The 2025 FINRA Annual Regulatory Oversight Report: What You Need to Know

Feb 03, 2025

On January 28, 2025, FINRA released its 2025 Annual Regulatory Oversight Report, highlighting key findings and observations from the past year. The self-regulatory organization (SRO) publishes the annual report with an aim to increase transparency and support member firms in their commitment to maintaining compliance.  

“This report is a valuable tool that we provide to member firms in support of our self-regulatory mission to protect investors and ensure market integrity. The topics reflect areas where FINRA has observed gaps in firm compliance programs as well as areas of emerging or increased risk. The report contains new topics, including a section addressing the third-party risk landscape, and many that will be familiar—such as cybersecurity and cyber-enabled fraud, communications with the public, and Regulation Best Interest and Form CRS—which have been updated to reflect evolving risks, industry trends and exam findings,” said Greg Ruppert, Executive Vice President and Head of Member Supervision at FINRA. 

In this blog, we’ll break down the findings within the report, including new focus areas for the SRO as well as perennial focus areas which continue to make headlines year in and year out. 

2025 FINRA Annual Regulatory Oversight Report: What’s New 

In its 2025 report, FINRA included new sections as well as new content in existing sections. New topics this year include the third-party risk landscape, registered index-linked annuities, and extended hours trading. 

Third-Party Risk Landscape 

Firms increasingly depend on third-party vendors for various functions, but this reliance introduces risks, including cyberattacks and outages, which have become more frequent in recent years. Given the critical role third-party vendors play in supporting key systems, disruptions at these vendors could affect multiple firms in the financial industry. As a result, firms are required to establish and maintain a supervisory system, including written supervisory procedures, to ensure compliance with securities laws, regulations like Regulation S-P, and relevant FINRA rules, such as Rules 3110 and 4370. 

FINRA’s findings indicate that firms have failed to manage third-party vendor risks effectively. Key issues include the lack of comprehensive risk management policies, inadequate due diligence on vendors, insufficient validation of data protection controls in contracts, failure to involve vendors in incident response plan testing, not maintaining an updated list of third-party services and components, lacking procedures for data return or destruction at contract termination, and not addressing the risks associated with fourth-party vendors. 

Recommended Best Practices: 

  • Maintaining a list of all third-party vendor-provided services, systems and software components that the firm  
  • Establishing supervisory controls for a third-party technology vendor’s business impact 
  • Evaluating the impact on the firm’s ability to meet its regulatory obligations if the third-party vendor fails to perform the outsourced activity or function 
  • Asking potential third-party vendors if they incorporate Gen AI into their products or services, and, if so, evaluating contracts with these third-party vendors 
  • Reviewing, and as appropriate adjusting, third-party vendor tool default features and settings to meet firm business needs and applicable regulatory obligations  
  • Assessing third-party vendors’ ability to protect sensitive firm and customer non-public information and data 
  • Ensuring that a third-party vendor’s access to systems, data and corporate infrastructure is revoked when the relationship ends 

FINRA also commented on the use of Artificial Intelligence (AI) continuing to expand and cautioned firms to consider how to supervise the use of AI, how to identify and mitigate risks associated with using AI, and how to ensure compliance with applicable regulatory requirements with respect to third-party AI solutions. 

Registered Index-Linked Annuities (RILAs) 

The SEC’s Regulation Best Interest (Reg BI) requires broker-dealers to act in the best interest of retail customers when recommending securities transactions or investment strategies, including annuities. This standard emphasizes that financial interests must not take precedence over the customer’s interests, and compliance cannot be achieved through disclosure alone. FINRA Rule 2330 also applies to the recommendation of deferred variable annuities, requiring firms to maintain supervisory procedures to ensure compliance. The market for registered index-linked annuities (RILAs) has grown rapidly, with sales reaching $47.4 billion in 2023.  

RILAs are complex products tied to index performance, offering a bounded return structure that limits both potential gains and losses. Key characteristics of RILAs include forced liquidation at the end of each crediting period, limited upside participation, and restrictions on investor actions, all of which come with economic trade-offs.  

