Summary
Registered investment advisers (RIAs) are increasingly adopting artificial intelligence (AI) tools that automatically transcribe and summarize client calls. While these technologies may offer efficiency gains, they introduce significant legal and compliance risks. This alert discusses the intersection of AI transcription tools with state wiretapping laws, privacy considerations, Securities and Exchange Commission (SEC) requirements, and the evolving litigation landscape.
AI-Generated Transcripts and Call Summaries: The New Normal in Advisory Practices?
RIAs have long maintained records of client communications by preparing and storing contemporaneous notes in their customer relationship management (CRM) systems. AI transcription tools have fundamentally altered this practice, enabling platforms to automatically transcribe calls in real time and generate detailed summaries without human intervention.
Although these tools assist advisers, the automated generation of transcripts and summaries creates legal exposure across multiple dimensions, including state wiretapping statutes, privacy concerns, federal securities recordkeeping requirements, and civil litigation discovery. Firms that have adopted these tools without a thorough compliance review, including evaluation by their Chief Compliance Officers (CCOs), may already be in violation of applicable law.
All-Party Consent State Issues: Criminal and Civil Exposure Under State Wiretapping Laws
The legal framework governing telephone recording varies by jurisdiction. While some states follow a "one-party consent" rule, a significant number require the consent of all relevant parties. As of the time of publication, these "all-party consent" jurisdictions include California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan (under certain circumstances), Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington.
When an AI tool records a client call, it may constitute an interception under these statutes. If the client has not provided affirmative consent, the adviser may be violating state criminal law and face potential penalties. For example, California Penal Code Section 632 makes unauthorized recording punishable by fines of up to $2,500 per violation and imprisonment, while Florida's statute imposes felony liability. It is important to note that a disclosure buried in an advisory agreement may not suffice.
The patchwork nature of state consent laws compounds the challenge. An RIA headquartered in Texas (a one-party consent state) speaking with a client located in California – even if the client is only there on vacation – may be subject to California law. Determining which law governs a recording requires careful analysis that many RIA firms have not conducted.
Beyond criminal exposure, violations of wiretapping statutes frequently give rise to civil claims for statutory damages, actual damages, and attorneys' fees. In a class action context, exposure could multiply rapidly across an entire client base.
Privacy Considerations at the Federal and State Level
Firms should be aware of privacy considerations relating to AI-generated transcripts and summaries. Regulation S-P requires RIAs to safeguard client information. A data breach involving transcripts or summaries could expose an RIA firm to enforcement actions, civil liability, and reputational harm.
In addition, state consumer privacy statutes, such as the California Consumer Privacy Act, impose independent requirements regarding notice, consent, and data-subject rights. Compliance with wiretap laws does not ensure compliance with privacy laws.
Document Retention Requirements: AI-Generated Records as Books and Records Under the Advisers Act
AI-generated transcripts and summaries constitute "books and records" subject to SEC Rule 204-2 (the Books and Records Rule) under the Investment Advisers Act of 1940, as amended (the Advisers Act). The Books and Records Rule requires RIAs to maintain written communications relating to recommendations made or advice given. While the SEC has not issued formal guidance regarding AI-generated transcripts and summaries, such records likely constitute covered books and records.
If subject to the Books and Records Rule, once created, these transcripts and summaries must be retained for five years (the first two years in an appropriate office) and produced to the SEC upon request. Many firms have not updated their policies to account for AI-generated content. Transcripts and summaries may be stored on third-party platforms with inadequate retention controls or may be periodically deleted in violation of recordkeeping requirements.
The SEC has brought enforcement actions for recordkeeping failures. An inadequate retention framework could result in regulatory sanctions.
The "Call, Don't Email" Problem, In Reverse
For decades, financial services professionals have been trained to "pick up the phone" for sensitive conversations.
AI transcription has turned this strategy on its head. Every transcribed call generates a permanent written record. AI transcriptions may not perfectly reflect what was actually said. Even when accurate, AI transcripts capture informal language, hypotheticals, and offhand remarks that a thoughtful professional would never commit to writing. In sum, some RIAs are now documenting every word their advisers say to clients. AI summaries compound the problem by distilling conversations into bullet points that may lack critical context.
Advisers who believed they were managing risk by using the phone may now be inadvertently creating documentary trails that are more detailed than anything that existed before through their use of AI transcription tools.
A Field Day for Regulators and Plaintiffs' Attorneys
AI-generated transcripts and summaries will provide regulators and plaintiffs' attorneys with an unprecedented window into adviser-client communications. Where examiners and attorneys previously relied on emails and witness recollections, they will now have verbatim records.
AI transcriptions contain errors, misattribute statements, and may fail to capture tone essential to understanding a conversation. AI summaries reflect the model's interpretation, not necessarily an accurate account. Yet, these documents will likely be produced in discovery and closely scrutinized by opposing parties for any incriminating language.
Further, RIAs' fiduciary obligations heighten these concerns. If an RIA relies on an AI summary that mischaracterizes a client's risk tolerance or objectives, the resulting recommendation may violate the RIA's fiduciary duty, exposing the RIA to regulatory and litigation risk.
The advisory industry has not experienced a severe market downturn since 2008 – 2009; downturns typically trigger waves of client complaints and litigation. The transcripts firms are creating today will be the evidence for tomorrow's disputes. Firms without a clear compliance framework will be at a severe disadvantage.
Recommendations and Next Steps
RIAs using or considering AI transcription tools should promptly undertake the following:
Review AI Tool Usage: Inventory all AI transcription tools in use, determine which personnel use them and under what circumstances they are used, and evaluate whether existing policies adequately govern their deployment. The CCO should be directly involved in this process.
Assess Consent Practices: Evaluate whether consent practices comply with wiretapping laws in all jurisdictions where clients are located. Consider implementing real-time point-of-use consent mechanisms at the start of any call using AI transcription and updating advisory agreements with clear consent language.
Conduct Due Diligence on Providers: Conduct due diligence on AI providers' security practices and contractual data-protection obligations to ensure compliance with applicable privacy laws.
Update Compliance Policies: Revise compliance policies and procedures to address AI-generated transcripts and summaries, ensure retention periods comply with the Books and Records Rule, and confirm that third-party providers' practices align with compliance obligations. Implement policies clearly stating when AI transcription may and may not be used and requiring that appropriate personnel review and revise AI-generated summaries, as appropriate.
CCO Supervision: Work to ensure the CCO has access to and appropriately supervises the use of AI-generated transcripts and summaries.
Train Personnel: Ensure staff understand that transcribed calls create permanent records subject to regulatory examination and litigation discovery. Document this training as part of the CCO's compliance program.
Update Form ADV: Consider whether AI transcription practices should be disclosed in Form ADV Part 2A as material information clients would reasonably expect to receive.
AI transcription tools offer benefits but also create compliance and litigation risks that RIAs must carefully evaluate. RIAs that take proactive steps to address these risks will be far better positioned in the event regulators and litigants come calling than those who are using the tools with only an eye to their benefits.
For more information, please contact: Paul J. Foley, Kiki Scarff, John Faust, Cole Beaubouef, Lori H. Patterson, Brittany A. Puckett, or any member of the Firm's Corporate Group.
Ana Marin Higuita, a paralegal at Baker Donelson, contributed to this article and is not admitted to the practice of law.