Inside FINRA’s 2026 Oversight Agenda: Emerging Risks, Persistent Pitfalls, and Examination Focus Areas
FINRA’s 2026 Annual Regulatory Oversight Report is best understood as a blueprint. While FINRA is careful to describe the report as guidance rather than rulemaking, the document functions in practice as a forward-looking examination and enforcement roadmap. It reflects where FINRA has seen recurring failures, where risks are evolving, and where it expects firms to devote meaningful compliance resources in the year ahead.
Notably, FINRA released the report earlier than in prior years, citing feedback from member firms seeking additional time to assess risk, align controls, and remediate gaps. That timing decision is itself instructive. FINRA is signaling that firms are expected to operationalize the report, not merely acknowledge it.
What follows is a synthesis of the most consequential themes for broker-dealers, with emphasis on areas where FINRA scrutiny is intensifying or where firms continue to underestimate regulatory risk.
Cybersecurity and Cyber-Enabled Fraud
Cybersecurity remains one of FINRA’s highest-priority risk areas, and the 2026 report reinforces that cyber incidents are no longer treated as isolated IT failures. FINRA frames cybersecurity as a direct driver of customer harm, operational disruption, and market integrity risk.
FINRA’s expectations track closely with the SEC’s amended Regulation S-P, which now requires policies and procedures reasonably designed to detect, respond to, and recover from unauthorized access to customer information, including formal incident response and notification processes. Firms should expect examiners to test not only whether policies exist, but whether they are actionable, current, and supported by training and testing.
FINRA also highlights the continued rise of cyber-enabled fraud, including account takeovers, impersonation scams, social engineering attacks, and insider misuse of access. Increasingly, these schemes are enhanced through AI-generated content, making traditional controls less effective if they are not continuously updated.
Practical implication: cybersecurity programs, identity theft prevention, and incident response testing must be treated as examination-ready compliance infrastructure, not discretionary operational safeguards.
Generative AI and Automation
One of the most significant additions to the 2026 report is FINRA’s expanded treatment of generative AI. FINRA’s message is direct: securities laws and FINRA rules are technology-neutral, and firms remain responsible for compliance outcomes regardless of whether decisions are made by humans, algorithms, or hybrid systems.
FINRA observes that firms are already deploying GenAI tools, most commonly for summarization, data extraction, and internal efficiency. That usage, however, brings new supervisory obligations. FINRA expects firms to assess regulatory risk before deploying GenAI, not after issues arise.
The report emphasizes the need for governance frameworks that address model accuracy, hallucinations, bias, cybersecurity vulnerabilities, and data integrity. FINRA also underscores the importance of logging prompts and outputs, maintaining version control, and ensuring meaningful human oversight.
Of particular note, FINRA flags the emergence of autonomous or semi-autonomous AI agents as an area requiring heightened attention. Systems capable of initiating actions without direct human input raise novel supervision, accountability, and access-control questions that firms must address proactively.
Practical implication: if AI tools touch supervision, communications, surveillance, customer interactions, or recordkeeping, FINRA expects controls that look like a compliance program, not an innovation pilot.
Vendor Management and Operational Resilience
FINRA devotes significant attention to vendor oversight, reflecting the industry’s increasing reliance on third-party providers for critical functions such as IT infrastructure, cybersecurity, AML systems, data storage, and communications platforms.
FINRA expects firms to maintain supervisory systems, including written supervisory procedures (WSPs), that extend to outsourced activities. The report highlights a rise in vendor-related cyber incidents and outages, warning that industrywide reliance on common vendors can create correlated risk across multiple firms.
Effective practices identified by FINRA include maintaining detailed vendor inventories, tracking software versions and data access points, conducting ongoing due diligence, incorporating vendors into incident-response testing, and implementing clear data-return and access-termination procedures upon contract end.
Practical implication: vendor governance is now treated as firm governance. Examiners will expect documentation, testing, and accountability comparable to internal controls.
Digital Assets Still Squarely in FINRA’s Crosshairs
Despite shifting emphasis in other regulatory forums, FINRA makes clear that digital assets remain an examination focus. FINRA’s jurisdictional lens is centered on member firms and their associated persons, and many FINRA rules apply regardless of whether an activity involves a traditional security.
The report reiterates expectations around due diligence for crypto-related offerings, including analysis of token economics, development teams, smart contract functionality, conflicts of interest, and cybersecurity risks. FINRA also highlights failures tied to outside business activities and private securities transactions involving crypto-related compensation.
FINRA further emphasizes customer disclosures. Firms must clearly explain differences between brokerage accounts and affiliated crypto accounts, including distinctions in SIPC protection, regulatory oversight, supervision, and complaint resolution.
Practical implication: firms cannot assume that crypto-adjacent activity falls outside FINRA’s supervisory perimeter, even where business teams believe securities laws are not implicated.
