FINRA Issues 2025 Annual Regulatory Oversight Report
Introduction
On January 28, 2025, FINRA issued its 2025 Annual Regulatory Oversight Report, providing a detailed look into FINRA’s current regulatory oversight of member firms and their registered personnel.
Spanning 80 pages, the 2025 report incorporates content from previous reports, adding three new topic areas, including the third-party risk landscape, registered index-linked annuities (RILAs), and extended hours trading. Additionally, the report highlights updates to key areas, such as artificial intelligence (AI), investment fraud by bad actors, the Remote Inspections Pilot Program and Residential Supervisory Location designation, and trade reporting enhancements for fractional share transactions.
The report delves into six main topics and 24 subtopics. For each subtopic, the report provides the following sections: regulatory obligations, which include relevant federal securities laws, regulations, and FINRA rules; effective practices; and hyperlinks to additional resources. Additionally, for several topics, the report provides FINRA’s findings, observations, and insights into emerging and continuing trends and risks.
Although not a complete resource for all applicable legal and regulatory requirements, the report is a useful tool for firms seeking to mitigate risks, adapt to regulatory expectations, and strengthen compliance with federal securities laws and regulations.
The discussion below focuses on key areas from the report.
Financial Crimes Prevention
The report addresses three topics related to financial crimes prevention: cybersecurity and cyber-enabled fraud; anti-money laundering, fraud and sanctions; and manipulative trading. Key developments are summarized below.
Cybersecurity and Cyber-Enabled Fraud
Consistent with the prior year’s report, FINRA continues to emphasize cybersecurity risks. Over the past year, FINRA observed an increase in the variety, frequency, and sophistication of cybersecurity attacks. FINRA identified the rules and regulations that may be implicated by cybersecurity incidents: FINRA Rules 4370 (Business Continuity Plans and Emergency Contact Information), 3110 (Supervision), 4530(b) (Reporting Requirements), 4530.01 (Reporting of Firms’ Conclusions of Violations), and 3310 (Anti-Money Laundering Compliance Program), as well as Exchange Act Rules 17a-3 (Recordkeeping) and 17a-4 (Recordkeeping), and Regulations S-P (Privacy Rules) and S-ID (Identity Theft).
Imposter websites, insider threats, ransomware, new account fraud, account takeovers, and data breaches continue to pose threats to the financial industry. Beyond threats to firms themselves, cyber risks affecting third-party vendors can also result in data breaches and supply chain attacks. The report observes the following new types of threats that may impact firms:
- Quishing – phishing-style attacks that use QR codes to redirect victims to fraudulent URLs.
- Quasi-Advanced Persistent Threats – well-resourced threat actors that engage in sophisticated, malicious cyber activity aimed at prolonged network intrusion but are not necessarily sponsored by nation-states or large organizations.
- Generative AI-Enabled Fraud – threat actors exploiting generative AI to enhance cybercrimes, such as generating fake content, creating polymorphic malware, and other malicious tools.
- Cybercrime-as-a-Service – the sale of malicious technical tools to less sophisticated actors.
- Quantum Computing Risks – the exploitation of quantum computing to quickly break into encrypted systems.
To mitigate these risks, the report identifies the following effective practices, among others:
- Monitor cybersecurity activity to determine whether future action is appropriate.
- Utilize FINRA’s Cross Market Options Supervision: Potential Intrusion Report Card, which provides lists of trades related to potentially fraudulent options transactions facilitated by account takeover schemes.
- Develop a process for validating the identity of new clients and use third parties to provide a risk score associated with a new account.
- Regularly conduct simulated emergency exercises.
- Subdivide networks into separate sections to restrict the ability of threat actors to move across networks to find valuable data.
Anti-Money Laundering, Fraud, and Sanctions
The report discusses an increase in investment fraud directly targeting investors. Bad actors are increasingly using investment club scams, relationship investment scams, imposter websites, tech support scams, and support center scams to target and defraud investors. FINRA provides effective practices to mitigate these threats, such as: monitoring for red flags; freezing suspicious customer transactions; emphasizing trusted contact persons; educating customers about these risks; and developing appropriate response plans.
The report also notes an increase in automated clearing house (ACH) fraud, possibly from bad actors’ preference for ACH over wire transactions. Effective practices include the use of additional verifications, cut-off times, test transactions, third-party verifiers, and identifying red flags.
