Feb 102025

Artificial Intelligence: U.S. Securities and Commodities Guidelines for Responsible Use

W. Hardy Callcott, Nathan A. Howell, Kate Lashley, Andrew J. Sioson, Lilya Tessler and Alec J. Silvester
, ,

Despite recent focus on artificial intelligence (AI) by U.S. financial regulators, the Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), and Financial Industry Regulatory Authority (FINRA) have not yet issued new regulations specifically addressing the use of AI. Nonetheless, during the Biden administration, guidance from these agencies emphasized the necessity of responsible use of AI within existing regulatory frameworks, urging market participants to exercise additional diligence to navigate compliance risks associated with AI usage.

However, the Trump administration’s January 23, 2025, executive order (EO) on AI directs certain White House advisers, in coordination with the heads of executive agencies deemed relevant, to, “[w]ithin 180 days … develop and submit to the President an action plan” to achieve the policy goal of “sustain[ing] and enhance[ing] America’s global AI dominance.”1 Hence, we expect that Trump administration officials will thoroughly reassess and possibly update the current guidance. Nevertheless, despite AI’s uncertain regulatory future, guidance and policies enacted under the previous administration remain in effect. Thus, market participants using AI in their business operations are advised to review their AI usage and duly implement and/or update AI policies and procedures to ensure compliance with the existing regulatory framework.

SEC

The SEC has stressed the importance of continuing to comply with existing obligations, particularly because of the increased operational and regulatory risks associated with incorporating AI into business operations.2

  • The SEC Division of Examinations (Division) flagged AI as a risk area in the financial industry, noting that the Division “will, in particular, examine firms that employ certain digital engagement practices, such as digital investment advisory services, recommendations, and related tools and methods” and highlighting that the Division will assess in examinations, among other things, whether firms have implemented adequate policies and procedures to monitor and supervise AI use in such areas as trading functions, safekeeping of client records, fraud prevention and detection, back-office operations, anti-money-laundering, and integration of regulatory technology.3
  • A recent enforcement action — though not specifically focused on AI usage — indicates that the SEC could view the failure to (1) ensure the reliability of automated trading models or (2) implement written policies and procedures regarding such trading models as a breach of an investment adviser’s fiduciary duty of care.4
  • The SEC Division of Corporate Finance highlighted that additional disclosures on AI may be necessary under the current regulatory framework across various sections of disclosure forms, including risk factors and management’s discussion and analysis.5 SEC registrants should also be mindful of the accuracy of representations regarding AI’s purported roles in their businesses. Within the past year, the SEC commenced four enforcement actions against registrants for misrepresentation of AI’s purported capability, scope, and usage.6

FINRA

FINRA has identified several regulatory risks for its member firms associated with the use of AI that warrant heightened attention, including recordkeeping, customer information protection, risk management, and compliance with Reg BI.7 Moreover, on June 27, 2024, FINRA issued a regulatory notice8 reminding member firms of their obligations concerning AI usage, which specifically noted that FINRA Rule 3110 requires member firms to establish policies and procedures to, among other things, address technology governance. This governance helps appropriately tailor the use and operation of AI tools to a member firm’s business.9 The regulatory notice emphasizes that firms should evaluate their use of AI in light of their existing regulatory obligations, just as they would with the use of any other technology or tool. The notice further states that the use of AI could implicate virtually every area of a member firm’s regulatory obligations.

In January 2025, FINRA published its 2025 Annual Regulatory Oversight Report,10 which, in part, highlights several AI-related regulatory risks across multiple sections, including financial crimes prevention, fraud and ransomware attacks, and the use of AI provided by third-party vendors.11 The report reiterates that FINRA’s technologically neutral rules apply to AI in the same manner they apply to any other technology. It also advises member firms to (1) supervise AI usage at both enterprise and individual levels; (2) identify risks related to AI accuracy or bias, including concerns about data provenance; (3) mitigate cybersecurity risks, such as leakage of customer information; and (4) implement robust cybersecurity programs to combat the growing number, sophistication, and severity of cybersecurity attacks perpetrated by AI-driven malicious actors.12

CFTC

Similar to the SEC and FINRA, the CFTC has emphasized the importance of applying the CFTC’s existing, technology-neutral rules properly to the use of AI by CFTC registrants. On December 5, 2024, the CFTC released a nonbinding staff advisory addressing the use of AI by CFTC-regulated entities in the derivatives markets, describing it as a “measured first step” to engage with the marketplace and ensure ongoing compliance with the Commodity Exchange Act and CFTC regulations.13 The advisory is informed by, among other things, public comments received in response to the staff’s January 2024 Request for Comments on AI.14

The advisory provides a nonexhaustive list of current and potential AI use cases and reminds CFTC-regulated entities of their obligations under the Commodity Exchange Act and CFTC regulations, recommending that CFTC-regulated entities update their policies and procedures and generally exercise caution when using AI for risk management, recordkeeping, disclosure, and customer protection rules.15

The advisory encourages CFTC-regulated entities to engage with CFTC staff when considering any changes to risks that may arise with the deployment of AI use cases and indicates that staff may incorporate AI as a topic of discussion in their routine oversight activities, including examinations. The advisory further notes that staff will continue to evaluate the need for future regulation, guidance, or other action.

