- Control Tower aggregates every agent's activity live
- Pause, gate, or kill agent activity from one console
- Oversight Modes set a supervised autonomy per agent
- Denials and anomalies surface for a supervisor
AI on the trading floor your supervisors can stand behind.
FINRA oversees US broker-dealers through rules on books-and-records, supervision, and communications with the public. When agents draft client communications, screen activity, or assist registered reps, those rules attach. Cortex supplies the supervisory controls and the immutable, retained recordkeeping FINRA and the SEC expect — every agent action reviewed, approved where required, and sealed in a ledger you can produce on request.
Aligned with FINRA Rules 3110 · 2210 · SEA 17a-4 recordkeeping
FINRA Rules (Books-and-Records & Supervision), in plain language.
FINRA is the self-regulatory organization for US broker-dealers, operating under SEC oversight. Several rule sets bear on AI: Rule 3110 (supervision) requires a system to supervise associated persons' activities; Rule 2210 (communications with the public) requires that communications be fair, balanced, and — for certain categories — reviewed and approved before use; and SEC Rule 17a-4 (with FINRA 4511) requires that records be preserved, often in a non-rewriteable, non-erasable (WORM-like) format for set periods. AI that touches any of these creates supervisory and recordkeeping obligations. Cortex maps supervision to the Control Tower and Oversight gates, communications review to the approval gate, and recordkeeping to the hash-chained, retention-controlled Trust Ledger.
applies to ▸ United States · broker-dealers & registered representatives
Each requirement becomes an enforced, recorded control.
FINRA's core duties — supervise, review communications, and preserve records — map to three Cortex controls. Each produces a tamper-evident record so a FINRA exam finds a complete, retained trail.
- Approval gate holds communications for pre-use review
- Output guardrails screen for fair-and-balanced content
- Designated principal approves before send (recorded)
- Audited break-glass with a mandatory reason on overrides
- Hash-chained Trust Ledger — non-rewriteable by design
- verifyChain proves records were not altered or deleted
- Retention windows set per record class
- Signed receipts as offline-verifiable evidence
- 10-hop lineage reconstructs any agent decision
- Datapoint provenance pins figures to source filings
- Produce a decision's full context on examiner request
- Citations carry source, page, and as-reported flags
- Agent IAM ties each agent to an owner and risk tier
- Allowed models / actions enforced at runtime (403)
- RBAC scopes who may change supervisory controls
- Recertification cycle keeps identities current
From a written obligation to provable evidence.
Every obligation reduces to a fail-closed runtime gate whose verdict lands in a tamper-evident ledger you can hand an examiner. This is the table a Compliance Pack exports for this framework.
| Obligation | Enforced Cortex control | Ledger evidence |
|---|---|---|
| Rule 3110 — supervisory system & review | Control Tower + Oversight | 409 hold · supervisor receipt |
| Rule 2210 — communications reviewed & approved | Approval gate + output guard | approved before send |
| SEA 17a-4 / 4511 — preserve records (WORM-like) | Hash-chained Trust Ledger + retention | verifyChain ▸ ok:true |
| Books-and-records integrity & completeness | record_hash chain + receipts | hashOk:false flags edits |
| Reconstruct any decision on examiner request | 10-hop lineage + provenance | lineage/:correlationId |
| Access limited to authorized identities | Agent IAM + RBAC | 403 MODEL_NOT_ALLOWED |
One-click evidence export, straight from the Trust Ledger.
A FINRA exam or SEC request demands records produced promptly and in their original, unaltered form. A Compliance Pack maps the rules to their Cortex controls and exports the retained, sealed records — and because the ledger is hash-chained, you can prove the records were never edited or deleted.
- The FINRA control map, generated — not assembled by hand
- Sealed run records you can verifyChain offline
- Datapoint provenance: every fact threads back to its source
- Honest by construction — evidence is generated, never asserted
The FINRA verdicts you'll see in the demo.
These are not slideware promises — they are the literal codes and receipts the runtime returns when you challenge it against this framework's controls.
Three steps from FINRA on paper to provable.
- 01
Map
Pick FINRA. Cortex lines each obligation up against the runtime gate that enforces it — no spreadsheet archaeology.
- 02
Enforce
Every agent run passes the same fail-closed gates. A denied control returns a real code (402 / 403 / 409) — never a silent pass.
- 03
Prove
Export a Compliance Pack: the mapping table plus the sealed ledger records that show each control fired, verifiable offline.
Aligned with — never certified-claimed
There is no FINRA certification for a vendor. Cortex is aligned with FINRA's supervision, communications, and recordkeeping rules and the related SEC 17a-4 requirements, supplying the supervisory controls and the immutable, retained records; compliance remains the broker-dealer's responsibility.
The Cortex capabilities that satisfy this framework.
Each obligation above is enforced by a real capability in the runtime. Explore the ones that do the work for this framework.
Control Tower
Live supervision and the ability to pause or kill agent activity deliver the Rule 3110 supervisory system.
Trust Ledger
A non-rewriteable, retention-controlled, hash-chained record satisfies 17a-4 / 4511 recordkeeping.
Oversight
Approval gates hold communications for the pre-use review Rule 2210 requires.
Map the rest of your regulatory surface.
The same enforced controls and one-click evidence export cover the other frameworks your auditors cite.
SOC 2
Aligned with SOC 2 Trust Services Criteria: access controls, change management, audit logging, and tamper-evident evidence..
IRS Circular 230
How Cortex aligns tax AI agents with IRS Circular 230: due diligence, competence, reliance on accurate data, and provable, reviewable work product..
NIST AI RMF
Aligned with the NIST AI Risk Management Framework: Govern, Map, Measure, and Manage — with documented, exportable evidence..
All frameworks
The full compliance hub — every framework Cortex maps to, with the shared control-to-evidence model.
Built for the frameworks your auditors already cite.
The sealed ledger, signed receipts, and lineage graph map to the obligations across every regime you report against — aligned with, never claiming a certification you don't hold.
Turn FINRA from a burden into a button.
See how Cortex maps FINRA to enforced controls and exports auditor-grade evidence on demand.