FINRA has also seen an increase in the use of generative AI by bad actors. Generative AI fraud increases threats to investors, firms and markets, and firms should be aware of these heightened risks. The report notes that bad actors have used generative AI to do the following:
- Impersonate well-known financial personalities to advertise fraudulent investment clubs over social media;
- Create synthetic IDs and media to establish fraudulent brokerage accounts or take over customers’ brokerage accounts;
- Enhance social engineering schemes, phishing campaigns, and malware attacks;
- Create imposter websites; and
- Manipulate the market by spreading false information on social media.
The report also provides new effective practices, which include conducting thorough inquiries for unusual customer requests and reviewing transactions on a firm-by-firm basis to identify patterns of potentially suspicious transactions.
Manipulative Trading
The report highlights the use of “ramp-and-dump” schemes to manipulate the market in small-cap initial public offerings (IPOs). These schemes have been linked to social media scams. FINRA also found additional surveillance deficiencies, including firms failing to establish and maintain a surveillance system for manipulative trading, to consider external sources for red flags, and to review surveillance alerts in a timely manner or resource them properly. The report provides new effective practices, which include:
- Tailoring supervisory systems to differing types of manipulative activity.
- Monitoring for red flags associated with conflicts of interest in advance of IPOs.
- Looking for efforts to artificially manipulate the price of securities.
Firm Operations
Third-Party Risk Landscape
Third-party vendors can create significant risks for a firm. FINRA has observed an increase in cyberattacks and outages at third-party vendors used by firms. To mitigate these risks, firms are obligated to establish and maintain a third-party vendor risk management program for all activities and functions performed by third parties, including written supervisory procedures reasonably designed to establish compliance with relevant securities laws and regulations (e.g., Regulation S-P) and FINRA rules (e.g., FINRA Rules 3110 and 4370).
The report identifies the following effective practices for assessing and managing third-party vendor risks throughout the entire lifecycle of the vendor relationship, from onboarding through offboarding:
- Maintain a comprehensive list of all third-party vendor services, systems, and software components that a firm may use to assess the impact of a cybersecurity incident or technology outage occurring at a third-party vendor on the firm.
- Establish supervisory controls for a third-party technology vendor’s business impact, such as assessments and contingency plans.
- Inquire of third-party vendors, prior to establishing a relationship, whether they use a generative AI tool in any of their products or services, and if so, ensure that contracts with these vendors comply with the firm’s regulatory obligations, such as prohibiting the generative AI tool from obtaining sensitive firm and customer information.
- Evaluate a third-party vendor’s capacity to protect sensitive firm and customer nonpublic information and data.
Senior Investors and Trusted Contact Persons
FINRA has observed that firms relying on FINRA Rules 4512, 3241, and 2165 engaged in several deficient practices. FINRA issued a Threat Intelligence Product titled “Protecting Vulnerable Adult and Senior Investors,” which explains common tactics used by scammers to defraud senior investors and vulnerable adults, the devastating consequences this has on victims, and the importance of education about financial scams to prevent both initial victimization and re-victimization.
The report highlights several effective practices for firms to consider when protecting senior investors.
Crowdfunding Offerings: Broker-Dealers and Funding Portals
Funding portals must register with the SEC, become a member of FINRA, and comply with Regulation Crowdfunding and FINRA Funding Portal Rules.
Broker-dealer firms relying on Title III of the Jumpstart Our Business Startups (JOBS) Act (enacted in 2012) to engage in the sale of securities must notify FINRA per FINRA Rule 4518 (Notification to FINRA in Connection with the JOBS Act). Broker-dealer firms may also need to apply for approval of a material change in business operations by filing a Form CMA and pay related fees, unless they are already FINRA-approved to participate in private placements or underwriting.
Regulation Crowdfunding imposes the following requirements:
- Gatekeeper responsibilities for intermediaries, through Rule 301(a) and Rule 301(c)(2);
- Maintenance and transmission rules for an intermediary that is a funding portal, through Rule 300(c)(2)(iv) and Rule 303(e)(2):
  - Rule 300(c)(2)(iv) prohibits funding portals acting as an intermediary from holding, managing, possessing, or otherwise handling investor funds or securities;
  - Rule 303(e)(2) requires funding portals to direct investors to transmit the funds directly to a “qualified third party” who agreed in writing to hold, and promptly transmit or return, such funds for the correct parties; and
- Record-keeping requirements on funding portals, through Rule 404. Notably, the use of a third party to prepare and maintain records on behalf of a funding portal does not affect the funding portal’s record-keeping responsibilities.
Firms that engage in Regulation Crowdfunding transactions must comply with the full record-keeping requirements under Exchange Act Rules 17a-3 and 17a-4, and FINRA Rules 3110(b) (Supervision) and 4510 (Books and Records).