FINRA’s findings highlight several compliance failures, including inadequate supervisory procedures for FINRA Rule 2330 and Reg BI, recommending unsuitable variable annuity exchanges, Reg BI Care Obligation violations for annuity transactions, insufficient consideration of alternative annuity options, submitting misleading paperwork, and poor record-keeping practices for annuity transactions, especially in high-volume scenarios. 

Recommended Best Practices: 

  • Incorporating into a firm’s WSPs and written policies and procedures heightened policies and procedures for recommendations of RILAs 
  • Providing guidance to associated persons on how to consider whether RILAs and particular features of a RILA are in a retail customer’s best interest 
  • Using exchange disclosure forms to provide the customer with meaningful information about the advantages and disadvantages of the recommended exchange 
  • Providing guidance on how to consider account types and costs when potentially recommending broker-dealer versus advisory annuity contract classes 
  • Using automated tools, exception reports and surveillance to review annuity exchanges; and implementing second-level supervision of supervisory reviews of exchange-related exception reports and account applications 
  • Documenting detailed rationales for exchanges 
  • Standardizing review thresholds for rates of annuity exchanges; and monitoring for emerging trends across registered representatives, customers, products and branches 
  • Engaging with insurance carriers (affiliated and non-affiliated) and third-party data providers (e.g., Depository Trust and Clearing Corporation (DTCC), consolidated account report providers) to confirm their annuity data integrity  
  • Establishing a supervisory system that collects and uses key transaction data 
  • Considering certain key data points when conducting a review of a recommended exchange transaction under FINRA Rule 2330 and Reg BI 

Extended Hours Trading 

As trading in NMS stocks and other securities increasingly extends beyond regular hours, including overnight periods, FINRA has seen more firms offering extended hours trading services. FINRA Rule 2265 requires firms that allow such trading to provide customers with a risk disclosure statement, which must outline at least six specific risks, and be posted on the firm’s website if trading is available online. Firms must also comply with relevant FINRA and SEC rules, such as FINRA Rule 5310 (Best Execution) and FINRA Rule 3110 (Supervision), to ensure proper oversight of extended hours activities. 

FINRA’s findings indicate that firms failed to maintain effective supervisory systems and controls, particularly in identifying and reporting potentially manipulative activities during after-hours trading. Additionally, firms did not report required information from extended hours trading to FINRA’s Trade Reporting Facilities (TRF) or Consolidated Audit Trail (CAT). 

Recommended Best Practices: 

  • Evaluating how extended hours orders are handled, routed and executed in regular and rigorous best execution reviews to confirm that the firm’s practices are reasonably designed to achieve best execution 
  • Reviewing customer disclosures about the risks of extended hours trading to ensure that such disclosures address, at a minimum, the risks enumerated in FINRA Rule 2265; evaluating whether any additional product-specific or other disclosures may be necessary to address other risks related to extended hours trading; and reviewing any customer disclosures about the firm’s customer order handling procedures 
  • Establishing and maintaining reasonably designed supervisory processes that address any unique characteristics or risks of extended hours trading 
  • Evaluating unique operational readiness and customer support needs during overnight hours, as well as the availability of backup trading arrangements during trading sessions that are offered to customers, and considering appropriate communications with customers about potential service interruptions 

FINRA also commented on upcoming trade reporting enhancements for fractional share transactions. Currently, FINRA’s trade reporting rules require firms to report transactions in NMS stocks and OTC equity securities to the appropriate FINRA trade reporting facility within 10 seconds of execution, including the number of shares in the transaction. While fractional shares can be traded, the current reporting facilities do not support fractional quantities, so trades in fractional shares must be rounded up to one share or truncated to the whole number portion, depending on the quantity. FINRA plans to enhance its reporting facilities to support fractional share quantities by adding a new “Fractional Share Quantity” field, where firms will report the entire quantity, including the fractional part, up to six decimal places. Firms that do not trade fractional shares will not need to make any changes to their reporting. 

