FINRA’s 2025 Oversight Report Highlights AML, OBAs & Third-Party Risk


The Financial Industry Regulatory Authority (FINRA) has released its 2025 Annual Regulatory Oversight Report, providing crucial insights into the regulatory landscape for member firms. This year's report covers a broad range of topics, including some new areas of focus plus perennial areas of regulatory concern.

A guide to better compliance in 2025

The report outlines challenges and risks that FINRA regulatory operations staff have seen in the field over the past 12 to 18 months and trends that FINRA leadership expects to see in the upcoming year. The report also describes effective practices to mitigate the observed risks to help firms effectively address the broad set of topics within their own compliance programs.

On the FINRA Unscripted podcast Unpacking the 2025 FINRA Regulatory Oversight Report, Member Relations and Education Vice President Kayte Toczylowski stated that “FINRA's purpose with the report is to share our insights and observations so that firms can use the information to enhance their compliance programs, which helps protect investors and further market integrity.”

Executive Vice President and Head of Market Regulation and Transparency Services Stephanie Dumont notes that the report contains emerging risks along with evergreen topics, calling out market integrity and transparency in particular as areas that are “just foundational to investor confidence and the efficient operation of our markets” and should remain perennial areas of focus. She also reminds firms that space is finite in the report, so if a topic has been in the report in the past and is not included this year, that does not mean that it’s no longer an area of regulatory focus.


Highlights from FINRA’s 2025 Regulatory Oversight Report

Cyber-Enabled Fraud

With the threat of cyber-enabled fraud increasing, the report emphasizes the need for firms to bolster their cybersecurity measures against the attack and fraud patterns FINRA has observed, including ransomware, new account fraud, insider threats, account takeovers, data breaches, imposter websites, and quishing (phishing that uses QR codes to direct victims to malicious sites).

To combat cyber-enabled fraud, FINRA recommends that firms adopt effective practices, such as implementing advanced cybersecurity technologies, conducting regular risk assessments, monitoring email communications and providing comprehensive training to employees. The report also underscores the importance of monitoring third-party vendors, as they can introduce vulnerabilities that may lead to data breaches and supply chain attacks.

Failure to effectively manage cybersecurity across the firm can lead to daunting consequences, including the exposure of customer and firm data, financial loss, reputational damage and operational failures. It can also compromise the firm’s ability to meet core regulatory requirements, including FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information), FINRA Rule 3110 (Supervision), Securities Exchange Act (SEA) Rules 17a-3 and 17a-4, Regulation S-P and Regulation S-ID, FINRA Rule 4530 (Reporting Requirements, including Reporting of Firms’ Conclusions of Violations) and FINRA Rule 3310 (Anti-Money Laundering Compliance Program).


Anti-Money Laundering, Fraud and Sanctions

FINRA Rule 3310 mandates that firms develop and implement written AML programs designed to comply with the Bank Secrecy Act (BSA) and its regulations. These programs must include policies and procedures to detect and report suspicious transactions, independent testing for compliance, ongoing training for personnel, and risk-based customer due diligence.

FINRA continues to emphasize the importance of robust AML programs. The report highlights common deficiencies, such as inadequate transaction monitoring and insufficient customer due diligence. Firms are encouraged to enhance their AML frameworks to detect and prevent money laundering activities effectively.

Investment fraud remains a significant concern, with FINRA noting an increase in sophisticated schemes targeting investors. The report underscores the need for firms to implement stringent fraud detection measures and compliance with sanctions regulations.

Manipulative Trading

FINRA Rule 2010, Rule 2020 and Rule 5210 are among the rules that prohibit manipulative and deceptive conduct, including insider trading, in the accounts of the firm and its associated persons. FINRA Rule 3110(d) requires that firms have processes in place to review securities transactions in those accounts to identify potential violations of the Exchange Act. In addition, firms must promptly investigate any transaction that appears suspicious.

Manipulative trading practices, including spoofing and layering, are ongoing regulatory concerns. They should be a perennial concern for firms as well, but FINRA's findings indicate that for many organizations, detecting and preventing these activities remains a struggle. The report notes that inadequate Written Supervisory Procedures (WSPs) and non-specific surveillance thresholds are common deficiencies that need to be addressed to ensure effective monitoring and compliance.

