Nsight Blog | Ncontracts

Emerging Risks in the Securities Industry 2025

Written by Shannon Hull | Feb 11, 2025 8:00:00 PM

Risk in the securities industry is evolving at an unprecedented pace. From the rise of artificial intelligence and cybersecurity threats to regulatory crackdowns and shifting compliance expectations, financial institutions are facing a complex and rapidly changing landscape. 

The Division of Examinations of the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) recently outlined their 2025 examination priorities, shedding light on the biggest risks confronting financial advisers, wealth managers, and investment firms. These regulatory roadmaps reveal a heightened focus on compliance enforcement, third-party risks, and technology-driven challenges — making it clear that firms must be proactive, not reactive, in their approach to risk management.

How can financial professionals stay ahead? It starts with understanding the critical compliance risks shaping the year ahead. 

Related: Exploring the SEC’s 2025 Priorities: What Financial Advisers & Wealth Managers Need to Know 

AI and emerging technology  

According to PwC’s recent Asset and Wealth Management Survey, 84% of asset and wealth managers said disruptive technology is fueling their organization’s operational efficiency, while 80% noted it is driving revenue growth. From product innovation to new markets and technology — including artificial intelligence (AI), machine learning (ML), and cryptocurrency — disruptive technology is impacting organizations on a broad level and introducing new risks.  

In its 2025 Examination Priorities, the SEC specifically mentions the use of AI in investment practices and how vendors are developing AI — whether independently or via third-party models. The increased attention to AI isn’t surprising considering the SEC’s recent charges against investment advisers for AI washing, which is the process of making false or misleading statements about AI use.  

The SEC noted that it will evaluate firms to ensure they have adequate AI policies and procedures for fraud prevention, back-office operations, anti-money laundering (AML), and trading functions. FINRA also reminded its members of AI risks and regulatory obligations in a 2024 Regulatory Notice. In November 2024, FinCEN issued an alert regarding generative AI (GenAI) fraud schemes to help institutions recognize schemes utilizing deepfake media created with AI.

Over the next year, advisers should pay special attention to their AI usage, ensuring the technology is used accurately and responsibly.  

Related: The Risks of AI in Banking 

Cybersecurity  

Cybersecurity risk remains a significant concern for regulators, especially how firms and advisers maintain operational resiliency and protect their customers’ data amid heightened cybersecurity risk.

In 2023, the SEC adopted new rules to reflect the growth of cyber-related incidents. These rules require companies to disclose cybersecurity-related information, including material incidents and their cybersecurity risk management, strategy, and governance.  

These incidents can also affect compliance with FINRA regulations, including Rules 4370 and 3110. Additionally, firms must adhere to FINRA Rule 4530(b), which mandates prompt reporting of any securities and financial conduct violations (including those involving cybersecurity) to FINRA based on established standards. 

These rules — as well as the U.S. Department of Treasury’s Managing Artificial Intelligence-Specific Cybersecurity Risks report and other resources — emphasize the importance of including cybersecurity risk oversight in a risk management framework.

Related: Regulating the Future: What Financial Institutions Need to Know About AI and Regulatory Risks 

Third-party risk 

The Division's emphasis on cyber risks is also related to vendor products and services, underscoring the importance of third-party risk management (TPRM). Too often, financial companies overlook vendor red flags, leaving their organizations susceptible to operational, reputational, and compliance risks.  

The third-party risk landscape was also a new section in FINRA's Regulatory Oversight Report. Some of the regulator's best practices include: 

  • Keeping an inventory of all services and components provided by third-party vendors to gauge potential impacts from cybersecurity incidents or outages. 
  • Implementing supervisory controls to assess the vendor's business impact and developing contingency plans. 
  • Evaluating how vendor failures might affect the firm's regulatory obligations. 
  • Inquiring if vendors use GenAI in their products and updating contracts to protect sensitive information. 
  • Reviewing and adjusting default features of third-party tools to align with business needs and regulatory requirements. 
  • Assessing vendors' capabilities to protect sensitive non-public information. 
  • Ensuring access to systems and data is revoked when a relationship ends. 

Form PF and marketing requirements 

Adherence to new or amended rules is another compliance risk for advisers and firms.  

Last year, the SEC adopted amendments to Form PF, a confidential reporting form for certain SEC-registered investment advisers to private funds. The new updates include enhanced reporting on hedge fund advisers' investment exposures, borrowing, counterparty risks, and detailed operational data. The amendments also require more basic information about advisers and funds, such as assets under management and performance metrics, to better understand industry trends and reduce reporting errors. Private fund managers must adhere to the new requirements by June 12, 2025.   

In its 2025 Priorities, the SEC also mentions that its examiners will review compliance with the already-in-effect updated rules for governing investment adviser marketing. 


BSA/AML 

The Bank Secrecy Act (BSA) mandates that financial institutions, including broker-dealers and certain registered investment companies (RICs), establish anti-money laundering (AML) programs tailored to their specific risks. These programs must include compliance policies, internal controls, independent testing, and customer due diligence procedures, which involve identifying customers and suspicious transactions.  

Both the SEC and FINRA are assessing whether the institutions they oversee are effectively adapting their AML programs to their business models, conducting necessary testing, establishing a customer identification program (CIP) to meet new requirements, fulfilling Suspicious Activity Report (SAR) obligations, managing oversight of financial intermediaries, and complying with sanctions from the Treasury’s Office of Foreign Assets Control.

Related: 20 Questions to Risk Assess Your BSA/AML Program in a Post-Pandemic World 

T+1 trade settlements and Rule 15c6-1 compliance 

Two other important areas of concern are broker-dealer compliance with the T+1 settlement cycle under Rule 15c6-1, which mandates settlement one day after the trade date rather than two (T+2), and Rule 15c6-2, which requires written agreements for trade allocation and confirmation by the trade date.  

To stay compliant, advisers should update their records according to the new rules and revisit their operations strategy to make changes and technology upgrades for institutional transactions.  

Related: What is Compliance Risk?  

Regulation S-P and consumer data protection  

The Division also notes its continued focus on compliance relating to consumer protection. While many federal laws exist for this purpose, Regulation S-P should be a significant focus for advisers and firms.

Under the final Regulation S-P amended rule, covered institutions must have an incident response plan if an event leads to unauthorized access or use of customer information. The rule also requires institutions to notify customers within 30 days of the incident or its discovery.  

Regarding Regulations S-ID and S-P, examination areas will include identity theft prevention measures, customer information security practices, and identity theft prevention training. The Division will also evaluate how firms manage operational and technology risks (including third-party risks) that could affect their data protection capabilities.  

Related: Inside the SEC’s New Vendor Management Requirements 

Managing compliance risks effectively and efficiently  

Addressing compliance risk is an ongoing responsibility and is essential for investment advisers, firms, and other wealth management professionals adhering to their fiduciary duty. However, staying on top of the latest SEC and FINRA regulations alone is a full-time job. 

The right compliance management solution can save your firm valuable time and resources by streamlining tasks, from vendor contract management to cybersecurity monitoring and business continuity. 

Learn about the key components to look for in a compliance management solution in our free Compliance Management Buyer’s Guide.