SIFMA C&L Recap: AI, Vendor Risk, and the New Test for Compliance Oversight

Shilo Thomas

Product and Solutions Marketing, Data Compliance

2026-06-19T00:00:00.000Z


At SIFMA C&L Regional Midwest, a familiar compliance standard came through clearly: firms need policies that match practice, and practices they can prove. As AI, vendors, digital channels, and market models evolve, compliance teams need connected oversight that shows how tools are approved, supervised, retained, reviewed, and defended.

What changed in compliance oversight?

While the regulatory standard hasn’t changed, the operating environment certainly has.

Regulators still expect written policies, supervisory structures, books and records, clear accountability, and evidence that controls work. That was a consistent theme across SIFMA C&L Regional Midwest. The harder question is whether those controls still reflect how firms operate today.

Financial services firms are adopting AI across employee research, communications review, meeting summaries, chatbot experiences, fraud detection, portfolio analysis, and advisor support. Vendors are embedding GenAI capabilities into collaboration and communication platforms. Retail investors are engaging through social media, finfluencers, in-app communities, prediction markets, and automated trading experiences. Tokenization is raising questions about custody, ownership rights, settlement, market fragmentation, and regulatory treatment.

Although these developments are different, they create the same control challenge.

Can the firm explain what changed? Can it show who approved the tool? Can it identify what data was used? Can it prove what was reviewed, retained, escalated, or remediated?

This is where “say what you do, do what you say” becomes more than a compliance phrase. It becomes the test for regulatory readiness.

While many firms have the right pieces in place—such as policies, archives, supervision teams, vendor reviews, and escalation paths—the danger is that those pieces sit apart. When evidence is fragmented, control becomes harder to prove.

How is AI changing supervision?

AI compliance governance is becoming more use-case specific.

An internal AI tool that helps employees search policies has one risk profile. A customer-facing chatbot has another. A meeting summary tool is different from a portfolio analysis tool. A fraud detection model is different from an advisor-assist workflow that may influence a recommendation.

That distinction matters. AI oversight cannot rely on a broad policy alone.

Firms need to know what the tool does, what data it touches, who uses it, and whether outputs reach customers. They also need controls for large language model risks, including hallucinations, prompt design, model drift, privacy exposure, data leakage, and human review.

One SIFMA C&L discussion made this practical. A tool may compare a client portfolio with a model portfolio. The firm may intend the output to be factual. But if the prompt asks the tool to respond like a trusted friend, the language may move closer to advice.

That changes the supervision question.

The issue is not only whether an AI policy exists. It’s whether the firm can show the approved use case, risk assessment, prompt controls, testing, review process, and human oversight.

That evidence is hard to recreate later. It needs to be part of the workflow.

This is why compliance teams need connected records. AI governance, communications supervision, retention, and investigations cannot operate as separate tracks when the same tool creates risk across all of them.

Why does vendor risk matter?

Vendor risk is becoming harder to separate from AI risk.

Financial services firms already rely on third parties for communications, collaboration, archiving, surveillance, analytics, and workflow automation. AI adds a new layer because functionality can change inside tools firms already use.

A vendor may add a GenAI feature. A collaboration platform may enable automated summaries. A communications tool may introduce an embedded assistant. Employees may see a new AI capability inside a familiar application and assume it is approved.

That creates a governance gap.

The question is no longer only whether the vendor was approved. Firms also need to know what data is involved, what models support the feature, whether subprocessors are used, and what happens when functionality changes.

This is where fourth- and fifth-party risk becomes part of the compliance record. Vendor diligence, contract terms, employee training, communication records, supervision activity, and policy enforcement need to connect.

If they don’t, the firm may have diligence documents in one system, records in another, and supervision evidence somewhere else. That makes the control environment harder to explain.

For compliance leaders, the practical need is a shared view of change. Legal, compliance, risk, IT, and the business need to see what changed, what policy applies, and what evidence proves the control worked.

Without that connection, vendor oversight becomes reactive. With it, firms can govern new capabilities before they become exam issues.

Why is more capture not enough?

More capture does not automatically create better compliance oversight.

A larger archive may give firms more data. It does not guarantee better context, faster review, or stronger defensibility. The real requirement is to capture the right information, preserve it with context, classify it by policy and risk, and connect it to supervision, investigation, retention, and regulatory response.

This is where Arctera is strongest.

The Arctera Unified Platform helps firms create a compliance intelligence foundation across regulated communications and data. It supports capture across modern channels, contextual preservation, explainable classification, supervision and review workflows, investigations, eDiscovery, retention, and regulatory readiness.

The value is practical. When a regulator, auditor, court, or board asks what happened, firms need to reconstruct the story.

What communication occurred? What policy applied? Was AI involved? Which vendor system supported the workflow? Who reviewed it? What action was taken? Can the firm prove it?

That is the difference between stored data and defensible oversight.

The future of compliance is not just more review or more retention. It’s connected evidence. As AI, vendors, channels, and market models keep evolving, firms need a foundation that turns fragmented activity into something understandable, governable, and defensible.

Say what you do. Do what you say. Be ready to prove it.

FAQ

What was the main takeaway from SIFMA C&L Regional Midwest?

The main takeaway was that firms need stronger evidence of control. As AI, vendors, digital channels, and market models evolve, regulators still expect policies, supervision, records, accountability, and proof that controls work.

How is AI changing compliance oversight?

AI makes oversight more use-case specific. Internal tools, customer-facing chatbots, meeting summaries, portfolio analysis, and advisor-assist workflows create different risks. Each requires controls tied to data use, output review, prompt design, and human oversight.

Why is vendor risk important now?

Vendor risk matters because many AI capabilities enter firms through third-party platforms. Firms need visibility into new features, data use, subprocessors, model dependencies, and control changes, even when the function is outsourced.

How does Arctera support regulatory readiness?

Arctera helps firms connect regulated communications, context, policy, supervision, investigation, retention, and audit evidence. That enables teams to reconstruct what happened, explain decisions, and defend responses during exams, audits, litigation, or regulatory inquiries.