The most valuable signal in compliance isn’t always what’s new; it’s what keeps showing up. That’s what makes FINRA’s 2025 Oversight Report so revealing. Underneath the new headlines (third-party risks, complex annuities, overnight trading) you’ll find a familiar story: firms still struggling with documentation, supervision, and suitability. But this year, the stakes feel sharper.

Whether it’s a missed escalation on a suspicious disbursement or a Form CRS that hasn’t been touched since launch, regulators are paying closer attention… and expecting firms to do the same. The 2025 report doesn’t just catalog problem areas – it paints a picture of where firms are vulnerable, and where enforcement may follow.

For compliance officers, legal teams, and anyone thinking seriously about regulatory risk, this year’s report is a call to recheck assumptions, recalibrate controls, and rethink how your program shows its work. Let’s break it down!
 

What’s New in 2025: Heightened Scrutiny in Key Operational Areas

 

Third-Party Vendor Risk: Weak Links Under Pressure

FINRA notes a growing concern over firms’ reliance on third-party and fourth-party vendors, especially in the wake of recent cybersecurity breaches and service outages. Many firms failed to maintain updated inventories of vendors, validate contractual data protection measures, or revoke system access upon contract termination. FINRA emphasized the need to comply with Rules 3110 and 4370, as well as Regulation S-P, particularly in contexts where third-party failures could impact customer data security or business continuity (FINRA, 2025 Report).

FINRA recommends that firms develop supervisory controls tailored to vendor dependencies and confirm that Gen AI functionality embedded in third-party tools aligns with regulatory standards. Though Smartria does not currently use AI, vendor oversight remains a central risk management issue across the industry.
 

Registered Index-Linked Annuities: Complex Products, Inconsistent Oversight

Sales of registered index-linked annuities (RILAs) reached $47.4 billion in 2023, marking a 15% increase year over year and a fivefold increase since 2017. RILAs present unique supervisory challenges due to their bounded return structures, forced liquidation features, and complex fee dynamics.

FINRA identified widespread failures to adhere to Reg BI and FINRA Rule 2330, including recommendations not in the customer’s best interest, insufficient disclosure of annuity features, and lack of detailed documentation supporting annuity exchanges. The report urges firms to enhance internal training, enforce exchange-specific disclosures, and use automated systems to flag high-risk transactions.
 

Extended Hours Trading: After-Hours, Afterthought

With some firms now offering overnight trading windows (8:00 p.m. to 4:00 a.m. ET), FINRA has turned its attention to supervision during non-standard trading hours. Rule 2265 requires firms to deliver prominent disclosures about extended-hours trading risks, including reduced liquidity and increased volatility, but many firms fail to meet this requirement.

The report also cites firms for not submitting required reports to the Trade Reporting Facilities (TRF) or Consolidated Audit Trail (CAT). FINRA urges enhanced best execution reviews, clear communication protocols for after-hours disruptions, and contingency planning for systems failures (FINRA Rule 2265).
 

Persistent Challenges Resurfacing in 2025

 

AML, Fraud, and Sanctions Compliance Still Falling Short

Despite years of focus, FINRA continues to observe CIP and CDD deficiencies. In many cases, firms misclassified customer relationships, failed to verify identities thoroughly, and inadequately escalated red flags of suspicious behavior. The 2025 report highlights weak internal testing of AML programs and generic training not tailored to employee roles.

A recurring concern involves disbursements to personal bank accounts, particularly involving elderly or vulnerable customers—a scenario requiring careful inquiry and documentation (FINRA AML Priorities). FINRA recommends formal risk assessments and delegation of transaction monitoring responsibilities to those closest to the customer relationship.
 

Reg BI and Form CRS: Documentation and Disclosure Gaps

Since Reg BI and Form CRS went into effect in 2020, FINRA has documented consistent shortcomings. In 2025, it noted failures in conducting cost comparisons, evaluating alternatives, and mitigating conflicts of interest. Firms also failed to update Form CRS in response to material changes and often lacked records proving delivery to clients.

Examples include unsuitable rollover recommendations and boilerplate disclosures that failed to capture firm-specific risks. FINRA advises integrating Reg BI reviews into branch exams and maintaining detailed logs of disclosure timing and rationale for investment decisions (SEC Reg BI Guidance).
 

Market Integrity and Trading Surveillance: Evolving Manipulation Tactics

Manipulative trading schemes, especially in small-cap IPOs, continue to evolve. FINRA has documented the use of nominee accounts and encrypted social platforms to orchestrate long-term pump-and-dump schemes. Surveillance systems often fail to flag wash trades, layering, spoofing, and prearranged trades.

Firms are encouraged to tailor surveillance thresholds to asset classes, track correlated securities (e.g., ETFs and derivatives), and implement cross-platform monitoring. Compliance with FINRA Rules 3110, 5210, and 5270 remains central to safeguarding market integrity (FINRA Rule 3110).
 

Translating Findings Into Action

 

What This Means for Compliance Programs

The 2025 Oversight Report makes it clear: firms can no longer rely on legacy compliance frameworks to meet modern risks. Compliance officers should conduct firmwide gap analyses, benchmark against FINRA findings, and validate WSPs and documentation trails. Effective programs will engage IT, legal, operations, and supervisory teams in end-to-end oversight planning.

Internal training should extend beyond procedures to include situational judgment, documentation best practices, and real-world case studies. Automated exception reporting, vendor access logs, and audit trail preservation should be prioritized.
 

Preparing for 2025 and Beyond

Looking ahead, compliance will increasingly be defined by documentation, governance, and defensibility. As FINRA continues to issue targeted risk notices and enhance trade reporting requirements (including for fractional shares), firms must scale (not just update) their compliance infrastructure.

The report signals regulators’ intent to hold firms accountable not only for outcomes but also for the reasoning and process behind supervisory decisions.
 

Conclusion: Raising the Bar, Not Just Meeting It

 
The 2025 FINRA Oversight Report reflects a maturing regulatory posture. The goal isn’t reactive compliance but proactive risk governance. For compliance leaders, the task now is to build systems that are responsive, documented, and resilient. Not just compliant. That means embracing the complexity, investing in cross-functional supervision, and remaining ready for what comes next.

For access to the full report and supplemental materials, visit FINRA.org.