FINRA has observed violations of crowdfunding offerings and funding portals requirements.
The report identifies the following effective practices:
- Develop compliance resources, such as annual questionnaires that verify the accuracy of a funding portal’s associated persons’ information per Funding Portal Rule 300(c), follow-up questions for associated persons, and procedures to ensure that the issuer disclosures mandated by Regulation Crowdfunding Rule 201 are available to investors on the funding portal’s platform per Regulation Crowdfunding Rule 303(a).
- Implement supervisory review procedures for communications requirements and identify whether any contemplated structural or organizational changes require a CMA filing.
- Review existing funds instructions to ensure that investor investment funds are transmitted, per directions, only to a qualified third party, and no other entity, acting as the escrow agent for that offering.
- Incorporate the Written Supervisory Procedures Checklist for Funding Portals to ensure the firm’s written supervisory procedures comply with Regulation Crowdfunding and FINRA Funding Portal Rules.
Member Firms’ Nexus to Crypto
FINRA continues to monitor member firms and their associated persons in connection with digital assets. FINRA rules apply to all digital assets, including unregistered digital asset securities and digital assets that do not fall under the SEC’s jurisdiction. FINRA has observed that malicious actors continue to employ manipulative schemes, such as pump-and-dumps, to profit from investor interest in blockchain and digital assets.
FINRA has observed recurring violations of Rules 2210 (Communications With the Public), 3110 (Supervision), and 3310 (Anti-Money Laundering Compliance Program) in the digital asset space.
For firms and their associated persons engaged in digital asset-related activities, the report identifies the following effective practices:
- Perform due diligence of unregistered offerings by understanding the (1) exemption from registration; (2) digital asset governance and ownership rights; (3) mechanics of the digital asset; and (4) cybersecurity risks related to the blockchain protocol.
- Conduct risk-based on-chain assessments for accepting, trading, or transferring a digital asset, and establish procedures for this assessment.
- Ensure customers clearly understand the differences between the brokerage account and their blockchain account.
- Provide a fair and balanced presentation of the risks associated with digital assets to retail investors.
- Differentiate digital asset product communications from firm product communications.
Communications and Sales
The report addresses four topics related to communications and sales: communications with the public, Regulation Best Interest (Reg BI) and Form CRS, private placements, and annuities securities products. We summarize below the new developments identified in the report.
Communications With the Public
FINRA continues to focus on compliance issues involving communications in a time of rapid technological change. In addition to the use of mobile apps, FINRA is raising concerns about firms’ inadequate supervision of their social media influencers. FINRA observed that firms were not establishing reasonably designed supervisory systems for communications that influencers post on behalf of the firm. Further, firms were not reviewing influencers’ videos before they were posted and did not retain the videos after posting.
The report provides the following effective practices for communications involving generative AI:
- Review communications to customers generated by generative AI for compliance with securities laws and regulations and FINRA rules.
- Ensure the proper supervision and retention of generative AI chatbot communications.
- Ensure retail communications accurately disclose the use of AI and how it is used, and discuss the risks and benefits of its use.
In addition to technology concerns, the report provides effective practices for ensuring that communications that promote or recommend income-sharing programs to retail investors accurately and clearly disclose the terms and conditions of the program.
The report also highlights findings for retail communications for RILAs. FINRA observed RILA communications that: inadequately explained how RILAs worked; insufficiently explained specialized terms; did not include sufficient disclosures for risk, charges, and changes; made misleading statements; and made hypothetical illustrations showing more than merely how RILAs function.
Reg BI and Form CRS
FINRA continues to examine firms for compliance with SEC Reg BI and Form CRS. The report provides new findings and recommendations for Reg BI.
Regarding new effective practices for Reg BI’s care obligation, the report provides additional guidance for associated persons making recommendations on evaluating costs and reasonably available alternatives. The report advises providing associated persons with guidance on formulating recommendations that consider reasonably available alternatives, and ensuring that technology that generates recommendations considers the costs of affiliated and non-affiliated investment products.
Private Placements
The report highlights that some parties involved in pre-IPO private placements have been engaging in fraudulent activity. Firms in some instances purportedly made material misrepresentations and omitted material information when recommending a private placement offering of pre-IPO securities.
The report identifies the following new effective practices:
- Amend due diligence checklists to account for certain private placements with unique risks.
- Evaluate the issuer’s intended use of proceeds upon learning of material changes during the offering.
