While we might not have a crystal ball that lets us see our compliance futures, for the broker-dealer industry, we have the next best thing.
FINRA’s 2025 Annual Regulatory Oversight Report.
Haven’t quite gotten around to reading the full report? In this blog, we’ll highlight some of the most important takeaways from this year’s edition, best practices to meet FINRA expectations, and deep dive into new capabilities coming to the Comply platform that will streamline it all and give you a 360-degree view of compliance at your firm in the process.
What’s in the Report: A Look at the FINRA 2025 Annual Regulatory Oversight Report
While FINRA’s 2025 Annual Regulatory Oversight Report highlighted new areas of focus for the SRO, like third-party risk landscape, it also included several “core” areas of compliance which continue to be sticking points for many firms.
At a high level, the report showcased:
- The need for updated, customized WSPs to address a firm’s unique business practices and functionality
- An evolution of risk across multiple key areas of compliance – think social media influencers in Marketing and Communications with the Public or the ongoing challenge with meeting Books and Records requirements for electronic communications
- The cautious approach many of taking to navigate the use of AI within their firm
- A continued focus on the need for supervisory processes and key reviews of tasks related to AML, OBAs, private securities transactions, and more
One of the most consistent themes across the report? The need for firms to maintain ongoing supervision of critical tasks.
Key Compliance Tasks Your Broker-Dealer Needs on its Calendar
So, what are those tasks exactly? And what best practices can you deploy today to meet those requirements?
Brush Up on Your Books & Records
- Implement a holistic and practical approach to books and records management as part of your compliance program.
- Test your books and records system and review commonly noted deficiencies to avoid similar compliance missteps; use keywords to monitor and surveil for any potential off-channel communications.
- Update the firm’s books and records policies to meet SEC and FINRA requirements and examination expectations, specifically noting any necessary adjustments from newly adopted rules which include books and records requirements.
Thoroughly Review Your Marketing & Advertising
- Confirm that the marketing/communication language contained in your firm’s WSPs is up to date with and reflects the firm’s current practices.
- Regardless of whether your firm engages in additional marketing, materials that are ubiquitous, like business cards or the firm’s website, are considered marketing materials. Because of this, marketing reviews should be conducted before the material is put into use, even if such a review is as simple as confirming the compliance of an individuals’ business cards. Additionally, the firm should perform a retrospective review of selected marketing materials on a periodic basis.
- Review all marketing/communication material on a regular basis to ensure it is free of false, misleading, unwarranted, or promissory statements or claim, as well as ensuring it is fair and balanced (including benefits and risks).
Make Sure Cybersecurity Stays Top of Mind
- Confirm that the firm has obtained the privacy policies and cybersecurity policies of all third-party vendors used to store client information. You can use a vendor due diligence tool for assistance, ideally one that allows vendors to automate documentation sharing and tracking, including documents such as email compliance, data security, and cybersecurity policies.
- Confirm that all clients’ non-public information is protected using locks on file cabinets and password-protected, encrypted electronic storage. Client records – and even the fact that a person is the firm’s client – are considered non-public information.
- Confirm that all client requests for distributions received by email have been verified by a phone call to the client.
- Implement continuous monitoring of network traffic and endpoints. For this type of monitoring, we suggest software offering an inventory of devices used.
Conduct Regular Risk Assessments
- When conducting a risk assessment, the CCO should start by identifying a list of operational and compliance risks within your specific firm. For example, if your firm has onboarded new tech vendors in recent months, cybersecurity may require a more detailed review in your upcoming risk assessment.
- Use FINRA alerts, the 2025 Regulatory Oversight Report, and SEC Risk Alerts specific to broker-dealers to help guide the assessment of potential risks. Firms should be aware that regulators will likely take a closer look at any categories mentioned should the broker-dealer be selected for an audit.
- Following the risk assessment, implement any necessary changes and document remediation efforts.
Other reviews you’ll want to keep in mind?
- Best execution
- Remote office review
- Annual reviews
- Personal securities transactions review
- Vendor due diligence
The key takeaway? Firms have a lot on their plate.
And managing it all requires a comprehensive solution that provides firms with a support structure to maintain day-to-day compliance while also navigating strategic advancements to support a scaling business, evolving regulations, and advancing technologies.
Creating a Compliance Command Center with Comply
Step 1: Create customized WSPs to address your firm’s specific risk and business profile
Off-the-shelf WSPs aren’t cutting it anymore, if they did ever. And with Comply’s Intelligent Policy Builder, you don’t have to run the risk of missing the mark when it comes to your critical documents.
Create, customize, and implement your WSPs…and update them with expert guidance down the line. What makes the policy builder intelligent? Regulatory expertise is embedded within the solution. When a new SEC or FINRA rule passes, Comply’s consulting team will review your existing WSPs and push recommended edits straight to your policy builder – allowing you to review the suggestions, make edits, and publish your changes. It’s that easy.
Step 2: Develop a compliance calendar with critical tasks set at key intervals throughout the year
Let’s face it. Compliance isn’t a part time job you can do at year’s end. And managing all of those critical tasks we talked about above? Requires an advanced system that allows you to manage the juggling act of day-to-day tasks and year-long endeavors.
Comply Program Management for Broker-Dealers (coming Spring 2025) allows firms to streamline this process with an integrated calendar populated based on your firm’s unique business practices and compliance program. And the best part? Key recommendations and updates are proactively provided to you by our regulatory experts.
Comply’s regulatory consulting team will review your firm’s profile and populate your calendars with key dates and activities. You can color code your calendar to help organize your compliance activities and assign tasks directly to your compliance team members.
Step 3: Automate and streamline your annual reviews and risk assessments
Fact: Manual processes are bogging down your team. And as a result? You may not have the time or bandwidth to start your annual review before year-end. Or that risk assessment might just keep falling to the bottom of the list.
The good news? Technology is your new best friend. With an integrated tool that guides you through your Risk Assessments and Annual Reviews (if you’re a dually registered firm) the tool automatically documents results and remediation efforts. Ensuring you don’t have to wonder when you’ll find the time in your busy schedule to conduct your risk assessments.
Compliance may not be as easy as 1, 2, 3…but that doesn’t mean you have to be stuck in the old ways and old days of excel sheet, manual uploads, and perpetual pivot tables. Ready to discover what it means to have a 360-degree view of compliance and risk (and the impact you can bring to your broker-dealer because of it)?