Surveillance, Gen AI, and third-party risk: Key takeaways from FINRA’s Annual Oversight Report for 2025

FINRA has published its Annual Oversight Report for 2025, giving firms a 'heads up' of the regulator's key focus areas for the year, including AI, recordkeeping, and third-party and social media risks.

03 February 2025 8 mins read
By Jennie Clarke

The Financial Industry Regulatory Authority (FINRA) has published its Annual Regulatory Oversight Report for 2025, which sets out the findings from FINRA’s regulatory operations programs in a bid to ensure that FINRA remains transparent about its regulatory observations and activities. At 80 pages long, the report offers invaluable insight into emerging risk areas for financial services – looking at regulatory obligation, instances where FINRA has seen effective practices, and the findings and observations of recent reviews.

Having analysed the findings, three key areas of concern repeatedly arise: Generative AI, third-party risks, and the monitoring and surveillance of emerging communication channels. We’ve summarized the most critical learnings below.

Firm operations: Recordkeeping must evolve, third-party risks should be considered

FINRA’s Oversight Report is broken down into six key chapters:

  1. Financial crimes prevention
  2. Firm operations
  3. Member firms’ nexus to crypto
  4. Communications and sales
  5. Marketing integrity
  6. Financial management

For brevity, we will only cover the chapters containing critical emerging trends, the first of which is “firm operations.” This section looks at myriad areas of organizational practices, including technology management, outside business activities, and senior investors and trusted contact persons.

Of particular interest under the umbrella of “firm operations” is books and records, as well as the third-party risk landscape, which is marked as a new area of focus for 2025.

Third-party risk landscape

FINRA is turning its attention to the third-party risk landscape after observing an “increase in cyberattacks and outages at third-party vendors” – perhaps pointing to the CrowdStrike outage from early 2024. In a bid to mitigate the risks posed by relying on an increasingly complex web of third-party providers, FINRA lists a number of steps firms should consider to enhance their third-party vendor risk management programs, including:

  • Establishing adequate third-party vendor risk management policies
  • Conducting initial or ongoing due diligence of third-party vendors that support systems related to key areas
  • Validating data protection controls in third-party vendor contracts
  • Having procedures that address the return or destruction of firm data at the termination of a third-party vendor contract
  • Addressing third-party vendors’ use of their own vendors (i.e., fourth-party vendors)

Interestingly, as an additional recommendation, FINRA suggests that firms look at whether their third-party vendors incorporate Gen AI into their products or services and, if so, evaluate contracts with those vendors to ensure that they are amended to comply with regulatory obligations.

It adds that:

“Firms contemplating the use of Gen AI tools and technologies may want to consider:

How to supervise the use of Gen AI on an enterprise level (as well as by individual associated persons) and

How to identify and mitigate associated risks, for example, regarding accuracy or bias”

While concerns around Generative AI within financial services are not new, it has become a key theme of FINRA’s annual report, perhaps hinting at a future regulatory focus.

Books and records

Recordkeeping rules are now well established, but continue to be a focus area for U.S. regulators, and FINRA is no exception. Despite longstanding regulatory obligations, FINRA continues to find that firms are not maintaining comprehensive records of electronic communications, including “not retaining, archiving and reviewing non-email communications through firm-approved channels.”

FINRA also highlights that it is seeing “inadequate supervision” including where firms are “not reviewing electronic communications for indications of associated persons’ potential use of off-channel communications.” It has also seen that firms are “not preserving and reviewing business-related text messages,” and that individuals are contacting customers through off-channel platforms, including personal platforms, which fly under the radar.

Communications and sales: Social media and Gen AI risks

Communications and sales pertain to how FINRA-registered firms interact with customers and prospects. Within this chapter, there is a particular focus on how emerging technology and communication channels are affecting those interactions.

Communications with the public

FINRA highlights that there are ongoing issues with inadequate supervision of social media influencers that work with firms. In particular, it notes that firms are:

“Not establishing, maintaining and enforcing a system, including WSPs, reasonably designed to supervise communications disseminated on the firm’s behalf by influencers (e.g. not reviewing influencers’ videos prior to posting on social media platforms; not retaining those videos).”

