FINRA Annual Regulatory Oversight Report Highlights GenAI and Cyber Threats
In its Annual Regulatory Oversight Report, FINRA identified key compliance risks and effective practices for broker-dealers based on its 2025 examination and enforcement activities.
The report was released earlier than usual to support member firms' annual compliance planning. FINRA said that member firms use the report to identify applicable findings, incorporate topics into risk assessments, perform gap analyses of compliance programs, and for training purposes.
In the report, FINRA covered four major risk areas. First, FINRA addressed generative artificial intelligence, noting that AI agents can autonomously perform tasks but pose risks including hallucinations producing inaccurate information, unauthorized access to sensitive data, and potential manipulation by bad actors. Second, FINRA detailed cybersecurity threats including social engineering attacks targeting firm employees, business email compromise schemes, and SIM swapping attacks against customers. Third, FINRA identified trends in manipulative pump-and-dump schemes involving small-cap exchange-listed equities, particularly those with foreign operations. (Note: FINRA announced that it initiated a targeted examination of firm practices regarding offerings of such issuers in October.) Fourth, FINRA addressed third-party vendor risks, noting an increase in reported cyberattacks and outages at vendors supporting key firm systems.
For each risk area, FINRA outlined effective practices it observed during examinations. These include conducting ongoing due diligence on third-party vendors, maintaining inventories of firm data accessed by vendors, and monitoring vendor services for vulnerabilities.
Commentary
FINRA’s inclusion of a standalone GenAI section is a welcome recognition of a fundamental shift in the industry. The 2026 Report is striking in how practically it treats this emerging technology. Rather than trying to invent an entirely new AI rulebook, FINRA roots GenAI in the familiar pillars of supervision, communications, recordkeeping, and investor protection. That is exactly the approach that gives firms a clear path forward: treat GenAI as one more powerful tool that must live inside the existing control environment, not outside it.
The integration of themes across sections is a quiet but important strength of this Report. The same technologies that enable better surveillance and faster analysis also show up in cyber-enabled fraud, synthetic identity, small-cap manipulation, third-party risk, and senior-investor exploitation. By weaving GenAI into discussions of AML, cybersecurity, third-party vendors, CAT reporting, and liquidity planning, FINRA is encouraging firms to think about AI the way sophisticated practitioners already do: as an enterprise-wide capability that cuts across business lines and control functions and belongs squarely within the core of the compliance program.