Securities Enforcement and Regulatory Update
FINRA Issues 2026 Regulatory Oversight Report

On December 9, 2025, the Financial Industry Regulatory Authority (FINRA) released its 2026 Annual Regulatory Oversight Report (2026 Report). The nearly 90-page report highlights emerging risks — including cybersecurity, data privacy, and generative AI (GenAI) — and offers tools and best practices for member firms. It also reemphasizes the perennial focus areas of Regulation Best Interest (Reg BI) compliance, third-party vendor management, best execution, consolidated audit trail (CAT), and compliance with the financial responsibility rules. Below are key takeaways, followed by a deeper dive into notable areas of focus, for some of the topics most relevant for broker-dealers.
Takeaways
FINRA has emphasized that the 2026 Report was released early in response to feedback from member firms. It is important to keep in mind that FINRA considers its oversight reports to be guidance that firms should review to understand how FINRA interprets its rules and to assess member firm compliance with those rules. In particular, the 2026 Report reflects the following important takeaways:
- New technologies bring about new risks, and corporate governance and supervision frameworks need to keep pace.
- Cybersecurity must be prioritized.
- Anti-money-laundering (AML) testing, including evaluation of customer due diligence processes, remains a focus.
- Everything old is new again: Manipulative trading, vendor management, communications and sales, and best execution are evergreen topics for compliance review.
- Certain FINRA rules apply to the activities of firms and their associated persons irrespective of whether the activity involves a security (e.g., crypto).
- Firms must stay on top of changes to financial management and reporting rules and the application of these rules to newer asset or product types, such as crypto.
Notable Areas of Focus
GenAI: Continuing and Emerging Trends
In this newly added section of the 2026 Report, FINRA highlights that it expects firms to assess regulatory compliance obligations before deploying GenAI and to establish governance frameworks to supervise GenAI usage. FINRA offers the following:
- Controls should address hallucinations, bias, cybersecurity risks, and threat-actor use of AI.
- Ongoing human monitoring of model outputs is essential.
- Autonomous AI agents may require novel oversight, including tracking actions and restricting system access.
Financial Crimes Prevention
Cybersecurity and Cyber-Enabled Fraud
FINRA emphasizes that cybersecurity remains a core operational and compliance risk. Firms are expected to maintain robust cybersecurity programs aligned with applicable SEC and FINRA rules, including safeguards for customer information and identity theft prevention. Recent SEC amendments to Regulation S-P require policies to detect, respond to, and recover from unauthorized access to customer data. FINRA identified several key threats targeting both broker-dealers and their customers:
- ransomware and extortion attacks that compromise firm systems and hold data for ransom
- data breaches exposing confidential firm and customer information
- social engineering (phishing, smishing, QR-code “quishing”) leveraging deceptive messages to capture credentials
- new account fraud and account takeovers via stolen or falsified identity information
- imposter sites and social accounts spoofing firms or regulators to defraud investors
- insider threats from employees misusing access
- GenAI-enabled fraud, with threat actors using AI to produce deepfakes, fake IDs, polymorphic malware, and other tools that enable sophisticated cybercrimes
Anti-Money Laundering, Fraud, and Sanctions
- As in prior years, FINRA outlines the expectation that firms will incorporate affirmative practices to detect and mitigate external attempts to defraud the firms’ customers. These practices include, among others, designing risk-based compliance programs to identify red flags of external fraud, educating associated persons and customers on how scams occur, and developing response plans for use if a firm determines a customer has been victimized.
- Firms should review whether their written supervisory procedures (WSPs) clearly delegate AML-related responsibilities to business units or individuals best positioned to identify potentially suspicious activity. Further, firms should arrange independent AML compliance testing and schedule periodic assessments of alerts and exception reports to confirm proper functioning.
Manipulative Trading
- The prevention and detection of manipulative trading is an evergreen focus for FINRA. In the 2026 Report, in addition to reemphasizing points from prior years’ reports, FINRA calls out concerns about small-cap fraud in exchange-listed equities. This particular area has been a prior focus of regulatory guidance and in 2025 became the subject of a now-ongoing targeted examination.
- The report also notes concerns about non-bona-fide trading, front running, and prearranged trading and surveillance for those activities.
- The report highlights findings related to market manipulation surveillance deficiencies, including:
  - failing to implement surveillance systems capable of detecting a range of manipulative trading schemes (e.g., spoofing, layering, wash trades, prearranged trades, marking the close)
  - poorly designed surveillance thresholds and controls — set improperly, not tailored to relevant securities or account types, or not inclusive of both customer and proprietary activity
  - failing to periodically reassess surveillance parameters as their business, customer base, or market conditions change
  - failing to review customer activity for broader patterns of potential manipulation across time periods, customers, or related alerts
  - delaying review of surveillance alerts, lack of adequate staffing or training to evaluate them, or failing to document review findings
Firm Operations — Vendor Management Is Front and Center
- FINRA expects firms to maintain a supervisory system — including written supervisory procedures — that effectively oversees outsourced activities and supports compliance with securities laws, FINRA rules, and Regulation S-P. Firms using or considering third-party vendors should evaluate whether their controls sufficiently supervise outsourced functions, including those subject to Rules 1220, 3110, and 4370. FINRA also notes a rise in cyberattacks and outages involving third-party providers, warning that such incidents can disrupt multiple firms due to industrywide reliance on vendors. FINRA continues to monitor these third-party risks closely.
