
Top FINRA Examination Findings in 2024 and 2025

Omni Online Strategies · 10 min read · Financial Compliance

FINRA's 2025 Annual Regulatory Oversight Report identified recurring deficiency categories that accounted for a disproportionate share of examination findings across the member firm population. These are not hypothetical risks — they are actual findings that resulted in deficiency letters, disciplinary actions, and enhanced supervision undertakings at firms of all sizes in 2023 and 2024.

Supervision Failures Under Rule 3110

Supervision failures remained the most common examination finding category. The specific failures FINRA identified include: Written Supervisory Procedures that do not reflect actual practices (the WSP says supervision works one way; actual practices work differently), supervisors not registered in the appropriate principal category, lack of documentation of supervisory reviews (undocumented supervision is treated as no supervision), and no supervisory system for specific business activities where firms added products or services without corresponding WSP updates.

Off-Channel Communications Recordkeeping

The off-channel communications enforcement wave has extended to mid-size and smaller broker-dealers. FINRA examiners now specifically request samples of electronic communications and ask firms to demonstrate supervisory procedures across all channels including personal devices and messaging applications. Common findings: no WSPs specifically addressing off-channel communications, no technical mechanism for capturing business communications from messaging applications, and no enforcement of existing policies — firms with policies on paper but no enforcement in practice are still cited for a supervisory failure.

AML Program Deficiencies

FINRA's 2025 report identified specific AML weakness areas: suspicious activity monitoring systems not adequate for the firm's specific business model and client profile, customer due diligence failures (inadequate beneficial ownership identification for entity accounts, failure to update CDD when circumstances change), SAR filing failures (not filing in a timely manner or not filing when thresholds were met and red flags were present), and AML training that is outdated or insufficiently specific to the firm's business.

Best Execution Documentation

FINRA Rule 5310 requires firms to seek the most favorable terms reasonably available when executing orders for customers. Findings include: no quarterly best execution review, reviews that consist of a generic affirmation rather than data-driven analysis of routing decisions and execution quality, and failure to document how the firm handles conflicts of interest in routing decisions — particularly where payment for order flow arrangements affect routing.

Third-Party Vendor Risk Management

FINRA observed increased cyberattacks and outages at third-party vendors in 2024. Findings include: no formal vendor assessment process, no WSPs addressing vendor oversight, failure to assess vendor cybersecurity controls before engagement, and no contingency planning for vendor outages or failures. Scrutiny of this area is expected to intensify, as FINRA has specifically cited it as a priority area requiring improved WSPs.

Cybersecurity Program Gaps

The most common cybersecurity findings: no multi-factor authentication for remote access to firm systems or email, no written incident response plan or a plan that has never been tested, inadequate penetration testing frequency, failure to patch known vulnerabilities within a reasonable timeframe, and no procedure for promptly revoking access for terminated employees. These findings require operational remediation, not just policy updates. A cybersecurity policy written in an afternoon needs technical controls that take substantially longer to build.
