
A quick review of SEC and FINRA regulatory exam priorities for 2025

Written by Lisa Roth | Feb 5, 2025 8:30:26 PM

Both the SEC and FINRA have released their risk-based priorities for 2025 exam programs: the SEC Examination Report (SEC Report) and the FINRA Annual Regulatory and Risk Oversight (AROR) Report. Let’s compare the two publications and highlight details that may impact your own internal examinations.

The SEC Examination Priorities Report

Let’s start with the SEC Report sections relevant to Investment Advisers (IAs). Don’t be lulled into complacency because the Report appears to address the same, familiar topics to which we have become accustomed—fiduciary duty and compliance programs. There are nuances worth noting.

In its Report, the SEC clarifies that the IA fiduciary duty of care includes recommendations made by firms with dual registrants. Similarly, the Report advises that firms with a “large number” of geographically dispersed independent contractors (ICs) would subject the adviser to scrutiny. What is “large” is not known, allowing a window for firms to make their own determination. To do this, firms should consider comparing and contrasting their own numbers of ICs versus employees across the enterprise, as well as alongside their peers. From that starting point, the firm could prepare written procedures that clearly establish lines of responsibility that are proportionate to its operations.

The SEC Report also clarifies what firms should consider when it comes to conflicts of interest. The report includes examples such as account allocation practices over an investor’s multiple accounts and how the firm determines the recommendation of a brokerage versus an advisory account. IA firms should be prepared to address their compliance programs in terms of any dually registered personnel. I believe both the SEC and FINRA can be expected to consider the potential conflicts of interest consistent with the SEC Report particularly in the context of Reg BI, which I’ll talk about later. It’s worth noting that since scrutiny of ICs in far-reaching locations is not new to BDs, IAs could also look to FINRA guidance for industry standards that could be repurposed for the IA.

Where the SEC and FINRA seem to agree

By general comparison, the SEC Report is the easier of the two to digest, coming in at 22 pages. The AROR is substantially meatier and more modern, providing links to content and resources. That said, there does appear to be general agreement between them on a few topics:

On AI, 3rd-party vendors, and technology management

While “Third-Party Risk Landscape” is new in 2025, the AROR provides observations and effective practices from previous years’ exams that led to it becoming a separate topic. The scope is broad and worthy of a close review because, regardless of the strengths or weaknesses of the vendor itself, the regulatory risks associated with the use of any 3rd-party vendor fall to the BD.

AI figures into both regulators’ guidance in a significant way. The SEC Report summarizes its concern by simply noting that “advisers integrating AI into their operations should be prepared for examination of relevant compliance procedures.” FINRA goes substantially further, referencing the 2024 AROR and adding commentary regarding continuing and emerging trends.


The use of Gen AI tools is a focus, and the AROR provides a concise list of considerations. The bullets provided in the publication address direct uses of Gen AI as well as the indirect use through vendors. Advice is not given as to which vendors count and which may not. With a scope this broad in the center of the regulatory radar, compliance professionals should dedicate resources and time to ensure that business decisions regarding the selection and deployment of vendor technologies into the firm’s operations pass through compliance.

On Reg S-P

From vendor management to technology management, the AROR transitions to a stand-alone section that covers branch office controls, data back-ups, and data loss prevention (DLP). The section focuses heavily on Reg S-P. FINRA’s guidance for firms includes establishing and maintaining an Identity Theft Prevention Program (IDTPP) in line with Reg S-ID.

Suffice it to say that in regard to Reg S-P and the IDTPP, the SEC and FINRA are aligned. The 2025 exam priority guidance by both institutions suggests that Reg S-P will likely be a priority in 2025. Firms can expect their exams to test the firm’s compliance programs, including incident response procedures, notifications to customers, and safeguards/disposal rules to cover public and non-public information collected about customers from another financial institution, among other amendments.

On Reg BI and sales communications

Yes, IAs have their own fiduciary duty, but it turns out BDs have their own care obligation.

The AROR incorporates types of exam findings likely not considered “new,” such as switching, replacements, complex/risky products, and leveraged/inverse ETPs. But through the lens of Reg BI, these recommendations take on a new light.

Clearly “reasonableness” is so 2020, and “best” is the new standard. Based on the consistent high degree of attention in the AROR over the years, FINRA has not forgotten; and there remains work to do. Recommendations now require consistency with the customer’s best interest. The AROR describes a degree of dedication that will keep the topic in high focus.

For their part, the SEC and FINRA appear to be on the same path. The SEC states that conflicts review shall take into account “the broker’s interest,” describing that “broker’s interest” includes the firm as well as the individual associated person. This is not a dramatically new concept. Nonetheless, it stands out to me as a call to action for a refreshed review of the firm’s existing conflicts of interest statements. Firms should consider differentiating between conflicts that can be mitigated versus those that must be eliminated. Firms are wise to consider the materiality of the conflicts as key to their determination, noting that FINRA emphasized “material” twice in its guidance.

The SEC Report stresses the importance of reviewing reasonably available alternatives, a fundamental component of Reg BI. The AROR takes this one step further, emphasizing that alternatives should be considered before the recommendation. Subtle, but potentially impactful depending on the firm’s procedures. It’s not stated how far in advance—but notable nonetheless, as firms may be able to categorize certain specific products, or types of products, to provide the front-line salesperson with readily accessible information.

On communications

Notwithstanding the ongoing public enforcement actions regarding off-channel communications, the SEC Report is silent on the topic. The AROR made up for the difference. It cites an emerging trend in retail communications related to registered index-linked annuities (RILAs). If this is relevant to your firm, be sure to have a look because FINRA provides a succinct list of dos and don’ts.

As for general communications, FINRA provides effective practices for information on a firm’s digital communications which may be off-channel, depending on the firm’s method of delivery. The AROR provides guidance regarding mobile apps, social media influencers, and in particular, communications that utilize Gen AI. Notably, FINRA reminds firms that the BD must review AI-generated communications for customers including through chat bots or other digital means (often vendor-supported applications) as they may not be compliant with securities regulations.

FINRA also states that communications that mention AI tools or AI services, such as portfolio construction, research, or products that rely on AI management, must accurately describe how the services incorporate AI technology. They should also balance the discussion of benefits with appropriate discussion of risks. This goes to the challenge of explainability, which is a reasonably high bar for non-technical compliance professionals.

There is additional content in the SEC Report of interest for Private Fund advisers and Investment Companies. If that applies to you, have a quick look. There is much more content in the AROR that cannot be effectively addressed in the confines of this blog. There are sections relevant to most firms, regardless of business model, on topics such as cybersecurity, AML, fraud schemes, and firms’ crypto interactions. So don’t stop here; please review the publications themselves.


The opinions provided are those of the author and not necessarily those of Fidelity Investments or its affiliates. This content is for informational purposes only and should not be interpreted to be or relied upon as legal or compliance advice. Saifr, and its related Fidelity entities, are not responsible for determining the requirements of any laws or rules applicable to customers for actions taken or not taken in reliance on Saifr's products and services or the information provided. Fidelity does not assume any duty to update any of the information.
