2025 FINRA Annual Regulatory Oversight Report

Author

Patrycja Savignano

Type

Compliance Alert

Topics
  • Compliance
  • FINRA

On January 28, 2025, the U.S. Financial Industry Regulatory Authority (FINRA) released its Annual Regulatory Oversight Report. This report provides transparency by offering member firms insights on findings and observations from FINRA’s member supervision, market regulation, and enforcement programs. The contents of the report are meant to build off the prior year’s releases. FINRA also adds new topics and updates previous topics as necessary.

This year’s report focuses on the following items:

  • Relevant rule(s)
  • Key considerations for member firms’ compliance programs
  • Noteworthy findings or observations from recent oversight activity
  • Continuing and emerging risks
  • Effective practices observed
  • Additional resources

The 2025 report builds on the previous year’s report with six topics and 23 subtopics. The following key topics remain a priority this year.

Technology

Crypto

In 2025, FINRA again reminds firms that seek to engage in crypto asset activities to identify and address relevant regulatory and compliance challenges and risks. As noted in the report, firms participating in crypto-related activities remain under FINRA’s jurisdiction. Additionally, federal securities laws and specific FINRA rules apply to these activities and their associates, regardless of the nature of the crypto assets involved.

FINRA notes an ongoing trend of bad actors taking advantage of investors interested in crypto assets and blockchain technology. This market abuse is being conducted via manipulative schemes similar to those that already exist in other markets. Firms should also be aware of schemes that are amplified by social media.

Artificial intelligence (AI)

AI adoption in the financial services industry continues to expand. While AI offers benefits, such as increased efficiency and improved data analysis, it also introduces risks. FINRA has been actively engaging with firms to discuss these risks and ensure compliance with regulatory requirements. Many firms are cautiously implementing third-party generative AI (Gen AI) tools to assist with summarizing information, analyzing data, and retrieving policy-related content.

As part of its efforts to stay informed on AI developments, FINRA issued a questionnaire in late 2023 to assess firms' use of third-party AI vendors and has since followed up based on their responses. In June 2024, FINRA released Regulatory Notice 24-09 reminding firms of their regulatory obligations when using Gen AI and large language models (LLMs). FINRA maintains that its rules remain applicable regardless of the technology used and advises firms to assess AI tools before implementation to ensure compliance.

Firms using Gen AI should consider supervision strategies, risk mitigation for accuracy and bias, and cybersecurity concerns, including potential data leaks and AI-powered cyber threats. Additionally, those relying on third-party AI tools should evaluate vendor compliance with regulatory requirements. As AI technology continues to evolve, firms must remain vigilant about addressing cybersecurity risks posed by AI-driven threat actors who may exploit these tools.

Cybersecurity

FINRA has identified an increase in cybersecurity threats targeting the financial industry. Bad actors are using increasingly sophisticated methods in their attacks. Key threats include:

  • Ransomware attacks: cybercriminals hijack and encrypt firm or customer data for ransom
  • New-account fraud: bad actors use stolen or falsified identities to open fraudulent accounts
  • Insider threats: both intentional and accidental, as employees can misuse their access to harm firms and clients
  • Account takeovers
  • Data breaches
  • Imposter sites
  • "Quishing": using QR codes to direct victims to phishing websites

These threats expose confidential information and deceive investors.

Emerging threats include quasi-advanced persistent threats (Quasi-APTs), where well-resourced actors attempt prolonged system intrusions without direct state sponsorship. Gen AI has enabled cybercriminals to create realistic fake content, such as deepfake videos and documents. It has also helped them develop advanced malware that evades detection. Cybercrime-as-a-service has further expanded the threat landscape by making hacking tools developed by more experienced cybercriminals more easily available to less technically skilled individuals. Ransomware also poses a particular issue in this area.

Lastly, quantum computing may introduce future security risks as its advanced computational power could potentially break current encryption methods. This outcome would make financial data and cybersecurity protocols vulnerable.

As these threats evolve, financial institutions’ cybersecurity personnel must remain vigilant and protect their systems and customers through the implementation of strong security measures and proactive risk management strategies.

