FINRA has published its 2025 Regulatory Oversight Report, a compendium of compliance deficiencies the self-regulatory body observed in its investigations over the year, plus recommendations for improvement.
The report covers familiar compliance topics, such as public communications, anti-money-laundering efforts, cybersecurity, and Regulation Best Interest. And, for the first time, the report covered oversight of third-party vendors, extended hours trading, and issues related to annuities securities products.
Let’s take a look at some highlights.
Financial crime and money laundering
The report noted an increasing frequency of cybercrimes, including generative AI-enabled fraud, market manipulation, advanced persistent threats (APTs), and hacking-for-hire.
FINRA noted that these recurring problems might escalate in severity as quantum computers develop the ability to rapidly bypass security controls and generative AI becomes more sophisticated.
The report also pointed out a persistent issue with surveillance thresholds, which are often set too high or too low to effectively spot suspicious activity. Effective anti-money-laundering (AML) policies were also a focus, with an emphasis on comprehensive training, monitoring, and identity verification processes.
Common deficiencies included:
- Excessive latency in evaluating customer identity, such as failing to identify customers at the time of account opening or within a feasible timeframe, and failing to re-evaluate provided information when suspicious activity is detected;
- Deficiencies in customer due diligence (CDD) and customer identification programs (CIPs), such as failing to establish customer identity at the outset, and failing to update customer profiles as changes occur;
- “Auto-approving” accounts despite red flags and failing to catch suspicious account details, such as repetitive email addresses;
- Failing to establish AML programs that are fine-tuned to catch suspicious crypto asset transactions;
- Maintaining ineffective policies and procedures to detect and report suspicious transactions, as well as poor escalation frameworks; and
- Maintaining inadequate testing and training protocols to identify suspicious transactions.
Recommendations on curbing fraud and money laundering centered on investigating large withdrawals from vulnerable customers, conducting formal AML assessments, and requiring multiple sources of ID, such as non-documentary information like credit reports, home purchases, and IP addresses.
FINRA also endorsed maintaining outreach programs for vulnerable customers.
Technology and data
Inaccurate privacy notices, identity-theft-prevention programs incommensurate with a firm’s size and complexity, and out-of-date cybersecurity written policies were highlighted as common tech deficiencies among member firms.
Recommendations for shoring up cyber protections included:
- exerting heightened control over branch use of email systems and servers;
- establishing criteria for filing SARs due to cybersecurity events;
- comprehensive data logging of technical activity to assist with forensic investigation of cyber breaches; and
- making sure that all electronic communications are retained, off-channel communications are limited, and third-party vendors are complying with Books and Records requirements.
Reg BI and market integrity
The report examined compliance with Regulation Best Interest (Reg BI) and emphasized the importance of upholding policies and procedures to safeguard investors and marketplaces.
Common deficiencies included:
- failing to conduct reasonable investigations of offerings prior to recommendation, including failure to consider associated costs;
- recommending risky products that do not align with a customer’s investment profile;
- failing to identify and document applicable conflicts of interest that put extraneous factors, such as a firm or associate’s bottom line, ahead of customers’ best financial outcomes;
- failing to include disciplinary histories, costs, and conflicts of interest in Forms CRS, or failing to deliver the forms to customers;
- failing to have effective written policies in place to secure compliance with Reg BI;
- failing to disclose crypto risks, or falsely implying that cryptocurrencies functioned like cash or had the full protections of federal securities laws;
- failing to do due diligence to learn about employees’ outside business activities (OBAs) and private securities transactions (PSTs); and
- possessing insufficient Market Access Rule controls, such as failing to establish pre-trade order limits and preset capital thresholds, and relying too heavily on third-party vendors.
For the first time, FINRA noted emerging Reg BI difficulties surrounding variable annuities (VAs) and Registered Index-Linked Annuities (RILAs), whose market has more than quintupled since 2017. FINRA identified that member firms often lacked WSPs to ensure that customers are not over-invested in those products or other illiquid assets, and that they failed, at times, to accurately represent fees and surrender charges to customers.
Extended hours trading was broached as a topic for the first time in the 2025 Report. FINRA noted that after-hours trading, including overnight trading, has become increasingly popular over the last few years, and signaled it will be making closer reviews of how member firms manage and report on round-the-clock trading.
Overnight trading statistically leads to disadvantages for market participants for a variety of reasons, including reduced liquidity and trader overconfidence, and FINRA requires firms that permit overnight trading to provide customers with a risk disclosure statement.
FINRA stated firms must be diligent in ensuring customers are made aware of risks, a move also endorsed in SIFMA’s review of overnight trading.
Third-party risk landscape
FINRA has added a new section focusing on the risk to firms stemming from the use of services provided by third-party vendors. FINRA says that it has “observed an increase in cyberattacks and outages at third-party vendors” that firms use and is concerned about the potential impact on a large number of firms of an attempted cyberattack on or an outage at a vendor.
The new section puts forward areas that firms may consider when developing and enhancing their third-party vendor risk management programs along with effective practices covering the entire lifecycle of the outsourcing relationship, from onboarding to monitoring and ending with offboarding.
This part of the report also covers AI as a continuing and emerging trend with observations from FINRA on key compliance and risk management considerations for firms.
We cover this part of the report in more detail in a separate article, which will publish on Monday.
How are firms using FINRA reports?
Finally, the report noted the ways in which member firms are using the SRO’s publications to bolster their compliance programs.
These include:
- incorporating FINRA-highlighted topics into risk assessments;
- assessing gaps between issues noted in Priorities Letters and Exam Findings Reports with firm compliance policies; and
- using FINRA reports to guide staff, inform training, and support presentations to business leaders.