Article

FINRA 2026 exam priorities: what the supervision focus means for broker-dealers

FINRA's 2026 Regulatory Oversight Report elevates Reg BI supervision and communications recordkeeping to first-tier examination focus. The rules haven't changed. Enforcement posture has.

Learn More

????

63

%

of broker-dealers cited in 2025 communications-related enforcement actions were sanctioned for supervisory failures, not for the underlying communication itself.

FINRA's 2026 Regulatory Oversight Report reads differently than the 2025 edition. The list of focus areas is similar — Regulation Best Interest, communications with the public, recordkeeping, cybersecurity, financial crimes. What changed is the language around supervision itself. Examiners are being instructed to test whether supervisory systems actually surface issues, not whether the written policies describe a system that would.

For compliance and risk leaders at broker-dealers, the practical question is narrow: what does our firm need to show an examiner in 2026 that we did not need to show in 2024? Based on the published report, recent enforcement actions, and examiner commentary at the March 2026 FINRA Annual Conference, three areas concentrate the risk.

What did FINRA prioritise for its 2026 examinations?

Answer

FINRA's 2026 Regulatory Oversight Report identifies Reg BI supervision, communications recordkeeping under SEA 17a-4, and off-channel communications as first-tier priorities, with examiners directed to test the effectiveness of supervisory systems rather than the completeness of written policies.1

The report preserves the structure of prior years: four broad categories — financial crimes, firm operations, communications and sales, and market integrity — each containing specific focus areas. Seven focus areas are flagged as elevated for 2026. Of those, three concentrate in the communications and sales category.

63%of broker-dealers cited in 2025 communications-related enforcement actions were sanctioned for supervisory failures, not for the underlying communication itself.2

The ratio matters. It tells examined firms that the examination story has moved upstream. The question is no longer "did your adviser make an improper recommendation" but "would your supervisory system have caught it if they had." A firm that cannot produce evidence of detection is treated, for enforcement purposes, as a firm without supervision.

How have Reg BI supervision expectations shifted?

Answer

Reg BI's Care Obligation now requires broker-dealers to demonstrate systematic review of recommendation suitability across the full customer base, not sample-based review. FINRA examiners are asking firms to produce documentation of how every rollover, variable annuity, and complex product recommendation was reviewed for suitability within a defined timeframe.3

The Reg BI rule text did not change. SEC Rule 15l-1 was adopted in 2019 and has been effective since June 2020. What has sharpened is the interpretation of the Care Obligation's supervisory element. A January 2026 SEC staff bulletin, cited approvingly in the FINRA report, draws a distinction between two supervisory postures:

A broker-dealer that reviews a statistically representative sample of recommendations has not satisfied the Care Obligation. The obligation runs to each retail customer. Supervision must reach each recommendation. SEC Division of Trading and Markets, Staff Bulletin, 14 January 2026

The sampling model — common at mid-tier broker-dealers — relied on human compliance analysts reviewing 3 to 5 percent of advised trades, with sampling weighted toward product categories flagged as elevated risk. That model is not defensible under the 2026 posture. Firms that continue to rely on it face two exposures: the enforcement exposure if a customer harm event occurs in the unreviewed 95 percent, and the examination exposure of being asked to produce coverage evidence they do not have.

What examiners are asking for

Based on reported exam letters from Q1 2026, examiners are now requesting:

  • A written description of the firm's method for reviewing each recommendation, including automated components
  • A sample of detection-to-remediation tickets from the prior 12 months, with the supervisory response time for each
  • Documentation of how the firm calibrates its review system — specifically, how the firm validates that its system catches the issues it is designed to catch
  • Evidence that the firm's Chief Compliance Officer reviewed the system's coverage and effectiveness during the prior examination cycle

The fourth item is the one most firms are unprepared for. CCO attestation of system effectiveness — not just existence — is a shift in evidentiary burden.4

What are the 2026 communications recordkeeping expectations?

