Last reviewed: April 27, 2026
Key Takeaways
- The SEC has no AI-specific rule on the books. The 2023 Predictive Data Analytics (PDA) rule was withdrawn in June 2025. There is no replacement NPRM in the pipeline.
- The agency regulates AI in financial services through existing antifraud, disclosure, and fiduciary frameworks — primarily the Marketing Rule, Investment Advisers Act § 206, Securities Act § 17(a), Exchange Act § 10(b), Reg BI, and the books-and-records rules.
- The enforcement focus is AI washing — false or overstated claims about AI capabilities. Six named cases since March 2024 (Delphia, Global Predictions, Rockwell Capital, Rimar Capital, Presto Automation, Nate Inc.) represent more than $44 million in alleged fraud and several million in penalties.
- Two distinct SEC AI bodies operate in parallel: CETU (Cyber and Emerging Technologies Unit, Enforcement, February 2025) for external enforcement, and an internal AI Task Force (August 2025) with a Chief AI Officer focused on the SEC’s own AI use.
- The 2026 Examination Priorities (December 2025) make AI scrutiny operational. Examiners will read your Form ADV against your actual AI usage, ask about supervision of AI tools, and look for evidence that policies operate in practice.
What Is the SEC’s Posture on AI in Financial Services?
The SEC’s approach to AI in financial services is straightforward and unforgiving. The agency has not created AI-specific rules. Its proposed Predictive Data Analytics (PDA) rule was withdrawn in June 2025 alongside thirteen other Biden-era proposals. What it does instead is apply the existing antifraud, disclosure, and fiduciary statutes to AI uses — and signal through enforcement and examination priorities that misaligned AI claims will be treated as securities fraud.
The most consequential public proof: in March 2024, the SEC announced settled charges against Delphia (USA) Inc. ($225,000 penalty) and Global Predictions Inc. ($175,000 penalty) for false and misleading statements about their use of AI and machine learning. Total recovery: $400,000 (SEC Press Release 2024-36). The amounts are unremarkable. The doctrine is not. Both firms violated the Marketing Rule (Rule 206(4)-1) by including untrue statements of material fact in advertisements — and the Marketing Rule does not require AI-specific drafting to apply to AI claims.
Two structural points matter for any compliance program. First: the SEC’s “we’ll use what we have” posture is bipartisan. AI washing enforcement began under SEC Chair Gary Gensler and has continued under Chair Paul Atkins. The CETU unit was created in February 2025 — under the new administration — specifically to enforce against AI and cyber misconduct. Second: the rule withdrawals do not create a regulatory vacuum. The 2026 Examination Priorities operationalize what the PDA rule would have required, through examination practice rather than rulemaking.
For practitioners reading client-facing materials and Form ADV against the SEC’s expectations, the key question is not “is there a rule for this?” It is “what existing rule covers this AI use, and can I prove I followed it?”
How Do Existing SEC Requirements Apply to AI?
The SEC has at least seven distinct authorities it applies to AI in financial services. Each carries its own evidentiary expectations.
Marketing Rule (Rule 206(4)-1)
Adopted in 2020 and effective November 2022, the Marketing Rule prohibits any advertisement that includes an untrue statement of material fact, omits a material fact necessary to make the statement not misleading, or implies past performance the adviser cannot substantiate. The rule applies to all communications by registered investment advisers — including websites, social media, ADV filings, and pitch decks. AI claims fall squarely inside it. Both Delphia and Global Predictions were charged under this rule in addition to the antifraud statutes.
Form ADV Disclosure (Item 8)
Form ADV Part 2 — the “brochure” — must accurately describe the adviser’s investment process, methods of analysis, and material risks. The SEC’s position is that AI tools used in the investment process must be disclosed in Form ADV with enough specificity for a client to understand what AI does and what it does not do. Generic statements (“we use AI to inform our investment decisions”) are exam-period landmines. The 2026 examination staff is reading Form ADV with this filter (Wealth Management, December 2025).
Investment Advisers Act § 206 (Antifraud)
Section 206(2) prohibits investment advisers from engaging in any transaction, practice, or course of business that operates as a fraud or deceit. Section 206(4) authorizes the SEC to define and prevent fraudulent, deceptive, or manipulative acts. Every AI washing case to date has been charged under one or both subsections. The standard does not require intent — negligent misstatements about AI capabilities are actionable.
