This quarter’s update reviews the complex and evolving broker-dealer regulatory environment, with a focus on key trends and compliance priorities discussed at the FINRA 2025 Annual Conference. It covers regulatory developments, supervisory best practices, fraud prevention and new obligations impacting broker-dealers, including the Forward initiative and updates on crypto regulation.
Kroll at the FINRA 2025 Annual Conference
Kroll was privileged to attend the highly anticipated FINRA 2025 Annual Conference, and we are excited to share highlights from these insightful panels that underscore the evolving risks and innovative solutions shaping the financial industry.
Communication Supervision Trends and Effective Practices
This panel focused on off-channel communications, evolving risks and practical supervision approaches. FINRA emphasized that it continues to see off-platform communication issues as a significant exam and enforcement priority, with new business lines or shifts into retail channels triggering heightened scrutiny.
Key best practices discussed included:
- Building a culture of compliance: Firms should train employees from day one on what’s permitted and continue to refresh this training to keep pace with technology and business changes. Regular attestations help reinforce expectations.
- Using surveillance tools: Firms can leverage lexicon searches and monitoring systems to flag possible off-channel or unapproved communications. Special attention should be given to underutilized accounts, which might signal that employees are communicating elsewhere.
- Preparing for regulatory focus: FINRA outlined how off-channel concerns often come to light through customer complaints, regulatory intelligence or changes in firm activities. FINRA’s exams are risk based and look for early indicators of poor oversight.
The panel also highlighted the rise in impersonation schemes, where fraudsters mimic firm representatives using scraped Central Registration Depository data and cloned websites. FINRA urged firms to notify their risk-monitoring analyst or file tips if targeted, pointing to recent joint actions with the Securities and Exchange Commission (SEC) and Federal Bureau of Investigation (FBI) that shut down such fraud.
The overall message was clear: With communication channels evolving rapidly, firms must proactively educate, surveil and maintain robust controls to detect and mitigate off-channel risks before they escalate.
Comprehensive Insights: Compliance, Supervision and Trade Surveillance at FINRA 2025
The FINRA 2025 Annual Conference highlighted the intricate interplay across compliance, supervision and risk detection, revealing how market volatility, evolving regulations and operational complexity are transforming the financial services landscape. Panels throughout the event explored how firms are navigating new challenges and leveraging innovation to safeguard investors and maintain market integrity.
Adapting to Market and Regulatory Change
Compliance and legal teams are under unprecedented pressure, as recent surges in market activity have strained internal systems, increased fraud attempts and led to a spike in exception reports. These conditions test the resilience of surveillance and financial crimes functions, demanding sharper focus and coordination across departments. Internal and client communications remain crucial—firms must equip representatives to handle turbulent periods with calm, informed dialogue, reducing the risk of miscommunication. Forward-looking firms are also emphasizing succession planning and teaming arrangements to ensure continuity, especially for aging advisors and clients.
The ever-shifting regulatory landscape is also top of mind. Presenters discussed FINRA’s modernization initiatives and the SEC’s evolving regulatory posture, urging firms to participate actively in shaping new rules. Persistent challenges—like off-channel communications; the supervision of outside business activities; and legacy requirements, such as the $100 gift cap—remind firms of the importance of practical compliance strategies. Technology has improved detection capabilities, but heightened expectations for flawless compliance make it vital to design policies that are robust yet achievable, balancing traditional risks with new arenas like crypto and hybrid work models.
Modern Supervision in a Hybrid World
With the rise of flexible work, supervision programs have evolved considerably. The introduction of residential supervisory locations and the Remote Inspections Pilot Program has brought flexibility to non-branch supervision, as more employees operate outside traditional offices. Large firms now deploy data-driven risk models to prioritize on-site exams where they are most needed, while smaller firms employ more manual but effective methods. Day-to-day supervision—like lexicon reviews, social media checks and regular outreach—remains fundamental, with inspections seen as just one component of a broader oversight strategy.
The pilot program’s early results indicate that remote inspections can be effective, provided that firms assess risk on a case-by-case basis. Most remote inspections have focused on lower-risk sites, and the reporting requirements have proven more manageable than anticipated. As FINRA continues to update rules to reflect current operational realities, firms are encouraged to submit feedback to ensure that future frameworks remain practical and risk based.
Trade Surveillance and Risk Detection
Trade surveillance is becoming more complex as manipulation and fraudulent activity become more sophisticated. The panel spotlighted a surge in small-cap pump-and-dump schemes, account takeovers and advanced options manipulation, often orchestrated by overseas actors through social media, encrypted messaging and AI-powered tactics. Simply relying on post-trade surveillance is no longer sufficient—many organizations now use pre-trade and real-time controls, fostering collaboration among fraud, trading and compliance teams.
