Last week, the Financial Industry Regulatory Authority (FINRA) published its 2025 Annual Regulatory Oversight Report. The 80-page report hits on a number of familiar themes and subjects and includes two new areas of focus: 1) risks arising from the use of third-party vendors, including cybersecurity and data privacy risks, and 2) extended-hours trading services, which have become increasingly common across the industry. FINRA offers new observations regarding registered index-linked annuities (RILAs) in the context of Reg BI obligations. The report also reflects FINRA’s increased scrutiny of risks associated with emerging technologies, with a particular focus on generative artificial intelligence (AI) tools. Additionally, although much of the report repeats items included in prior years, it provides useful, comprehensive checklists reflecting FINRA’s views on the various topics and risk areas covered. Efforts to operationalize some of the items raised can present unique challenges, and we encourage you to reach out to a Sidley contact to talk further about particular concerns raised in the report.
Takeaways
Here, we summarize key takeaways from FINRA’s report, divided into the same categories as the report itself: Financial Crimes Prevention, Firm Operations, Member Firms’ Nexus to Crypto, Communications and Sales, Market Integrity, and Financial Management.
Financial Crimes Prevention
Cybersecurity and Cyber-Enabled Fraud
- The report highlights the need to take precautions against threats involving emerging technologies, including quantum computing and generative AI.
- Firms incorporating quantum computing into internal systems should prioritize cybersecurity and take steps to prevent threat actors who gain access to the firm’s system from using quantum computing to exploit the system further.
- Beware of ways in which bad actors can exploit generative AI. For example, they can create fake content used to trick the firm or customers, malware that changes to avoid system security, or fraudulent new accounts.
Anti-Money Laundering and Fraud
- FINRA expects firms to take reasonable precautions to prevent and detect clients’ falling prey to investment scams. Firms should monitor customer activity for uncharacteristic behavior (including the timing or size of a withdrawal request), educate customers and firm personnel on how these scams occur and how to identify red flags, place holds on customer accounts when appropriate, and develop response plans for instances in which a firm identifies that a customer has been victimized.
- The report highlights an increase in suspicious activity relating to ACH fraud, which can include (i) customers initiating fraudulent ACH reclaims without sufficient funds or (ii) third-party bad actors initiating fraudulent ACH transactions. Effective practices to mitigate the risk of ACH fraud can include requiring additional documentation at account opening and upon initiation of ACH requests, using test deposits to verify that a request connects to a customer’s bank account, and limiting the amount and number of outbound transfers each account can initiate in a specified time period.
Manipulative Trading
- The report highlights several forms of manipulative trading for which firms should account when designing a surveillance program, including — among others — marking the close, mini manipulation, and cross-product manipulative trading schemes (e.g., manipulating the price of a stock to affect the price of related options).
- Ramp-and-dump schemes in small-cap initial public offerings (IPOs) are evolving. For example, these schemes can occur weeks and months after the IPO (as opposed to within the first few days); the price increases tend to originate from nominee accounts; and after purchasing the shares, the nominee accounts may funnel them to foreign omnibus accounts to be liquidated for profit.
Firm Operations
Third-Party Risk Landscape — New Area of Focus
- Due to the financial industry’s reliance on third-party vendors, attempted cyberattacks or other outages at a third-party vendor could affect a large number of firms.
- In designing third-party vendor risk management programs, firms should consider the impact of failures by third-party vendors to perform a function for which they are contracted on the firm’s ability to meet its regulatory obligations and should assess the ability of third-party vendors to protect sensitive firm and customer information and data, including in instances where the third-party vendor uses generative AI.
Technology Management
- Newly adopted amendments to Regulation S-P require customer notification in the case of unauthorized access or use of customer information.
Outside Business Activities and Private Securities Transactions
- FINRA reminds firms that “selling compensation” as it relates to potential private securities transactions (PSTs) must be interpreted to include all direct and indirect financial benefits from PSTs (e.g., receipt of securities and tax benefits) and not just direct compensation such as commissions.
- When evaluating outside business activities (OBAs) and PSTs, firms should not assume that all crypto assets are not securities and should extend assessment of potential OBAs and PSTs to crypto asset-related activities. Firms should expand electronic correspondence review regarding undisclosed crypto asset-related OBAs and PSTs and establish policies, procedures, and controls for these OBAs that include conditions for prohibited crypto asset-related OBAs and explain how the firm will assess whether the activity is a PST (i.e., crypto assets sold in an investment contract).
Books and Records
- Recent amendments to FINRA Rule 2231 impose requirements for customer account statements related to the customer’s externally held assets, including that such assets must be clearly identified and distinguished from assets held at the firm.
Member Firms’ Nexus to Crypto
- Firms should conduct due diligence of unregistered offerings of investment contracts involving crypto assets and understand information including the unregistered offering’s registration exemption, token governance and ownership rights related to token ownership, relevant token and smart contract functionality, and cybersecurity risks to the token’s blockchain protocol.
- Firms should conduct risk-based on-chain reviews when firms or their associated persons accept, trade, or transfer crypto assets and should create procedures addressing performance and documentation of these reviews.
- FINRA expects that retail communications regarding crypto assets will provide a fair and balanced assessment of associated risks, including the speculative nature and significant volatility of crypto assets, the lack of Securities Investor Protection Corporation protections, and fraud risks.
- Firms should identify, segregate, and differentiate communications related to broker-dealer products from those related to third-party or affiliate offerings and crypto asset products and services.
- Beware of market manipulation involving crypto assets, including pump-and-dump schemes, which may be amplified by social media promotions.
Communications and Sales
Communications With the Public
- When firms use mobile applications to communicate with customers, promotional information transmitted through the app must be accurate and fully disclose risks and all material information.
- The report also highlights firm failures to supervise influencers on social media; firms should establish, maintain, and enforce systems reasonably designed to supervise content created or shared by influencers on behalf of the firm.
- FINRA notes that there is an emerging trend of retail communications about RILAs inadequately explaining how RILAs function, the risks attendant to RILAs, and the fees associated with these products.
Annuities Securities Products
- New this year is FINRA’s emphasis on RILAs, for which the report notes the market has grown significantly in recent years. RILAs are complex financial products with distinct characteristics that can affect their performance.
- Written supervisory procedures concerning RILAs must be appropriately tailored to the risk inherent in these products.
- Consider carefully whether a RILA is in the customer’s best interest and provide guidance to associated persons as to whether the structure, interest calculation and credit, renewals, or adjustments affect the suitability of a RILA for that particular customer.
Market Integrity
Extended-Hours Trading – New Area of Focus
- FINRA has observed a growing number of firms offering varying degrees of extended-hours trading services, in some cases including the overnight period from 8 p.m. to 4 a.m. ET. FINRA reminds such firms that permit customers to engage in extended-hours trading online that FINRA Rule 2265 requires them to provide customers with an extended-trading-hours risk disclosure statement that is also posted in a clear and conspicuous manner on the firm’s website.
- The report also emphasizes that firms that participate in extended-hours trading must continue to comply with other applicable Securities and Exchange Commission (SEC) and FINRA rules, including Rules 5310 (best execution) and 3110 (supervision).
- Areas of concern observed by FINRA in connection with extended-hours trading include inadequate supervision for potentially manipulative activity and trade reporting failures.
- Firms should evaluate their supervisory processes and other applicable procedures to account for any unique characteristics of extended-hours trading, including potentially volatile or illiquid market conditions.
Order Routing Disclosures
- FINRA reminds firms that FINRA Rule 6151 (Disclosure of Order Routing Information for NMS Securities) took effect on June 30, 2024, requiring that firms submit to FINRA for publication their Exchange Act Rule 606(a) order routing reports.
- The report highlights the following areas of potential concern in connection with order routing disclosures that firms should be mindful of:
  - publishing incomplete or inaccurate information in quarterly order routing reports (e.g., inaccurately classifying orders, incorrectly disclosing receipt of payment for order flow, only reporting held orders in listed options instead of held and not-held orders)
  - not adequately describing material aspects of a firm’s relationships with disclosed venues
  - insufficiently incorporating by reference another firm’s Exchange Act Rule 606(a)(1) quarterly report
  - not notifying customers in writing of the availability of information specified under Exchange Act Rule 606(b)(1)
  - failing to provide Exchange Act Rule 606(b)(3) not-held reports to customers in a timely manner
  - not establishing or maintaining procedures reasonably designed to achieve compliance with Exchange Act Rule 606
- FINRA encourages firms to provide their Exchange Act Rule 606(a) reports in the same time and format as the report is required to be made publicly available pursuant to Exchange Act Rule 606(a).
- The report also highlights that firms should correct and resubmit erroneous or rejected submissions, confirm that any hyperlinks in their reports are operational, make sure any reports made publicly available by the firm are consistent with those submitted to FINRA, and, for introducing firms that incorporate by reference their clearing firms’ reports, provide complete and current clearing firm information to FINRA.
OTC Quotations in Fixed Income Securities
- FINRA reminds firms that fixed income securities sold in compliance with the Exchange Act Rule 144A safe harbor are subject to permanent exemptive relief from Exchange Act Rule 15c2-11, and on November 22, 2024, the SEC issued a no-action letter, without an expiration date, that extends previously provided relief for certain other fixed income securities.
- The report also identifies areas of concern for firms subject to Exchange Act Rule 15c2-11 to be mindful of, including the following:
  - failures of systems and controls and written procedures to include publications of “quotations” on all systems that meet the definition of “quotation medium” and to all counterparties, including both broker-dealer and non-broker-dealer customers
  - failures to conduct and document an analysis to confirm the accuracy of the firm’s representation that it quotes only in exempt securities
  - failures to implement procedures and controls, including a process for complying with Exchange Act Rule 15c2-11
- Among other effective practices, FINRA encourages firms to periodically reassess Exchange Act Rule 15c2-11’s applicability to the firm’s business activities and maintain reasonable controls and procedures designed to fit the firm’s specific business.
Market Access Rule
- In connection with Exchange Act Rule 15c3-5, the Market Access Rule, FINRA cautions firms that provide market access not to overly rely on multiple, stand-alone risk management controls while failing to consider market access controls in the aggregate. This emphasis on stand-alone versus aggregate risk controls is consistent with recent SEC settlements in this area.
- As other areas of potential compliance concern, FINRA identifies setting pre-trade order limits at unreasonable thresholds; not demonstrating and documenting the reasonability of pre-trade capital, credit, and erroneous order controls; and relying on third-party vendor tools (such as those of an alternative trading system (ATS) or exchange) to apply controls without also performing adequate due diligence concerning the operation of those controls and determining the proper parameters for them.
Fractional Share Trade Reporting
- FINRA advises firms that it expects to implement enhancements to its trade reporting facilities (i.e., TRF, ADF, and ORF) to support the reporting of fractional share quantities in a firm’s last sale trade reports.
- While the report does not specify an implementation date, FINRA notes that it may phase in the implementation of the fractional share reporting enhancements.
- Firms that execute transactions that include a fractional share amount should remain apprised of FINRA’s implementation schedule and any related notices so that they are properly reporting their fractional trades when new trade reporting facility enhancements are activated.
FINRA Requests Extension of Securities Lending and Transparency Engine (SLATE) Launch
- Although not part of the Annual Priorities report, it is noteworthy that just three weeks after the SEC approved FINRA’s proposed rule change to adopt its new Rule 6500 Series (SLATE Rules), FINRA urged the SEC to extend the January 2, 2026, reporting date for covered persons to begin reporting securities loan transaction data to SLATE as well as the date by which FINRA must begin publishing reported information (currently required to commence within 90 days of the reporting date).
- The SLATE Rules, as well as their associated compliance dates, are mandated by Rule 10c-1a under the Exchange Act, which the SEC adopted in October 2023. Notably, FINRA made its petition to the SEC in a January 24, 2025, blog post (available here), which cautioned that the planned launch of SLATE “at the turn of the calendar year could present unnecessary risks and challenges” and be “unduly burdensome.” The blog post further urged the SEC to consider revisiting certain operational aspects of Rule 10c-1a itself.
Financial Management
Net Capital
- In 2024, during examinations focused on net capital compliance at some member firms, FINRA observed issues including, among others, (i) inadequate supervision for net capital compliance and filing timely notices to regulators informing of net capital deficiencies, and (ii) incorrect capital charges for underwriting commitments, including inadequate processes and procedures to determine accurate open contractual commitment (OCC) charges on underwriting commitments.
- Firms should perform a regular assessment to prevent inaccurate recording of revenues and expenses as well as inadequate net capital deductions/charges (e.g., capital charges for nonmarketable securities and marketplace blockage) to confirm the correct classification for net capital purposes.
- The report also suggests that firms establish control processes and maintain current written supervisory procedures relating to moment-to-moment and net capital compliance for underwriting commitments, including ensuring that the firm’s role is clear within the applicable underwriting/purchase agreement as it relates to its role in the underwriting (firm commitment versus best efforts) and establishing processes to track OCCs and calculate and apply correct OCC charges, as required, including ensuring that OCC charges are not incorrectly reduced too early.
Liquidity Risk Management
- Firms should update their liquidity risk management practices, policies, and procedures to align with current business activities, including creating a liquidity management plan that considers, among other things, stability and other characteristics of funding sources (e.g., restrictive covenants or material adverse change clauses within funding contracts that could affect the availability of the funding under certain conditions).
- Conduct stress tests in a manner and frequency that consider the complexity and risk of the firm’s business model, including factors such as material swings in customer cash balances and the potential impact of off-balance-sheet items on the firm’s liquidity needs. Firms should review the reasonableness of their stress test assumptions.
Segregation of Assets and Customer Protection
- The SEC recently adopted amendments, not yet in effect, to Rule 15c3-3 (Customer Protection Rule) to require certain firms carrying at least $500 million of average customer and private activity bonds (PAB) account credit balances to perform their applicable reserve computations daily instead of weekly.
- As part of these changes, the SEC also adopted amendments to Rule 15c3-3 and Rule 15c3-1 (Net Capital Rule) to permit certain broker-dealers that perform daily customer reserve computations — whether required or on a voluntary basis — to decrease the required reduction in aggregate debit balances in the customer reserve formula from 3% to 2%.
- Firms should periodically review adjustments to reserve formula computations for accuracy and compliance with the Customer Protection Rule with involvement from experienced individuals who hold the proper registrations.
- Firms should maintain all relevant documents to support the coding of accounts as customer, PAB, or noncustomer as well as the treatment of accounts as “good control locations” and should perform periodic review to identify newly established accounts and documentation that may need to be updated (such as potential miscoding or out-of-date paperwork) as well as to identify, track, or age suspense items and appropriately “action,” or remediate, segregation deficits and to ensure compliance of bank sweep programs.
- Create and review processes/procedures for checks received and forwarded blotters to confirm they are accurately maintained and contain the necessary information to demonstrate compliance with the applicable Customer Protection Rule exemption.
Some of the emerging trends and new areas of focus are highlighted above; however, the report is 80 pages long and provides detailed information concerning over 20 topics affecting member firms. Because each of these topics presents unique risks and areas of focus by FINRA, the full report should be consulted for more granular information on relevant topics.
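Sidley Austin LLP provides this information as a service to clients and other interested parties for educational purposes only. It may not be construed or relied on as legal advice, or used to create a lawyer-client relationship.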