Notably, the advisory was explicitly inspired by EO 14110 (Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence) issued by the Biden administration,16 which the current administration’s January 23, 2025, EO revoked.17 The current administration’s EO on AI, described above, directs heads of agencies to “suspend, revise, or rescind” actions that are “inconsistent” with the EO’s stated polices, such as “sustain[ing] and enhanc[ing] America’s global AI dominance.”18 Therefore, CFTC-regulated entities should watch carefully for any change in AI guidance stemming from the directives of the new EO.

***

U.S. regulated institutions should cautiously evaluate how AI is used in their respective businesses and promptly implement and update AI policies that align with the regulators’ expectations and perspectives. It is also crucial that firms prevent individual personnel from accessing unapproved or unmonitored AI tools from the web. When discussing AI use cases, regulators generally presuppose that firms maintain an inventory of AI tools and implement standard risk-management processes for their adoption. However, many publicly accessible AI tools train their models on user data, which can lead to uncontrollable cyber and privacy risks, exposing firms to potential penalties from regulators.

Currently, governing the use of AI is a top priority for financial regulators. However, the new presidential administration’s policies are uncertain and rapidly developing. Therefore, registrants should remain vigilant for any future changes in the regulatory landscape.

1See The White House, Removing Barriers to American Leadership in Artificial Intelligence, Exec. Order No. 14,179, 90 C.F.R. 874 (2025), available at https://www.whitehouse.gov/presidential-actions/2025/01/removing-barriers-to-american-leadership-in-artificial-intelligence/. The EO does not create any new policies or direct the SEC, CFTC, or FINRA to create new rules. Instead, the EO instructs officials to develop an action plan to “retain global leadership in artificial intelligence.” Id.
2See Erik Gerding, The State of Disclosure Review, June 24, 2024, available at https://www.sec.gov/newsroom/speeches-statements/gerding-statement-state-disclosure-review-062424#_ftnref10 (“[a]s companies incorporate the use of artificial intelligence into their business operations, they are exposed to additional operational and regulatory risks”).
3SEC Department of Examinations, Fiscal Year 2025 Examination Priorities, at 13-14, available at https://www.sec.gov/files/2025-exam-priorities.pdf.
4See, e.g., In the Matter of Two Sigma Investments, LP, SEC Release No. 102207, Jan. 16, 2025, available at https://www.sec.gov/newsroom/press-releases/2025-15?utm_medium=email&utm_source=govdelivery (enforcement action against investment advisers who failed to, among others, (1) cure known material vulnerabilities in their trading models and (2) implement written policies to prevent such violations for breach of their fiduciary duty of care).
5See Gerding, supra note 2.
6See In the Matter of Delphia (USA) Inc., Release No. 6573, Mar. 18, 2024, available at https://www.sec.gov/files/litigation/admin/2024/ia-6573.pdfIn the Matter of Global Predictions, Inc., Release No. 6547, Mar. 18, 2024, available at https://www.sec.gov/files/litigation/admin/2024/ia-6574.pdfSEC v. QZ Global Limited, Case No. 4:24-cv-4153, (D.S.D. Aug. 27, 2024), available at https://www.sec.gov/files/litigation/complaints/2024/comp-pr2024-109.pdfIn the Matter of Presto Automation Inc., available at https://www.sec.gov/files/litigation/admin/2025/33-11352.pdf; Release No. 11352, Jan. 14, 2025, available at https://www.sec.gov/files/litigation/admin/2025/33-11352.pdf. See also Gary Gensler, Chair Gary Gensler on AI Washing, Mar. 18, 2024, available at https://www.sec.gov/newsroom/speeches-statements/sec-chair-gary-gensler-ai-washing; SEC Department of Examinations, supra note 3, at 13.
7See 2024 FINRA Annual Regulatory Oversight Report, Jan. 2024, at 10, available at https://www.finra.org/sites/default/files/2024-01/2024-annual-regulatory-oversight-report.pdf.
8See FINRA Regulatory Notice 24-09, June 27, 2004, available at https://www.finra.org/rules-guidance/notices/24-09; see also FINRA Rule 3110, available at https://www.finra.org/rules-guidance/rulebooks/finra-rules/3110.
9For example, if a member firm is using AI tools to assist with analyzing market conditions prior to routing orders, it should ensure appropriate application of these tools when executing orders. A firm executing both its own proprietary trades and customer trades may have to consider whether it is appropriate to apply AI tools similarly across all types of trades. In the past, FINRA has provided guidance that selective application of technological tools or data may conjure regulatory issues. See, e.g., FINRA Regulatory Notice 15-46, Nov. 20, 2015, at n.12, available at https://www.finra.org/rules-guidance/notices/15-46.
10See 2025 FINRA Annual Regulatory Report, Jan. 2025, at 19, available at https://www.finra.org/rules-guidance/guidance/reports/2025-finra-annual-regulatory-oversight-report/third-party-risk#_ai-trends.
11Id. at 4, 12, 18-20.
12Id. at 19.
13See CFTC Letter 24-17, Dec. 5, 2024, available at https://www.cftc.gov/csl/24-17/download; see also Statement of Chairman Rostin Behnam on the Staff Advisory Related to the Use of Artificial Intelligence by CFTC-Registered Entities and Registrants, Dec. 2, 2024, available at https://www.cftc.gov/PressRoom/SpeechesTestimony/behnamstatement120524.
14See Sidley Update, U.S. CFTC Seeks Public Input on Use of Artificial Intelligence in Commodity Markets and Simultaneously Warns of AI Scams, Feb. 7, 2024, available at https://www.sidley.com/en/insights/newsupdates/2024/02/us-cftc-seeks-public-input-on-use-of-artificial-intelligence.
15See CFTC Letter No. 24-17, supra note 13 at 5.
16See CFTC Letter 24-17, supra note 13 at 1 n.1.
17See Exec. Order No. 14,179, 90 C.F.R. 874, supra note 1. The EO further directs certain White House advisers to “immediately review, in coordination with the heads of all agencies as they deem relevant, all policies, directives, regulations, orders, and other actions taken pursuant to the revoked Executive Order 14110.” Id.
18Id.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