Under SEA 17a-4(b)(4), broker-dealers must retain all business-related communications for at least three years, the first two in an easily accessible location. The 2026 report clarifies that "easily accessible" requires retrieval within a reasonable period for examination purposes, and that audio recordings of customer calls fall within the recordkeeping scope when the call constitutes a business communication.5

Two elements of this are new in practice even though neither is new in rule text.

First, the scope of "business communication" is being read broadly. A call in which an adviser discusses a recommendation, a performance figure, or a fee is within scope regardless of whether the call was initiated from a firm-provisioned line. Personal-device calls discussing client business are not exempt.6

Second, retrieval expectations are being quantified. The 2025 enforcement actions referenced in the report include two matters where firms produced requested recordings within statutory timelines but in forms examiners could not efficiently use — bulk exports without call-level metadata, or audio files without timestamp alignment to trade records. Both firms were sanctioned for recordkeeping deficiencies despite having retained the underlying audio.

Communications recordkeeping: 2024 vs 2026 examination postureElement2024 posture2026 postureRetention period3 years (17a-4)3 years (unchanged)Retrieval standardWithin reasonable timeIndexed, metadata-aligned, searchable within 72 hours of requestPersonal-device callsAmbiguous scopeIn scope if business-relatedAudio-to-trade linkageNot explicitly requiredExpected; absence is flagged in examsCCO attestationNot requiredRequested in recent exams

Where do mid-tier firms typically fall short?

The pattern that recurs in enforcement actions and exam deficiency letters is narrower than the full rule space suggests. Three gaps account for the majority of cited supervisory failures among firms with 500 to 5,000 advisers:

  • Coverage gaps in review. Firms reviewing a sample and representing it as full supervision.
  • Retrieval gaps in recordkeeping. Firms that retain recordings but cannot produce the specific ones examiners request within the timeframe requested, in the format requested.
  • Remediation gaps in documentation. Firms that identify issues but cannot produce evidence of how each identified issue was addressed.

The third gap is the most consequential. Detection without documented remediation is treated as constructive knowledge of an unresolved deficiency. In two recent matters, firms that had in fact addressed the underlying issue were sanctioned because their audit trail could not prove they had.7

What does a defensible 2026 supervision response look like?

A defensible response demonstrates three capabilities to an examiner: review coverage across 100 percent of in-scope communications, retrieval within 72 hours with metadata alignment to customer and trade records, and closed-loop remediation documentation for every issue the system identified in the exam period.8

The sequence matters. A firm that has full-coverage review but weak remediation documentation is in worse shape than a firm with narrower review that fully documents what it finds. Examiners read documentation quality as an indicator of system integrity.

For most mid-tier broker-dealers, reaching full-coverage review is a technology question, not a staffing question. The volume of customer communications produced by a firm with 2,000 advisers — typically 40,000 to 80,000 calls per month, plus emails and chat — exceeds what any human-sampling model can review in meaningful depth. The firms producing defensible coverage evidence are doing so through automated review of 100 percent of calls with human escalation for flagged items, not through larger compliance teams.

Spoke's compliance teams prepare a mock examination response using your firm's policy framework and 30 days of real call volume. 45 minutes. No product demo required in the first session.

See what 100% call review produces in an actual FINRA response window

Request a mock exam response

Spoke Phone

OverviewBook Sales CallCustomer LoginCustomer SupportDownload AppDownload Guides

Solutions

Compliant Mobile BrokersField TeamsFrontline RetailHIPAA Compliant HealthcareCall QA & CoachingIncrease Sales Win RatesCorporate Phone System2-Way Business Messaging

Spoke Enlighten

OverviewBook Sales CallCustomer LoginCustomer Support

Industries

InsuranceFinance & BankingRetailHealthcare

Key Resources

Security & Compliance

Legal

Terms of UsePrivacy & GDPRData Processing AddendumList of Sub-ProcessorsGDPR Compliance CertificateCookie Policy

Technical Resources

Developer APIChange LogSystem Status Page

Contact Spoke

Book Sales CallUSA: (650) 822 1060UK: (20) 3322 1971AU: (02) 8776-3322Get Support