Published on May 20, 2026 6 min read



Summary: Each year, FINRA highlights emerging risks in its Annual Regulatory Oversight Report, yet firms still struggle with the same key issues. Books and records, supervision, communications, Reg BI, and financial responsibility rules remain frequent sources of audit issues. This article explores why these “evergreen” risks persist and how firms can finally close the execution gap.

Old Problems, New Priorities: FINRA’s Real Compliance Struggle

Each year, FINRA releases its Annual Regulatory Oversight Report to help firms understand regulatory priorities, examination trends, and emerging risks. While many organizations are eager to focus on headline-grabbing topics, such as sophisticated cyber threats, advancements in AI, the rise of digital assets, and the complexities of third-party risks, the real story often lies beneath the surface. Amid the rush to address new risks, this report serves as an essential guide for navigating the ever-changing regulatory landscape.

However, what often receives less attention is a more sobering reality. Despite years of guidance, FINRA examinations continue to surface the same core deficiencies. Books and records, supervision, communications, Regulation Best Interest (Reg BI), and financial responsibility rules remain consistent sources of exam findings.

FINRA has openly acknowledged that these areas are “evergreen,” noting that everything old is new again when it comes to compliance failures. This cyclical pattern raises compelling questions: why do firms, despite their efforts and awareness, stumble over the same hurdles? The issue is rarely about understanding the rules and what they require. The real challenge is execution.

Why Do Traditional FINRA Risks Continue To Surface in Audits?

One of the most consistent themes across FINRA oversight reports is that deficiencies stem from breakdowns in execution rather than a lack of regulatory knowledge. This recurring struggle exposes the gap between policy and practice, where written procedures fail to translate into operational discipline.

Most firms have written policies and procedures, understand their regulatory obligations, and acknowledge FINRA’s guidance year after year. Yet examinations continue to uncover supervisory reviews that are inconsistent or undocumented, books and records that are incomplete or inaccessible, and business-related communications occurring outside approved channels. These findings can signal deeper organizational challenges, such as unclear accountability, siloed processes, or insufficient resources that can stall real progress.

Firms also struggle with Reg BI frameworks that exist on paper but lack meaningful supervisory testing, as well as net capital or financial responsibility controls that are not actively monitored. The fact remains that firms know the rules, but have difficulty operationalizing them consistently across people, processes, and systems.

How Static Compliance Programs Create Repeat Deficiencies

Many firms rely on compliance programs designed for a simpler operating model. As products, technology, and business structures evolve, compliance frameworks often fail to keep pace.

Written supervisory procedures may meet technical requirements, but they do not always reflect:

  • How the business operates today,
  • Who is accountable for oversight in practice, or
  • How risks are identified, escalated, and remediated.

FINRA has been clear that generic or boilerplate policies are no longer sufficient. Firms must demonstrate that controls are actively working in real-world conditions, connecting compliance to evolving business realities.

The Persistent Challenges of Supervision and Testing

Supervision is one of the most frequently cited areas in FINRA examinations. Common breakdowns include:

  • Reviews that occur but are not documented,
  • Exceptions that are identified but not escalated or resolved, and
  • Testing that focuses on form rather than substance.

These lapses can signal that compliance is viewed as a “check-the-box” exercise rather than a robust, integrated function. FINRA examiners increasingly focus on evidence of supervision, not merely the existence of supervisory roles. If a firm cannot demonstrate how supervision occurred, regulators will assume it did not. This shift underscores the importance of having a compliance culture in which documentation, escalation, and follow-through are valued as much as the policy itself.

How Has Technology Outpaced Compliance Controls?

Technology has added complexity to nearly every aspect of broker-dealer operations. Electronic communications, record retention systems, and third-party vendors introduce new risks that legacy controls are not always equipped to manage.

FINRA continues to identify issues where business communications occur on unapproved platforms, firms rely on vendors without sufficient oversight, or recordkeeping systems fail to capture or retain required data. While technology can enhance compliance, it also amplifies risk when controls are poorly designed or inconsistently applied. The challenge is not just adopting new tools, but ensuring they are integrated into the compliance strategy and evolve with the business.

Why Does Reg BI Remain a Focal Point Years After Implementation?

Nearly five years after implementation, Reg BI remains a central focus of FINRA examinations. However, what has changed is the regulator’s tolerance for superficial compliance.

FINRA now expects firms to demonstrate how conflicts are identified and mitigated, how recommendations are reviewed and challenged, and how supervisory principals validate best-interest determinations. Firms relying solely on high-level disclosures or static documentation without ongoing testing risk falling behind as regulatory expectations grow more nuanced, and they face increased scrutiny and exam findings.

How Can Firms Break the Cycle of Repeat FINRA Findings?

These findings are not inevitable. Firms that reduce repeat exam issues focus on execution discipline rather than rule interpretation alone.

Effective compliance programs do three things:

  1. Align policies with how the business actually operates
  2. Strengthen supervisory evidence rather than oversight in name only
  3. Embed ongoing testing and feedback loops

Successful firms do not wait for exams to identify weaknesses. They identify and remediate issues proactively and treat evergreen risks as strategic priorities. Just because an issue is not new does not mean it is low risk. In many cases, repeat deficiencies should receive heightened regulatory attention.

Final Thoughts: Execution, Not Awareness, Drives Exam Outcomes

Passing a FINRA exam is not about discovering new rules. It’s about proving that longstanding requirements are embedded into daily operations. Firms that prioritize execution, documentation, and testing position themselves to break the cycle of repeat findings and reduce regulatory friction over time.

Maintaining compliance is not about avoiding new risks, but rather mastering the fundamentals, adapting to change, and putting regulatory guidance into practice every day and at every level.

How we can help

Aprio’s Financial Services team provides audit, tax and advisory services to newly registered broker dealers. Our audit specialists can help you navigate the financial responsibility rules and make recommendations to strengthen audit, compliance, and supervisory frameworks before gaps become findings.