Reg BI and Standard of Conduct
Regulation Best Interest (Reg BI) requires broker-dealers to act in retail customers’ best interests. AI-driven recommendations to retail customers are subject to this standard. A broker-dealer cannot delegate the best-interest analysis to a black-box model and call the duty discharged. Documented review of AI-generated recommendations — not just outputs — is the compliance baseline.
10-K, 10-Q, and 8-K Risk Disclosure
Public companies that use AI in material business processes face securities-law risk if material AI-related risks are not disclosed. The SEC has signaled that material AI failures touching cybersecurity may fall inside the existing 8-K cyber incident disclosure framework. 10-K risk factors and MD&A sections must address AI dependence, model failure modes, regulatory exposure, and cybersecurity coupling. The InnoVirtuoso analysis of CETU’s launch is direct on this point: expect enforcement teams to push for clear AI risk disclosures in periodic filings under existing antifraud authority, not a new rule (InnoVirtuoso, February 2026).
Recordkeeping (Books and Records Rules)
Rule 17a-3 (broker-dealers) and Rule 204-2 (investment advisers) require firms to maintain communications and records sufficient to demonstrate compliance. AI-mediated client communications, investment recommendations, and compliance surveillance outputs are records. Firms that cannot reproduce the AI’s reasoning at exam time create a recordkeeping liability layered on top of the underlying conduct.
Fiduciary Duty and Supervision
Investment advisers owe a fiduciary duty under federal securities law. Broker-dealers owe supervisory duties. Both translate into a requirement to evaluate AI tools before deployment, monitor outputs for accuracy and bias, maintain human oversight of material decisions, and document each step. CETU’s mandate explicitly includes “advisers/fiduciary duties: using black-box tools without sufficient diligence or monitoring.”
What Happened to the Predictive Data Analytics Rule?
In July 2023, the SEC proposed rules addressing conflicts of interest from broker-dealers’ and investment advisers’ use of predictive data analytics. The proposal would have required firms to eliminate or neutralize conflicts arising from AI/ML systems that interact with investors. Industry response was sharply negative — commentators argued the rule was unworkably broad, applying not only to AI but to any technology that “predicts” investor behavior, including basic spreadsheets (Corporate Compliance Insights, April 2026).
Between June 12 and June 17, 2025, the SEC withdrew the PDA rule along with thirteen other proposed rulemakings. The withdrawal was not a deferral. The SEC explicitly stated its intention not to issue a final rule, and any future PDA-style action would require a fresh notice of proposed rulemaking. As of late April 2026, no NPRM is pending.
What replaced the rule, in operational terms, is the 2026 Examination Priorities. Section VII.B of the Division of Examinations’ priorities released in December 2025 directs examiners to assess three things (SEC FY 2026 Exam Priorities PDF):
- Accuracy of AI representations. Examiners will review for accuracy of registrant representations regarding AI capabilities. This is the AI-washing exam thread, made explicit.
- Adequate policies and procedures. Examiners will assess whether firms have implemented policies to monitor and supervise AI across fraud detection, back-office operations, AML compliance, trading functions, portfolio management, and customer service.
- Operations aligned with disclosures. Firms claiming AI for portfolio management must demonstrate AI tools genuinely influence investment decisions, not serve only as supplemental research.
The PDA rule would have required firms to act. The 2026 Exam Priorities require firms to prove they acted. The evidentiary burden is similar; the legal mechanism is examination rather than rulemaking.
What Does SEC AI Enforcement Actually Look Like?
Six named AI-related enforcement actions sit on the public record, each charged under existing antifraud or Marketing Rule authority. The pattern across all six is the same: AI claims that did not match operational reality.
| # | Date | Target | Allegation | Resolution |
|---|---|---|---|---|
| 1 | Feb 2024 | Rockwell Capital / Brian Sewell | Raised $1.2M from 15 students for purported AI crypto trading fund that never existed | $1.6M disgorgement + $223,000 civil penalty (Sewell) (SEC LR-25936) |
| 2 | Mar 2024 | Delphia (USA) Inc. | Falsely claimed AI/ML incorporated client data to predict investments | $225,000 civil penalty under Marketing Rule + Investment Advisers Act § 206 |
| 3 | Mar 2024 | Global Predictions Inc. | Falsely marketed as the “first regulated AI financial advisor” | $175,000 civil penalty under same authorities |
| 4 | Oct 2024 (settled Mar 2025) | Rimar Capital / Liptz / Boro | Raised ~$4M from 45 investors with false claims about an AI-driven automated trading platform; misrepresented AUM and returns | $310,000 civil penalties + $213,611 disgorgement + 5-year prohibition (SEC PR 2024-167) |
| 5 | Jan 2025 | Presto Automation Inc. | Restaurant AI drive-through product relied on third-party tech and human workers, which the company failed to disclose to investors. First AI washing case against a public company. | No monetary penalty (cooperation credit); cease-and-desist order |
| 6 | Apr 2025 | Nate Inc. / Albert Saniger (CEO) | Shopping app claimed 90%+ AI automation rate; actual rate ~0% (used foreign manual workers). $42M+ raised. | SEC + DOJ parallel charges. DOJ: 1 count securities fraud + 1 count wire fraud (max 20 years each) (SEC LR-26282) |
Pattern across all six. Every case alleges a mismatch between what the firm said about AI and what the firm actually did. The Marketing Rule and § 206(2) reach the negligent end of the spectrum; § 17(a) and § 10(b) reach the intentional end. The Nate Inc. parallel DOJ filing shows the criminal extension when intent and scale align.
