Control 2.21: AI Marketing Claims and Substantiation
Control ID: 2.21
Pillar: Management
Regulatory Reference: SEC Marketing Rule (Investment Advisers Act Rule 206(4)-1), FINRA Rule 2210, FINRA Regulatory Notice 24-09, FTC Act Section 5, State Unfair Trade Practices Laws
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated
Objective
Establish governance controls for marketing claims about AI agent capabilities to help reduce "AI washing" risk and to support substantiation of performance, capability, comparative, predictive, and efficiency claims. This control aids in meeting regulatory expectations for truthful advertising and supports the firm's ability to demonstrate a reasonable basis for AI-related statements made to customers, prospects, and counterparties.
Why This Matters for FSI
- SEC Marketing Rule (Investment Advisers Act Rule 206(4)-1): Prohibits materially misleading statements in investment adviser advertisements and requires a reasonable basis (substantiation) for material statements of fact, including statements about AI capabilities
- FINRA Rule 2210: Requires firm communications with the public to be fair, balanced, and not misleading; AI-related claims are subject to the same content standards regardless of how content is generated
- FINRA Regulatory Notice 24-09 (June 2024): Reminds member firms that existing rules — including Rule 2210 (Communications), Rule 3110 (Supervision), and Rule 4511 (Books and Records) — apply to generative AI output and that human supervisory review remains required
- SEC Enforcement Actions: Delphia Inc. and Global Predictions Inc. settlements (March 2024) established public precedent for AI-washing enforcement under the Marketing Rule
- FTC Act Section 5: Prohibits unfair or deceptive acts or practices, including overstated AI capabilities (see FTC AI guidance, "Keep your AI claims in check")
- State Laws: Various state unfair and deceptive acts and practices (UDAP) statutes apply to AI marketing claims directed at residents of those states
No companion solution by design
Not all controls have a companion solution in FSI-AgentGov-Solutions; solution mapping is selective by design. This control is operated via native Microsoft admin surfaces and verified by the framework's assessment-engine collectors. See the Solutions Index for the catalog and coverage scope.
Control Description
This control governs the lifecycle of AI-related marketing claims from creation through publication and ongoing review. It establishes substantiation requirements, pre-publication review workflows, and ongoing monitoring.
Process Control, Not System Configuration
This control is primarily policy and process-based rather than system configuration. There are no FINRA/SEC-specific compliance tools built into Microsoft 365 or Power Platform for marketing claim governance. Organizations use general-purpose documentation infrastructure (SharePoint, Purview, Power Automate workflows) to implement these governance processes.
| Capability | Description | Implementation |
|---|---|---|
| Claims Inventory | Central registry of all AI marketing claims across channels | SharePoint list or Dataverse table (custom) |
| Substantiation Documentation | Evidence requirements for each claim type | SharePoint document library (custom) |
| Pre-Publication Review | Compliance review workflow before external publication | Power Automate approval flow (custom) |
| Performance Claim Validation | Verification of AI performance assertions | Manual review process with documented evidence |
| Ongoing Monitoring | Periodic review of published claims for accuracy | Calendar-based review process with SharePoint tracking |
SEC Marketing Rule Compliance
The SEC Marketing Rule applies to investment adviser advertising. For AI agents used in advisory contexts:
| Requirement | Application to AI Agents |
|---|---|
| No Material Misstatements | AI capability claims must be accurate and verifiable |
| Fair and Balanced | Must disclose limitations alongside capabilities |
| Substantiation Required | Must have reasonable basis for performance claims |
| No Cherry-Picking | Cannot selectively present favorable AI outcomes |
| Testimonial Rules | AI-generated testimonials require disclosure |
FINRA Rule 2210 Communication Classifications
AI marketing claims are subject to FINRA Rule 2210 communication requirements:
| Communication Type | Definition | Pre-Approval Requirement |
|---|---|---|
| Correspondence | To ≤25 retail investors in 30 days | Post-use review acceptable |
| Retail Communication | To >25 retail investors in 30 days | Pre-use principal approval required |
| Institutional Communication | Institutional investors only | Internal procedures |
Marketing Materials Are Typically Retail Communications
Marketing materials about AI agents that could reach more than 25 retail investors within 30 days qualify as Retail Communications requiring pre-use principal approval per FINRA Rule 2210(b)(1).
