On January 28, the Financial Industry Regulatory Authority (FINRA) published the 2025 update to its annual Regulatory Oversight Report.1 The report collects recent observations and findings from FINRA's oversight programs – Member Supervision, Market Regulation and Transparency Services, and Enforcement – and provides FINRA member firms with a helpful resource to evaluate compliance on a number of cutting-edge topics. Through the report, member firms get to "see what FINRA sees" when it examines firms, conducts enforcement actions throughout the industry, and engages with firms throughout the year in providing regulatory guidance.
While FINRA's report is not new, the 2025 edition is particularly noteworthy. First, it addresses new topics (like third-party risk/vendor management and extended-hours trading) and adds new findings and effective practices for prior topics. But more importantly, the report highlights practices and topics deemed important to FINRA. With Trump's second administration in Washington and the likely change in regulatory priorities from federal securities regulators, coupled with the Supreme Court and other federal court decisions limiting the role of federal administrative agencies, FINRA may very well fill any vacuum of regulation. For these reasons, the topics deemed important to FINRA and the best practices that FINRA highlights and encourages may take on outsized importance. The report is not a list of enforcement priorities (which FINRA published through 2020), but it still provides a helpful window into the topics that FINRA is considering and, therefore, what member firms should similarly consider to the extent applicable to their business.
Using FINRA's Regulatory Oversight Report
Given the wide range of business that FINRA member firms conduct, it is impossible to provide a one-size-fits-all document. Retail firms, for example, will find greater use for topics such as ACH transfer fraud, Regulation BI compliance, and issues relating to senior investors. Institutional firms and firms with trading execution businesses will make better use of guidance on the Market Access Rule and Regulation SHO bona fide market-making compliance. And all firms will benefit from observations on core compliance issues such as books and records, net capital, outside business activities and private securities transactions.
Regardless of the applicable topic, the report is organized as a helpful resource on the topics that it covers and the regulatory requirements applicable to them. A firm currently engaged in a particular subject business can evaluate whether it has experienced or considered any of the emerging threats that FINRA lists. It can conduct a gap analysis of the firm's current supervisory systems and written supervisory procedures to see how the firm supervises the applicable business in the face of those threats. Members can review FINRA's recent findings on topics from two perspectives: if the firm has experienced issues similar to a recent finding, it can evaluate the remedial steps taken and any new policies and procedures implemented. A firm not yet affected by a recent finding can ask "what if" and evaluate whether its supervisory and other systems are well-designed to address or prevent the issue. Further, armed with an answer to the age-old question of "What do other firms do here?," a firm can critically assess the best practices highlighted by FINRA to determine whether the firm can and/or should implement any of them in its compliance and supervisory systems. Above all, the report provides a good opportunity to prompt informed discussion among applicable stakeholders in the organization and a helpful resource to lead that discussion.
New Topics Added to the Report
As described in greater detail below, FINRA added two new sections to the 2025 report to address third-party risks and extended hours trading. FINRA also added information addressing Generative artificial intelligence (AI).
Third-Party Risk Landscape. As noted in the report, cyberattacks on and outages at third-party vendors are on the rise. The report reminds firms that their supervisory obligations extend to activities and functions performed by third-party vendors. FINRA recommends effective practices to address third-party vendor risks, including:
- maintaining a list of third-party vendor-provided services, systems and software components;
- adopting supervisory controls and conducting risk assessments on the effects of a third-party vendor failure;
- taking reasonable steps to help ensure that third-party vendors do not utilize Generative AI in a manner that would ingest the firm's or customers' sensitive information;
- periodically reviewing third-party vendor tool default features and settings;
- assessing third-party vendors' ability to protect sensitive firm and customer non-public information and data; and
- revoking a third-party vendor's access when the relationship ends.
While it is unclear which specific regulatory requirement a firm needs to supervise with respect to the use of third-party vendors, it would certainly be prudent to take the steps described to avoid or minimize any service interruptions or other deficiencies that a third-party vendor might introduce.2
Extended Hours Trading. Trading in US securities markets outside of regular trading hours has become increasingly popular. The report reminds firms that offer extended hours trading to provide their customers with a risk disclosure statement that addresses extended hours trading under FINRA Rule 2265. The report also recommends effective practices to address risks associated with extended hours trading, including:
- conducting best execution reviews that properly evaluate execution quality during extended hours;
- reviewing customer disclosures to help ensure that the disclosures properly address extended hours trading risks;
- establishing and maintaining appropriate supervision that addresses the unique risks of extended hours trading; and
- evaluating operational readiness, customer support and business continuity planning associated with extended hours trading.
Focus on Generative AI. The report focuses on the risk of artificial intelligence and particularly notes how Generative AI can be, and is being, used to further account takeovers and other forms of fraud. The report highlights a number of emerging cybercrime-related threats, including the use of Generative AI to provide fake content and to create malware that can constantly change to avoid detection.
Next Steps
We encourage firms to begin with the report's table of contents to identify the topics most applicable to their business.