Anti-money laundering (AML), fraud, and sanctions

In the report, FINRA notes that firms have exhibited several deficiencies with their customer identification program (CIP) compliance and required customer due diligence (CDD) processes. FINRA indicates that firms are failing to classify some of their relationships as customer relationships, which has led to inadequate verification of identities and insufficient identification of suspicious activity. FINRA has also found firms to have unclear procedures regarding CIP and CDD, which can result in insufficient measures in place to detect identity theft and fraud.

Additionally, FINRA noted inadequacies in some firms’ ongoing monitoring of suspicious transactions where insufficient AML procedures caused a failure to investigate red flags or inquiries from law enforcement effectively.

Finally, FINRA’s 2025 report notes concerns about insufficient AML program testing.

Regulation Best Interest (Reg BI) and Form CRS

Since Reg BI and Form CRS went into effect on June 30, 2020, FINRA has identified several instances when firms have failed to address their obligations. Building off the prior years’ findings, FINRA’s 2025 report notes firms often fail to conduct reasonable investigations before recommending securities, neglect to assess the suitability of products for retail customers, and make excessive or unsuitable transaction recommendations. FINRA notes frequent lack of documentation and inadequate review processes for communications with customers. It also notes conflicts of interest that were not properly identified or mitigated. In some instances, firms might not provide “full and fair” disclosures for fees and conflicts associated with their recommendations. Additionally, firms frequently fall short in the maintenance of adequate compliance policies and procedures to meet Reg BI requirements.

FINRA notes that firms must improve their processes for evaluating costs and reasonably available alternatives when making recommendations, ensuring that disclosures are clear and accurate, while also adhering to regulatory requirements.

Issues with Form CRS include:

  • Inaccurate representations
  • Failure to deliver the form properly
  • Delayed amendments in response to material changes

Third-party risk landscape

An increasing reliance on third-party vendors for various operational and compliance activities exposes firms to risk. Given the rise in cyberattacks and outages at these vendors, monitoring third parties has become more important. FINRA Rules 3110 and 3120 require firms to establish and maintain a supervisory system and written procedures to ensure compliance with applicable securities laws and regulations when using third-party services. In its 2025 report, FINRA notes specific areas for enhancing third-party vendor risk management, including conducting due diligence, validating data protection controls in vendor contracts, and maintaining a comprehensive list of all third-party services used.

Additionally, firms need to address data return or destruction protocols when terminating vendor arrangements. Firms also need to manage risks related to the use of fourth-party vendors. As firms explore the use of Gen AI tools to improve efficiency, they should consider enhancing controls for supervision, accuracy, and cybersecurity. FINRA highlights the importance of adhering to SEC regulations about customer data protection and incident response, as well as maintaining robust cybersecurity practices. These practices include effective logging and monitoring to mitigate operational risks.

Registered index-linked annuities

In its 2025 report, FINRA notes substantial growth in the market for registered index-linked annuities (RILAs). The sales of these products reached $47.4 billion in 2023, marking a 15% increase from the previous year, and more than a fivefold increase since 2017. RILAs are a type of annuity contract offered by insurance companies that allow investors to allocate payments to various investment options linked to the performance of an index over a defined crediting period.

RILAs possess unique characteristics that can influence their performance. These characteristics include periodic realization of gains and losses at the end of each crediting period, which can force liquidation, even in unfavorable market conditions. Their performance may be based on a “price return” index, which typically yields lower returns and would not account for dividend reinvestment. Additionally, while RILAs generally do not have explicit fees (aside from surrender charges), their bounded return structure limits potential gains and losses. These characteristics require investors to make economic cost and benefit tradeoffs.

FINRA also notes concerns with variable annuity exchanges that may not align with the best interests of retail customers. These offerings could lead to increased fees and the potential loss of significant benefits.

Market integrity and trading

Regulation SHO

Regulation SHO outlines requirements for bona fide market making and close-out practices. In its 2025 report, FINRA notes findings that indicate some firms struggle to differentiate bona fide market making from other proprietary trading activities that do not qualify for Regulation SHO exceptions. Issues include quoting only at maximum allowable distances from the inside bid/offer, posting quotes near the inside ask without corresponding bids, and displaying quotes or indications of interest that are not accessible to a broad range of market participants.