- When discussing effective practices for vendor management, FINRA notes that firms should conduct thorough initial and ongoing due diligence of third-party vendors supporting critical functions — particularly IT, cybersecurity, and AML — by evaluating vendors’ use of GenAI, confirming that contracts protect sensitive data, and confirming adequate data-protection controls. Firms should maintain inventories of all vendor-provided systems, software versions, and the firm data vendors access or store. They should assess the potential impact of vendor cyber incidents, monitor vendors for vulnerabilities or breaches, and implement strong vendor risk management policies, including risk assessments, contingency plans, and incident-response testing that involves vendors. Firms must also manage contract termination obligations by confirming that firm data is returned or destroyed, revoking vendor access promptly, and evaluating risks posed by any fourth-party providers.
- The report also identifies effective practices for technology management, which is increasingly the focus of examinations and enforcement investigations:
  - Governance: Establish a technology governance framework with clear accountability, oversight, and documented processes (including change, incident, and problem management) in WSPs.
  - Risk assessments: Regularly reassess the firm’s technology risk profile as business and systems evolve and update IT governance accordingly.
  - AI/LLMs: Implement governance or model-risk frameworks for AI/LLM development and use, with strong documentation and data management controls (quality, integrity, retention, security).
  - Identity access management: Enforce least-privilege access, require multifactor authentication, and perform comprehensive access reviews for human and nonhuman accounts.
  - Data backups: Perform regular encrypted, off-network backups and test restoration capabilities.
  - Branch office procedures: Limit branch-managed servers; if permitted, confirm that devices and applications are fully inventoried.
  - Configuration management: Inventory and properly configure desktops, laptops, applications, and servers to firm standards.
  - Cloud adoption: Plan and design cloud-migration processes to facilitate readiness and compliance.
  - Log management: Capture and retain log data from relevant sources based on regulatory and business needs.
  - IT resiliency: Test both firm and vendor controls to confirm that critical systems can maintain acceptable service levels during disruptions.
Crypto — Still a Focus for FINRA
- In contrast to the SEC’s recent examination priorities report, which dropped any mention of crypto issues, digital assets remain an examination focus for FINRA.
- FINRA reiterates much of the material in last year’s report related to crypto and continues to encourage member firms to actively monitor and respond to market, legislative, and policy developments in the digital asset space. The report cites many of the recent SEC developments and guidance that firms need to consider in light of the new regulatory environment.
- Firms should conduct due diligence of unregistered offerings of investment contracts involving cryptoassets and understand information including the unregistered offering’s registration exemption, risk factors, and conflicts of interest disclosed in offering documents or promotional materials, the identities of the initial development team, the total supply of underlying cryptoassets and other tokenomics, relevant token and smart contract functionality, and cybersecurity risks to the token’s blockchain protocol.
- Firms should conduct risk-based, on-chain fraud and AML reviews when firms or their associated persons accept, trade, or transfer cryptoassets and should create procedures addressing performance and documentation of these reviews.
- Firms should take steps to inform customers about the differences between their brokerage account and any affiliated crypto account, including differences in Securities Investor Protection Corporation protections, regulatory oversight, firm supervision, and avenues for customer questions or complaints.
Communications and Sales
Communications With the Public
FINRA continues to focus on risks presented by social media and reminds firms to monitor new communication channels, apps, and features; develop procedures and controls for live-streamed public appearances, presentations, or video blogs; and clearly define permissible and prohibited digital communications channels.
Reg BI, Form CRS, and Private Placements
FINRA continues to focus on compliance with all aspects of Reg BI; among other best practices, FINRA reminds firms to appropriately train associated persons on the features of complex or risky products, implement system enhancements to maintain a clear record for delivery of Form CRS and Reg BI-related documents to customers, and incorporate Reg BI-specific reviews into branch exams.
Private Placements
The report highlights that some firms have failed to conduct reasonable due diligence prior to recommending private placements to retail investors, including by failing to conduct sufficient research on an issuer’s business (particularly in instances where there is a lack of operating history), relying solely on the firm’s past experience with and knowledge of an issuer, and failing to conduct a reasonable investigation of “covered persons” involved in the issuer under Reg D.
