| Priority | 2022 | 2023 | 2024 | 2025 | 2026 |
|---|---|---|---|---|---|
| Financial Crimes Prevention | |||||
| Cybersecurity and Cyber-Enabled Fraud | 10 | 5 | 4 | 3 | 6 |
| Exam Findings | |||||
| Ransomware & Extortion Events | 6 | 3 | 7 | ||
| Data Loss Prevention Programs/Data Breaches | 11 | 6 | 7 | 3 | 7 |
| Phishing, Smishing or Quishing | 3 | 7 | |||
| New Account Fraud | 3 | 7 | |||
| Account Takeovers | 3 | 7 | |||
| Account Impersonations | 7 | ||||
| Imposter Websites | 6 | 3 | 7 | ||
| Relationship Investment Scams | 7 | ||||
| Insider Threats | 6 | 3 | 7 | ||
| Account Access Authentication | 6 | 7 | |||
| New Account Opening Identity Validation | 6 | 7 | |||
| Identity Theft Prevention Program | 6 | 7 | |||
| Inadequate Risk Assessment Process | 11 | ||||
| Insufficient Branch Policies, Controls and Inspections | 11 | 6 | 7 | ||
| Insufficient Training | 11 | ||||
| Insufficient Vendor Controls | 11 | 6 | 7 | ||
| Insufficient Access Control Management | 12 | ||||
| Inadequate Change Management Supervision | 12 | ||||
| Limited Testing and System Capacity | 12 | ||||
| Digital Transformation and the Adoption of Cloud | 7 | 7 | |||
| Log Management Practices | 7 | 7 | |||
| Updating WSPs | 7 | 7 | |||
| Suspicious Activity Report (SAR) Filings | 7 | 7 | |||
| New SEC Cybersecurity Rules | 4 | ||||
| Emerging Risks | |||||
| Vendor Risk | 12 | 6 | |||
| Generative Artificial Intelligence (GenAI)-Enabled Fraud | 10 | 4 | 7 | ||
| Quasi-Advanced Persistent Threats (Quasi-APTs) | 4 | ||||
| Cybercrime-as-a-Service | 4 | 7 | |||
| Anti-Money Laundering, Fraud and Sanctions | 5 | 9 | 11 | 6 | 9 |
| Exam Findings | |||||
| Misconstruing Obligation to Conduct CIP and CDD | 11 | 13 | 7 | 13 | |
| Unestablished/Implemented Policies and Procedures for CIP and CDD | 7 | 13 | |||
| Inadequate Verification of Customer Identities | 11 | 13 | 7 | 13 | |
| Inadequate Due Diligence on Correspondent Accounts of Foreign Financial Institutions | 14 | ||||
| Inadequate Due Diligence | 11 | 13 | 8 | 14 | |
| Inadequate Detection and Responses to Red Flags | 13 | 7 | 13 | ||
| Inadequate Ongoing Monitoring and Reporting of Suspicious Transactions | 7 | 11 | 13 | 8 | 13 |
| Insufficient Staff and Resources | 14 | ||||
| Inadequate Handling of FinCEN Information Requests | 11 | 13 | |||
| Inadequate Training | 9 | 14 | |||
| Insufficient Independent Testing | 7 | 13 | 8 | 14 | |
| Insufficient Compliance With Certain Requirements of the BSA | 7 | ||||
| Emerging Risks | |||||
| Manipulative Trading in Small Cap IPOs | 11 | ||||
| Sanctions Evasion | 12 | ||||
| ACATS Fraud | 13 | ||||
| New Account Fraud | 15 | ||||
| Investment Fraud by Bad Actors Targeting Investors Directly | 6 | ||||
| Continuing Risk: ACH Fraud | 9 | ||||
| Adversarial Use of Generative Artificial Intelligence | 12 | 15 | |||
| Manipulative Trading | 15 | 18 | 13 | 19 | |
| Exam Findings | |||||
| Inadequate WSPs | 16 | 19 | 14 | 20 | |
| Non-Specific Surveillance Thresholds | 16 | 19 | 14 | 20 | |
| Surveillance Deficiencies | 16 | 19 | 14 | 20 | |
| Emerging Risks | |||||
| Manipulative Trading in Small Cap IPOs | 15 | 21 | |||
| Targeted Exam | |||||
| Firms participating in small-cap offerings with business operations in foreign jurisdictions | 22 | ||||
