FINRA has published its 2025 Regulatory Oversight Report, a compendium of compliance deficiencies the self-regulatory body observed in its investigations over the year, plus recommendations for improvement.
The report covers familiar compliance topics, such as public communications, anti-money-laundering efforts, cybersecurity, and Regulation Best Interest. For the first time, the report also covers oversight of third-party vendors, extended hours trading, and issues related to annuity securities products.
We have covered key highlights of the report in a separate article. But here we focus on the new section covering the third-party risk landscape as well as some pertinent changes to the section dealing with technology management.
Third parties
FINRA, just like the EU’s ESMA and other regulators globally, is concerned about the increasing reliance of firms on third parties – particularly where their services support key systems and covered activities and are adopted broadly by firms, and so potentially pose a systemic risk.
FINRA’s concern is driven by the fact that it has “observed an increase in cyberattacks and outages at third-party vendors”, which suggests that firms are becoming more vulnerable to potential disruption.
It is therefore reminding firms of their existing regulatory obligations in the area of third-party vendor risk management. It has previously published guidance for firms on this topic. But its recent firm examinations have identified a number of key areas that firms should focus on in connection with their risk management programs. These include:
- establishing adequate management policies;
- conducting initial or ongoing due diligence on vendors that support systems related to key areas such as:
  - information technology and cybersecurity; and
  - AML monitoring;
- validating data protection controls in vendor contracts;
- involving vendors that support key systems in the testing of their Incident Response Plan;
- maintaining a list of all vendor services, including hardware and software components, that the firm’s technology infrastructure uses;
- having procedures that address the return or destruction of firm data at the termination of a vendor contract; and
- addressing vendors’ use of other vendors (for example, fourth-party vendors) that may handle firm data.
Effective practice
In addition, firms should consider the risks posed by third-party vendors throughout the entire lifecycle of the business relationship. In connection with this, FINRA has put forward some examples of effective practices:
- maintaining a list of all vendor services, systems and software components in order to be able to assess the consequences of an outage;
- establishing supervisory controls for technology vendors, including assessment of potential business impact and contingency planning;
- evaluating the impact on the firm’s ability to meet its regulatory obligations in cases of an outage or failure;
- explicitly asking vendors about their Gen AI usage – and amending contracts in order to ensure that regulatory obligations, particularly those around the ingestion of sensitive customer information by such models, continue to be complied with;
- reviewing vendor tool default features and settings to ensure compliance with regulatory obligations – here FINRA specifically cites the disabling of out-of-the-box chat features that might not be captured for supervisory review;
- assessing the vendors’ ability to protect sensitive firm and customer non-public information and data;
- ensuring that vendor access to systems, data and corporate infrastructure is revoked at the end of a working relationship.
AI and Gen AI use risks
FINRA recognizes AI as a “continuing or emerging trend” and has asked firms to review:
- how to supervise the use of this technology at both an enterprise and an individual level;
- how to identify and mitigate associated risks; and
- whether the firm’s cybersecurity program specifically considers:
  - the implications and risks of AI and Gen AI being used by third-party vendors; and
  - the use of technology tools, data provenance, and processes to identify the use of AI by threat actors.
According to FINRA, firms using third-party Gen AI tools should consider how to ensure continuing compliance with regulatory requirements, including in connection with:
- the deployment of foundation models by third-party vendors;
- the inclusion of Gen AI within existing solutions by third-party vendors.
AI adoption by nefarious players
Like other regulators, FINRA is also concerned about the potential increase in the number, credibility and severity of attacks as a result of the adoption of Gen AI by threat actors themselves, and is asking firms to specifically prepare for the deployment of more sophisticated and more frequent AI-driven attacks, such as:
- fake web personas;
- deepfake audio and video; and
- advanced malware.
Much of this information and practice will be familiar to our regular readers. And although framed as suggested and recommended actions rather than the more prescriptive and formal route taken by European regulators with DORA, there is no doubt that it represents both a warning shot from FINRA as well as a good opportunity for firms to review the outsourcing foundations on which their operations and technology stack may be based.
We have chosen to reproduce the lists of recommendations and best practice cited by FINRA in full (although abbreviating the language) because they represent excellent high-level checklists and a good starting point for a strategic audit of key practices and considerations connected to third-party vendors, as well as any systems and process outsourcing more generally.
Regulation S-P
In the context of managing technology, including that being provided by third-party vendors, FINRA is also reminding firms of the recent changes to Regulation S-P that also “address incident response programs and require customer notification in the case of unauthorized access or use of customer information.”
Amendments to this rule, adopted on 16 May 2024, will apply to larger firms starting on 2 December 2025 and to smaller firms on 3 June 2026. FINRA is recommending that firms start to prepare for these incoming obligations by reviewing and, where necessary, modifying their cybersecurity programs.
FINRA, in its examinations, has found some specific additional weaknesses in firm practices in this area including:
- inadequate customer record and information safeguards;
- the Identity Theft Prevention Program (ITPP) required by Reg S-ID being inappropriate or inadequate, with observed shortcomings such as:
  - large volumes of red flags indicating accounts opened with stolen or false identities not being reviewed; and
  - red flags detected by the ITPP not being appropriately addressed;
- inaccurate privacy notices.
The additions to this section make very clear that FINRA believes that ensuring that customer information remains safe and secure is a key obligation for firms and that this requires a robust approach to data and information management, including a well-structured underlying systems architecture and appropriate safeguards and controls.
The compliance obligations for firms also include an appropriate and effective approach to communications, covering both communications with customers and reporting to relevant regulatory bodies.
A proactive stance on cybersecurity is expected by FINRA, with the report emphasizing that known vulnerabilities actively exploited by threat actors must be addressed. Although this addition to the report is connected specifically with security patching, it should also be a key consideration in the context of safeguarding client data as well as firm systems more generally.