
PODCAST

Unpacking the 2025 FINRA Regulatory Oversight Report

January 28, 2025

Because FINRA is a self-regulatory organization, information sharing is key to its pursuit of its mission of investor protection and market integrity. The 2025 FINRA Regulatory Oversight Report provides just that: critical insights to help firms strengthen their compliance and protect investors.

On this episode, hosted by Member Relations and Education Vice President Kayte Toczylowski, FINRA’s regulatory leaders—Executive Vice President and Head of Member Supervision Greg Ruppert, Executive Vice President and Head of Market Regulation and Transparency Services Stephanie Dumont, and Executive Vice President and Head of Enforcement Bill St. Louis—join us to dive into the report’s takeaways and insights for member firms.

Resources mentioned in this episode:

2025 Regulatory Oversight Report

SEC Regulation Best Interest (Reg BI)

5310. Best Execution and Interpositioning

Reg Notice 20-31: FINRA Reminds Firms of Their Supervisory Responsibilities Relating to CAT

Investor Insights: Artificial Intelligence (AI) and Investment Fraud

Episode 168: Investing Wisely in 2025: Avoiding Scams and Achieving Your Financial Goals


Listen and subscribe to our podcast on Apple Podcasts, Google Podcasts, Spotify, YouTube or wherever you listen to your podcasts. Below is a transcript of the episode. Transcripts are generated using a combination of speech recognition software and human editors and may contain errors. Please check the corresponding audio before quoting in print.
 

FULL TRANSCRIPT
 

00:01 - 00:38

Ray Pellecchia: The 2025 FINRA Annual Regulatory Oversight Report provides FINRA member firms with insight into findings from FINRA's regulatory operations programs. The report reflects FINRA's commitment to providing firms with a compliance resource that offers transparency into FINRA's observations. I'm Ray Pellecchia from FINRA Public Relations. And in this special episode of FINRA Unscripted, we'll be joined by the leaders of FINRA’s regulatory operations departments to discuss the main takeaways for our member firms and the investing public.


00:47 - 00:55

Ray Pellecchia: Here to lead the discussion is Kayte Toczylowski, our vice president of Member Relations and Education. Kayte, over to you.


00:55 - 01:41

Kayte Toczylowski: Thank you, Ray. I am delighted to join this discussion because the Regulatory Oversight Report is such an important resource for FINRA member firms. FINRA's purpose with the report is to share our insights and observations so that firms can use the information to enhance their compliance programs, which helps protect investors and further market integrity. Joining us to walk through the report today are the heads of FINRA's three regulatory programs. The head of Member Supervision, Greg Ruppert, the head of Market Regulation and Transparency Services, Stephanie Dumont, and the head of Enforcement, Bill St. Louis. Welcome, everybody, and thank you so much for joining us today for this important conversation.


01:42 - 02:02

Kayte Toczylowski: So, all of you have participated in a FINRA Unscripted in the past, so I know many of our listeners are already very familiar with each of you and what you do here at FINRA. But for those of you that might be new to the program, can you each please reintroduce yourselves and give us a brief background of what you do here at FINRA. So, Greg, can you give us a start?


02:03 - 02:42

Greg Ruppert: Great. Thanks, Kayte. Greg Ruppert, and I lead Member Supervision. We interface with firms from kind of the beginning throughout their lifecycle, starting with the membership application team, through the risk monitoring teams, through exams. And then we have the National Cause and Financial Crimes Detection programs that have the aspects of cause exams, cause investigations, but also some very technical specialty teams. And then an intelligence function that we have as well. I came to FINRA about five years ago from a member firm where I was in their risk department, and then prior to that, I spent a little over 17 years with the federal government, specifically in the FBI.


02:43 - 02:45

Kayte Toczylowski: Great. Thanks, Greg. Bill, what about you?


02:46 - 03:38

Bill St. Louis: Hi, Kayte. Great to be here with you today. I lead FINRA's Enforcement department. I've been the leader of the department since August of last year, and as a leader, I work with my colleagues, 380 of us, investigators, attorneys, data analysts, operations folks, paralegals, and we work with our colleagues in Market Regulation and Member Supervision to receive referrals from those departments and a few other departments and try to reach the right outcome. We work very diligently to assess all of the cases and the facts and the evidence. Many of our cases don't result in formal action, but we do bring formal action where we find it warranted. Prior to my time in Enforcement, I held a number of senior roles in Member Supervision, including co-leading the Risk Monitoring group and being a district and regional director.