| Crypto Asset Developments | |||||
| Crypto Asset-Related Market Abuse | 23 | ||||
| Targeted Examination on Crypto Asset Retail Communications | 23 | ||||
| Firm Operations | |||||
| Outside Business Activities and Private Securities Transactions | 13 | 18 | 26 | 23 | 32 |
| Exam Findings | |||||
| Incorrect Interpretation of Compensation | 14 | 18 | 26 | 23 | 32 |
| Inadequate Approval Process | 19 | 26 | 23 | 32 | |
| Inadequate Consideration of Need to Supervise | 14 | ||||
| No Documentation | 14 | 19 | 27 | 23 | 32 |
| No or Insufficient Notice and Notice Reviews | 14 | 19 | 27 | 23 | 33 |
| No PST Monitoring/Inadequate Controls | 14 | 19 | 27 | 23 | 33 |
| No Review and Recordkeeping of Digital Asset Activities | 14 | 19 | 27 | 23 | |
| Books and Records | 16 | 20 | 29 | 25 | 34 |
| Exam Findings | |||||
| Misinterpreted Obligations | 16 | 22 | 30 | ||
| Failure to Maintain Email Correspondence | 22 | 30 | 26 | ||
| Failure to Maintain Non-Email Electronic Communications | 26 | 35 | |||
| Failure to Maintain Electronic Correspondence of Part-Time CCOs or FINOPs | 35 | ||||
| Failure to Maintain Converted Records | 22 | 31 | 26 | 35 | |
| No ESM Notification | 16 | ||||
| Inadequate Due Diligence of Third-Party Vendors | 26 | 35 | |||
| Inadequate Supervision of Third-Party Vendors | 27 | ||||
| Inadequate Supervision | 26 | 35 | |||
| Inadequate WSPs | 26 | 35 | |||
| Contacting Customers Through Off-Channel Communications | 30 | 27 | 35 | ||
| Inadequate Reviews | 27 | 35 | |||
| Emerging Risks | |||||
| Direct Mutual Fund Business Risk | 17 | ||||
| Regulatory Events Reporting | 18 | 22 | 31 | ||
| Exam Findings | |||||
| No Reporting to the Firm | 18 | 23 | 32 | ||
| Inadequate Surveillance | 18 | 23 | 32 | ||
| No Reporting to FINRA | 18 | 23 | 33 | ||
| Incorrect Rule 4530 Product/Problem Codes | 18 | 23 | 33 | ||
| Senior Investors and Trusted Contact Persons | 20 | 26 | 34 | 28 | 37 |
| Exam Findings | |||||
| No Reasonable Attempt to Obtain TCP Information | 20 | 26 | 34 | 28 | 38 |
| No Written Disclosures | 21 | 26 | 35 | 28 | 38 |
| No Documented Training | 26 | 35 | 28 | 38 | |
| No Documented Internal Review | 26 | 35 | 28 | 38 | |
| Attempted Circumvention of FINRA Rule 3241 | 35 | 28 | 38 | ||
| Emerging Risks | |||||
| Customer Account Information Risks | 22 | ||||
| Senior Investors | 28 | 29 | |||
| Crowdfunding Offerings: Broker-Dealers and Funding Portals~ | 22 | 28 | 36 | 30 | |
| Exam Findings | |||||
| Failure to Obtain Attestation | 23 | 29 | 37 | 31 | |
| Inadequate Supervision | 31 | ||||
| Missing Disclosures | 23 | 29 | 37 | 31 | |
| Failure to Report Customer Complaints | 23 | 29 | 37 | 31 | |
| Untimely Required Filings | 23 | 29 | 37 | 31 | |
| Not Filing CMAs | 23 | 29 | 37 | 31 | |
| Offering Investment Advice or Recommendations | 29 | 37 | 31 | ||
| Misleading Statements | 29 | 37 | 32 | ||
| Failing to Transmit Funds | 30 | 37 | 32 | ||
| Failing to Take Measures to Reduce Risk of Fraud | 30 | 37 | 32 | ||
| Issues Regarding Maintenance and Transmission of Funds | 32 | ||||
| Member Firms' Nexus to Crypto | |||||
| Exam Findings | |||||
| Communications with the Public | 33 | 41 | |||
