Broker-dealers and wealth management firms relying on third-party vendors for critical operations should reassess their oversight policies to mitigate risks related to data security and operational disruptions, according to regulators.
In its latest annual oversight report, FINRA highlights key compliance gaps and emerging risks that firms must address to maintain regulatory integrity.
“Transparency is the foundation of an effective regulatory framework, and that’s our goal with the Regulatory Oversight Report,” says Bill St. Louis, executive vice president and head of enforcement at FINRA. The report serves as both a compliance guide and a preview of regulatory expectations in upcoming examinations.
FINRA’s Future in Question
The report is released amid uncertainty regarding FINRA’s long-term role and authority. Legal challenges threaten its structure, including a lawsuit from a broker contesting an expulsion order on constitutional grounds.
Additionally, FINRA was identified for potential elimination in Project 2025, a conservative policy blueprint created under the Heritage Foundation, which some believe outlines a framework for a second Trump administration. While Trump has distanced himself from the document, several of its key contributors have taken prominent positions in his administration, including Russell Vought, his nominee for director of the White House Office of Management and Budget.
Despite these uncertainties, FINRA remains under the oversight of the Securities and Exchange Commission (SEC) and continues to enforce critical regulatory standards. Given its broad enforcement powers, firms should take its guidance seriously.
Cybersecurity and Vendor Risk
This year, FINRA highlights the growing risks associated with third-party vendors, reflecting a rise in cyberattacks and service outages affecting brokerage firms.
“A cyberattack or outage at a third-party provider could have widespread consequences across the industry,” FINRA warns.
The regulator advises firms to maintain an updated inventory of vendor-provided services, assess the impact of potential service disruptions, and establish contingency plans. FINRA also urges firms to evaluate vendor security practices, including default system settings and the use of generative AI in their technology stack.
AI Under the Regulatory Microscope
Artificial intelligence receives dedicated attention in the report, not as a new concern but as a growing area of regulatory focus. While AI adoption in financial services is expanding, firms are proceeding cautiously, particularly with generative AI tools provided by third-party vendors.
“FINRA has observed that firms are exploring AI applications primarily to enhance internal efficiencies, rather than rushing into full-scale implementation,” the regulator notes.
For firms considering AI deployment, FINRA stresses the importance of supervision at both the individual and enterprise levels. The report advises firms to develop oversight mechanisms to manage risks such as data security breaches and inadvertent exposure of client information.
Regulation Best Interest and Annuities Scrutiny
FINRA continues to focus on brokers’ recommendations to retail clients, reinforcing its role in enforcing Regulation Best Interest (Reg BI), the SEC’s broker-dealer advice standard implemented in 2020.
This year’s report spotlights concerns about the sale of annuities, including registered index-linked annuities (RILAs) and variable annuities. FINRA warns that some firms are pushing these products without proper supervisory measures to ensure they align with clients’ best interests.
Under FINRA Rule 2330, firms must implement robust oversight procedures to monitor annuity sales practices. FINRA stresses that member firms should conduct ongoing surveillance to detect unsuitable recommendations and ensure compliance with regulatory standards.
While FINRA’s authority could face challenges in a shifting political landscape, its regulations remain in force for now, and firms should continue prioritizing compliance to avoid enforcement actions.