03:39 - 03:41

Kayte Toczylowski: Great. Thanks, Bill. And Stephanie?


03:42 - 04:23

Stephanie Dumont: Hi, Kayte. Thanks for having me today. I'm excited to be here and talk about the report. So I lead Market Reg and Transparency Services or MRTS. And, as the name suggests, it consists of two distinct but related areas. Market regulation and transparency services. So on the market regulation side, it's essentially the market surveillance program at FINRA, and it serves as the center of surveillance for the organization. We run patterns or automated scenario detections on the data that we get in that comes through transparency services as well as other facilities like the Consolidated Audit Trail or CAT.


04:23 - 05:04

Stephanie Dumont: So, our surveillance patterns focus on three main areas: market compliance type rules, customer order handling rules, and then market abuse like fraud and pump-and-dumps and insider trading. And then the transparency services side, they operate all the trade reporting facilities. You may be familiar with the equity trade reporting facilities or TRFs as they're called, and the fixed income trade reporting facility, or TRACE. And these facilities collect information for surveillance and other regulatory purposes, as well as make that data transparent and available to the public and other market professionals.


05:04 - 05:24

Stephanie Dumont: And as far as my background personally, I have been with FINRA almost 30 years in a variety of roles, including starting my career here as an investigator in market regulation, then in the general counsel's office doing policy work. And then I took over this role almost four years ago. So happy to be here.


05:24 - 06:21

Kayte Toczylowski: Great. Thank you. And thank you all three for being here with us. So the report, just like our speakers, is going to be very familiar to many of our listeners. But for those of you that might be new to it, it's a very comprehensive resource that describes challenges and risks as well as effective practices to mitigate them, which we've identified through our interactions with firms in regard to FINRA's regulatory operations. So we package this information and share it with firms so that they can leverage it to enhance their compliance programs. So by focusing the industry's attention to key risks and effective practices to mitigate them, the information in the report supports a very healthy broker dealer industry, which in turn supports capital formation and is a primary example of how FINRA helps firms as a self-regulatory organization.


06:21 - 07:16

Kayte Toczylowski: Now, before we dig into the contents of this year's report, I do want to head off a question that I hear quite often from member firms, especially this report is not a priorities letter. Now, FINRA did publish a priorities letter for many years, but this report is definitely broader than that priorities letter. This reflects issues that FINRA regulatory operations staff have seen over the past 12 to 18 months in its package for firms to help them address a broader set of topics within their own compliance programs. So now that we've cleared that up and said what the report isn't, let's dig into what the report is. So let's start off our conversation today with the main messages that each of you want firms to take away from the 2025 report. Greg, let's start with you.


07:16 - 07:50

Greg Ruppert: Great. Thanks, Kayte. And I think the three points I want to talk about land squarely within that unique aspect of us being that self-regulatory organization and taking our empirical evidence from the over thousands exams that we do throughout the year and combine it with our expertise around what risks they're going to be facing firms in the coming year. And that really falls under three things I hear from firms a lot around cybersecurity, fraud and AI. And AI specifically being artificial intelligence and how firms are using that.


07:50 - 08:54

Greg Ruppert: So diving a little deeper on each of these topics. On the cybersecurity front, this report this year, much like last year, where we talked about some of the risks, provides guidance to the key cybersecurity obligations, including the SEC's recent amendments to Reg SP. That really was to enhance the protection of customer clients nonpublic personal information. This year, a little bit of a change. We're splitting the cybersecurity content into two topics: one, cybersecurity and cyber-enabled fraud activity, and the other being technology management. So I would say look for both of those areas. But really as we're talking cyber-enabled fraud, that requires us to go deeper into the fraud topic. So we have a separate topic under fraud that dovetails nicely with the cyber-enabled fraud, where we're monitoring the evolving fraud that's happening, such as investment fraud or investment club fraud, directly targeting investors or people that aren't investors yet, but they're being directed to become investors as part of that fraud. So that would include investment club scams, the relationship affinity type fraud, investment scams.