| Supervision | 33 | 42 | |||
| Private Securities Transactions of an Associated Person | 42 | ||||
| Outside Business Activities of Registered Persons | 42 | ||||
| Anti-Money Laundering (AML) Compliance Programs | 33 | 42 | |||
| Customer Account Transfer Contracts | 42 | ||||
| Standards of Commercial Honor and Principles of Trade | 42 | ||||
| Emerging Risks | |||||
| Crypto Asset-Related Market Abuse | 35 | ||||
| Communication and Sales | |||||
| Communications with the Public | 30 | 39 | 39 | 37 | 45 |
| Exam Findings | |||||
| False, Misleading, Inaccurate or Unbalanced Information in Mobile Apps | 32 | 41 | 40 | 37 | 44 |
| Inadequate Supervision of Firms' Social Media Influencers and Failure to Retain Records | 37 | 45 | |||
| Inadequate Reviews of Electronic Communications | 46 | ||||
| Deficient Digital Assets Communications | 33 | 41 | 40 | 40 | |
| Municipal Securities Advertisements | 41 | 41 | 41 | ||
| Communications Promoting ESG Factors | 41 | 41 | 41 | ||
| Misrepresentations in Cash Management Accounts Communications | 33 | ||||
| Insufficient Supervision and Recordkeeping for Digital Communication | 33 | ||||
| No WSPs and Controls for Communication That Use Non-Member or OBA Names (so-called “Doing Business As” or “DBA” Names) | 33 | ||||
| Municipal Securities Advertisements | 33 | ||||
| Emerging Risks | |||||
| Retail Communications Focused on Registered Index-Linked Annuities | 37 | ||||
| Targeted Exam Letter on Crypto Asset Retail Communications | 43 | ||||
| Reg BI and Form CRS | 24 | 31 | 43 | 39 | 47 |
| Exam Findings | |||||
| WSPs That Are Not Reasonably Designed to Achieve Compliance with Reg BI and Form CRS | 26 | ||||
| Inadequate Staff Training | 26 | ||||
| Failure to Comply With Care Obligation | 27 | 34 | 47 | 39 | 47 |
| Failure to Comply with Conflict of Interest Obligation | 34 | 47 | 40 | 48 | |
| Not Identifying and Addressing All Potential Conflicts of Interest | 35 | ||||
| Failure to Comply with Disclosure Obligation | 35 | 48 | 40 | 48 | |
| Failure to Comply with Compliance Obligation | 35 | 48 | 40 | 49 | |
| Improper Use of the Terms "Advisor" or "Adviser" | 27 | ||||
| Insufficient Reg BI Disclosures | 27 | ||||
| Deficient Form CRS Filings | 27 | 36 | 48 | 41 | 50 |
| Failing to Properly Deliver Form CRS | 36 | 49 | 41 | 50 | |
| Form CRS Not Posted Properly on Website | 27 | 36 | 49 | 41 | 50 |
| Inadequate Form CRS Amendments | 27 | 36 | 49 | 42 | 50 |
| Misconstruing Obligation to File Form CRS | 28 | 36 | 49 | 42 | |
| Private Placements | 35 | 44 | 51 | 44 | 53 |
| Exam Findings | |||||
| Inadequate Filings Procedures | 36 | 45 | 52 | 44 | 54 |
| Failing to Conduct Reasonable Investigation | 36 | 45 | 52 | 45 | 54 |
| Failure to Evidence Due Diligence | 53 | 45 | 54 | ||
| Improper Discharge of Reg BI Obligations | 54 | ||||
| Failure to Comply with SEC Rules Regarding Contingency Offerings | 45 | 54 | |||
| Concerning Third-Party Due Diligence | 36 | ||||
| Emerging Risks | |||||
| Private Placements Offerings of Pre-IPO Securities | 45 | 55 | |||
| Conservation Donation Transactions Risks | 38 | ||||
| Annuities Securities Products | 39 | 46 | 55 | 46 | 56 |
| Exam Findings | |||||
| WSPs | 47 | 56 | |||
