2025 is here, and so is FINRA’s 2025 Annual Regulatory Oversight Report (Report). On January 28, 2025, FINRA published the Report, which provides firms with insight into FINRA’s findings from recent observations and examinations. The Report provides new content addressing trends and potential challenges for broker-dealers. The updated content ranges from technology to data security to popular complex financial products, as well as how firms offer services. Here are four highlighted issues firms may want to consider for 2025:
- Cybersecurity risks associated with third-party vendors, including those related to artificial intelligence (AI).
- How Regulation BI interacts with registered index-linked annuities (RILAs).
- Common new investment frauds and how to combat them.
- Extended trading hours.
Third-Party Risks and AI
Firms often rely on third-party vendors for a variety of functions. Those vendors can also introduce risk: a successful cyberattack on a third-party vendor can have ramifications for every firm that depends on it. The Report is explicit on this point: “Firms have an obligation to establish and maintain a supervisory system, including establishing and maintaining written supervisory procedures for any activities or functions third-party vendors perform, that is reasonably designed to achieve compliance with applicable securities laws and regulations.”1 The Report recommends that firms conduct “ongoing due diligence” of a third-party vendor’s information technology and cybersecurity systems. Id. Firms should also implement policies and procedures for deleting the firm’s data from third-party systems once the relationship ends. Firms should even consider monitoring their third-party vendors’ own vendors (i.e., “fourth-party vendors”) that also handle the firm’s data.
This section of the Report also discusses how several firms are using third-party AI vendors. While acknowledging AI’s prevalence, FINRA remains “technologically neutral.” Per the Report, FINRA will “continue to apply [its rules] when firms use Gen[erative] AI or similar technologies in the course of their business just as they apply when firms use any other technology or tools.” Id. Firms must therefore be aware of the risks that come with AI. To address those risks, the Report suggests that firms using AI consider:
- Supervising Gen AI on an enterprise level (as well as by individual associated persons).
- Identifying and mitigating associated risks, like accuracy or bias.
- Determining whether the firm’s cybersecurity program considers both:
  - Risks associated with the firm’s and third-party vendors’ use of Gen AI (e.g., leakage of customer PII and the firm’s proprietary information entered into prompts by employees).
  - Use of technology tools, data provenance and processes to identify the use of AI or Gen AI by threat actors.2
RILAs and Reg BI
The Report notes the rise in popularity of registered index-linked annuities.3 RILA sales stood at $17.3 billion at the end of 2024, a 33% increase from the year before, making 2024 the 11th consecutive record-setting year for RILA sales. FINRA has observed issues with how firms handle RILAs. For instance, some firms did not have written procedures that complied with Reg BI for recommendations of these products. FINRA observed firms recommending RILAs to customers who were already overly concentrated in other illiquid assets. Additionally, brokers were recommending annuity exchanges (from variable annuities into RILAs) that were generally unsuitable for customers based on their objectives, age and similar factors. The Report offers practical tips for drafting heightened written policies and procedures regarding RILAs to ensure Reg BI compliance. Firms should:
- Require registered representatives to document and sign their rationale for a recommendation of a RILA.
- Require a registered principal to review and determine whether they approve of a recommended purchase or exchange of a RILA.
- Have a reviewing principal document and sign the basis for their approval (or rejection) of the recommendation.
- Gather information regarding whether customers have had RILA exchanges within the preceding 36 months.
- Implement surveillance procedures to determine if any of the firm’s associated persons have rates of effecting RILA exchanges that evidence conduct which is inconsistent with Reg BI.
Common Investment Scams
The Report also discusses the rise of fraudsters dealing directly with investors and thereby drawing funds out of victims’ securities accounts. “[I]nvestment fraud is the costliest type of crime tracked by the FBI’s Internet Crime Complaint Center.”4 The Report notes four types of currently common frauds: (1) investment club scams (victims are persuaded through social media to purchase shares of low-volume, thinly traded securities); (2) relationship investment scams (gaining victims’ trust over time through online “personal relationships” and then steering them into fake investments); (3) imposter websites (fraudsters impersonating legitimate broker-dealers to defraud investors); and (4) tech support and support center scams (complex schemes in which bad actors impersonate customer support centers to gain online access to victims’ funds and steal them).
To counter these schemes, FINRA recommends monitoring for abrupt changes in customer behavior that may indicate fraud and educating firm personnel on how to recognize red flags. The Report also recommends that firms train personnel on how to communicate and escalate concerns when they suspect fraud. Per the Report, firms should continue to rely on FINRA Rule 2165 (Financial Exploitation of Specified Adults) to place a temporary hold on suspicious transactions, and on FINRA Rule 4512 (Customer Account Information) to promote the importance of a trusted contact person. Though these scams can affect anyone, elderly individuals are particularly vulnerable, and a trusted contact person can help elderly customers counter these sophisticated schemes.
Extended Trading Hours
Recently, “FINRA has observed a growing number” of firms offering extended trading hours.5 These hours sometimes run overnight, from 8 p.m. to 4 a.m. ET. FINRA Rule 2265 (Extended Hours Trading Risk Disclosure) requires firms to provide a risk disclosure statement to customers before offering extended hours trading. In its recent observations, FINRA found inadequate supervision of extended hours trading practices. The Report therefore offers effective practices, including (1) explaining the inherent risks of extended hours trading (higher volatility, changing prices, lower liquidity, etc.), (2) training staff to handle the unique risks that come with extended hours trading, and (3) ensuring appropriate operational readiness and customer support for these trading hours.
Conclusion
This year, certain financial products, technologies, sophisticated financial schemes, and ways of offering services will keep regulators busy. Firms should review and update policies and procedures to reflect the recommendations set forth in the Report to ensure compliance with the rules, promote customer support and reduce risks.
Footnotes
1. https://www.finra.org/rules-guidance/guidance/reports/2025-finra-annual-regulatory-oversight-report/third-party-risk
2. https://www.finra.org/rules-guidance/guidance/reports/2025-finra-annual-regulatory-oversight-report/third-party-risk#_ai-trends
3. https://www.finra.org/rules-guidance/guidance/reports/2025-finra-annual-regulatory-oversight-report/annuities
4. https://www.finra.org/rules-guidance/guidance/reports/2025-finra-annual-regulatory-oversight-report/aml#_investment-fraud
5. https://www.finra.org/rules-guidance/guidance/reports/2025-finra-annual-regulatory-oversight-report/extended-hours-trading