FINRA Publishes 2025 Annual Regulatory Oversight Report

On January 28, 2025, FINRA published its 2025 Annual Regulatory Oversight Report (the “Report”) as “an up-to-date, evolving resource or library of information for firms” that highlights specific industry trends, new developments and findings, and effective firm practices. The Report builds on the 2024 Report, draws on findings by FINRA’s Member Supervision, Market Regulation, and Enforcement programs, and can serve as a roadmap firms can use to focus on new developments and bolster their compliance programs throughout the year.

Overview

FINRA included two new topic areas for 2025: (1) after hours trading and (2) the “third party landscape” – which focuses on firms’ use of third party vendors and the increase in cyber outage events and attacks FINRA has observed at many of these vendors. FINRA also continues to focus on crypto assets under the category of “member firms’ nexus to crypto.” FINRA also highlighted certain topics in new “callout boxes,” including for AI, quantum computing, and investment fraud. The Report continues to include evergreen topics such as AML, cybersecurity, net capital, communications, and sales practices (including issues related to Reg. BI and Form CRS) along with topics that were new in 2024, specifically OTC quotations in fixed income securities, advertised volume, and market access.

Crypto Assets

FINRA identified potential rule violations relating to member involvement with crypto assets, including with respect to communications, supervision, and AML. FINRA emphasized that firms should understand requirements related to applicable exemptions from 33 Act registration, asset maintenance, wallet access, fund return mechanisms, use of proceeds, token governance, and blockchain protocols. FINRA further highlighted that firms involved in trading crypto assets should conduct risk-based on-chain assessments and establish procedures for when and how these reviews should be performed and documented. Firms offering crypto products should ensure customers understand the differences between brokerage accounts and linked/affiliated crypto accounts, including protections, regulatory oversight, and communication avenues. Additionally, firm communications should provide a fair and balanced presentation of crypto asset risks, including volatility, regulatory protections, and fraud risks, and firms should clearly identify and segregate communications related to broker-dealer products from those related to offerings by affiliates or third parties, when applicable, and clearly explain any regulatory protections available (or the lack thereof).

Financial Crimes

With regard to cybersecurity, AML, and manipulative trading, FINRA highlighted ransomware, new account fraud, imposter sites, and “quishing” – using QR codes to redirect potential victims to phishing URLs. FINRA also noted the use of generative AI by fraudsters to enhance cybercrime by generating fake content and generating malware, and that AI has enabled non-technical bad actors to become sophisticated cybercriminals. FINRA suggested that firms monitor the internet for imposter domains, implement systems that can monitor outbound email and block the release of sensitive information, and enhance periodic training to educate staff on growing and evolving threats.

FINRA also highlighted specific risks related to quantum computing, noting its observations that firms are exploring quantum computing for trade execution optimization, settlement processes, and market simulations. FINRA highlighted the potential for significant cybersecurity risks stemming from quantum computing, for example, the increasing ability of quantum computers to break current encryption standards, and suggested that firms consider related diligence and compliance efforts, such as vendor management, data governance, and supervision when incorporating quantum computing.

Market Integrity

Market Integrity covers the consolidated audit trail, best execution, disclosure of routing information, Reg. SHO, fair pricing in fixed income securities, OTC quotations in fixed income securities, the Market Access Rule, and extended hours trading (this last topic is new in 2025). FINRA noted observations related to insufficient controls, failure to consider additional data, over reliance on vendors, and examples of unreasonable supervision of firm technologies and procedures. For best execution, FINRA frequently observed a lack of assessment of execution in competing markets, lack of review of certain order types, reviews that were not “regular and rigorous,” and failure to address conflicts of interest.

FINRA also highlighted the growing trend of trading beyond regular hours and related key regulatory obligations, such as providing risk disclosures and ensuring compliance with best execution and supervision obligations along with operational readiness.

Firm Operations

FINRA highlights AI in this section, noting its observations that firms are proceeding cautiously with their use of generative AI, generally exploring or implementing third-party vendor-supported AI tools to increase efficiency of internal functions, including summarizing information from multiple information sources into one document, conducting analyses across disparate data sets (e.g., assessing and validating the accuracy of reported transactions with source documentation), and utilizing generative AI for employees to retrieve relevant portions of policies or procedures.

Communications and Sales

FINRA identified a trend relating to potential fraud with respect to private placements of pre-IPO securities. FINRA noted instances of material misrepresentations and omissions in recommendations of pre-IPO securities, including related to selling compensation, and failures to conduct reasonable due diligence or confirm the seller’s access to the shares.

Change is the Constant

FINRA’s priorities are constantly evolving, yet firms can use the Report as a resource to identify and evaluate compliance across key areas of their business before FINRA’s examinations or enforcement teams pay them a visit.  While the Report can be useful in this regard, 2025 is a year of transition at the SEC, and as the federal regulator maps out its own priorities over the coming months, doing so is sure to affect FINRA’s focus on specific topics. This could not be more true than with respect to crypto assets and the manner in which the SEC (and FINRA) plan on regulating that space over the next four years.

 

This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.