What SEC and FINRA Actually Expect From Your Communications Archive
If you're an RIA or broker-dealer, you know you have to archive communications. But what exactly do the SEC and FINRA expect—and how do you prove you're compliant when examiners show up?
This guide breaks down the real requirements: Rule 17a-4, WORM storage, the "readily accessible" standard, and the edge cases that trip firms up (email, chat, social, personal devices).

The short version
- SEC Rule 17a-4 (and related rules) requires broker-dealers to preserve certain records in a non-rewriteable, non-erasable format (WORM) and to keep them readily accessible for the duration of the retention period.
- RIAs are subject to Advisers Act record-keeping rules that overlap in spirit: you must keep and retain records in a way that supports examination and cannot be altered or deleted to hide misconduct.
- "Readily accessible" means examiners can get what they need without you rebuilding or restoring from backups—so your archive must be searchable and producible in a reasonable time.
What is WORM, and why does it matter?
WORM = Write Once, Read Many. Regulators want to ensure that once a communication is captured, it can't be overwritten or erased. That protects the integrity of the record and supports enforcement.

| Requirement | What it means in practice |
|---|---|
| Non-rewriteable | Records can't be edited after capture. |
| Non-erasable | Records can't be deleted before the end of the retention period. |
| Readily accessible | You can search and produce them for examiners without undue delay. |
| Retention period | Typically 3–6+ years depending on record type; know your obligations. |

If your "archive" is just a shared drive or inbox that admins can delete from, you're not meeting the standard. You need a system that enforces immutability and retention.
What has to be archived?
Coverage depends on whether you're an RIA, broker-dealer, or both. In general, business-related communications that relate to recommendations, orders, or advice need to be captured.

| Channel | Often in scope | Edge cases |
|---|---|---|
| Email | Yes—business email used for firm business | Personal email used for firm business; forwarding to personal. |
| Instant message / chat | Yes—if used for business | Off-channel (e.g. WhatsApp, iMessage) used for client or order-related talk. |
| Social media | Yes—posts and DMs that are business-related | Who posts (firm vs rep), what counts as an ad vs. personal. |
| Video / meetings | Increasingly in scope | Recordings, links, and summaries may need to be retained. |

Edge case: personal devices. If reps use personal phones or email for firm business, those communications are still subject to the same rules. Your policies and technology need to account for that (e.g. capture at the firm level or require business-only channels).
Readily accessible: what examiners want
"Readily accessible" doesn't just mean "we have it somewhere." It means:
- Searchable — By date, person, topic, or other criteria examiners care about.
- Producible — You can export or provide access in a format they can use.
- Timely — No "we'll need two weeks to restore from backup." Your archive should support same-day or next-day production for exam requests.
If you can't run a targeted search and produce results within a reasonable window, you're at risk of being cited for record-keeping failures.
FAQ
Do we need to archive every Slack message?
If Slack (or similar) is used for business-related communications that relate to recommendations, orders, or advice, then yes—those messages need to be captured and retained per your applicable rules.
What if we use personal email for some client communication?
If it's firm business, it's subject to the same retention and accessibility requirements. Best practice is to use firm-captured channels or a solution that captures copies of sent/received business communication.
How long do we have to keep communications?
It varies by record type and regulator. Broker-dealer 17a-4 has specific retention periods (e.g. 3 or 6 years). RIAs have their own retention rules. Confirm with your compliance lead or counsel and document your retention schedule.
Can we use the cloud?
Yes. Cloud storage can meet WORM and retention requirements if the provider and configuration support non-rewriteable, non-erasable storage and you maintain the ability to search and produce records.
Bottom line
SEC and FINRA expect your communications archive to be complete (all in-scope channels), immutable (WORM), retained for the required period, and readily accessible for examination. Getting this right reduces exam risk and gives you confidence when examiners ask for records.