The Financial Industry Regulatory Authority’s (FINRA’s) 2025 Annual Regulatory Oversight Report provides member firms with key insights and observations from its regulatory operations programs. The report covers fixtures such as financial crimes prevention, communications and sales, market integrity and financial management. It also reiterates and expounds upon other critically important topics such as cybersecurity and artificial intelligence (AI). New to the report this year are three topics: third-party risk landscape and the cybersecurity issues it presents, extended hours trading, and registered index-linked annuities.
Although the report does not create any new legal or regulatory requirements, firms should carefully review it and consider whether to incorporate any findings and effective practices into their operations in light of their own business. FINRA will certainly focus its efforts in 2025 on understanding and evaluating how firms operate in these areas.
New Topics for 2025
Third-Party Risk Landscape: FINRA has observed a recent uptick in cyberattacks and outages at third-party vendors — i.e., vendors engaged by member firms to handle specific tasks such as preparing confirmations or retaining electronic communications. Given the reliance of the industry on third-party vendors, and the nature of the information those vendors receive, the report emphasizes that a cyberattack or outage at a third-party member could impact FINRA member firms and their customers. FINRA reminds firms to consider implementing supervisory controls for third-party vendors, reviewing and adjusting vendor offerings to ensure compliance with regulatory obligations (e.g., electronic communication features), and assessing third-party access to sensitive customer information.[1] Additionally, the report highlights the importance of assessing if third-party vendors use generative AI (GenAI) in their products and services. Use of GenAI continues to be a regulatory theme in 2025 and is discussed further below.
Registered Index-Linked Annuities: Registered index-linked annuities (RILAs) have grown in recent years, with $47.4 billion in sales in 2023 (a 15% increase from 2022). Recognizing this increase, the report highlights the importance of firms’ compliance with Regulation Best Interest (Reg BI), which requires broker-dealers and associated persons to refrain from putting their financial or other interests ahead of the interests of retail customers. Through its regulatory operations programs, FINRA discovered that many firms lacked reasonable supervisory procedures in relation to RILAs and variable annuities to ensure that, among other things, customers were not over-concentrated in these product offerings and that their recommendations considered key suitability criteria, such as the investor’s age, in assessing whether an RILA was in the customer’s best interest.
Extended-Hours Trading: FINRA has observed a growing number of firms offering varying degrees of extended-hours trading services, including overnight trading. FINRA reminds firms that their regulatory obligations, including best execution (FINRA Rule 5310) and supervision requirements (FINRA Rule 3110), extend into extended-hours trading, and that customer risk disclosures must be given if the firm allows extended-hours trading (FINRA Rule 2265). Firms should assess their disclosures, supervisory controls, best execution reviews, operational readiness and business continuity plans, considering the unique characteristics and risk of extended-hours trading.
Other Noteworthy Additions
Artificial Intelligence: GenAI, which uses machine learning and generative models, continues to be an important focus for FINRA in 2025, and the report addresses GenAI in several different topics. Member firms should be aware of the increasing risks posed by bad actors leveraging GenAI to conduct sophisticated fraud schemes, including using GenAI to create synthetic identities, enhance phishing schemes impersonating firm executives or employees, or create fake websites mimicking legitimate firms to lure victims into transferring funds to fraudulent entities. Additionally, deepfake videos and AI-generated misinformation can be spread on social media to artificially inflate or deflate stock prices, allowing bad actors to profit off market manipulation. To help combat such schemes, the report suggests that firms consider communicating with their employees and customers about the heightened risks related to GenAI and advises on steps employees and customers can take to mitigate these threats.
When communicating with clients and the public, firms using GenAI technology to generate or assist in creating communications to customers should review the subject communications in a manner consistent with their current compliance practices regarding written communications. In addition, FINRA called out the use of “chatbot” sessions with a GenAI tool and the related supervision and recordkeeping considerations of using such tools. Lastly, FINRA noted that member firms should make sure retail communications that mention AI tools, products or services accurately describe the tool and its benefits and risks.
Cybersecurity and Cyber-Enabled Fraud: Consistent with prior reports, FINRA again shined a spotlight on cybersecurity issues, noting that it has observed an increase in the variety, frequency and sophistication of certain cybersecurity attacks and incidents that represent threats to the financial industry. The report reminds firms to conduct regular and thorough reviews on account intrusions, engage senior leadership and external stakeholders in cybersecurity discussions, and ensure that networks are subdivided into network segments to restrict the ability of bad actors to move across networks to find valuable data.
Anti-Money Laundering (AML), Fraud and Sanctions: Consistent with prior reports, FINRA discusses the importance of a robust anti-money laundering program. Given an increase in investment fraud committed by bad actors who directly engage with investors, enticing them to withdraw funds from their securities accounts, firms should consider monitoring for abrupt behavior changes in their customers, educating both firm personnel and customers about scams, and developing response plans for situations in which the firm identifies that a customer has been victimized.
The report notes that firms are not adequately monitoring suspicious transactions, for example by not devoting sufficient resources to suspicious activity monitoring programs, including following a business expansion or a material increase or change in transactions. In the past year, numerous FINRA enforcement actions noted member firms’ failure to scale their AML programs to the firm’s business growth. FINRA notes that firms should evaluate whether their customer identification program and customer due diligence program policies and procedures are adequately documented, clear and detailed.