Manipulative Trading and Surveillance
Manipulative trading continues to be an evergreen focus, with renewed attention to small-cap fraud and non-bona fide trading. FINRA identifies recurring surveillance failures, including systems that are not capable of detecting common manipulation schemes, poorly calibrated thresholds, and inadequate alert review processes.
Operational weaknesses, such as insufficient staffing, delayed reviews, and poor documentation, continue to feature prominently in exam findings and enforcement referrals.
CAT, Best Execution, and Order Routing
FINRA’s observations regarding Consolidated Audit Trail (CAT) reporting include incomplete submissions, delayed error correction, and inadequate supervisory review. FINRA expects firms to map internal records to CAT fields, conduct daily portal reviews, and maintain clear processes for correcting errors, including when third parties submit on the firm’s behalf.
Best execution remains a programmatic enforcement priority. FINRA continues to cite failures to conduct meaningful execution-quality reviews, including inadequate venue comparisons and insufficient order-type analysis. Inaccurate or incomplete Rule 606 disclosures also remain a frequent source of enforcement action.
Practical implication: market integrity obligations are tested through documentation, rigor, and repeatability. Weak processes often become enforcement matters.
Communications, Sales, and Retail Investor Protection
FINRA continues to scrutinize communications with the public, particularly as firms adopt new platforms, features, and live or interactive formats. Firms are expected to define permissible channels clearly and supervise emerging media with the same rigor applied to traditional communications.
Regulation Best Interest remains a central focus. FINRA emphasizes training associated persons on complex products, maintaining accurate records of Form CRS delivery, and incorporating Reg BI testing into branch exams.
The report also highlights failures in private placement due diligence, particularly where firms rely on prior relationships rather than conducting current, independent investigation of issuers and covered persons.
FINRA separately addresses annuities and annuity-like products, including registered index-linked annuities (RILAs), reinforcing that these products are firmly within Reg BI’s best interest framework and continue to receive heightened scrutiny.
Financial Responsibility and Customer Asset Protection
FINRA identifies ongoing deficiencies in net capital compliance, particularly around underwriting commitments and open contractual commitment charges. The report emphasizes moment-to-moment capital compliance, accurate charge application, and clear documentation supporting when charges may be discontinued.
Liquidity risk management also remains a focus, with FINRA highlighting weaknesses in stress testing, data governance, and contingency planning.
With respect to customer asset protection, FINRA reiterates expectations under Rule 15c3-3, including reserve computation accuracy, possession and control procedures, and documentation supporting custody arrangements for digital assets held at qualified locations.
Books and Records, OBAs, and Extended-Hours Trading
FINRA continues to find deficiencies in books and records compliance, including failures tied to off-channel communications (business communications conducted over unapproved or unretained channels), record format requirements, and financial reporting accuracy.
Outside business activities and private securities transactions remain an area of persistent weakness, particularly where firms fail to obtain proper notice, evaluate compensation structures, or apply heightened supervision where required.
FINRA also flags extended-hours and overnight trading as discrete risk areas, emphasizing supervision, customer disclosures, and inclusion of these executions in best execution reviews.
Using the Report as FINRA Intended
FINRA explicitly encourages firms to use the Oversight Report as a governance tool. That means assessing applicability, integrating findings into enterprise risk assessments, conducting gap analyses tied to WSPs, assigning accountable owners, and incorporating themes into training and management reporting.
The message is clear: firms that treat the report as a checklist will struggle. Firms that treat it as a compliance playbook will be better positioned when examiners arrive.
That’s all for now,
Braeden
- - - - - - - - - - - - -
About the author:
K. Braeden Anderson is a Partner at Gesmer Updegrove LLP, where he leads the firm’s Securities Enforcement & Investigations practice, and chairs Mackrell International’s Blockchain & Digital Assets Group and Securities Enforcement & Investigations Group. He is a nationally recognized securities regulatory and enforcement attorney whose practice sits at the intersection of traditional financial regulation and emerging technology. He has been recognized in Best Lawyers: Ones to Watch® in America (2025) for Financial Services Regulation Law and Securities Regulation, and was named the #1 most-read fintech thought leader in the United States in Mondaq’s Spring 2025 Thought Leadership Awards.
Before joining Gesmer Updegrove, Braeden founded a Washington, D.C.–based law firm. He previously served as Assistant General Counsel at Robinhood Markets, Inc. (NASDAQ: HOOD), advising on high-stakes regulatory and enforcement matters, and earlier practiced at Kirkland & Ellis LLP and Sidley Austin LLP in New York and Washington, D.C.
Braeden is a prominent voice in securities and crypto regulation and a leading example of how lawyers can build brand through education and content. He publishes a weekly newsletter reaching more than 20,000 legal and financial professionals, runs a YouTube channel with over 160,000 subscribers, and regularly produces written and multimedia thought leadership through his blog, Anderson Insights. His work focuses on enforcement trends, fintech regulation, and the evolving role of digital assets in capital markets.