08:54 - 09:37

Greg Ruppert: But we also talk about ACH fraud, which we've been calling out for a number of years. That's happening both by first party and third party actors, and then the adversarial use of the generative AI in order to amplify the threats to investors and firms. So in that particular area, we're looking at how AI might be a greater risk to firms when criminals are using it. So I would say take a look from a fraud perspective, but then also we'll dive deeper into the AI. Lastly, on the fraud side, I would be remiss if I didn't mention that we're really highlighting guidance around protecting senior investors and vulnerable adults, specifically around investment fraud, but around all types of related fraud type activity.


09:37 - 10:42

Greg Ruppert: It's a key area that we have a high focus on, and therefore we put it in that report. So just ending up real quick on the AI section, we're monitoring the evolution of the generative AI and the industry. We're engaging with firms to better understand what they're using it for, what their compliance challenges. There's definitely a benefit for using generative AI in your day-to-day roles, but we're just also calling out a number of risks that you should be thinking about and looking about in advance of doing that. We intend for our rules to be technologically neutral, and that will continue to apply whether firms use the generative AI or other types of models or other types of technology. So with that, we're able to take what firms are doing and what we're seeing and then provide some effective practices going forward. But look at this in the report, but also stay tuned throughout the year as we'll be providing more information around generative AI on how we're using it, how firms are using it then, but also how the criminal elements are also using it to attack firms, and how we can better help firms protect themselves and their clients.


10:43 - 10:59

Kayte Toczylowski: Great. Thanks, Greg. Right off the bat, three major topics that have such wide applicability across so many different firms within the industry. I don't think any business model is safe from cyber fraud and AI, given the current environment that we're in. Thank you. Stephanie, what about you?


11:00 - 11:29

Stephanie Dumont: Thanks, Kayte. In my space, the market integrity and transparency areas in particular, both of those areas are just foundational to investor confidence and the efficient operation of our market. So as in years past, you're going to see some recurring or even evergreen topics, as well as some new trading and reporting related areas that we want firms to be focused on based on our observations in the report. And I'll call out a few.


11:29 - 12:23

Stephanie Dumont: The first is manipulative trading. So preventing fraud and manipulation, that's of course, a primary focus of ours, and we continue to highlight it in this year's report as well. You see it year after year. In addition to the usual points of emphasis, we've included some new findings this year related to surveillance deficiencies, including around firms' systems for detecting potential layering or spoofing. So while not in the report itself, I'd note that we finalized several public disciplinary actions concerning spoofing this past year, building on a particularly significant case that we finalized in 2023. And this is a key market integrity issue. We'll continue to prioritize it both in our own surveillance and then as well as in our review of firms' supervisory systems.


12:24 - 13:15

Stephanie Dumont: We also included a new highlight this year on manipulative trading and small cap IPOs. So this is an issue we had previously published alerts on, but we observed evolving schemes this past year, particularly involving the use of social media scams and investment clubs. So our market integrity section also has some new findings and practices in our other repeat areas of focus, like the Consolidated Audit Trail, or CAT, as I mentioned earlier. Best execution, Regulation SHO, fixed income, fair pricing and market access rules. A couple of notable takeaways from these recurring topics include our continued focus on best ex, including in the options market, and the need to consider market access controls in the aggregate consistent with SEC guidance.


13:15 - 14:25

Stephanie Dumont: And then the last one I'll talk about briefly is OTC quotations in fixed income securities focused on the compliance with the SEC's Rule 15c2-11. And this is an area that's generated significant discussion over the last several years. And we've recognized that there were challenges with the firms that have been raised. And applying this rule, the 15c2-11 rule to fixed income. And so we felt that this was an area that was important to flag again this year to make sure firms are appropriately prepared for the SEC's requirements. And many of you may know that we note in the report that late last year, in 2024, the SEC did reissue important no-action relief, and that helps provide a clearer path forward for firms by effectively codifying the compliance approach that was in the no-action relief. So this does cover a large swath of bonds, but it doesn't cover everything, and firms should take care to make sure they understand the scope of the relief, both in terms of which bonds it applies to, as well as the scope of bonds that aren't subject to the relief.