Manipulative Trading: Multiple firms were fined in the past two years in spoofing-related surveillance cases. In the report, FINRA focuses on surveillance systems reasonably designed to monitor for potentially manipulative trading (e.g., potential layering, spoofing, wash trades, prearranged trades, marking the close, and odd-lot manipulation). FINRA notes that firms should evaluate whether their surveillance patterns are reasonably designed for both their business model and the products offered.
Additionally, the report notes the increase in manipulative trading in small-cap initial public offerings, similar to pump-and-dump schemes. In 2024, these schemes primarily involved issuers with operations in foreign jurisdictions. Further, the report notes that these schemes involved social media scams inducing retail investors to purchase shares of the small-cap companies.
Outside Business Activities (OBA) and Private Securities Transactions (PST): A perennial topic for FINRA, this year’s report remains consistent with prior FINRA priorities for outside business activities and private securities transactions. However, FINRA again reminds firms of their obligations to supervise and record private securities transactions, including those involving cryptocurrency assets. While not discussed in the report, firms should keep an eye out for changes to the OBA/PST rules framework. As disclosed by FINRA in December 2024, FINRA plans to publish a regulatory notice soliciting comments on a proposal to replace FINRA’s OBA/PST Rules with a single Outside Activities Requirements Rule.
Member Firms’ “Nexus” to Crypto: The report reminds firms that FINRA has jurisdiction only over its member firms and their associated persons. Federal securities laws and FINRA rules generally apply to member firm activities involving crypto assets that are securities, including those that are offered and sold as an investment contract. FINRA also suggests that certain FINRA rules apply to the activities of firms and their associated persons irrespective of whether the activity involves a security. Given that FINRA’s rules and regulatory authority primarily address securities-related conduct, firms should pay close attention to exactly how FINRA intends to involve itself in the regulatory oversight of non-securities activities.
Reg BI and Form CRS: FINRA’s observations on Reg BI and client relationship summary (Form CRS) echo previous reports. FINRA found that firms are failing to comply with the care obligation of Reg BI, as their recommendations do not take into account the features and risks of a recommended security or investment strategy. Additionally, FINRA found firms have recommended that customers replace or switch existing products without considering the associated risks or costs. Lastly, FINRA found that firms are making recommendations of complex or risky products that exceed limits in firm policies. While the SEC did not require a prescribed approach to supervision in adopting Reg BI, the report suggests that firms should conduct systematic and data-driven reviews to confirm that their recommendations are appropriate.
Consolidated Audit Trail (CAT): CAT also is a perennial favorite for FINRA’s annual reports. This report expands previous findings on supervision related to CAT reporting. For example, the CAT supervision finding has been expanded to cover unreasonable supervision. Examples of unreasonable supervision include: (i) not establishing and maintaining reasonable written supervisory procedures or supervisory controls regarding CAT reporting and clock synchronization that are performed by the firm, third-party vendors or both; (ii) not implementing an accuracy review (as described in Regulatory Notice 20-31); (iii) not using a reasonable sample size when selecting firm CAT reports for review; (iv) not supervising reporting agents that report to CAT on the firm’s behalf; and (v) not promptly remediating CAT reporting issues when brought to the firm’s attention either through its own reviews or regulatory inquiries from FINRA.
Additionally, this year’s report describes a member firm’s recordkeeping obligations more generally, stating that member firms must maintain underlying books and records to support transactional data reported to CAT.
Regulation SHO — Bona Fide Market Making and Close-Out Requirements: The 2025 report’s Reg SHO section remains consistent with the 2024 report. FINRA reemphasizes that firms are impermissibly extending the SEC guidance regarding Rule 204 and closing out fails using exchange-traded fund (ETF) conversions to other types of conversions (e.g., American depositary receipt). With this finding in mind, FINRA reminds firms to ensure that they develop and document any written guidance related to the requirements of Rule 204 (e.g., the 2017 SEC No Action Letter discussing use of ETF conversions for closing out of fails).
Trade Reporting Enhancements for Fractional Share Transactions: With the increase in fractional share trading offerings and capabilities, FINRA reminds firms that it plans to implement enhancements to the FINRA Facilities to support the reporting of fractional share quantities. While FINRA has not yet given an implementation date, FINRA noted in its March 22, 2024, Trade Reporting Notice that the effective dates will be no earlier than the first calendar quarter of 2025 and will be announced in a future notice.
* * *
FINRA will continue in 2025 to focus on the bread-and-butter issues broker-dealers face regularly. Although it is difficult to be ahead of the rapidly evolving business, technological and regulatory landscape, FINRA’s Annual Regulatory Oversight Report is a good resource for helping broker-dealers remain vigilant and thoughtful when it comes to assessing their compliance with FINRA rules and the federal securities laws. To be sure, we can expect FINRA to continue to expand and focus its efforts in that regard.
McGuireWoods’ Securities Enforcement and Regulatory Counseling (SERC) practice is a national leader in securities enforcement defense and broker-dealer and investment adviser regulatory counseling. Anchored by former SEC and FINRA attorneys from enforcement and trading and markets, as well as prominent federal prosecutors, the team manages complex securities investigations at every stage — from informal inquiries and routine exams through investigations, litigation and appeals — all while staying at the forefront of the ever-developing issues confronting the securities industry.
[1] See also FINRA Regulatory Notice 21-29, “FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors,” available at https://www.finra.org/rules-guidance/notices/21-29.