
FINRA RELEASES 2026 ANNUAL REGULATORY OVERSIGHT REPORT ADDRESSING RECENT CYBERSECURITY AND GEN-AI BASED THREATS

On December 9, 2025, the Financial Industry Regulatory Authority (FINRA) released its Annual Regulatory Oversight Report (Report) recapping its notable findings and regulatory activities. The Report itself does not create any new legal obligations but rather serves as an informative resource to firms by providing effective practices based on current trends and evolving risks within the industry. The Report supplements FINRA’s goals set forth in its 2025 initiative, FINRA Forward, discussing the need for updated rules to accurately reflect current markets, ways to increase member firm compliance, and, most notably, increased attention directed at cybersecurity and fraud concerns.

Based on FINRA’s observations over the past year, cybersecurity breaches and cyber-fraud tactics continue to pose a significant risk to both member firms and investors. FINRA reports an uptick in sophisticated cybersecurity threats using tactics such as ransomware, extortion events, data breaches, phishing, account takeovers, account impersonations, imposter sites, and relationship investment scams. Recent technological developments have also led to an increase in new Generative Artificial Intelligence (GenAI)-based cyber threats, defined as GenAI-Enabled Fraud. Unlike pre-existing cybersecurity tactics, GenAI is capable of generating fake content, such as audio, video, and imposter sites, and can create polymorphic malware undetectable by software protections.

Apart from the recent cybersecurity and GenAI-based threats, the Report acknowledges the beneficial role GenAI may play for member firms and offers suggested guidelines to minimize potential security risks. The Report recognizes the potential benefits gained from GenAI’s use in conducting a variety of tasks including summarization of information, workflow automation, content drafting, synthetic data generation, and coding. In doing so, however, FINRA highlights several key concerns that should be considered when using GenAI. The Report emphasizes the necessity for firms to have processes in place to minimize the risk of hallucinations (instances where inaccurate or misleading information is generated as factually correct) and biased outputs (instances where skewed information is generated based on outdated or incomplete data). FINRA suggests that firms maintain up-to-date supervisory and monitoring procedures, while also establishing clear guidelines on the use and development of GenAI to ensure the accuracy of outputs.

Despite its clear emphasis on the risks and potential benefits associated with GenAI, the Report confirms FINRA’s technologically neutral position regarding the application of its rules, along with securities laws, to the manner in which firms conduct their business. Firms considering the use of GenAI in their practice should remain vigilant about applicable FINRA regulations to ensure compliance requirements are satisfied. As developments in cybersecurity and GenAI continue to evolve, the existing technologically neutral approach within FINRA’s body of rules may very well begin to shift towards embracing the new wave of hi-tech advancements.