Leading firms are embedding risk experts alongside fraud teams and developing data-driven models that overlay behavioral and transactional patterns. Industry-wide partnerships and intelligence sharing—particularly with FINRA and law enforcement—are proving invaluable, as evidenced by joint efforts that have frozen substantial sums in illicit assets mid-scheme. The message is clear: To stay ahead, firms must break down internal silos, refine detection models continuously and remember that strong foundational practices—such as transparent communication and thorough post-mortems—are just as critical as advanced technology.
In sum, the panels converged on a common theme: As the financial industry faces rapidly evolving risks, adaptability, collaboration and commitment to practical, risk-based controls are paramount. These efforts lay the groundwork for the industry’s next chapter, in which innovation and vigilance will go hand in hand.
Harnessing AI and Data: Smart Strategies, Big Risks and Even Bigger Opportunities from FINRA 2025
At the FINRA 2025 Annual Conference, two panels—“Artificial Intelligence: Opportunities and Use by Member Firms” and “How to Use Data to Drive Effective Oversight”—highlighted the industry’s rapid adoption of data-driven technologies and evolving use of AI.
Discussions underscored that firms of all sizes are cautiously exploring generative AI to drive productivity and efficiency, while remaining acutely aware of risks such as data privacy, bias and hallucinations. FINRA shared that over 500 firms are actively developing thousands of generative AI use cases, with summarization and question-answering emerging as top applications. FINRA also stressed best practices, such as avoiding public AI tools that could compromise confidential data, and urged firms to ensure AI use aligns with governance policies.
On the data oversight side, panelists emphasized a decisive shift from having an application-centric mindset to treating data itself as a core product. Large firms described embedding controls, clear definitions and collaborative structures across compliance, legal and technology teams to fully leverage data. FINRA highlighted its own strategy of reducing false positives in surveillance by refining data ingestion and applying advanced analytics to prioritize substantive reviews over broad requests.
Both sessions made clear that success hinges on a strong data foundation, robust governance and a culture that promotes collaboration across business, compliance and analytics. As AI capabilities grow more sophisticated and data tools become more accessible—even to smaller firms—the industry’s focus is on balancing innovation with careful oversight to maximize value while managing emerging risks.
Cybersecurity: Trends and Building Strong Programs
This panel stressed the escalating cyber threat landscape and the need for firms to strengthen defenses and resilience. Speakers from the SEC, FBI, FINRA and industry outlined growing risks from ransomware, AI-enhanced phishing, account takeovers and sophisticated third-party attacks.
The SEC highlighted its new Regulation S-P amendments, requiring incident response programs, customer notifications within 30 days of breaches and oversight of third-party providers. Examinations will soon assess firms’ preparedness, mirroring the approach taken ahead of T+1.
The FBI and FINRA warned of nation-state and criminal actors exploiting privileged accounts, LinkedIn disclosures and internal administrative tools (“living off the land” attacks) to deepen intrusions. They underscored the role of layered defenses, data encryption, continuous third-party monitoring and strong governance.
Best practices included conducting frequent tabletop exercises with leadership, fostering a culture in which cybersecurity is everyone’s responsibility and partnering with regulators, law enforcement and industry peers. Encouragingly, ransomware payments have dropped due to improved defenses, showing that collective action and resilience are starting to pay off.
FINRA Forward
FINRA Forward is a modernization initiative announced in 2025 to update FINRA’s rulebook, provide better compliance resources and enhance cybersecurity defenses. It focuses on removing outdated rules, supporting firms with tailored tools and benchmarking, and launching new programs like the Financial Intelligence Fusion Center to improve threat response, especially for smaller firms. The initiative aims to make regulation more effective and adaptable to today’s evolving risks and technology.
FINRA Forward represents a shift toward a more flexible, risk-based and partnership-oriented regulatory approach, aiming to keep pace with market evolution while equipping firms with clearer insights and stronger tools to protect their businesses and clients.
As part of this initiative, we highlight some of the proposed changes:
FINRA Proposes Expanded Options for Capital Acquisition Brokers (CAB)
FINRA proposes to amend the CAB Rules to expand the list of permissible activities while maintaining investor safeguards. Here are the key changes:
- Broadening the pool of permissible investors for sales of newly issued unregistered securities by allowing “eligible employees” (such as knowledgeable employees under the Investment Company Act of 1940 and certain officers, directors and employees of issuers) to qualify as institutional investors: FINRA views these individuals as sufficiently informed and supported by Regulation Best Interest (Reg BI) and Form CRS protections, so this does not materially impact investor protection.
- Permitting CABs to act as placement agents or finders in secondary transactions of unregistered securities, but only when both the seller and buyer are institutional investors and the transaction qualifies for a registration exemption under the Securities Act: This aims to support capital formation and enhance liquidity without exposing less sophisticated investors.
