Q1 2025 Regulatory Roundup: What Financial Services Compliance Teams Should Watch
In our recent quarterly webinar, Smarsh and Eversheds Sutherland unpacked the regulatory trends that shaped the start of 2025. From enforcement priorities to AI governance and crypto oversight, this roundup provides financial services firms with key insights and compliance takeaways for the year ahead.
Why it matters
Regulators are adjusting their posture — but not lowering their expectations. As firms adopt new technologies, expand their digital footprint, and test the limits of communication platforms, supervision must keep pace. Enforcement may evolve in tone, but compliance obligations remain high-stakes.
Regulatory enforcement trends: Familiar themes, evolving expectations
The SEC reported 200 enforcement actions in the first quarter of FY25 — a record high for Q1 activity and a capstone to an aggressive enforcement era. However, our panel noted that many of these actions were filed under the prior administration. Expectations are that standalone off-channel communications cases may taper off in the coming months.
Still, firms shouldn’t get complacent. The volume and variety of enforcement actions in recent months make clear that regulators are continuing to scrutinize communications practices and supervisory controls, even as the enforcement tone may soften.
"We don’t expect to see these standalone record retention cases, but we do expect them to bring some record retention cases where there are other violations."
Recent regulatory enforcement examples:
- In January, the SEC fined 12 firms a combined $63M for failing to preserve off-channel communications, reinforcing that recordkeeping remains a high priority
- One firm was fined $45M for a mix of violations, including cybersecurity gaps and off-channel communications issues, signaling that recordkeeping lapses will still appear in multi-violation cases
- Social media promotions came under the microscope, with FINRA fining firms up to $750K for influencer campaigns that featured misleading or noncompliant content
"You can't just prohibit spoofing... You need to have effective policies and procedures designed to prohibit and catch it."
The takeaway? Regulators are looking beyond written policies. Implementation, monitoring, and enforcement of supervision programs are now central to compliance expectations.
Update on FINRA oversight: Back to basics, with a tech twist
FINRA’s 2025 Regulatory Oversight Report emphasized four areas:
- Books and records
- Public communications
- Third-party vendor risk
- AI use
While none are new to compliance professionals, the nuance in FINRA’s expectations has deepened.
Books and records remain foundational. But FINRA made it clear that supervisory effectiveness includes a firm’s ability to detect activity across all communication channels — including messaging apps, video, and non-English language messages.
"It’s hard for a firm to meet its supervisory obligations if it doesn’t have an adequate handle on what the firm’s associated persons are communicating about on firm systems."
To support effective oversight, regulators encourage firms to:
- Define and enforce clear boundaries for permitted digital tools
- Implement supervisory systems tailored to each channel
- Take disciplinary action when policies are ignored
The latest on AI governance: Regulation still lags, expectations don’t
On AI governance, FINRA is watching closely. Most firms are still finding their footing with AI compliance. That’s not surprising. Regulatory frameworks were never designed with generative AI models in mind.
"There’s no specific regulation for AI today, so you’re mapping to things like Reg BI, the Advisers Act, and trying to determine what’s fair and balanced in an AI-generated statement."
While explicit AI rules are still emerging, regulators are signaling that firms should begin to approach AI use with the same care applied to other business tools. That includes evaluating supervisory, documentation, and risk management practices.
What should firms consider when complying with communications regulations?
- Supervision: Are outputs from tools like Copilot or generative AI chat platforms reviewed or monitored before reaching clients or the public?
- Recordkeeping: Can AI-generated content or decisions be captured and archived under your existing books and records policies?
- Governance: Do you have cross-functional policies in place to assess who can use AI tools, for what purposes, and with what level of oversight?
- Compliance mapping: How are you aligning AI-related communications and advice to existing regulatory standards, such as Reg BI, the Advisers Act, or FINRA communications rules?
What’s next for regulatory enforcement: The shape of things to come
The panel forecasted a few directional shifts for the remainder of 2025:
- Crypto and meme coins: Expect continued — but more targeted — oversight of speculative investments as the SEC’s new administration recalibrates its approach. The newly formed Cyber and Emerging Technologies Unit (CETU) replaces the Crypto Assets and Cyber Unit and includes approximately 30 fraud specialists focused on digital asset scams, meme coins, and AI-related fraud. This shift signals a clear move from broad-based crypto crackdowns to more fraud-centric targeting.
- Finfluencers: Enforcement involving social media influencers is likely to broaden. Firms using influencers should be prepared to document their review processes and ensure claims are balanced and not misleading.
- A pragmatic path forward: Perhaps the biggest shift? A more measured approach to recordkeeping enforcement. Two SEC commissioners recently signaled support for a “pragmatic and privacy-respecting” framework, suggesting a possible move away from one-size-fits-all enforcement and toward expectations that reflect each firm’s risk profile, supervisory efforts, and good-faith compliance measures.
"We’re witnessing [deregulation] happen at lightning speed at the SEC..."
Final takeaway: Reasonableness is the new watchword in regulatory compliance
As firms continue to assess their risk posture in 2025, it’s no longer just about checking regulatory boxes. The shift in tone at the SEC and FINRA points toward a renewed focus on reasonableness in supervision, emphasizing that while perfection may be unrealistic, gaps in oversight and documentation may still lead to enforcement.
Expectations are still clear: Firms must demonstrate a proactive, documented, and evolving approach to compliance — especially as the lines between communications, promotions, and day-to-day operations increasingly intersect across digital channels.
Looking ahead to Q2: Don't miss the latest regulatory enforcement news
Now may be the time to:
- Review your influencer and digital marketing policies
- Reassess your AI governance framework and supervisory readiness
- Revalidate your archiving and supervision programs — with a focus on off-channel communications and control gaps