| Exchanges | 48 | 57 | |||
| Reg BI Care Obligation Violation | 48 | 57 | |||
| False or Misleading Documentation | 48 | 57 | |||
| Not Addressing Buyouts | 40 | 47 | 56 | ||
| Unsuitable Exchanges | 40 | 47 | 56 | ||
| Inadequate Surveillance | 56 | ||||
| Insufficient Training | 40 | 47 | 56 | ||
| Poor and Insufficient Data Quality | 40 | 47 | 56 | 48 | 57 |
| Additional Deposits | 48 | 56 | |||
| Reasonably Available Alternatives | 48 | 56 | 48 | 57 | |
| Emerging Risks | |||||
| RILAs | 47 | ||||
| Market Integrity | |||||
| Consolidated Audit Trail (CAT) | 42 | 50 | 59 | 51 | 61 |
| Exam Findings | |||||
| Incomplete Submission of Reportable Events | 51 | 60 | 51 | 62 | |
| Failure to Repair Errors Timely | 60 | 51 | 62 | ||
| Inaccurate or Incomplete Reporting of CAT Orders | 42 | 51 | 60 | 51 | 62 |
| Late Resolution of Repairable CAT Errors | 43 | 51 | |||
| Failure to Submit Corrections | 51 | 60 | 51 | 62 | |
| Inadequate Vendor Supervision | 43 | 51 | 60 | ||
| Unreasonable Supervision | 51 | 62 | |||
| Recordkeeping | 51 | 60 | 51 | 62 | |
| Emerging Risks | |||||
| Data Integrity and Timeliness Issues in Municipal Underwriting Filings | 53 | ||||
| Customer Order Handling: Best Execution | 43 | 53 | 62 | 53 | 63 |
| Exam Findings | |||||
| No Assessment of Execution in Competing Markets | 44 | 54 | 63 | 54 | 64 |
| No Review of Certain Order Types | 45 | 54 | 63 | 54 | 64 |
| Unreasonable "Regular and Rigorous Reviews" | 54 | 63 | 54 | 64 | |
| Securities with Limited Quotations or Pricing Information | 54 | 64 | |||
| No Evaluation of Required Factors | 45 | ||||
| Conflicts of Interest | 45 | 54 | 63 | ||
| Emerging Risks | |||||
| Targeted Review of Wholesale Market Makers | 45 | ||||
| Customer Order Handling: Order Routing Disclosure | 46 | 55 | 64 | 54 | 63 |
| Exam Findings | |||||
| Inaccurate Quarterly Reports | 46 | 56 | 65 | 54 | 64 |
| Incomplete Disclosures | 47 | 57 | 66 | 55 | 64 |
| Incomplete Disclosure When Incorporating by Reference | 57 | 66 | 55 | ||
| Deficient Communications | 47 | 57 | 66 | 55 | |
| Not Held Customer Reports | 57 | 66 | 55 | ||
| Insufficient WSPs | 47 | 57 | 66 | 55 | 64 |
| Fixed Income Fair Pricing | 58 | 68 | 60 | 68 | |
| Exam Findings | |||||
| Incorrect PMP Determinations | 59 | 69 | 60 | 68 | |
| Outdated Mark-Up/Mark-Down Grids | 59 | 69 | 60 | 69 | |
| Failure to Consider Impact of Mark-Up on Yield to Maturity | 69 | 60 | 69 | ||
| Unreasonable Supervision | 69 | 60 | 69 | ||
| Exception Reports | 59 | ||||
| Market Access Rule | 48 | 73 | 63 | 70 | |
| Exam Findings | |||||
| Insufficient Controls | 48 | 73 | 63 | 70 | |
| Failure to Consider Additional Data | 74 | 63 | 71 | ||
| Impermissible Exclusions | 74 | 63 | 71 | ||
| Inadequate Financial Risk Management Controls | 48 | 74 | 63 | 71 | |
| Reliance on Third-Party Vendors | 48 | 74 | 63 | 71 | |
| Inadequate Post Trade Surveillance | 64 | 71 | |||
| Failure to Document Annual Review of Effectiveness | 74 | 64 | 71 | ||
| Extended Hours Trading | 65 | 73 | |||
| Exam Findings | |||||
| Inadequate Supervision | 66 | 74 | |||
| Reporting Failures | 66 | 74 | |||
| Financial Management | |||||
| Net Capital | 50 | 63 | 76 | 67 | 75 |
| Exam Findings | |||||