Market Integrity
FINRA continues to identify CAT, best execution and order routing disclosures, fixed income fair pricing, extended hours trading, and compliance with the market access rule as areas of importance. Key findings and observations are as follows:
Consolidated Audit Trail (CAT)
- FINRA highlights for firms the SEC’s February 2025 exemptive relief related to the reporting of certain customer information to the Customer and Account Information System (CAIS) and a pending amendment to the CAT National Market System Plan that would eliminate certain CAIS reporting requirements related to customer information. FINRA advises firms to remain apprised of any additional changes proposed to CAT.
- FINRA noted several findings in its examinations of CAT compliance, including the incomplete submission of reportable events, failure to timely repair errors, failure to submit corrections, and inaccurate reporting, among other observations.
- FINRA reminds firms that effective practices related to CAT reporting responsibilities include mapping internal records to reported data, establishing a reasonable supervisory process for appropriately secure customer and account information reporting, and self-reporting if a firm discovers CAT reporting issues.
Customer Order Handling: Best Execution and Order Routing Disclosures
- Best execution and Rule 606 disclosures remain a perennial focus at FINRA, which continues to aggressively investigate these issues as an area of programmatic importance in enforcement.
- Notable findings in the 2026 Report include failing to assess execution quality in competing markets. Indeed, numerous enforcement investigations and publicly announced cases reflect alleged deficiencies in this area. FINRA continues to highlight its concerns about firms’ implementing unreasonable “regular and rigorous” reviews and failing to conduct reviews on an order-type basis, among other issues.
- FINRA continues to observe firms publishing inaccurate or incomplete quarterly 606 reports and has recently issued several formal enforcement actions focusing on this issue.
Financial Management
Net Capital
- FINRA reports continuing net capital compliance deficiencies, including improper revenue/expense accruals, weak processes/supervision for net capital deductions, and inadequate monitoring of moment-to-moment net capital and open contractual commitment (OCC) capital charges on firm underwriting commitments.
- FINRA focused on firms’ ability to demonstrate compliance with OCC charges, including understanding if/when a charge applies and maintaining it through settlement.
- Firms should regularly reassess asset classifications and confirm that revenue-recognition policies are well documented and consistently applied.
- FINRA reiterates previously issued guidance but places explicit emphasis on moment-to-moment capital compliance, including clearly defining the firm’s underwriting role in the underwriting or purchase agreements; establishing processes to track OCCs and apply charges accurately; and maintaining records evidencing when an OCC may be extinguished and the related charge discontinued.
- The SEC’s May 2025 Crypto FAQs address capital charge requirements for proprietary spot bitcoin or ether positions arising from a firm’s facilitating in-kind creations and redemptions of exchange-traded products that invest in spot bitcoin or ether.
Liquidity Risk Management
- FINRA continues to emphasize liquidity and funding risk management as fundamental and has identified weaknesses in firms’ liquidity frameworks, including inaccurate/incomplete Supplemental Liquidity Schedule reporting, such as misreported counterparties and incomplete noncash securities lending data.
- Firms should maintain and update liquidity management practices aligned with current business activities, including liquidity management plans with idiosyncratic and marketwide stress assumptions, stress testing aligned to the risk profile of the firm’s business models, and strong data governance frameworks to support the accuracy/completeness of stress-testing and source data.
Protection of Customer Assets
- The SEC extended the compliance date for firms required as of December 31, 2025, to compute their reserve formula daily under new SEC Rule 15c3-3(e)(3)(i)(B)(1) to June 30, 2026, and permits other firms to elect daily computation with 30 days’ prior notice to their examining authority. Related amendments allow firms using the alternative standard of the Net Capital Rule (Rule 15c3-1(a)(1)(ii)) to decrease aggregate debit items in the computation of the firm’s reserve requirement from 3% to 2%.
- Firms should periodically review reserve formula computation adjustments for accuracy and compliance with the Customer Protection Rule and confirm that qualified and appropriately registered personnel perform/supervise reserve-formula computations and possession-or-control processes.
- The SEC Crypto FAQs clarify that non-special-purpose digital asset broker-dealers may hold customer digital assets in any location qualifying as a “good control location” under Rule 15c3-3 (generally, a bank in accordance with Rule 15c3-3(c)(5)), and firms must maintain documentation evidencing such locations.
- Firms exempt under Rule 15c3-3(k)(2)(ii) must maintain and periodically review checks-received and checks-forwarded blotters to demonstrate compliance with the exemption, including confirming that they “promptly transmit” customer checks payable to the clearing broker-dealer.
Attorney Advertising—Sidley Austin LLP is a global law firm. Our addresses and contact information can be found at www.sidley.com/en/locations/offices.
Sidley provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers. Sidley and Sidley Austin refer to Sidley Austin LLP and affiliated partnerships as explained at www.sidley.com/disclaimer.
© Sidley Austin LLP