
Key takeaways from the 2025 FINRA Annual Regulatory Oversight Report 

03 Feb 2025

By Eric Beck, Managing Director, U.S.

On January 28, the Financial Industry Regulatory Authority (FINRA) released its Annual Regulatory Oversight Report. As in recent years, the Report broadly covers financial crime prevention, operations, communications and sales, market integrity, and financial management. 

Many of the same topics have appeared in past Reports, including outside business activities, private securities transactions, cybersecurity, books and records, and private placements, to name a few. The repeated inclusion of these and other topics highlights the importance FINRA places on having related compliance programs in place. 

This summary outlines key takeaways on the topics most relevant to our broker-dealer clients. We encourage firms to review the full document available on the FINRA website here. 

Cybersecurity and cyber-enabled fraud

FINRA has observed an increase in ransomware, new account fraud, insider threats, account takeovers, data breaches, imposter sites, and quishing. Emerging threats include Quasi-Advanced Persistent Threats (Quasi-APTs), generative AI (Gen AI) enabled fraud, and cybercrime-as-a-service.

Relevant rules:

  • Reg S-P Rule 30; Reg S-ID; FINRA Rule 4370
  • Any cyber incidents could implicate Rules 4370, 3110, 3129, 17a-3, 17a-4, Reg S-P and Reg S-ID
  • The SEC has adopted updates to Reg S-P that come into effect December 2025 for large firms, and June 2026 for smaller firms

Best practices:

  • Implement effective technology controls, including account intrusion detection, email monitoring, and identity verification for online accounts
  • Monitor the internet for imposter domains and websites
  • Conduct training and phishing exercises
  • Conduct tabletop exercises with internal and external stakeholders
  • Subdivide networks
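As an added illustration of the "monitor the internet for imposter domains" practice above (example code, not part of the FINRA Report or this summary), the following generates common look-alike variants of a firm's domain and flags which entries in a constructed feed of observed domains match one of them. The firm domain, the homoglyph table and the sample feed are all assumed placeholders.

```python
# Constructed placeholder: the firm's legitimate domain (assumption, not from the Report).
FIRM_DOMAIN = "examplebroker.com"

# Representative look-alike substitutions used in imposter domains (assumed subset).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn"}
EXTRA_TLDS = ["net", "co", "org", "info", "biz"]


def lookalike_candidates(domain: str) -> set[str]:
    """Return plausible imposter variants of `domain` (firm's own domain excluded)."""
    label, tld = domain.rsplit(".", 1)
    out = set()
    # 1. Homoglyph swaps: one character at a time replaced with a look-alike
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            out.add(f"{label[:i]}{HOMOGLYPHS[ch]}{label[i + 1:]}.{tld}")
    # 2. Omission: one character dropped
    for i in range(len(label)):
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    # 3. Transposition: two adjacent characters swapped
    for i in range(len(label) - 1):
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        out.add(f"{swapped}.{tld}")
    # 4. Prefixed forms and alternate TLDs
    for prefix in ("secure-", "login-", "my"):
        out.add(f"{prefix}{label}.{tld}")
    for alt in EXTRA_TLDS:
        out.add(f"{label}.{alt}")
    out.discard(domain)
    return out


def flag_imposters(observed: list[str], domain: str = FIRM_DOMAIN) -> list[str]:
    """Return the observed domains that match a look-alike candidate, sorted."""
    candidates = lookalike_candidates(domain)
    normalised = (d.lower().strip(".") for d in observed)
    return sorted(d for d in normalised if d in candidates)


# Constructed sample feed, e.g. newly registered domains from a monitoring service
SAMPLE_FEED = [
    "examplebr0ker.com",        # homoglyph
    "exmaplebroker.com",        # transposition
    "examplebroker.net",        # alternate TLD
    "login-examplebroker.com",  # prefixed form
    "totallyunrelated.org",     # unrelated, must not be flagged
    "examplebroker.com",        # the firm's own domain, must not be flagged
]

if __name__ == "__main__":
    for hit in flag_imposters(SAMPLE_FEED):
        print("possible imposter domain:", hit)
```

Hits would feed the firm's takedown or customer-warning process; the candidate list is a starting point and should be extended as new imposter patterns are observed.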

Anti-money laundering (AML), fraud and sanctions

AML is an ongoing priority for FINRA and this year is no different. Inadequate customer identification, including identifying beneficial owners, is the primary theme included in this section of the report. However, FINRA also reports findings related to red flag monitoring, suspicious transaction monitoring and reporting, and inadequate testing and training. The Report also highlights failures involving investment fraud and ACH fraud.

Relevant rules:

  • FINRA Rule 3310; CIP Rule (31 CFR 1023.220); CDD Rule (31 CFR 1010.230)

Best practices:

  • Review and investigate potentially suspicious withdrawals and transactions
  • Conduct risk assessments
  • Ensure verification of customer and beneficial owner identities
  • Delegate AML responsibilities as needed to those best placed to identify issues
  • Conduct comprehensive training

Third-party risk landscape

A first for the 2025 Report, this topic primarily involves the cybersecurity risk at third-party providers used by firms. As FINRA has noted many times previously, broker-dealers are required to conduct due diligence on their third-party vendors. Such due diligence processes should include an evaluation of the third party’s cybersecurity and technology platforms. Firms have a duty to protect both customer and company data.

Relevant rules:

  • Reg S-P; FINRA Rules 3110 and 4370

Best practices:

  • Establish effective vendor risk management policies, including initial and ongoing due diligence and validation of the vendors’ data protection controls
  • Involve vendors in incident response testing
  • Institute procedures for the return or destruction of firm data at termination of the vendor
  • Evaluate “fourth-party” vendors, i.e. the vendors your vendor uses
  • Revoke vendor access to firm systems at termination

Outside business activities and private securities transactions

A perennial topic on the report and returning this year is supervision of outside business activities (OBAs) and private securities transactions (PSTs). Most compliance personnel know the rules, but OBAs and PSTs still trip up firms, making them easy targets for FINRA examiners.

Many firms misunderstand what is and isn’t a PST. Sometimes referred to as “selling away”, the definition of a PST goes deeper. It includes not only selling securities outside the firm’s platform, but also covers any investment a person makes into a private security. Firms must ensure their people understand the definition, with clear instructions on when and how to report PSTs.

Relevant rules:

  • FINRA Rules 3270, 3280, and 3110

Best practices:

  • Ensure the obligations in Rule 3270.01 are followed to determine whether a disclosed OBA should be a PST and subject to Rule 3280
  • Document approvals and evidence supervision of PSTs
  • Issue questionnaires to registered and associated persons to ensure they have disclosed all OBAs and PSTs
  • Run periodic background checks
  • Monitor registered representatives’ correspondence, social media, online activities, financial records, etc. for evidence of undisclosed OBAs
  • Reinforce training to ensure associated persons understand their disclosure requirements
  • Consider disciplinary actions for failures to disclose

Books and records

Since December 2021, the SEC has fined over 100 firms more than $2.2 billion for failures related to off-channel communications. SEC and FINRA rules require broker-dealers to maintain all written communication related to the business of the firm in a WORM or audit-trail format (see SEA Rule 17a-4(f)). The SEC’s message has been loud and clear: merely prohibiting off-channel communications is no longer enough to be compliant.

FINRA’s findings indicate that firms have not captured all email and non-email electronic communications and have not held such communications for the applicable retention period. The Report also notes that some firms have inadequate supervision and written procedures, have not conducted reviews to detect the use of off-channel communications, and have not properly supervised third-party vendors that archive or conduct reviews.

Relevant rules:

  • SEA Rules 17a-3 and 17a-4; FINRA Rules 3110, 2210, and 4511

Best practices:

  • Test and verify vendors’ abilities to maintain records and to properly review communications
  • Ensure outsourced Financial and Operations Principals (FINOPs) or Chief Compliance Officers (CCOs) have access to all systems necessary to fulfill their obligations
  • Monitor for associated persons’ use of off-channel communications
  • Institute and frequently revise keywords used in email surveillance to specifically search for the use of off-channel communications

Senior investors and trusted contact persons

Exploitation of seniors and vulnerable adults is an ongoing issue for many firms. FINRA has found that firms are not making reasonable attempts to obtain trusted contact person (TCP) information, have failed to document training in this area, and have not conducted internal reviews to identify gaps.

Relevant rules:

  • FINRA Rules 2165, 3241, and 4512

Best practices:

  • Customer outreach to provide education on fraud awareness and the latest scams
  • Track accounts and contact customers for TCP information
  • Institute processes for associated and registered persons to escalate issues to supervisors and compliance teams
  • Conduct training on warning signs

Reg BI and Form CRS

Regulation Best Interest (Reg BI) imposes a best interest standard on broker-dealers when they make recommendations to retail investors. Unlike some other rules, the definition of a retail investor does not take the investor’s net worth into account. Whether or not recommendations are made, firms must provide retail investors with a Form CRS.

FINRA has found that firms have not complied with a variety of requirements under the Care, Conflict of Interest, Disclosure, and Compliance obligations of Reg BI. FINRA also notes that some firms have not filed, delivered, posted to their websites, or amended their Form CRS, and have misconstrued whether the firm is subject to the Form based on its customer base and services.

Relevant rules:

  • Reg BI (SEA Rule 15l-1); Form CRS (SEA Rule 17a-14)

Best practices:

  • Evaluate costs and reasonably available alternatives, and provide clear guidance to registered persons before making recommendations
  • Sample recommended transactions for compliance
  • Establish heightened supervisory processes for recommendations of complex or risky investments
  • Establish and implement policies to address conflicts of interest
  • Implement systems to record the date of Form CRS and other disclosure documents
  • Implement automated alerts and rules to monitor recommendations of account types, recommendations of high-risk or complex products, excessive trading, and recommendations of the same product to a large number of retail customers

Private placements

Sales of private placements are an ongoing FINRA focus area. Firms must perform due diligence on all offerings prior to selling private placements (see Regulatory Notices 23-08 and 10-22). FINRA has found that firms have not identified and disclosed conflicts of interest, have not conducted and/or evidenced adequate due diligence, have misconstrued whether recommendations were made, and failed to comply with SEC rules related to contingent offerings.

Firms are also required to file certain documents for numerous offerings with FINRA prior to offers or sales. FINRA found that firms have failed to make the required filings under Rule 5123, due to misunderstanding the accredited investor exemption.

Relevant rules:

  • FINRA Rules 2111, 3110, 2210, 3280, 5122, and 5123
  • SEA Rules 10b-9 and 15c2-4; Rule 506

Best practices:

  • Institute specific due diligence checklists for certain types of private placements
  • Ensure you identify any “bad actors” as per Rule 506(d) and (e)
  • Ensure due diligence accounts for your own independent research, and that you attempt to identify and mitigate red flags
  • Review the offering terms, including contingencies and the use of escrow accounts
  • Review the use of proceeds
  • Institute targeted training of personnel involved in sales, compliance and filing with FINRA

Market integrity

The Report covers several topics concerning market integrity, including the Consolidated Audit Trail (CAT), best execution, fair pricing of fixed income securities, over-the-counter (OTC) quotations, and market access. These nuanced topics affect certain firms differently, so we encourage reviewing the full report for further information.

Net capital

All firms are required to maintain a specific minimum net capital. Firms can sometimes run afoul of requirements when an affiliate or parent company pays expenses on the firm’s behalf, an issue that can be avoided with a proper expense sharing agreement (see Notice to Members 03-63). FINRA has also focused on proper revenue recognition and ASC 606 in recent years. The Report notes that some firms have had inadequate supervision of net capital issues, have not timely filed financial notifications, have incorrectly applied open contractual commitments, and have failed to record transactions in accordance with GAAP.

Relevant rules:

  • SEA Rules 15c3-1, 17a-3, 17a-5, and 17a-11
  • Financial Accounting Standards Board (FASB) Topic 606

Best practices:

  • Perform ongoing assessments of net capital treatment of assets
  • Ensure moment-to-moment net capital compliance for underwriting commitments
  • Although not included in the report, IQ-EQ notes that firms that collect retainer revenue should institute written procedures related to ASC 606, including when performance obligations are met and revenue can be recognized

How can IQ-EQ help?

While the FINRA report provides guidance on its areas of concern for 2025, it is not an exhaustive list of everything the regulator will review during exams. We recommend that your firm review the complete report and determine the risk areas that are most relevant. 

IQ-EQ provides registration and ongoing compliance services for broker-dealers, as well as Outsourced CCO and Registered Principal services. We have a wealth of experienced professionals, including former FINRA employees, who are ready to assist with all your compliance needs. Find out more about IQ-EQ’s compliance consulting services and get in touch with our experts today. 
