Control 2.21: AI Marketing Claims and Substantiation

Control ID: 2.21 Pillar: Management Regulatory Reference: SEC Marketing Rule (206(4)-1), FINRA Rule 2210, FTC Act Section 5, State Unfair Trade Practices Laws Last UI Verified: January 2026 Governance Levels: Baseline / Recommended / Regulated Last Verified: 2026-02-03

---

Objective

Establish governance controls for marketing claims about AI agent capabilities to help prevent "AI washing" and ensure substantiation of performance claims. This control addresses regulatory requirements for truthful advertising and helps prevent misleading statements about AI functionality.

---

Why This Matters for FSI

• SEC Marketing Rule (206(4)-1): Prohibits materially misleading statements about investment adviser services, including AI capabilities
• FINRA 2210: Requires fair and balanced communications; AI claims must be accurate and not misleading
• SEC Enforcement Actions: Delphia Inc. and Global Predictions Inc. settlements (2024) established precedent for AI washing enforcement
• FTC Act Section 5: Prohibits unfair or deceptive acts, including overstated AI capabilities
• State Laws: Various state unfair trade practices laws apply to AI marketing claims

---

Control Description

This control governs the lifecycle of AI-related marketing claims from creation through publication and ongoing review. It establishes substantiation requirements, pre-publication review workflows, and ongoing monitoring.

Process Control, Not System Configuration

This control is primarily policy and process-based rather than system configuration. There are no FINRA/SEC-specific compliance tools built into Microsoft 365 or Power Platform for marketing claim governance. Organizations use general-purpose documentation infrastructure (SharePoint, Purview, Power Automate workflows) to implement these governance processes.

Capability	Description	Implementation
Claims Inventory	Central registry of all AI marketing claims across channels	SharePoint list or Dataverse table (custom)
Substantiation Documentation	Evidence requirements for each claim type	SharePoint document library (custom)
Pre-Publication Review	Compliance review workflow before external publication	Power Automate approval flow (custom)
Performance Claim Validation	Verification of AI performance assertions	Manual review process with documented evidence
Ongoing Monitoring	Periodic review of published claims for accuracy	Calendar-based review process with SharePoint tracking

SEC Marketing Rule Compliance

The SEC Marketing Rule applies to investment adviser advertising. For AI agents used in advisory contexts:

Requirement	Application to AI Agents
No Material Misstatements	AI capability claims must be accurate and verifiable
Fair and Balanced	Must disclose limitations alongside capabilities
Substantiation Required	Must have reasonable basis for performance claims
No Cherry-Picking	Cannot selectively present favorable AI outcomes
Testimonial Rules	AI-generated testimonials require disclosure

FINRA Rule 2210 Communication Classifications

AI marketing claims are subject to FINRA Rule 2210 communication requirements:

Communication Type	Definition	Pre-Approval Requirement
Correspondence	To ≤25 retail investors in 30 days	Post-use review acceptable
Retail Communication	To >25 retail investors in 30 days	Pre-use principal approval required
Institutional Communication	Institutional investors only	Internal procedures

Marketing Materials Are Typically Retail Communications

Marketing materials about AI agents that could reach more than 25 retail investors within 30 days qualify as Retail Communications requiring pre-use principal approval per FINRA Rule 2210(b)(1).

Claim Categories Requiring Review

Claim Type	Example	Substantiation Required
Performance Claims	"Our AI achieves 95% accuracy"	Validated testing methodology, sample size, conditions
Capability Claims	"AI-powered portfolio optimization"	Technical documentation of actual AI functionality
Comparative Claims	"Better than human analysts"	Controlled comparison study, disclosed methodology
Predictive Claims	"AI predicts market movements"	Backtesting results, forward-looking disclaimers
Efficiency Claims	"Reduces processing time by 80%"	Measured benchmarks, consistent measurement methodology

---

Key Configuration Points

Governance Process Design (Organization Policy)

• Define claim categories requiring review (performance, capability, comparative, predictive, efficiency)
• Establish pre-publication compliance review requirement for Zone 3 agent marketing
• Define substantiation evidence standards for each claim type
• Set quarterly review schedule for published claims
• Train marketing and sales teams on AI claim requirements
• Establish escalation path for disputed or novel claims

Infrastructure Implementation (Using General-Purpose Tools)

• Create claims inventory (SharePoint list or Dataverse table with custom columns)
• Build pre-publication review workflow (Power Automate approval flow)
• Configure substantiation document library (SharePoint with metadata schema)
• Set up review reminder automation (Power Automate scheduled flows)
• Enable Purview retention policies for claims records (if regulatory retention required)

No Specialized Compliance Tools

Microsoft does not provide FINRA 2210 or SEC Marketing Rule-specific compliance tools. Organizations implement this control using general-purpose SharePoint, Power Automate, and Purview capabilities configured to support their claims governance process.

Claims Review Workflow

1. Claim Submission: Marketing submits proposed AI claim with supporting evidence (SharePoint form or Power Apps)
2. Initial Review: Compliance reviews claim against substantiation requirements (manual process)
3. Technical Validation: AI Governance Lead validates technical accuracy (manual process)
4. Legal Review: Legal reviews for regulatory compliance - Zone 3 (manual process)
5. Approval/Rejection: Compliance Officer approves or returns with feedback (Power Automate approval)
6. Publication: Approved claim published with effective date recorded (inventory update)
7. Periodic Review: Claims reviewed quarterly for continued accuracy (scheduled review process)

---

Zone-Specific Requirements

Zone	Requirement	Rationale
Zone 1 (Personal)	No external marketing claims	Personal productivity agents not marketed externally
Zone 2 (Team)	Internal claims require basic substantiation	Team-level communications may reference AI capabilities
Zone 3 (Enterprise)	Full pre-publication review; substantiation file; quarterly review	Customer-facing and external marketing requires maximum protection

---

Roles & Responsibilities

Role	Responsibility
Marketing/Communications	Submit claims with proposed substantiation
Compliance Officer	Review claims against regulatory requirements; approve publication
AI Governance Lead	Validate technical accuracy of AI capability claims
Legal Counsel	Review for regulatory compliance; advise on novel claims

---

Related Controls

Control	Relationship
2.19 - Customer AI Disclosure	Customer-facing transparency; complements marketing claims
2.6 - Model Risk Management	Performance validation supports claim substantiation
2.5 - Testing and Validation	Test results used for performance claim substantiation
3.3 - Compliance Reporting	Claims inventory integrated with compliance reporting

---

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:

• Portal Walkthrough — Step-by-step portal configuration
• PowerShell Setup — Automation scripts
• Verification & Testing — Test cases and evidence collection
• Troubleshooting — Common issues and resolutions

Implementation Approach

The playbooks guide configuration of general-purpose Microsoft 365 tools (SharePoint, Power Automate) to support the claims governance process. This is a process control implemented through documentation and workflow configuration, not a specialized compliance product.

---

Verification Criteria

Confirm control effectiveness by verifying:

1. AI marketing claims inventory exists and is current
2. Pre-publication review workflow is documented and followed
3. Substantiation files exist for all Zone 3 marketing claims
4. Quarterly review of published claims is conducted and documented
5. No materially misleading AI claims are published
6. Training records show marketing team completed AI claims training

---

Additional Resources

• SEC Marketing Rule Final Rule
• SEC Press Release: AI Washing Enforcement (March 2024)
• FINRA Rule 2210: Communications with the Public
• FTC Guidance on AI Claims
• Microsoft Learn: Responsible AI Principles

---

Updated: January 2026 | Version: v1.2 | UI Verification Status: Current