14:26 - 14:37

Kayte Toczylowski: Great. Thanks, Stephanie. Very important and timely information. Now, last but not least, Bill, what are the key messages that you want firms to take away from this report?


14:38 - 15:16

Bill St. Louis: Sure. I'll build a little bit on items that Greg and Stephanie raised and touch on a few other issues. So cybersecurity: clearly an important area. We certainly encourage you to look at the report. We've added text there. But cybersecurity has been a focus for FINRA for some time now. It's been the focus of and the subject of regulatory notices, threat intelligence products and the Cyber Threat Briefing series that we host alongside regional FBI offices. We know maintaining a strong cyber program is a large and ever evolving challenge.


15:16 - 15:57

Bill St. Louis: But we have brought some cases in this area, and we have more cases to come in this area. And those cases generally focus on Reg SP and Reg S-ID. Essentially, these are red flags cases where firms are on notice of issues with their controls. They may be on notice because we, our exam program or the SEC exam program has called out deficiencies, things that need to be addressed about the firm's cyber programs. And even after such notice, the firms have experienced numerous cyber incidents that could have been avoided if they had reacted to the red flags that were brought to their attention. You can certainly see more themes reflected in the report.


15:58 - 16:44

Bill St. Louis: On manipulative trading, as Stephanie has noted, we have brought a number of significant spoofing cases, both in 2023 and again in 2024. Manipulative trading really undermines the transparency and integrity of the markets by distorting the true nature of the supply and demand. And in 2023, we brought a significant U.S. Treasury spoofing case. And that case and other manipulative trading cases that we've brought in 2024 really involved supervisory failures, where hundreds of instances of manipulative trading occurred over prolonged time periods. So again, I urge you to take a look at the report and some of the language there and some of the cases that we issued in 2024.


16:45 - 17:32

Bill St. Louis: Another area is CAT reporting. CAT reporting has been around for a while now, but our examination, our surveillance, our reviews of CAT reporting have essentially led to informal discipline in most instances where we have findings of concerns, but there have been some situations, some cases that we've brought, typically involving millions of late reports or inaccurate CAT reporting. And really, the issue in those cases has involved a failure to have adequate supervisory procedures and systems to ensure adequate and compliant CAT reporting. So on that, we urge you to take a look at the report and also to take a look at Reg Notice 20-31, which is certainly mentioned in the report.


17:32 - 18:06

Bill St. Louis: And finally, in the AML space, we continue to bring a number of significant cases. In 2024, we brought a number of cases involving customer identification program, or CIP, failures or CDD failures, customer due diligence failures. Essentially, some of those cases involve firms that relied on their systems to comply with those requirements, but the systems weren't calibrated properly, and there was a lack of testing around those systems that contributed to those failures.


18:07 - 18:27

Kayte Toczylowski: Thanks, Bill. Great information. So already our listeners can see there's so much that's included in this report. I do want to give Greg, Stephanie and Bill a chance also to flag what's new in the report that you should pay particular attention to. So, Greg, why don't we start off with you to flag those items? 


18:27 - 19:28

Greg Ruppert: Thanks, Kayte. One of the new things that I'm really excited to highlight is our inclusion of third-party risk landscape. So often referred to as vendor risk, really we're looking at an increase in the number of cyber attacks and related cyber outages that happen at third-party providers, so not at the member firms themselves. That has a direct impact on our member firms. And it also can have a cascading impact if other firms rely on member firms for services. So the downstream aspect of it is something we're also in tune to. With this, the report presents recurring themes that we've seen in effective practices for countering and dealing with the related third-party risk. So it'll be tied in with our outreach, our surveying related to the third-party vendor research that we've done in the past and we're about to refresh for this year, but it just shows the importance of how FINRA and member firms can work together to address these types of risks that are happening at firms throughout the year. 


19:28 - 19:31

Kayte Toczylowski: Thanks, Greg. Bill, what do you want to flag that's new? 


