
FINRA outlines compliance issues for firms in its annual regulatory oversight report

On Behalf of | Feb 13, 2025 | FINRA Compliance

Some of the compliance challenges for financial firms this year were detailed by the Financial Industry Regulatory Authority in its 2025 Annual Regulatory Oversight Report, according to AdvisorHub.

The report, covering 24 topics, contains insights and observations from recent activities of FINRA’s regulatory operations to help firms strengthen their compliance programs.

Cybersecurity risks, anti-money laundering controls, and the selection of third-party vendors were among the key issues addressed in observations from across FINRA’s Member Supervision, Market Regulation and Enforcement programs.

The third-party risk landscape is one of the new topics addressed in the 2025 report. In recent years, FINRA said it has observed an increase in cyberattacks and outages at third-party vendors used by member firms. An attempted cyberattack or an outage at a third-party vendor could potentially impact a large number of firms, the report said, given the industry’s reliance on third-party vendors to support key systems and activities.

FINRA recommends that firms set up “adequate third-party vendor risk management policies” that include “initial or ongoing due diligence” of vendors, validation of their data protection controls, and a list of all vendors being used.

“This report is a valuable tool that we provide to member firms in support of our self-regulatory mission to protect investors and ensure market integrity,” said Greg Ruppert, Executive Vice President and Head of Member Supervision at FINRA. “The topics reflect areas where FINRA has observed gaps in firm compliance programs as well as areas of emerging or increased risk. The report contains new topics, including a section addressing the third-party risk landscape, and many that will be familiar—such as cybersecurity and cyber-enabled fraud, communications with the public, and Regulation Best Interest and Form CRS—which have been updated to reflect evolving risks, industry trends and exam findings.”

Along with third-party risks, other areas of new content covered in the report include:

- Sales practice and Reg BI compliance regarding complex products. The Securities and Exchange Commission’s Regulation Best Interest establishes a “best interest” standard of conduct for broker-dealers and associated persons when they make recommendations to retail customers of any securities transaction or investment strategy involving securities, including recommendations of variable annuities and registered index-linked annuities.

- Extended hours trading. Over the last few years, trading in National Market System stocks and other securities has increasingly stretched beyond regular trading hours. As a result, FINRA has observed a growing number of firms offering varying degrees of extended hours trading services, in some instances including the overnight period of 8:00 p.m. to 4:00 a.m. ET.

- Artificial intelligence (AI). FINRA has noted that AI-based tools have been widely used in financial services for a number of years, and recognizes their potential value for investors, member firms and markets, as well as the need for all those involved to manage the associated risks. FINRA said firms are proceeding cautiously with their use of Generative AI (Gen AI) technology.

- Investment fraud by bad actors that directly targets investors. FINRA has observed an increase in investment fraud that typically includes enticing victims to withdraw funds from their securities accounts and send the funds to the bad actors as part of a fraudulent scheme.

- FINRA rules concerning the Remote Inspections Pilot Program and Residential Supervisory Location designation. In light of the technological advances that have changed the way business is conducted, FINRA adopted FINRA Rules 3110.18 (Remote Inspections Pilot Program) and 3110.19 (Residential Supervisory Locations), which modernize the approach to supervision while preserving investor protection objectives.

With regard to cybersecurity, FINRA’s head of enforcement Bill St. Louis said the authority intended to focus on violations of regulations requiring safeguards for systems holding data related to clients’ identities. He said many firms already had been put on notice about certain cybersecurity gaps, but “even after such notice, the firms have experienced numerous cyber incidents that could have been avoided if they had reacted to the red flags that were brought to their attention.”

St. Louis added that FINRA continued to bring a number of significant anti-money laundering (AML) cases last year alleging infractions of customer identification rules and customer due diligence failures. “Essentially, some of those cases involve firms that relied on their systems to comply with those requirements, but the systems weren’t calibrated properly, and there was a lack of testing around those systems that contributed to those failures,” he said.

The attorneys at Lewitas Hyman regularly monitor SEC, FINRA and other self-regulatory organizations’ rule-making activities to help ensure that our clients are aware of any new policies, while assisting them in implementing any recommended changes. Our clients include broker-dealers, RIAs, banks, investment companies and hedge funds, along with registered representatives and other individuals participating in the securities industry. Should you be in need of experienced counsel regarding a matter involving a regulatory agency, please contact Lewitas Hyman at (888) 655-6002 or through our online contact form.