The report advises that advanced surveillance technologies plus better internal controls are necessary to mitigate the risk of improper trading. FINRA also recommends that firms tailor their supervisory procedures to the specific types of business they conduct. This includes establishing clear steps and responsibilities for monitoring manipulative conduct and outlining escalation processes for detected issues. Additionally, firms should periodically evaluate the adequacy of their controls and thresholds in light of changes in their business, customer base, or market conditions. 


Third-Party Risk

The report introduces a new section on the third-party risk landscape, reflecting the growing reliance on third-party vendors for critical functions within the financial industry. FINRA highlights the potential risks associated with these relationships and underscores the importance of establishing and maintaining robust supervisory systems, including written supervisory procedures.

To manage third-party risks effectively, FINRA recommends several effective practices. These include conducting thorough due diligence on third-party vendors, validating data protection controls in vendor contracts, and involving vendors in the testing of incident response plans. Additionally, firms should maintain a comprehensive list of all third-party services and providers. It is also important that firms conduct ongoing monitoring of third parties across the lifecycle of a relationship, from onboarding through offboarding and throughout the time in between.


Technology Management

With the increasing use of technology and digital platforms across the financial services industry, managing technological risks is critical. The report emphasizes the importance of cybersecurity measures, data protection, and the responsible use of artificial intelligence (AI).

Firms are encouraged to adopt best practices in technology management, including written policies and procedures and administrative, technical, and physical safeguards to protect their operations and client data under Regulation S-P. Regulation S-P also mandates incident response programs and customer notifications in the event of unauthorized access to customer information, while Regulation S-ID requires processes to detect, prevent, and mitigate identity theft.

AI has the potential to drive efficiencies for both firms and investors, but effectively harnessing these benefits means also mitigating potential risks and ensuring compliance with regulatory standards. Effective practices for AI management recommended by FINRA include dedicated AI oversight committees, providing ongoing training for employees, and ensuring that AI systems are regularly tested for fairness and accuracy. The report also underscores the importance of collaboration with regulators, industry peers, and technology experts to stay abreast of emerging risks and regulatory developments.


Outside Business Activities and Private Securities Transactions

FINRA requires that firms monitor the outside business activities (OBAs) and private securities transactions (PSTs) of their registered persons to prevent conflicts of interest and ensure transparency. FINRA Rules 3270 and 3280 require registered persons to notify their firms in writing of proposed OBAs and PSTs. This allows firms to determine whether to prohibit, limit, or allow these activities.

Common deficiencies noted in the report include incorrect interpretation of "selling compensation," inadequate approval processes, and insufficient documentation. To address these issues, FINRA recommends that firms implement robust controls and procedures for reviewing and approving OBAs and PSTs. This includes maintaining comprehensive records and conducting regular reviews. The report also emphasizes the need for firms to evaluate crypto asset-related activities to determine if they should be treated as PSTs. 


Books and Records

Accurate and complete record-keeping is fundamental to regulatory compliance. Firms are reminded of their obligations to retain and produce records promptly when requested by regulators.

The report highlights the requirements under SEA Rule 17a-3 and SEA Rule 17a-4, which set the minimum standards for record-keeping by broker-dealers. These rules require firms to create and preserve records of communications relating to their business as such, including emails, instant messages, and other electronic communications. Additionally, FINRA Rule 3110 and Rule 4511 require firms to establish written supervisory procedures designed to ensure compliance with these record-keeping obligations.


Across the many areas of risk covered in the report, the findings where firms came up short in meeting their regulatory obligations were consistent across topics:

  • Failing to establish policies and procedures that can be reasonably expected to detect compliance issues
  • Failing to establish policies and procedures that met the specific needs of the firm
  • Surveillance deficiencies including non-specific thresholds
  • Not devoting sufficient resources to monitoring programs
  • Inadequate due diligence
  • Inadequate testing and controls
  • Inadequate training and lack of training documentation
  • Failing to implement a reasonably designed supervisory system
  • Failure to follow up on red flags in a timely manner
  • Lack of sufficient documentation


The MyComplianceOffice platform provides a single platform for consistent and effective compliance that closes these gaps and gives firms documented evidence for regulators that they are meeting their obligations.
