Finra Focuses on Outside Vendor Use, Cybersecurity and AML in 2025
The Financial Industry Regulatory Authority on Tuesday touted its focus this year on a number of recurring compliance themes, including broker-dealers’ cybersecurity risks and anti-money laundering controls, while adding some new hot spots, including the selection of third-party vendors, according to its annual regulatory oversight report.
The report is aimed at informing firms about where Finra observes gaps in their compliance programs and increased risks, according to an announcement about the report. Finra’s addition of third-party vendors to the list dovetails with the Securities and Exchange Commission’s efforts to hold investment advisors accountable for outsourcing risks.
“Given the financial industry’s reliance on third-party vendors to support key systems and covered activities, an attempted cyberattack or an outage at a third-party vendor could potentially impact a large number of firms,” the report said.
Based on its examinations, Finra recommends that firms set up “adequate third-party vendor risk management policies” that include “initial or ongoing due diligence” of vendors, validation of their data protection controls and a list of all vendors being used, according to the report.
Finra’s enforcement unit has “more cases to come” on cybersecurity in general, and it will focus broadly on violations of rules that require firms to safeguard the systems holding customer identity data, Bill St. Louis, the head of enforcement for Finra, said on a podcast posted in conjunction with the 2025 report’s publication.
In many cases, Finra’s exam program or the SEC’s efforts had already “called out deficiencies, things that need to be addressed about the firms’ cyber programs,” St. Louis said, but “even after such notice, the firms have experienced numerous cyber incidents that could have been avoided if they had reacted to the red flags that were brought to their attention.”
Much of Finra’s report reiterated concerns from prior years, including firms’ communications with the public, the SEC’s Regulation Best Interest and Form CRS requirements, and anti-money laundering controls.
“[W]e continue to bring a number of significant [AML] cases,” St. Louis said, as he recalled enforcement actions brought last year that alleged violations of customer identification rules and customer due diligence failures. “Essentially, some of those cases involve firms that relied on their systems to comply with those requirements, but the systems weren’t calibrated properly, and there was a lack of testing around those systems that contributed to those failures,” he said.
Neither the report nor St. Louis identified firms by name. The SEC has also been focused on AML issues and fined LPL Financial $18 million for lapses that allowed thousands of accounts to evade compliance requirements.
This year, Finra will also focus on manipulative trading cases, as it did in the previous two years, St. Louis said. “Manipulative trading really undermines the transparency and integrity of the markets by distorting the true nature of the supply and demand,” he added.
The report highlighted some product-specific areas, including registered index-linked annuities, or RILAs. Finra said it would scrutinize how those products are marketed to retail investors, and it expanded the report’s Reg BI-related language to address them, according to the report and St. Louis.
“Sales of RILAs have recently outpaced sales of variable annuities, so it’s important for firms to ensure that their procedures and supervisory systems are set up to ensure recommendations and sales of this product adhere to their requirements under Regulation Best Interest,” St. Louis said.