Framework · Broker-dealer
FINRA 24-09 for generative AI.
FINRA Regulatory Notice 24-09 makes the point plainly: the rules you already follow — supervision, recordkeeping, communications — apply to generative AI. Meilynx is how you extend those controls to AI without standing up a parallel stack.
Existing rules, applied to AI.
The notice doesn't invent obligations — it reaffirms that supervision, books-and-records, and communications rules reach your use of generative AI. The work is making AI activity supervisable and on the record.
- Supervision of AI use under Rule 3110.
- Recordkeeping of AI activity under Rule 4511 / SEA 17a-4.
- Communications review under Rule 2210 for AI-generated content.
- MNPI and model risk managed as the notice highlights.
Each rule, to a control.
The specific Meilynx control for each rule 24-09 points to — and the record it produces.
FINRA 24-09 → Meilynx controls
| Requirement | How Meilynx maps | Examination artifact |
|---|---|---|
| Supervise the use of generative AI (FINRA Rule 3110) | Policy-as-code enforces what AI may and may not do, inline; governance findings and a review surface give supervisors a reviewable record of AI activity. | Supervisory policy + findings log |
| Make and preserve books and records (FINRA Rule 4511 · SEA 17a-4) | Every AI request and decision is written to a WORM audit store with a 6-year retention floor and a tamper-evident hash chain — recordkeeping built for the regulatory floor. | WORM audit trail · 6-yr retention |
| Supervise communications with the public (FINRA Rule 2210) | Output controls — safety scans and content rules — screen AI-generated text before it returns, so communications stay within policy. | Output-control findings |
| Protect material non-public information (Information barriers) | MNPI detection flags or blocks material non-public information before it reaches a model or leaves in a response, attributable to the team involved. | MNPI findings, by team |
| Manage model and vendor risk (Reg Notice 24-09) | An auto-populated model inventory and a per-customer isolated data plane address the model- and third-party-risk themes the notice raises. | Model inventory + isolation record |
Books and records, ready.
The audit trail renders into a package aligned to the FINRA reflex — a supervisable record of AI activity, communications findings, and a WORM-backed history retained to the regulatory floor.
In the package
- Supervisory policy snapshot and review findings.
- Communications (Rule 2210) output-control findings.
- Model inventory drawn from live traffic.
- WORM audit trail, 6-year retention, SHA-256 integrity hash.
24-09 and AI.
Does FINRA 24-09 create new rules for AI?
No. Regulatory Notice 24-09 (2024) reminds firms that FINRA's existing rules — supervision, recordkeeping, communications, and others — already apply when firms use generative AI. The obligation is to extend those existing controls to AI tools, not to follow a separate AI rulebook.
How does Meilynx satisfy the recordkeeping requirement?
AI activity is written to a write-once, read-many audit store with a 6-year retention floor — aligned to the FINRA Rule 4511 and SEA 17a-4 expectations — and sealed in a tamper-evident hash chain so the record is examiner-verifiable.
Can supervisors actually review what the AI did?
Yes. Because enforcement happens inline, every governed AI interaction lands in the audit trail with the policy decision attached. Supervisors get a reviewable record of AI activity rather than reconstructing it after the fact.
See exactly what an examiner receives
Download a sample examination package — model inventory, control coverage, a governance policy snapshot, and a SHA-256 integrity hash.