- Have representatives complete targeted, in-depth training on the firm’s policies, process, and filing requirements prior to recommending an offering.
Annuities Securities Products
FINRA continues to focus examination efforts on exchanges of variable annuities. The report notes that Reg BI’s “best interest” standard of conduct applies to all securities, including variable annuities and RILAs. FINRA observed alleged violations of Reg BI’s care obligation where firms recommended that investors surrender their variable annuities to purchase RILAs. FINRA also observed that some firms did not have a reasonable basis for their recommendations and did not consider their customers’ best interest.
The RILA market is growing significantly and has quintupled since 2017. The report provides new effective practices for RILAs, which include:
- Incorporate heightened policies and procedures for RILA recommendations.
- Monitor past RILA exchanges.
- Comply with Reg BI.
- Provide guidance to associated persons on whether RILAs are in a customer’s best interest.
The report makes new findings and provides effective practices for exchanges of variable annuities. New findings include firms recommending variable annuity exchanges not suitable for or in the best interest of retail customers and firms submitting variable annuity recommendation documents with misrepresentations or omissions. The report identifies a new effective practice:
- Use exchange disclosure forms to provide customers meaningful information about recommended exchanges including comparisons of fees and surrender periods, disclosures of loss of benefits, and the rationale for choosing the exchange.
Market Integrity
Extended Hours Trading
Firms that permit customers to engage in extended hours trading (between 4 p.m. and 9:30 a.m. Eastern Standard Time, outside regular trading hours) must comply with FINRA Rule 2265 (Extended Hours Trading Risk Disclosure) by providing customers with a risk disclosure statement. FINRA Rule 2265 specifies six risks: lower liquidity, higher volatility, changing prices, unlinked markets, news announcements, and wider spreads.
Similarly, if firms permit customers to engage in extended hours trading online, or if firms open accounts online that allow customers to engage in extended hours trading, then they must post a risk disclosure statement on their website in a clear and conspicuous manner. Firms should include in this statement the six specific risks in Rule 2265, and must consider developing additional disclosure language where necessary to address product- or service-specific needs.
Additionally, firms that engage in extended hours trading must comply with applicable FINRA and SEC rules, such as FINRA Rule 5310 (Best Execution and Interpositioning), and FINRA Rule 3110 (Supervision).
To best regulate their customers’ use of extended hours trading, the report notes that firms may wish to consider the following:
- Perform best execution reviews to evaluate how extended hours orders are handled, routed, and executed, to confirm that the firm’s practices are reasonably designed to obtain best execution.
- Review customer disclosures about extended hours trading risks and ensure that, at a minimum, they address the highlighted risks in FINRA Rule 2265.
- Evaluate whether additional product-specific or other disclosures are needed, and review customer disclosures that address the firm’s customer order handling processes.
- Develop and maintain reasonably designed supervisory processes to address any unique characteristics or potential risks associated with extended hours trading, including customer order handling and volatile or illiquid market conditions.
- Evaluate the firm’s operational readiness and ability to meet customer support needs through overnight hours; assess the availability of backup trading arrangements for trading sessions offered to customers; and consider when communications with customers about the possibility of service interruptions would be appropriate.
Financial Management
The report addresses three topics related to financial management: net capital, liquidity risk management, and segregation of assets and customer protection. We summarize below the new developments that FINRA identified for net capital and segregation of assets and customer protection.
Net Capital
FINRA continues to focus on the net capital rule and further notes that firms should ensure they can show their proper application of Accounting Standards Codification 606.
Segregation of Assets and Customer Protection
The report notes that in 2024, the SEC amended the broker-dealer customer protection rule (Rule 15c3-3) and Rule 15c3-1 to: increase the frequency of computations of net cash owed to customers and other broker-dealers from a weekly to daily basis for certain firms; and decrease the required 3% daily customer reserve “buffer” for certain broker-dealers. FINRA observed that inadequate understanding of the customer protection rule caused firms to have inaccurate reserve computations.
The report reminds firms of their obligations to designate a qualified financial and operations principal (FINOP) under FINRA Rule 1220(a)(4). FINOP responsibilities are applicable regardless of the FINOP being employed full time or part time. Further, firms designating a principal financial officer or a principal operations officer are not relieved from their FINOP obligations.
The report is a helpful resource for compliance professionals. Firms are encouraged to review their compliance practices and written supervisory procedures, and revise practices and procedures as necessary to address topics covered in the report. FINRA will continue to assess the compliance, supervision, and risk management issues covered in the report.
This article was co-authored by Carlton Fields law clerk Jason Berkun.