The Financial Industry Regulatory Authority, Inc. (“FINRA”) has published its 2025 Annual Regulatory Oversight Report (the “Report”). This year, the Report adds new topics relating to the third-party risk landscape, registered index-linked annuities and extended hours trading. The Report also includes new content on various topics from last year’s report, including cybersecurity, artificial intelligence (“AI”) (including generative AI), investment and Automated Clearing House fraud, FINRA’s Remote Inspections Pilot Program, Residential Supervisory Location designation under FINRA rules, and trade reporting enhancements for fractional share transactions. Finally, the Report highlights new findings and effective practices relating to a wide range of topics covered by FINRA in prior years. In this article we cover four notable additions to the 2025 Report: (1) the use or artificial intelligence; (2) third-party vendors; (3) financial crime prevention; and (4) sales and trading.

1. Third-party Vendors

FINRA has observed a recent uptick in cyberattacks and outages at third-party vendors — i.e., vendors engaged by member firms to handle specific tasks such as preparing confirmations or retaining electronic communications. Given the reliance of the industry on third-party vendors, and the nature of the information those vendors receive, the report emphasizes that a cyberattack or outage at a third-party member could impact FINRA member firms and their customers. FINRA reminds firms to consider implementing supervisory controls for third-party vendors, reviewing, and adjusting vendor offerings to ensure compliance with regulatory obligations (e.g., electronic communication features), and assessing third-party access to sensitive customer information. Additionally, the report highlights the importance of assessing if third-party vendors use generative AI (GenAI) in their products and services. Use of GenAI continues to be a regulatory theme in 2025 and is discussed further below.

2. Artificial Intelligence

Gen AI, which uses machine learning and generative models, continues to be an important focus for FINRA in 2025, and addresses Gen AI in several different topics throughout the report. Member firms should be aware of the increasing risks posed by bad actors leveraging GenAI to conduct sophisticated fraud schemes including using GenAI to create synthetic identities, enhance phishing schemes impersonating firm executives or employees, or create fake websites mimicking legitimate firms to lure victims into transferring funds to fraudulent entities. Additionally, deepfake videos and AI-generated misinformation can be spread on social media to artificially inflate or deflate stock prices, allowing bad actors to profit off market manipulation. To help combat such schemes, the report suggests that firms consider communicating with their employees and customers about the heightened risks related to GenAI and advises on steps employees and customers can take to mitigate these threats.

When communicating with clients and the public, firms using GenAI technology to generate or assist in creating communications to customers should review the subject communications in a manner consistent with their current compliance practices regarding written communications. In addition, FINRA called out the use of “chatbot” sessions with a GenAI tool and the related supervision and recordkeeping considerations of using such tools. Lastly, FINRA noted that member firms should make sure retail communications that mention AI tools, products or services accurately describe the tool and its benefits and risks.

3. Cybersecurity & Financial Crime Prevention

Consistent with prior reports, FINRA again shined a spotlight on cybersecurity issues, noting that it has observed an increase in the variety, frequency and sophistication of certain cybersecurity attacks and incidents that represent threats to the financial industry. The report reminds firms to conduct regular and thorough reviews on account intrusions, engaging senior leadership and external stakeholders in cybersecurity discussions, and ensuring that networks are subdivided into segment networks to restrict the ability of bad actors to move across networks to find valuable data.

The 2025 Report also discusses the importance of a robust anti-money laundering program. Given an increase in investment fraud committed by bad actors who directly engage with investors, enticing them to withdraw funds from their securities accounts, firms should consider monitoring for abrupt behavior changes in its customers, educating both firm personnel and customers about scams, and developing response plans for situations in which the firm identifies that a customer has been victimized.

The Report notes that firms are not adequately monitoring suspicious transactions, including not devoting sufficient resources to suspicious activity monitoring programs, including following a business expansion or a material increase or change in transactions. In the past year, numerous FINRA enforcement actions noted member firms’ failure to scale AML program to the firm’s business growth. FINRA notes that firms should evaluate whether their customer identification program and customer due diligence program policies and procedures are adequately documented, clear, and detailed.

4. Sales and Trading

Multiple firms were fined in the past two years for spoofing-related surveillance cases. In the report, FINRA focuses on surveillance systems reasonably designed to monitor for potentially manipulative trading (e.g., potential layering, spoofing, wash trades, prearranged trades, marking the close, and odd-lot manipulation). FINRA notes that firms should evaluate that their surveillance patterns are reasonably designed toward both their business model and products offered.

Additionally, the report notes the increase in manipulative trading in small cap initial public offerings, like pump-and-dump schemes. In 2024, these schemes primarily involved issuers with operations in foreign jurisdictions. Further, the report notes that these schemes involved social media scams inducing retail investors to purchase shares of the small-cap companies.

With the increase in fractional share trading offerings and capabilities, FINRA also reminds firms that it plans to implement enhancements to the FINRA Facilities to support the reporting of fractional share quantities. While FINRA has not yet given an implementation date, FINRA noted in its March 22, 2024, Trade Reporting Notice that the effective dates will be no earlier than the first calendar quarter of 2025 and will be announced in a future notice.

In summary, the Report highlights key considerations for FINRA member firms’ compliance programs, summarizes noteworthy findings or observations from recent oversight activities, and outlines effective practices that FINRA has observed through its regulatory activities over the past year. Broker Dealers should review the Report and refine their written supervisory procedures to mirror the effective practices highlighted by FINRA in its 2025 Regulatory Oversight Report.