Claim Categories Requiring Review
| Claim Type | Example | Substantiation Required |
|---|---|---|
| Performance Claims | "Our AI achieves 95% accuracy" | Validated testing methodology, sample size, conditions |
| Capability Claims | "AI-powered portfolio optimization" | Technical documentation of actual AI functionality |
| Comparative Claims | "Better than human analysts" | Controlled comparison study, disclosed methodology |
| Predictive Claims | "AI predicts market movements" | Backtesting results, forward-looking disclaimers |
| Efficiency Claims | "Reduces processing time by 80%" | Measured benchmarks, consistent measurement methodology |
Key Configuration Points
Governance Process Design (Organization Policy)
- Define claim categories requiring review (performance, capability, comparative, predictive, efficiency)
- Establish pre-publication compliance review requirement for Zone 3 agent marketing
- Define substantiation evidence standards for each claim type
- Set quarterly review schedule for published claims
- Train marketing and sales teams on AI claim requirements
- Establish escalation path for disputed or novel claims
Infrastructure Implementation (Using General-Purpose Tools)
- Create claims inventory (SharePoint list or Dataverse table with custom columns)
- Build pre-publication review workflow (Power Automate approval flow)
- Configure substantiation document library (SharePoint with metadata schema)
- Set up review reminder automation (Power Automate scheduled flows)
- Enable Purview retention policies for claims records (if regulatory retention required)
No Specialized Compliance Tools
Microsoft does not provide FINRA 2210, FINRA 25-07 or SEC Marketing Rule-specific compliance tools. Organizations implement this control using general-purpose SharePoint, Power Automate, and Purview capabilities configured to support their claims governance process.
Claims Review Workflow
- Claim Submission: Marketing submits proposed AI claim with supporting evidence (SharePoint form or Power Apps)
- Initial Review: Compliance reviews claim against substantiation requirements (manual process)
- Technical Validation: AI Governance Lead validates technical accuracy (manual process)
- Legal Review: Legal reviews for regulatory compliance - Zone 3 (manual process)
- Approval/Rejection: Compliance Officer approves or returns with feedback (Power Automate approval)
- Publication: Approved claim published with effective date recorded (inventory update)
- Periodic Review: Claims reviewed quarterly for continued accuracy (scheduled review process)
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | No external marketing claims | Personal productivity agents not marketed externally |
| Zone 2 (Team) | Internal claims require basic substantiation | Team-level communications may reference AI capabilities |
| Zone 3 (Enterprise) | Full pre-publication review; substantiation file; quarterly review | Customer-facing and external marketing requires maximum protection |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Marketing / Communications (functional) | Submit claims with proposed substantiation; maintain claim source files |
| Compliance Officer | Review claims against regulatory requirements; approve or reject publication; own quarterly review |
| AI Governance Lead | Validate technical accuracy of AI capability claims against actual agent design and test results |
| Legal Counsel (functional) | Review for regulatory and contractual compliance; advise on novel or comparative claims |
| SharePoint Admin | Provision and maintain claims inventory site, evidence library, and retention labels |
| Power Platform Admin | Maintain Power Automate approval and reminder flows used to operate the workflow |
Related Controls
| Control | Relationship |
|---|---|
| 2.19 - Customer AI Disclosure | Customer-facing transparency; complements marketing claims |
| 2.6 - Model Risk Management | Performance validation supports claim substantiation |
| 2.5 - Testing and Validation | Test results used for performance claim substantiation |
| 3.3 - Compliance Reporting | Claims inventory integrated with compliance reporting |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Implementation Approach
The playbooks guide configuration of general-purpose Microsoft 365 tools (SharePoint, Power Automate) to support the claims governance process. This is a process control implemented through documentation and workflow configuration, not a specialized compliance product.
Verification Criteria
Confirm control effectiveness by verifying:
- AI marketing claims inventory exists and is current
- Pre-publication review workflow is documented and followed
- Substantiation files exist for all Zone 3 marketing claims
- Quarterly review of published claims is conducted and documented
- A documented process exists to identify, withdraw, and correct AI marketing claims that are determined to be materially misleading, with evidence of recent remediation (or attestation that no such claims have been identified in the review window)
- Training records show that marketing, sales, and content-producing staff have completed AI claims and disclosure training within the firm's defined recertification window
Additional Resources
- SEC Marketing Compliance — Frequently Asked Questions
- SEC Press Release: AI Washing Enforcement (March 2024)
- FINRA Rule 2210: Communications with the Public
- FINRA Regulatory Notice 24-09: Generative AI and LLMs
- FTC Business Guidance: Artificial Intelligence
- Microsoft Learn: Microsoft Responsible AI Standard
- Microsoft Learn: SharePoint retention labels
- Microsoft Learn: Power Automate approvals
Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current