| Inadequate Supervision of Net Capital Compliance | 68 | 76 | |||
| Inadequate Processes or Supervision of Net Capital Deductions | 68 | 76 | |||
| Inaccurate Classification of Receivables, Liabilities and Revenue | 50 | ||||
| Failed to Deliver and Failed to Receive Contracts (Fails) | 50 | ||||
| Inadequate Processes or Supervision for Capital Charges for Underwriting Commitments | 51 | 63 | 77 | 68 | 76 |
| Inaccurate Net Capital Deductions and Concentration Charges | 63 | 77 | 68 | ||
| Inadequate WSPs | 63 | 77 | |||
| Inaccurate Recording of Revenue and Expenses | 51 | 64 | 77 | 68 | 76 |
| Late or Inadequate Filings | 68 | 76 | |||
| Insufficient Capital for Underwriting Participation | 68 | 76 | |||
| Inaccurate OCC Charges | 68 | 76 | |||
| Insufficient Documentation Regarding Expense-Sharing Agreements | 51 | ||||
| Liquidity Management | 52 | 64 | 78 | 69 | 79 |
| Exam Findings | |||||
| Insufficient Stresses on Clearing Deposit Requirements | 69 | ||||
| Unreasonable Stress Test Assumptions | 69 | ||||
| Inadequate Supervision | 70 | ||||
| Establishing Inaccurate Clearing Deposit Requirements | 52 | 65 | 79 | ||
| Not Extending the Stress Test Period | 65 | ||||
| Not Modifying Business Models | 52 | 65 | |||
| No Liquidity Contingency Plans | 52 | 65 | 79 | 70 | |
| Inaccurate or Incomplete SLS Reporting | 79 | 70 | 80 | ||
| Credit Risk Management | 53 | 67 | 81 | ||
| Exam Findings | |||||
| No Credit Risk Management Reviews | 54 | 67 | 81 | ||
| No Credit Limit Assignments | 54 | 67 | |||
| No Monitoring Exposure | 54 | 67 | 81 | ||
| Inadequate Systems to Monitor Customer and Counterparty Limits | 67 | ||||
| Customer Asset Protection | 55 | 70 | 84 | 71 | 82 |
| Exam Findings | |||||
| Inadequate Supervision | 71 | 83 | |||
| Treatment of Free Credit Balances – Transfers to Another Account/Institution | 83 | ||||
| Inconsistent Check-Forwarding Processes | 56 | 71 | |||
| Inaccurate Reserve Formula Calculations | 56 | 71 | 84 | 71 | 83 |
| Improper Withdrawals from Reserve Bank Account | 84 | ||||
| Inaccurate Segregation of Customer Securities | 71 | 84 | 72 | 83 | |
| Inadequate FINOP access to books and records to fulfill required duties | 83 | ||||
| Inadequate external reconciliations of books/records for customer asset location/custody | 83 | ||||
| Inadequate Handling of Customer Checks | 72 | ||||
| Omitted or Inaccurate Blotter Information | 56 | ||||
| Emerging Risks | |||||
| FINRA Reminds Firms of Their Obligations to Designate FINOPs | 73 | 83 | |||
| Portfolio Margin and Intraday Trading | 56 | 68 | 82 | ||
| Exam Findings | |||||
| Inadequate Recordkeeping | 83 | ||||
| Incorrect Account Equity | 83 | ||||
| Accounts Below Minimum Equity | 83 | ||||
| No Internal Audit Review of Portfolio Margin Process | 83 | ||||
| Inadequate Monitoring Systems | 57 | 69 | |||
| Not Promptly Escalating Risk Exposures | 57 | 69 | |||
| Insufficient WSPs | 57 | 69 | |||
| Non-Eligible Products Included in the Portfolio Margin Methodology | 69 | ||||
Sub-section (with page numbers)
Not a stated priority that year
Source: 2026 FINRA Annual Regulatory Oversight Report. Values represent page numbers in each year's source report.
Bates Group Research.