Broker-dealers are operating in an increasingly complex risk environment shaped by evolving regulatory expectations, rapid technological advancements, and heightened exposure to cyber-enabled threats. On 25 March 2026, K2 Integrity held a webinar that explored how internal audit, compliance, cybersecurity, and risk management functions must adapt to meet these challenges—particularly in light of recent regulatory guidance and industry observations. We heard from experts Anthony Vinci, senior director, Office of Financial and Operational Risk Policy, FINRA; KeriAnn Kelly, senior vice president, Platform Solutions Engineering, Goldman Sachs; Olivia Makara, director, Cyber and AI Resilience, K2 Integrity; and moderator Yelena Talmazan, senior managing director, Financial, Internal Audit, and Risk Advisory, K2 Integrity. A recording of the session is available.
Evolving Regulatory Expectations and Risk Landscape
On 9 December 2025, FINRA released its 2026 Annual Regulatory Oversight Report, which highlighted recurring control gaps and emphasized the need for firms to align their internal audit and compliance programs with evolving expectations. Importantly, recent guidance has not introduced entirely new requirements but rather has provided greater clarity and depth in areas such as operational resilience, cyber-enabled fraud, third-party dependencies, and governance of emerging technologies, including artificial intelligence.
Firms are expected to treat these observations as signals for prioritizing risk and for strengthening controls so that they function end to end, from design through day-to-day operation. Internal audit functions play a central role in translating these expectations into recalibrated, actionable audit plans and risk assessments. A critical takeaway is that compliance must extend beyond documented policies: regulators are increasingly focused on how controls are implemented, monitored, and sustained in practice.
Internal Audit as a Strategic Risk Function
Internal audit continues to evolve from a retrospective assurance function to a forward-looking strategic partner. To remain effective, audit teams must recalibrate their approaches in several key ways:
- Risk-Based Planning and Gap Analysis: Audit teams should align their annual plans with regulatory focus areas by conducting structured gap analyses that compare those focus areas against their Written Supervisory Procedures (WSPs), existing controls, and the audits already on the plan. This includes:
  - Mapping regulatory obligations and observations to internal processes
  - Identifying gaps between policy and execution
  - Prioritizing audits based on high-impact and emerging threats
- Cross-Functional Risk Visibility: Many control failures stem from siloed operations. Internal audit should evaluate how effectively information flows across:
  - Cybersecurity teams
  - Compliance and AML functions
  - Business and operational units
- Focus on Execution and Effectiveness: Audit scope should shift from verifying the existence of policies to assessing:
  - Whether controls are functioning as intended
  - Whether processes are scalable and sustainable
  - Whether outcomes align with regulatory expectations
Market Integrity and Financial Management
Market integrity and financial management remain priority focus areas for FINRA. However, expectations are shifting toward more holistic and operationally grounded assessments.
Market Integrity: Firms are expected to move beyond transaction-level reviews and assess the cumulative impact of their practices, including order routing decisions, execution quality across systems, and reliance on third-party tools.
Financial Management: Operational readiness is critical. Firms must ensure that systems, data, and processes can support increased regulatory demands, including real-time or near-real-time requirements. Key areas of focus include:
- Accuracy of financial records and regulatory filings
- Adequacy of capital and liquidity management
- Transition from periodic to more frequent financial computations
Liquidity and Stress Testing: Regulators expect firms to develop realistic, firm-specific stress scenarios; identify early warning indicators of financial stress; and maintain actionable contingency funding plans.
Operational Resilience as a Core Compliance Requirement: Firms must demonstrate the ability not only to recover from disruptions but also to maintain continuity of critical operations. Key components of operational resilience include system and data resilience, testing and validation, and governance and accountability. Operational resilience must be embedded into the broader compliance framework, ensuring alignment between regulatory obligations and technical capabilities.
Cyber-Enabled Fraud
Cyber-enabled fraud represents a convergence of cybersecurity and financial crime risks. Emerging tactics such as synthetic identities, voice cloning, and deepfake technologies are increasing both the sophistication and scale of fraud.
Breakdowns often occur due to fragmented coordination between cybersecurity and AML teams, delayed escalation of risk signals, and a lack of shared visibility across systems and functions.
The emphasis is shifting toward early detection that depends on a combination of technical and procedural controls, including behavioral analytics for detecting anomalous activity, enhanced identity verification processes, multi-factor authentication and access controls, and real-time monitoring of account activity.
When dealing with cyber-enabled fraud, strong programs demonstrate integrated governance across cyber and AML functions, clearly defined escalation pathways, and shared understanding of risk indicators.
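The controls above (behavioral analytics, real-time account monitoring, and shared escalation across cyber and AML) are easier to reason about with a concrete detection pattern. The following is an added example, not code from the webinar, K2 Integrity, or any firm named on this page. It correlates cyber signals (a login from an unrecognized device, a credential or contact-detail change) with a financial signal (an outbound transfer well above the account's usual size) inside a rolling window, and routes the resulting alert to both the cyber and AML queues when the two kinds of signal coincide. The event schema, the 24-hour window, the 3x "unusual transfer" threshold, and the sample events are all constructed assumptions for illustration.

```python
"""Added example: correlating cyber and financial risk signals per account.

Not part of the original page. Event fields, thresholds and sample data are
constructed for illustration only.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumed correlation window for related signals
UNUSUAL_MULTIPLE = 3.0         # assumed: transfer > 3x the account's typical size is unusual


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str            # "login" | "credential_change" | "contact_change" | "transfer_out"
    device: str = ""     # device fingerprint, used for logins
    amount: float = 0.0  # used for transfer_out


@dataclass(frozen=True)
class Alert:
    ts: datetime
    account: str
    signals: tuple       # risk signals seen for the account inside WINDOW
    route_to: tuple      # functions that must review it: ("cyber", "aml") or ("aml",)


class TakeoverDetector:
    """Flags large outbound transfers and escalates jointly when cyber signals precede them."""

    CYBER_SIGNALS = {"new_device_login", "credential_change", "contact_change"}

    def __init__(self, known_devices, typical_transfer):
        self.known_devices = {a: set(d) for a, d in known_devices.items()}
        self.typical_transfer = dict(typical_transfer)
        self._signals = defaultdict(deque)  # account -> deque of (ts, signal)

    def _prune(self, account, now):
        # Drop signals older than WINDOW so stale events do not inflate risk.
        q = self._signals[account]
        while q and now - q[0][0] > WINDOW:
            q.popleft()

    def _signal_for(self, ev):
        if ev.kind == "login":
            known = self.known_devices.get(ev.account, set())
            return None if ev.device in known else "new_device_login"
        if ev.kind in ("credential_change", "contact_change"):
            return ev.kind
        if ev.kind == "transfer_out":
            typical = self.typical_transfer.get(ev.account, 0.0)
            return "unusual_transfer" if ev.amount > UNUSUAL_MULTIPLE * typical else None
        return None

    def process(self, events):
        alerts = []
        for ev in sorted(events, key=lambda e: e.ts):
            self._prune(ev.account, ev.ts)
            sig = self._signal_for(ev)
            if sig is None:
                continue
            q = self._signals[ev.account]
            q.append((ev.ts, sig))
            if sig != "unusual_transfer":
                continue
            # A large transfer always interests AML. If a cyber signal preceded it
            # inside the window, it is a cyber-enabled fraud indicator and both
            # functions must see the same alert rather than separate fragments.
            recent = tuple(s for _, s in q)
            cyber = any(s in self.CYBER_SIGNALS for s in recent)
            route = ("cyber", "aml") if cyber else ("aml",)
            alerts.append(Alert(ev.ts, ev.account, recent, route))
        return alerts


def demo():
    """Run the detector over constructed sample events (not real account data)."""
    t0 = datetime(2026, 3, 2, 9, 0)
    known = {"ACCT-1": {"dev-a"}, "ACCT-2": {"dev-b"}, "ACCT-3": {"dev-c"}}
    typical = {"ACCT-1": 600.0, "ACCT-2": 1000.0, "ACCT-3": 1000.0}
    events = [
        # ACCT-1: routine activity from a known device, nothing to flag
        Event(t0, "ACCT-1", "login", device="dev-a"),
        Event(t0 + timedelta(minutes=10), "ACCT-1", "transfer_out", amount=500.0),
        # ACCT-2: unknown device, contact details changed, then a large transfer
        Event(t0, "ACCT-2", "login", device="dev-unknown"),
        Event(t0 + timedelta(minutes=5), "ACCT-2", "contact_change"),
        Event(t0 + timedelta(hours=1), "ACCT-2", "transfer_out", amount=9000.0),
        # ACCT-3: large transfer with no preceding cyber signal, AML review only
        Event(t0 + timedelta(hours=2), "ACCT-3", "login", device="dev-c"),
        Event(t0 + timedelta(hours=2, minutes=5), "ACCT-3", "transfer_out", amount=8000.0),
        # ACCT-2 three days later: the earlier cyber signals have aged out of the window
        Event(t0 + timedelta(days=3), "ACCT-2", "transfer_out", amount=9000.0),
    ]
    return TakeoverDetector(known, typical).process(events)


if __name__ == "__main__":
    for a in demo():
        print(a.ts.isoformat(), a.account, a.signals, "->", ",".join(a.route_to))
```

The design point is the routing decision, not the thresholds: the same transfer produces an AML-only alert when it stands alone and a joint cyber/AML alert when it follows an unrecognized device or a contact-detail change, which is the "clearly defined escalation pathway" the section calls for. In practice the baseline (known devices, typical transfer size) would be learned from history rather than hard-coded.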
Third-Party Risk Management
As firms increasingly rely on external vendors, third-party risk has become a critical area of focus. Vendor environments are dynamic, and risks may increase due to expansion of services, introduction of new technologies, or changes in data handling practices. Regulatory expectations are clear: accountability cannot be outsourced.
Elements of effective third-party risk management include:
- Initial Due Diligence
  - Assessment of vendor controls and security posture
  - Understanding of data flows and access rights
  - Evaluation of potential risks and dependencies
- Contractual Safeguards
  - Data protection requirements
  - Audit rights and reporting obligations
  - Incident response and data recovery provisions
- Ongoing Monitoring
  - Continuous assessment of vendor performance
  - Review of independent audit reports
  - Monitoring for emerging risks and vulnerabilities
  - Assessment of risk from fourth-party vendors (the vendor's own subcontractors) that handle firm data
Firms must continuously reassess vendor relationships to ensure that original risk assumptions remain valid.
Conclusion
The current regulatory and risk environment demands a more sophisticated and integrated approach to internal audit and risk management. Broker-dealers must evolve from compliance-driven models to resilience-driven frameworks that prioritize execution, coordination, and adaptability.
Internal audit plays a critical role in this transformation by:
- Aligning audit plans with emerging risks
- Evaluating the effectiveness of cross-functional processes
- Validating operational readiness across critical areas
Ultimately, success will depend on the ability of the organization to anticipate risks, respond proactively, and maintain resilience in the face of ongoing disruption. This requires not only robust controls, but also a culture of collaboration, accountability, and continuous improvement.