Frequently Asked Questions About SEC and FINRA Communications Compliance
Compliance officers and ops leads ask the same questions again and again about communications compliance. This page is a single FAQ—retention, channels, exams, vendors, “readily accessible,” and common mistakes—with short answers and links to deeper posts where they exist.
Retention and storage
How long do we have to keep business communications?
It depends on the record type and whether you’re an RIA, broker-dealer, or both. Broker-dealer Rule 17a-4 specifies retention periods (e.g. 3 or 6 years) for certain records. RIAs have Advisers Act retention requirements. Confirm with your compliance lead or counsel and document your retention schedule.
What is WORM and do we need it?
WORM = Write Once, Read Many. For broker-dealers, 17a-4 requires certain records to be kept in a non-rewriteable, non-erasable format. RIAs aren’t under 17a-4 but are expected to maintain records in a way that supports examination and isn’t alterable to hide misconduct. In practice, WORM or equivalent is the standard for serious archiving.
Can we use the cloud for our archive?
Yes. Cloud storage can satisfy WORM and retention requirements if the provider and configuration support non-rewriteable, non-erasable storage and you can search and produce in a reasonable time. Many advisers and BDs use cloud-based archive vendors.
Channels and coverage
Do we have to archive every Slack (or Teams) message?
If the channel is used for business-related communications that relate to recommendations, orders, or advice, those messages are generally in scope. Archive what’s business-related; document your policy and scope.
What about WhatsApp / iMessage / personal email?
If reps use these for firm business, those communications are subject to the same retention and supervision expectations. Best practice is to either capture them (where feasible) or prohibit business use on non-captured channels and enforce it.
Does social media need to be archived?
Business-related posts and DMs that relate to your advisory or broker-dealer activities are typically in scope. Marketing and advertising rules also apply. Archive and supervise per your policy.
Examinations and production
What does “readily accessible” mean?
You must be able to search and produce records for examiners without undue delay. That usually means searchable by date, person, and topic, and producible (e.g. export or access) within a reasonable time—not “we’ll restore from backup in two weeks.”
What if we get an exam request and our archive is slow or incomplete?
Produce what you can, by the deadline. Be transparent about limitations. After the exam, fix the gaps (retention, coverage, search) so you’re not in the same position next time.
Can we delete anything once it’s in the archive?
Generally no, for the retention period. Deletion or “we deleted it for housekeeping” is a red flag. Legal hold or regulator guidance may require preservation beyond normal retention.
Vendors and technology
What should we look for in an archiving vendor?
WORM or equivalent, search and production capability, coverage of the channels you use, configurable retention, audit trail, and a vendor that understands SEC/FINRA expectations. See our communications archiving buyers guide for more.
We use spreadsheets for attestations. Is that okay?
Examiners care that you have a process and evidence. Spreadsheets can work if they’re complete and you can produce them. For scale and audit trail, many firms move to a dedicated compliance or attestation tool.
How do we prove we’re compliant?
Policies, retention schedule, evidence of capture (e.g. archive), attestations, training records, and the ability to produce on request. Organize these so you can respond quickly to an exam.
Common mistakes
| Mistake | Better approach |
|---|---|
| Assuming “we have email in Outlook” is enough | You need capture that’s immutable, searchable, and retained. |
| Letting reps use unapproved channels for business | Define approved channels; capture them; prohibit or strictly limit the rest. |
| No attestations or ad-hoc only | Regular (e.g. quarterly) attestations with reminders and a single log. |
| Can’t search or produce in days | Treat “readily accessible” as a requirement; fix archive and process. |
| Deleting or “cleaning up” to save space | Don’t. Retention and legal hold override convenience. |
Edge cases
We’re dually registered. One archive or two?
You can use one system if it meets both RIA and BD requirements (e.g. WORM, retention, search). Document that it satisfies both sets of rules.
We’re a state-registered RIA.
State rules may add requirements. Know your state and any state-specific retention or production expectations.
We’re switching from BD to RIA only.
Historical BD records may still be subject to 17a-4 retention. Don’t destroy them without confirming with counsel.
Where to go deeper
- What SEC and FINRA expect from your communications archive
- Communications archiving tools: buyers guide
- How to prepare for a compliance exam when you’re short on time
- RIA vs broker-dealer compliance
Have a question we didn’t cover? Get in touch or request a demo—we’re happy to point you to the right resource.