Scale of the commitment. Both political administrations have continued AI washing enforcement. As Morgan Lewis put it in its February 2026 enforcement-trends report: the SEC has refocused on “traditional investor fraud and conduct affecting retail investors,” and AI-related representations remain a top-tier priority alongside cybersecurity and digital assets (Morgan Lewis).
CETU’s mandate operationalizes the next round. The Cyber and Emerging Technologies Unit, established February 2025 in the Enforcement Division, is tasked with: (a) investigating AI-driven market manipulation, (b) examining algorithmic and model-driven trading failures, (c) scrutinizing 10-K / 10-Q / 8-K AI disclosures, (d) policing misleading AI investor communications, (e) coordinating with Examinations on advanced analytics. CETU represents an institutional bet that AI enforcement is a permanent unit, not a one-off priority. For the broader US enforcement landscape — including how this fits with state AGs and the Colorado AI Act — see our AI liability in the United States overview.
State coordination is rising. The North American Securities Administrators Association (NASAA) has flagged AI marketing as a 2026 priority area for state-registered advisers and is coordinating with the SEC on AI-washing matters. Federal-only firms still face state exposure indirectly through coordinated investigations.
How Does the SEC Compare to the UK FCA on AI?
For dual-jurisdiction practitioners, the SEC and the UK Financial Conduct Authority are the two most consequential securities regulators on AI. Their architectures are similar — both decline to issue AI-specific rules — but the enforcement style and proactive regulatory infrastructure differ.
| Dimension | SEC (US) | FCA (UK) |
|---|---|---|
| AI-specific rule | None on the books; PDA proposal withdrawn June 2025 | None; principles-based “AI Update” published April 2024 |
| Primary authorities applied to AI | Marketing Rule, Investment Advisers Act § 206, Securities Act § 17(a), Exchange Act § 10(b), Reg BI | Senior Managers and Certification Regime (SMCR), Consumer Duty, Operational Resilience |
| Dedicated AI enforcement unit | CETU (Feb 2025) | None dedicated; FCA Innovation + supervision |
| Internal AI integration | AI Task Force + CAIO (Aug 2025) | FCA Sandbox, AI Sprint, AI Live Testing |
| Proactive regulatory infrastructure | Examination priorities, no sandbox | Live Testing for AI in production; cross-regulator DRCF |
| Enforcement focus | AI washing in marketing, ADV, public filings | Operational resilience, conduct, governance |
| Penalty model | Civil penalties + disgorgement + bars; criminal via DOJ | Civil financial penalties + injunctions + orders |
| Public AI enforcement record | 6 named AI cases ($400K – $42M+ scale) | Few public AI-specific actions (most via supervision) |
Three points carry weight for firms operating in both jurisdictions. One: if you have a strong UK Consumer Duty implementation, you have most of the documentation the SEC’s exam priorities now require — outcome monitoring, customer understanding, foreseeable harm prevention. Two: the FCA’s AI Sandbox / Live Testing is a tool the SEC does not offer. UK firms can pilot AI under regulatory observation in a way US firms cannot. Three: the SEC’s AI washing focus has no direct UK analogue; firms should run separate marketing-claim reviews for US-registered communications even if the UK side passes Consumer Duty review.
For the broader federal-state AI tension that shapes SEC enforcement, see our White House AI Framework 2026 analysis. For state-level rules that may layer on top of SEC obligations for state-registered advisers, see our Colorado AI Act 2026 guide.
What Should Financial Firms Do to Comply?