Perennial Focus Areas – Highlights from FINRA

Reg BI and Form CRS 

Reg BI Findings: Failure to Comply with the Care Obligation, Conflict of Interest Obligation, Disclosure Obligation, and Compliance Obligation 

Form CRS Findings: Deficient Form CRS Filings; Failing to Properly Deliver, Post, and Adequately Amend Form CRS; and Misconstruing Obligation to File and Deliver Form CRS 

Recommended Best Practices: 

  • Including in procedures and processes specific factors related to evaluating costs and reasonably available alternatives to recommended products 
  • Mitigating the risk of making recommendations that might not be in a retail customer’s best interest 
  • Establishing and implementing policies and procedures to address conflicts of interest 
  • Maintaining a record for delivering Form CRS and Reg BI-related documents to retail customers in a timely manner 
  • Providing retail customers with clear, accessible materials that allow them to compare the features, benefits and costs of certain account type recommendations (e.g., rollovers) 
  • Monitoring associated persons’ compliance with Reg BI 
  • Incorporating Reg BI-specific reviews into the branch exam program, in addition to other ongoing monitoring and surveillance 
  • Focusing on areas such as documenting Reg BI compliance and following the firms’ Reg BI written policies and procedures (as part of overall Reg BI compliance efforts) 

Communications with the Public 

FINRA specifically noted certain failures related to both social media influencers and mobile app communications and information. 

Recommended Best Practices: 

  • Maintaining and implementing procedures for the supervision of mobile apps 
  • Monitoring new communication channels, apps and features available to associated persons and customers 
  • Clearly defining permissible and prohibited digital communication channels, tools and features, and blocking those prohibited channels, tools and features  
  • Implementing supervisory review procedures tailored to each digital channel, tool and feature 
  • Developing WSPs and controls for live-streamed public appearances, scripted presentations or video blogs 
  • Implementing mandatory training programs prior to providing access to firm-approved digital channels 
  • Temporarily suspending or permanently blocking from certain digital channels or features those registered representatives who did not comply with the policies 
  • Gen AI technology: 
      • When using Gen AI technology to generate or otherwise assist in creating communications to customers, reviewing to ensure that these communications comply with applicable federal securities laws and regulations and FINRA rules 
      • When using Gen AI technology to create or otherwise assist in creating chatbot communications that are used with investors, ensuring the appropriate supervision of those communications, and retention of those chat sessions, in accordance with SEC and FINRA rules 
      • Ensuring that retail communications that mention AI tools, AI services (e.g., portfolio construction, research) or products that rely on AI management accurately describe how these offerings incorporate AI technology and balance the discussion of benefits with appropriate discussion of risks 
  • Ensuring that communications that promote or recommend income sharing programs to retail investors (e.g., fully paid securities lending programs) accurately and clearly disclose the terms and conditions of the program 

Anti-Money Laundering, Fraud and Sanctions 

FINRA’s findings reveal several deficiencies in firms’ compliance with Customer Identification Program (CIP) and Customer Due Diligence (CDD) requirements. These include misinterpreting CIP and CDD obligations, lacking clear policies and procedures, failing to verify customer identities adequately, and not responding appropriately to red flags. Additionally, firms did not conduct initial and ongoing risk-based CDD, failed to monitor and report suspicious transactions effectively, did not perform adequate independent testing of their Anti-Money Laundering (AML) programs, and provided insufficient training for relevant personnel. 

Recommended Best Practices: 

  • Conducting thorough inquiries when customers—particularly those who may be elderly or vulnerable—request that an unusually significant amount of funds be disbursed to a personal bank account 
  • Reviewing transactions on a firm-by-firm basis to identify patterns of potentially suspicious transactions 
  • Reviewing regulatory updates 
  • Conducting formal, written AML risk assessments that are updated in appropriate situations 
  • Ensuring the firm’s AML procedures are tailored to the services the firm provides 
  • Taking additional steps to verify customers’ identities when establishing online accounts 
  • Delegating AML duties to business units in the best position to conduct ongoing monitoring to identify suspicious activity 
  • Establishing and maintaining an AML training program for appropriate personnel that is tailored to the individuals’ roles and responsibilities 

Although only a handful of topics are featured here, one thing is clear overall: the 2025 FINRA Annual Regulatory Oversight Report highlights the complex and evolving nature of the compliance landscape, placing the onus on firms to implement, adapt, and scale their programs to meet new demands. 

For additional insights, visit FINRA’s website for the full 2025 FINRA Annual Regulatory Oversight Report. 

Have questions about the findings from the 2025 FINRA Annual Regulatory Oversight Report and how your firm can proactively meet new and heightened demands? 

Let’s talk.