Rules Navigator

FINRA Annual 2025: Modernizing rules and empowering compliance

Image of Greg Ruppert, Head of FINRA Member Supervision.
FINRA’s Greg Ruppert leads a session. Photo: Julie DiMauro

Julie DiMauro

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

The 2025 FINRA annual conference kicked off with reminders of the SRO’s accomplishments and mission, but the tone was muted.

The need to update, streamline and focus – all while protecting investors and the US marketplace – was the emphasis as President and CEO Robert Cook opened the FINRA annual conference event in Washington, DC, detailing several new initiatives at the self-regulatory organization (SRO).

FINRA Forward

Cook described the FINRA Forward Initiative at the agency as a new and enhanced version of the prior FINRA 360 one. Announced in April, it comprises a series of initiatives to improve effectiveness and efficiency in pursuing the agency’s mission. 

The program focuses on modernizing FINRA rules to facilitate innovation and eliminate unnecessary burdens. To this end, the agency has targeted FINRA rules that affect member firms’ support of capital formation and rules that affect the extent to which member firms can organize and operate their workplaces using modern technology.

This means adjusting the rulebook with an eye toward modernizing, tailoring, enhancing, or eliminating requirements in those areas, Cook said, knowing that modern capital formation techniques and work-from-home and virtual working arrangements require a redress of these mandates.

FINRA Forward also includes empowering the compliance programs and teams at member firms, and one example of this occurred on Monday with a tabletop exercise centered on cybersecurity best practice, offered to member firms as one of the pre-event sessions, he observed. The agency also asks for continuous feedback and provides members with educational events, training tools and guidance documents.

Unnecessary burdens

As an example of trying to streamline and lighten the burden on member firms (rule-wise) Cook mentioned the agency’s Regulatory Notice 25-05, issued in March, which is designed to reduce the existing requirements addressing the outside activities of member firms’ associated persons. The proposal would replace two rules with one, and is intended to enhance efficiency without compromising protections for investors and members relating to outside activities.

Cook said he wants to ensure firms are definitely performing their oversight duties here – but not to the extent that they are spending any time parsing out outside business pursuits not related to securities. The rule would eliminate the reporting and assessment of low risk side work that does not affect customers, such as brokers refereeing sports games or driving for a car service. “We want to get rid of some of the white noise that got built up with the old rules,” he said.

Easing effective dates

In October 2023, the SEC adopted Rule 10c-1a, which is intended to enhance transparency in the securities lending market. In effect, the rule requires market participants to report securities lending transactions to FINRA, and requires FINRA to adopt rules establishing a system to facilitate such reporting and to publicly disseminate specified reported loan information. Earlier this year, the SEC approved the required FINRA rules.

Now, FINRA seeks an extension of the compliance date from January 2026 to September 2026 in recognition of the special challenges to IT systems posed by a new calendar year, holiday staffing issues, and other considerations. FINRA also suggests extending the time between when transaction reporting first begins and when the public dissemination of reported information must occur, up from the current one of “within 90 calendar days of the launch of transaction reporting.”

Cook explained: “Additional time would better enable the SEC and FINRA to review the information that has been reported and consider whether adjustments to the data dissemination requirements are appropriate to avoid unintended consequences arising from the dissemination.”

Ruppert stresses threat intelligence

Taking the stage after Cook – but continuing the dialogue about how the agency was poised for a modern-day marketplace – was Greg Ruppert, Executive Vice President of Member Supervision.

Ruppert highlighted FINRA’s Threat Intelligence Product (TIP), which provides an overview of FINRA’s observations regarding the vulnerability of senior investors to investment scams, the devastating consequences for the victims and the importance of education about financial scams.

As part of TIP, FINRA sent out an investor alert that spotlighted artificial intelligence and investor scams, noting how bad actors are using the growing popularity and complexity of AI to lure victims into scams.

Ruppert said he spoke with one member firm that gave out this investor alert as part of its new-hire package. He said the firm reported back that educating new employees about how fraudsters typically deploy multiple, sophisticated persuasion techniques using AI proved to be pivotal in helping train them to spot fraudulent practices.

“Quishing” attack case

You could be forgiven for having missed this one, but the story comes with a new, cool term (if you didn’t already know it) and a message about how FINRA provides important tips to law enforcement agencies.

Last year, ONNX Store, a phishing-as-a-service platform, targeted Microsoft 365 accounts at FINRA member firms with an advanced social engineering attack known as quishing: a business email compromise attack that uses QR codes in embedded PDF documents to redirect victims to phishing URLs. (So it’s phishing, but the perpetrators use QR codes to lure you in.)

Threat actors leverage quishing attacks because victims will typically scan QR codes on their personal mobile devices, which they might also use for some business purposes, making these attacks hard to monitor with typical endpoint detection.

How did this involve FINRA? Well, FINRA had some evidence to share in support of Microsoft’s affidavit requesting a seizure that would help take down these illicit domains, and the agency agreed to help in just that way. The nefarious infrastructure was shut down and FINRA’s timely information helped.

After the matter was resolved, FINRA collected its best practice tips pertaining to quishing and published a cyber alert for its members.

Tone of the event

FINRA conference on day one was a lot more reserved than usual, with representatives from the SRO emphasizing the great benefits the agency provides its members, as well as how it services other regulatory bodies (like the SEC), law enforcement (like the FBI and CISA), investors and the securities markets as a whole.

Its concern and this emphasis on its value is likely manifesting because of political pressure and lawsuits questioning the constitutionality of its enforcement authority, along with Project 2025 – conservative think tank The Heritage Foundation’s white paper – having called for its abolishment.

But the 85-year-old agency has proven over the years to be a great steward for the SEC’s regulatory regime, balancing rulemaking with enforcement, and it has been at the forefront of investor education, a component of its remit that has great bipartisan appeal.

As shown by what was outlined in this opening day to the annual event, the agency is willing to make its rulebook less burdensome on businesses by taking very seriously the informed commentary supplied by member firms, which could work to its advantage as well.

, , , , , , ,

You may also like