1. Audit your Form ADV against actual AI usage. Item 8 must describe the AI tools you use in the investment process with enough specificity that a client — and an examiner — can tell what AI does and does not do. Generic claims will draw scrutiny in 2026 exams. Replace “we use AI to inform investment decisions” with named tools, named functions, and named human review steps.
2. Document AI governance end to end. Maintain an AI inventory: every system in use, what it does, what data it processes, who reviews its output, what limitations are known. The 2026 exam priorities require firms to demonstrate that policies operate in practice — meaning documentation that survives a question like “how does this AI tool reach a recommendation?”
3. Review marketing materials, websites, and investor communications. Run an AI-claim audit of every public-facing channel. The Delphia, Global Predictions, and Rimar cases all started with website and ADV claims that overstated AI capabilities. Pair claims with the substantiating evidence the Marketing Rule requires.
4. Implement NIST AI Risk Management Framework governance. While the SEC does not name NIST AI RMF as a safe harbor, its four functions (Govern, Map, Measure, Manage) produce exactly the supervision evidence the 2026 exam priorities require. Firms with NIST AI RMF programs walk into exams with a defensible governance framework.
5. Build the AI risk-disclosure pathway for public filings. Public companies should establish a workflow: AI incident → disclosure committee evaluation → 8-K / 10-K / 10-Q assessment. The 2024 SEC cybersecurity disclosure rules implicitly cover material AI failures coupled to cyber incidents. Treat AI risks as disclosable until your counsel says otherwise.
6. Retain explainability for AI-driven decisions. When an AI tool flags a communication, recommends an investment, or supports a trading decision, your records must allow you to explain the logic to an examiner. Black-box outputs without retained reasoning create recordkeeping liability under Rules 17a-3 and 204-2 — separate from the underlying decision risk.
Our recommendation. The cheapest enforcement defense is honesty in marketing. Most AI washing cases settle for under $500,000, but they all start with claims the firm could not back up. Before adding AI to any client-facing language, write the version of the sentence your compliance officer would defend in an exam — then publish that version, not the marketing-friendlier one.
Sources
Official Sources
- SEC Press Release 2024-36, “SEC Charges Two Investment Advisers with Making False and Misleading Statements About Their Use of Artificial Intelligence” (March 2024): sec.gov
- SEC Press Release 2024-167, “SEC Charges Rimar Capital Entities and Owner Itai Liptz” (October 2024): sec.gov
- SEC Litigation Release LR-25936, Rockwell Capital / Sewell (February 2024): sec.gov
- SEC Litigation Release LR-26282, Nate Inc. / Saniger (April 2025): sec.gov
- SEC Administrative Order 33-11352-S, Presto Automation (January 2025): sec.gov
- SEC FY 2026 Examination Priorities (December 2025): sec.gov
- SEC Artificial Intelligence page (sec.gov/ai), AI Task Force, 2025 AI Compliance Plan: sec.gov/ai
- Investment Advisers Act of 1940, § 206
- Securities Act of 1933, § 17(a)
- Securities Exchange Act of 1934, § 10(b)
- Marketing Rule, Rule 206(4)-1
- Books and Records Rules, Rule 17a-3 and Rule 204-2
Analysis & Commentary
- Morgan Lewis, “AI Enforcement Accelerates as Federal Policy Stalls and States Step In” (April 2026): morganlewis.com
- Morgan Lewis, “SEC Enforcement Trends for Investment Advisers: 2025-2026” (February 2026): morganlewis.com
- Mayer Brown / Mondaq, “2026 SEC Exam Priorities for Registered Investment Advisers and Registered Investment Companies” (December 2025): mondaq.com
- WealthManagement.com, “SEC Sets 2026 Exam Focus on AI Rules and Compliance” (December 2025): wealthmanagement.com
- Corporate Compliance Insights, “Will AI Change FinServ Regulation?” (April 2026): corporatecomplianceinsights.com
- InnoVirtuoso, “SEC Launches Cyber & Emerging Technologies Unit (CETU)” (February 2026): innovirtuoso.com
- Quiet Machines, “AI-washing and SEC enforcement: what RIAs need to know” (April 2026): quietmachines.ai
Data Sources
- SEC Investor Alert on AI and investment fraud
- FINRA 2026 Annual Regulatory Oversight Report (AI testing and monitoring)
- UK FCA AI Update (April 2024): fca.org.uk
This article provides general information about AI regulation and does not constitute legal advice. Laws and policies change frequently. Consult qualified legal counsel for compliance decisions specific to your organization. Reg Intel is not a law firm and does not provide legal services.
Last verified: April 27, 2026.