W. Hardy Callcott

San Francisco

wcallcott@sidley.com

Nathan A. Howell

Chicago

nhowell@sidley.com

Kate Lashley

Miami, New York

klashley@sidley.com

Andrew J. Sioson

Washington, D.C.

asioson@sidley.com

Lilya Tessler

Dallas, Miami

ltessler@sidley.com

Alec J. Silvester

Miami

asilvester@sidley.com

You might also like
U.S. Copyright Office Issues Report on Artificial Intelligence and Copyrightability

On January 29, 2025, the U.S. Copyright Office issued the second part of its Report on Copyright and Artificial Intelligence, following a Notice of Inquiry (NOI) the Office issued in 2023. The first part of the Office’s Report, released in July 2024, addressed digital replicas. This second part addresses copyrightability, an issue that attracted considerable interest from authors, artists, and the media and technology industries — approximately half of the more than 10,000 comments that the Office received in response to the NOI addressed copyrightability questions.

With New Technologies Come New Risks: FINRA Issues 2025 Regulatory Oversight Report

Last week, the Financial Industry Regulatory Authority (FINRA) published its 2025 Annual Regulatory Oversight Report. The 80-page report hits on a number of familiar themes and subjects and includes two new areas of focus: 1) risks arising from the use of third-party vendors, including cybersecurity and data privacy risks, and 2) extended-hours trading services, which have become increasingly common across the industry. FINRA offers new observations regarding registered index-linked annuities (RILAs) in the context of Reg BI obligations. The report also reflects FINRA’s increased scrutiny of risks associated with emerging technologies, with a particular focus on generative artificial intelligence (AI) tools. Additionally, although much of the report repeats items included in prior years, it provides useful, comprehensive checklists reflecting FINRA’s views on the various topics and risk areas covered. Efforts to operationalize some of the items raised can present unique challenges, and we encourage you to reach out to a Sidley contact to talk further about particular concerns raised in the report.

CMS Seeks Comments on Proposed Guidance Addressing Study Protocols That Use Real-World Data

On January 17, 2025, the Centers for Medicare & Medicaid Services (CMS) issued a proposed guidance document on study protocols that use real-world data (RWD). The proposed guidance focuses on studies with RWD sources in the context of Medicare National Coverage Determinations (NCDs) using CMS’s Coverage with Evidence Development (CED) paradigm. It presents a proposed standardized template for manufacturers or other sponsors to use when developing CED study protocols using RWD. The proposed guidance could also have broader implications with respect to RWD studies and coverage considerations. Comments on the proposed guidance are due by March 18, 2025.