FINRA again highlights Gen AI technology as a risk and, as an example of effective practice, suggests firms should be reviewing any Gen AI outputs:

“When using Gen AI technology to create or otherwise assist in creating chatbot communications that are used with investors, ensuring the appropriate supervision of those communications, and retention of those chat sessions, in accordance with SEC and FINRA rules.”

Financial crimes prevention: Gen AI as a tool for fraud, social media for misleading investments

Cybersecurity and cyber-enabled fraud

FINRA has observed an increase in the variety, frequency, and sophistication of certain cybersecurity incidents that “represent threats to the financial services industry”. These include ransomware attacks, new account fraud, insider threats, and data breaches. Thematically, there has been a general increase in threat actors obtaining or accessing individuals’ information through the dark web. FINRA highlights that third-party vendors also pose additional cyber threats by “introducing vulnerabilities that can lead to data breaches and supply chain attacks.”

Once again, FINRA highlights that new cyber risks include the use of Generative AI (Gen AI) to enhance cyber crime by creating fake content, developing malware, or leveraging Gen AI models to build malicious tools. The effective practices FINRA has observed in its audits include increased monitoring of the internet for new imposter domains pretending to be registered firms, as well as outbound email monitoring practices that can potentially block sensitive customer information or confidential firm data from leaving the firm.

Anti-money laundering (AML), fraud, and sanctions

FINRA has seen a significant increase in “investment fraud by bad actors targeting investors directly,” chiefly through the use of social media or imposter websites to drive investors towards schemes that – while appearing legitimate – are fraudulent. In some instances, bad actors publish fraudulent social media posts that use the “likeness of well-known finance personalities” to encourage individuals to join “investment clubs.”

Regarding AML, FINRA highlights a long list of weaknesses in the approaches it has observed at firms, including, but not limited to, inadequate verification of customer identities, inadequate responses to red flags (or failure to reasonably review red flags), inadequate testing of AML programs, and inadequate due diligence. More specifically, FINRA has highlighted persistent inadequacies in the ongoing monitoring of suspicious transactions, including:

“Not devoting sufficient resources to suspicious activity monitoring programs, including following a business expansion or a material increase or change in transactions.”

Moreover, firms are:

“Not reasonably reviewing for and responding to red flags, including for patterns of activities that could be indicative of money laundering.”

Once again, FINRA highlights the use of Gen AI as an increasing risk, and encourages firms to communicate these risks with employees and develop policies and controls to mitigate Gen AI as a threat.

Manipulative trading

Under the final pillar of financial crimes prevention is FINRA’s assessment of manipulative trading. Within its findings, FINRA reports that it has seen “surveillance deficiencies,” including where firms are:

“Not establishing and maintaining a surveillance system reasonably designed to monitor for potentially manipulative trading (e.g., potential layering, spoofing, wash trades, prearranged trades, marking the close, odd-lot manipulation) with parameters that are reasonably designed and documented.”

It has also observed that firms are failing to consider external sources for red flags, not reviewing surveillance alerts in a timely manner, and not dedicating sufficient resources to such alert reviews and the associated training.

Key lessons for 2025

Among a swathe of takeaways from the U.S. regulator, there are four key areas that firms should be prioritizing in 2025:

  • Generative AI and social media: Firms should be aware of the risks of Gen AI from a number of different angles. Firstly, firms should incorporate into their programs the risk that Gen AI gives cyber criminals the tools to commit fraud or other criminal activity. Secondly, firms opting to use Gen AI tools within their workflows should be endeavoring to capture and monitor any communications with such tools, such as the prompts users enter. And finally, where firms employ the services of third parties that use Gen AI, they should be cognizant of how these tools are being used and ensure that such operations continue to fit within regulatory expectations. This is also true of emerging social media channels.
  • Surveillance and monitoring programs: Firms should ensure they are devoting enough resources to a system that is well equipped to detect signs of financial crime or money laundering, and should develop that program so it is able to monitor for risks on emerging channels, such as Gen AI and social media.
  • Recordkeeping must evolve with technology: Finally, firms should ensure they are equipped to capture and archive all channels of business communication, not only ‘main’ or regularly used channels such as email. In particular, pay attention to business-related SMS/text messages, and ensure communications are monitored for potential signs of “off-channel” activity.

With FINRA’s focus areas including recordkeeping, AI, and social media risk, it’s vital that firms ensure they’re capturing communications across every channel they use and compliantly archiving that data so it’s ready for regulatory review should FINRA come calling.