.skadden.com/insights/publications/2024/09/how-and-when-sec-recordkeeping-rules-may-apply
17. "GenAI Prompt Retention: Preparing for Mandatory Compliance." Portal26 Resources (citing Tremblay v. OpenAI, 2024). https://portal26.ai/genai-prompt-retention/
18. "Act Now or Pay Later: The Case for Defensible Disposition of Data." Redgrave LLP, April 2025. https://www.redgravellp.com/publication/act-now-or-pay-later-case-defensible-disposition-data-0
19. "The Hidden Compliance Cost of Poor Records Retention." Society of Corporate Compliance and Ethics, January 2026. https://complianceandethics.org/the-hidden-compliance-cost-of-poor-records-retention/
20. "Capture for ChatGPT Enterprise Compliance API." Smarsh Platform Overview, 2025. https://www.smarsh.com/channel/chatgpt-enterprise/
21. "Smarsh Launches AI-Enabled Communication Surveillance for Small to Medium Businesses." Smarsh Press Release, March 2026. https://www.smarsh.com/press-release/smarsh-launches-ai-enabled-communication-surveillance-for-small-to-medium-businesses
22. "Compliance Programs of Investment Companies and Investment Advisers." U.S. SEC, Rule 206(4)-7 Adopting Release, December 2003. https://www.sec.gov/rules-regulations/2003/12/compliance-programs-investment-companies-investment-advisers