19:32 - 20:28

Bill St. Louis: Well, this year's report adds two new call out boxes related to registered index linked annuities or RILAs, one related to the product generally and one focused on retail communications concerning RILAs. We've also made a number of additions to the Reg BI section, more generally to address variable annuities and RILAs. Sales of RILAs have recently outpaced sales of variable annuities, so it's important for firms to ensure that their procedures and supervisory systems are set up to ensure recommendations and sales of this product adhere with their requirements under Regulation Best Interest. One issue we continue to observe is around recommendations to replace or exchange a variable annuity with a RILA or with a new variable annuity where proper consideration isn't given to the benefits the customer would be giving up or sacrificing within the exchange. 


20:29 - 20:32

Kayte Toczylowski: Thanks, Bill. And last but not least, Stephanie, what's new that you'd like to flag? 


20:33 - 21:39

Stephanie Dumont: I would like to call out or flag extended hours trading. So it's a new topic in the report this year. And it's an emerging trend that we thought important to highlight given the recent growth and public interest around overnight trading in particular. It's certainly an evolving area as new venues are coming on the scene to support extended trading hours. Our current regulatory areas of focus are manipulative trading, best execution, audit trail reporting, customer disclosures related to overnight trading, and then supervision. And as you can see in the report, we also note several findings as well as effective practices in these areas. And Kayte, I might add, you talked about questions you've gotten in the past on the report. I've gotten the question: If a topic was in last year's and not in this year's, does that mean we don't have to focus on it? No, that is not the case. We only have a finite number of topic areas here. And if one was in last year's but not next year's, that's not an indication that you don't need to worry about it or focus on it.


21:39 - 22:03

Kayte Toczylowski: Great. That's a great piece of information, Stephanie. Very helpful. Thank you for flagging that. Now talking about member firm use of this report, I know that's really important for all of us here at FINRA and ensuring that we're continuously building and improving upon the report each year. So, Greg, can you talk us through a bit of how we do that and the metrics that we use to see how firms are using this information?


22:04 - 23:28

Greg Ruppert: Yeah, sure Kayte. As my colleagues Bill and Stephanie mentioned, this report is chock full of regulatory intelligence information that we think will be valuable to firms from what we're seeing, but also what we're anticipating. So with that, we have the report structured on FINRA's website so that you can specifically look through the items and merely click on the ones that are relevant to your firm and your firm's business model. So if you don't participate or do something related to that activity, you have the ability to skip that move to the next one. And then with that, we have a number of jump sites to dive even deeper into the material. So what we do is we look at the analytics from the approach of what is of interest to our member firms, where are we seeing the most amount of activity from the usage? And then that could gear us next year. So this is an area that receives a high amount of traffic, it's one that's a big interest that could actually also guide us through the year of maybe we should be doing other types of events. Maybe we have a specific panel at the FINRA Annual Conference that you host, Kayte. Maybe we do a webinar. Maybe this is another area we could put out more written materials from that. So we definitely take the feedback through the usage tracking of these particular categories from firms. So it's something we take seriously and we created this year based on what we saw last year. And we'll do the same throughout this year into next year. 


23:29 - 23:52

Kayte Toczylowski: Thank you, Greg, Stephanie and Bill, for joining me to dive into FINRA's 2025 Annual Regulatory Oversight Report. For all of our member firms listening, speaking for Member Relations and Education, I hope that this podcast, as well as the report itself, will be helpful information and resources for your compliance programs. And now back to you, Ray. 


23:53 - 24:20

Ray Pellecchia: Thank you, Kayte, and thank you to all of our panelists. Well, that's it for today's episode of FINRA Unscripted. Listeners, if you don't already, please be sure to subscribe to FINRA Unscripted wherever you listen to podcasts to stay up to date on all our latest episodes. Today's episode was produced by Margherita Beale and me, Ray Pellecchia, and engineered by John Williams. Thank you for listening to FINRA Unscripted. Until next time. 


24:20 – 24:26
Outro Music


24:26 - 24:53

Disclaimer 

Please note FINRA podcasts are the sole property of FINRA, and the information provided is for informational and educational purposes only. The content of the podcast does not constitute any FINRA Rule or amendment or interpretation to such rules. Compliance with any recommended conduct presented does not mean that a firm or person has complied with the full extent of their obligations under FINRA Rules, the rules of any other SRO or securities laws. This podcast is provided as is. FINRA and its affiliates are not responsible for any human or mechanical errors or omissions. Parties may not reproduce these podcasts in any form without the express written consent of FINRA. 