Addressing these deficiencies effectively involves developing robust supervisory systems for market making activities. Firms should conduct thorough reviews of their quoting practices, considering factors such as the placement of quotes, the frequency and timing of quoting activity, and the ratio of proprietary trades to customer transactions. By implementing these supervisory measures, firms can confirm appropriate reliance on Regulation SHO's bona fide market making exceptions.

Manipulative trading

FINRA enforces various rules to prevent manipulative trading practices, such as insider trading, front running, and deceptive order execution. Under FINRA Rule 3110, firms must establish supervisory procedures to review transactions and identify violations, ensuring compliance with FINRA Rule 5210 (accuracy in trade reporting), and Rule 5270 (prohibiting trading on material nonpublic block transaction information). However, FINRA has identified common deficiencies, including inadequate written procedures, weak surveillance thresholds, and insufficient resources for monitoring alerts. Failures in surveillance, such as overlooking wash trades, layering, spoofing, and prearranged trades, can result in regulatory breaches and undermine market integrity.

Market manipulation schemes, particularly in small-cap initial public offerings (IPOs), have evolved from immediate post-IPO price spikes to longer-term price inflation via nominee accounts. Fraudsters exploit social media scams, such as encrypted chat investment clubs, to mislead retail investors into purchasing overvalued shares, benefiting bad actors. To combat such risks, firms should implement robust surveillance programs tailored to different trading strategies and asset classes, monitor cross-platform activity, and strengthen controls on algorithmic trading. Firms should also consider establishing strong information barriers and improving oversight of wash and prearranged trading. Tracking correlated securities, like exchange-traded products (ETPs) and options, would also help detect and prevent sophisticated manipulation tactics, reinforcing overall market stability.

Extended hours trading

In recent years, trading in National Market System (NMS) stocks has increasingly extended beyond regular hours (9:30 am to 4:00 pm ET), with some firms offering overnight trading from 8:00 pm to 4:00 am ET. FINRA Rule 2265 requires firms engaging in extended hours trading to provide customers with a clear risk disclosure statement outlining specific risks. This disclosure must be prominently displayed online if trading is conducted through the firm's website.

FINRA’s key findings regarding extended hours trading indicate issues such as inadequate supervision and reporting failures. Firms also did not effectively identify or report potentially manipulative after-hours trading activities.

FINRA noted that effective practices can include conducting regular best execution reviews of extended hours orders, regularly updating customer risk disclosures to meet regulatory requirements, and establishing robust supervisory processes tailored to the unique risks of extended hours trading.

Other key topics

FINRA also addressed other trading-related topics and subtopics in the 2025 report:

  • Consolidated Audit Trail (CAT)
  • Data Integrity and Timeliness Issues in Municipal Underwriting Filings
  • Customer Order Handling: Best Execution and Order Routing Disclosures
  • Order Routing Disclosures
  • Fixed Income—Fair Pricing
  • OTC Quotations in Fixed Income Securities
  • Market Access Rule
  • Upcoming Trade Reporting Enhancements for Fractional Share Transactions

Use of FINRA publications

Firms have used prior FINRA publications, such as Exam Findings Reports, Priorities Letters, and Reports on FINRA’s Examination and Risk Monitoring Program, to enhance their compliance programs. Firms may consider these practices, if relevant to their business model:

  • Assessment of applicability of issues noted in the report
  • Risk assessment of the firm’s activities
  • Gap analysis of key practices and controls
  • Circulation of information to compliance groups
  • Presentation of key risks to business leaders
  • Guidance and training to inform employees of key risk areas

Want to know more?

We will be hosting a webcast in March 2025 to discuss these topics and how firms can ensure they are meeting FINRA's expectations. If you are interested in attending this webcast, please register your interest and we will send you an email invite as soon as we open registration.


How we help

The compliance environment has never been more complex or demanding. We can help you navigate the evolving regulatory landscape while considering the complexity of your firm’s unique compliance requirements. ACA Signature can help.

With ACA Signature, you can choose the combination of regulatory compliance consulting, innovative compliance technology, compliance management services, and cybersecurity technology assessments to create a scalable solution that is right for your firm and gain expert insight, guidance, and support as you navigate emerging compliance and risk challenges.

Reach out to your ACA consultant, or contact us to learn how ACA Signature can help you launch, grow, and protect your firm.