FINRA alignment

AI on the trading floor your supervisors can stand behind.

FINRA oversees US broker-dealers through rules on books-and-records, supervision, and communications with the public. When agents draft client communications, screen activity, or assist registered reps, those rules attach. Cortex supplies the supervisory controls and the immutable, retained recordkeeping FINRA and the SEC expect — every agent action reviewed, approved where required, and sealed in a ledger you can produce on request.

Aligned with FINRA Rules 3110 · 2210 · SEA 17a-4 recordkeeping

audit/verify
#101hash ✓#102hash ✓#103hash ✓#104hash ✓#105hash ✓
head 0x9f3a…c1ok: true
verifyChain ▸ chained SHA-256 · signed receipts
What FINRA is

FINRA Rules (Books-and-Records & Supervision), in plain language.

FINRA is the self-regulatory organization for US broker-dealers, operating under SEC oversight. Several rule sets bear on AI: Rule 3110 (supervision) requires a system to supervise associated persons' activities; Rule 2210 (communications with the public) requires that communications be fair, balanced, and — for certain categories — reviewed and approved before use; and SEC Rule 17a-4 (with FINRA 4511) requires that records be preserved, often in a non-rewriteable, non-erasable (WORM-like) format for set periods. AI that touches any of these creates supervisory and recordkeeping obligations. Cortex maps supervision to the Control Tower and Oversight gates, communications review to the approval gate, and recordkeeping to the hash-chained, retention-controlled Trust Ledger.

applies to ▸ United States · broker-dealers & registered representatives

The obligations — and how Cortex maps to them

Each requirement becomes an enforced, recorded control.

FINRA's core duties — supervise, review communications, and preserve records — map to three Cortex controls. Each produces a tamper-evident record so a FINRA exam finds a complete, retained trail.

Rule 3110 · Supervision
  • Control Tower aggregates every agent's activity live
  • Pause, gate, or kill agent activity from one console
  • Oversight Modes set a supervised autonomy per agent
  • Denials and anomalies surface for a supervisor
Rule 2210 · Communications review
  • Approval gate holds communications for pre-use review
  • Output guardrails screen for fair-and-balanced content
  • Designated principal approves before send (recorded)
  • Audited break-glass with a mandatory reason on overrides
17a-4 / 4511 · Recordkeeping
  • Hash-chained Trust Ledger — non-rewriteable by design
  • verifyChain proves records were not altered or deleted
  • Retention windows set per record class
  • Signed receipts as offline-verifiable evidence
Audit & reconstruction
  • 10-hop lineage reconstructs any agent decision
  • Datapoint provenance pins figures to source filings
  • Produce a decision's full context on examiner request
  • Citations carry source, page, and as-reported flags
Access & identity
  • Agent IAM ties each agent to an owner and risk tier
  • Allowed models / actions enforced at runtime (403)
  • RBAC scopes who may change supervisory controls
  • Recertification cycle keeps identities current
The control mapping

From a written obligation to provable evidence.

Every obligation reduces to a fail-closed runtime gate whose verdict lands in a tamper-evident ledger you can hand an examiner. This is the table a Compliance Pack exports for this framework.

ObligationEnforced Cortex controlLedger evidence
Rule 3110 — supervisory system & reviewControl Tower + Oversight409 hold · supervisor receipt
Rule 2210 — communications reviewed & approvedApproval gate + output guardapproved before send
SEA 17a-4 / 4511 — preserve records (WORM-like)Hash-chained Trust Ledger + retentionverifyChain ▸ ok:true
Books-and-records integrity & completenessrecord_hash chain + receiptshashOk:false flags edits
Reconstruct any decision on examiner request10-hop lineage + provenancelineage/:correlationId
Access limited to authorized identitiesAgent IAM + RBAC403 MODEL_NOT_ALLOWED
Compliance Packs

One-click evidence export, straight from the Trust Ledger.

A FINRA exam or SEC request demands records produced promptly and in their original, unaltered form. A Compliance Pack maps the rules to their Cortex controls and exports the retained, sealed records — and because the ledger is hash-chained, you can prove the records were never edited or deleted.

  • The FINRA control map, generated — not assembled by hand
  • Sealed run records you can verifyChain offline
  • Datapoint provenance: every fact threads back to its source
  • Honest by construction — evidence is generated, never asserted
01 · Humanrisk-ops@nw02 · AgentFraud Triage03 · Skilltriage.v404 · Promptsha 0x3a…05 · Policyapprove≥5k06 · Modelclaude-opus07 · ToollookupCase08 · Artifactmemo #447109 · Outcomeapproved10 · Approvalj.lee
Prove it — don't just claim it

The FINRA verdicts you'll see in the demo.

These are not slideware promises — they are the literal codes and receipts the runtime returns when you challenge it against this framework's controls.

gate verdicts ▸ FINRA
Client communication held for principal409 HOLDenforced
Record alteration detectedok:false · brokenAtSeqenforced
Figure traced to source filingpage · bbox · asReportedenforced
Unauthorized model rejected403 deniedenforced
compliance-pack ▸ generated from the trust ledger · verifiable offline
Getting audit-ready

Three steps from FINRA on paper to provable.

  1. 01

    Map

    Pick FINRA. Cortex lines each obligation up against the runtime gate that enforces it — no spreadsheet archaeology.

  2. 02

    Enforce

    Every agent run passes the same fail-closed gates. A denied control returns a real code (402 / 403 / 409) — never a silent pass.

  3. 03

    Prove

    Export a Compliance Pack: the mapping table plus the sealed ledger records that show each control fired, verifiable offline.

Aligned with — never certified-claimed

There is no FINRA certification for a vendor. Cortex is aligned with FINRA's supervision, communications, and recordkeeping rules and the related SEC 17a-4 requirements, supplying the supervisory controls and the immutable, retained records; compliance remains the broker-dealer's responsibility.

Compliance framing

Built for the frameworks your auditors already cite.

The sealed ledger, signed receipts, and lineage graph map to the obligations across every regime you report against — aligned with, never claiming a certification you don't hold.

EU AI ActNIST AI RMFISO 42001SOC 2HIPAAFINRAIRS Circular 230

Turn FINRA from a burden into a button.

See how Cortex maps FINRA to enforced controls and exports auditor-grade evidence on demand.