- Allowing CAB-associated persons to participate in private securities transactions under the same framework that applies to non-CAB broker-dealers: This change addresses operational challenges created by the current prohibition, especially for firms with related M&A broker operations.
FINRA believes these updates will ease regulatory burdens, support efficient capital formation and may encourage more firms to register as CABs, bringing them under greater FINRA and SEC oversight. Importantly, the changes leverage newer investor protections under Reg BI and Form CRS, which were not in place when the original CAB Rules were adopted.
Proposed Rule Change to Amend FINRA Rule 3220 (Influencing or Rewarding Employees of Others)
FINRA has proposed changes to Rule 3220, suggesting an increase in the gift limit from $100 to $250 per person annually. The proposed adjustment accounts for inflation, since the prior limit was set in 1992, and aims to ensure member transparency and compliance. If the SEC approves the proposed rule change, FINRA intends to review the gift limit periodically to determine whether further increases are warranted.
FINRA’s proposed rule change includes a provision authorizing FINRA staff to grant, conditionally or unconditionally, an exemption from any provision of proposed Rule 3220 for good cause, based on all relevant factors and provided that the exemption does not violate the spirit of the rule, which is to protect investor and public interest.
These changes aim to prevent conflicts of interest while allowing reasonable business courtesies.
Enhancing Membership Processes Under FINRA Forward
As part of the broader FINRA Forward initiative, FINRA’s Membership Application Program (MAP) team has already made meaningful changes. The updates are based on input from a recent listening tour with consultants and attorneys who regularly navigate the New Member Application and Continuing Member Application processes. Enhancements include:
- Acknowledging incoming applications promptly, within two business days
- Providing regular status updates and kickoff meetings to set expectations
- Making follow-up requests clearer by referencing prior submissions
- Sending timely updates on policy and process changes to firms and consultants
- Engaging internal stakeholders and subject matter experts early in the review process
Looking ahead, the MAP team will focus on expanding fast-track options, simplifying Standard 3 documentation, improving FINRA Gateway notifications, customizing templates for specific firm models and launching an application feedback mechanism to give firms a direct channel to senior leadership.
These efforts underscore FINRA’s drive to make the membership process more efficient and transparent, ultimately supporting capital formation without compromising investor protections. To learn more about FINRA’s New Membership Application, see our article “Becoming A FINRA Member Firm: Understanding the New Membership Application Process.”
Regulatory Roundup Corner
FINRA’s Long-Awaited Rule 2210 Overhaul
FINRA has proposed a long-anticipated amendment to Rule 2210, marking a significant shift in how broker-dealers communicate with investors. The change would permit the inclusion of performance projections and targeted returns in written communications, specifically in institutional communications and those directed at qualified purchasers.
Previously prohibited, such projections created a regulatory gap between broker-dealers and investment advisors. The amendment aims to harmonize standards across the industry while preserving investor safeguards. Projections will be allowed for specific securities and under defined conditions to ensure transparency and responsible use. This update also provides welcome relief to dually registered firms, which have long faced conflicting standards when operating as both broker-dealers and investment advisors.
The proposal will be filed with the SEC for approval, and a prior version currently under review will be withdrawn. If approved, this change could reshape how firms present investment strategies and expected outcomes to sophisticated investors.
Amendments to Regulation S-P: New Data Protection Obligations for Broker-Dealers
In May 2024, the SEC adopted significant amendments to Regulation S-P, expanding the data privacy and safeguarding requirements for broker-dealers and other covered institutions. The changes mandate that firms maintain robust written policies and procedures for protecting customer information, including clear protocols for incident response. Notably, the amendments introduce a new 30-day customer notification requirement for data breaches involving unauthorized access to sensitive customer data. These enhancements aim to strengthen safeguards of customer records and information, and apply equally to data held by third-party service providers.
In response, FINRA issued a cybersecurity advisory emphasizing that member firms should review and update their written supervisory procedures, vendor oversight practices and breach response plans to ensure compliance with these new standards.
FINRA also encouraged broker-dealers to align their programs with the amended Regulation S-P requirements well ahead of the compliance date, underscoring the regulator’s focus on data security as an essential element of investor protection.
Compliance Date for Broker-Dealers
The SEC has established compliance deadlines for broker-dealers based on entity size. Larger entities must comply within 18 months (December 11, 2025), while smaller entities have 24 months from the publication date in the Federal Register (June 11, 2026). A broker-dealer qualifies as a small entity if on the last business day of its prior fiscal year, it had total capital below $500,000 and was not affiliated with a non-small entity.
If you would like to request additional information or discuss these insights, please do not hesitate to reach out to our experts.