Communications Compliance: A Compliance Guide for Regulated Industries

Sedric Team

Communications compliance is the structured discipline of capturing, retaining, monitoring, and supervising every electronic and voice communication an employee or representative sends to a customer, prospect, counterparty, or the public — and being able to prove it to a regulator on demand. In financial services, banking, insurance, and healthcare, it is one of the most consequential risk functions a firm operates, and over the past three years it has produced the largest enforcement wave the U.S. capital markets have seen in a decade.

If you run compliance, supervision, or operations at a regulated firm, the way you handle communications — emails, instant messages, chats, voice calls, video meetings, social DMs, ephemeral messengers, partner channels — directly determines two things: the size of the supervisory exam findings on your next regulator visit, and the quantum of fines if a firm-wide off-channel-communications case lands on your desk. This guide walks through what communications compliance actually is, the regulatory frameworks that govern it, what a modern surveillance workflow looks like end-to-end, the pitfalls that have produced billions of dollars in recent fines, and how AI is reshaping the discipline in 2026.

What Is Communications Compliance?

A communications compliance program is the firm’s end-to-end answer to a simple regulatory test: show us every business communication every covered person sent or received, prove it was supervised, and prove it has been retained for the required period. The discipline operates across four interlocking functions: capture (ingest the message at source from every channel a covered person uses), retention (write to a tamper-evident archive for the rule-required period), surveillance (review captured messages for policy, regulatory, and conduct concerns), and supervision (escalate, document, and act on what surveillance flags).

The scope is far wider than most firms assume. Email and recorded calls are the obvious in-scope channels; the harder ones are Bloomberg IB chats, Microsoft Teams, Slack, WhatsApp and iMessage, Signal and Telegram, Zoom recordings and meeting transcripts, LinkedIn DMs, X DMs, Bloomberg messages, voicemail, SMS, partner-channel content, and the long tail of consumer messaging apps that show up the moment a salesperson takes their personal phone to a client dinner.

A defensible communications compliance program produces three deliverables on every covered communication: a complete capture (every party, every attachment, every edit), an immutable archive that satisfies the firm’s recordkeeping rule, and a documented supervisory review by a qualified person. Without all three, the firm is exposed even on communications that happen to be perfectly clean.

Why Communications Compliance Matters: The $3 Billion Wake-Up Call

Between September 2022 and the end of 2024, the SEC and CFTC announced settlements totaling roughly $3 billion in fines from more than sixty firms for failures to maintain and preserve electronic communications — most of them tied to employee use of WhatsApp, personal text, and other off-channel messaging tools that were never captured by the firm’s archive. The crackdown started with the major broker-dealers and quickly spread to investment advisers, swap dealers, and credit-rating agencies. The fines were not for what the messages said. They were for the fact that the firms could not produce them.

The pattern across the settlements is consistent and instructive:

  • Personal devices used for business. Employees, including senior managers and supervisors, routinely conducted business over personal phones via WhatsApp, iMessage, and SMS. Firms’ written supervisory procedures prohibited this, but the prohibitions were not enforced.
  • Recordkeeping rule violations as a strict-liability offense. SEC Rule 17a-4 and the equivalent CFTC and FINRA rules require firms to preserve business communications. The SEC’s position has been that failure to preserve is itself the violation; whether the underlying communications contained anything problematic is irrelevant.
  • Self-reporting did not insulate firms. Several settlements include credit for cooperation, but every covered firm paid a meaningful fine.
  • The crackdown is not over. Subsequent SEC examination priorities have continued to flag electronic-communications recordkeeping as a focus area, and the CFTC has signaled the same posture for derivatives.

For firms outside the U.S. capital markets the pressure looks different but the substance is the same. The UK’s Financial Conduct Authority enforces parallel obligations under FCA SYSC 9 and Consumer Duty, with several seven-figure fines in the past two years for failures to record relevant conversations. EU firms face the same expectations under MiFID II Article 16(7) and the Market Abuse Regulation. The discipline is no longer a back-office archiving question; it is a front-line operational risk function with seven- and eight-figure consequences when it fails.

Who Needs a Communications Compliance Program?

Any business whose conduct, advice, or transactions with customers are governed by sector-specific recordkeeping or supervision rules needs a formal communications compliance program. That includes, at minimum:

  • Broker-dealers and registered investment advisers — SEC Rule 17a-4, Rule 204-2, FINRA Rule 3110, FINRA Rule 4511, FINRA Rule 3170 (taping rule), MSRB Rule G-9.
  • Banks, credit unions, and consumer lenders — CFPB UDAAP-driven communications oversight, fair-lending considerations, FDIC and OCC examination expectations on customer communications.
  • Swap dealers, futures commission merchants, introducing brokers — CFTC Rule 1.31 and CFTC Rule 23.202.
  • Insurance carriers, MGAs, and producers — NAIC Model Regulation 470 (suitability in annuity transactions), state DOI call-recording rules, market-conduct examination expectations.
  • Healthcare communications under HIPAA — covered entities and business associates handling protected health information.
  • UK- and EU-regulated firms — MiFID II Article 16(7) (record electronic comms and relevant phone calls), Market Abuse Regulation Article 16, FCA SYSC 9 (record-keeping), FCA Consumer Duty Principle 12.
  • Trading platforms and crypto-asset service providers — the same financial-services framework plus MiCA (Markets in Crypto-Assets Regulation) marketing and conduct provisions in the EU.
  • BPOs, third-party servicers, and any partner handling regulated communications on a covered firm’s behalf — the supervisory obligation flows down through vendor management; the regulator holds the firm accountable for what its servicers say.

If your firm sits in any of these categories, every channel a covered person uses for business is in scope of the recordkeeping rule, regardless of which device or app it was sent from.

The Regulatory Map: Communications Compliance Frameworks by Jurisdiction

The substantive rules look different across regulators, but the structural pattern is consistent: capture every covered communication, retain it in a tamper-evident archive for a fixed minimum period, supervise it with documented review, and produce it on regulator demand within tight deadlines. Below is a working map of the frameworks that drive most U.S. and UK programs today.

U.S. Broker-Dealers: SEC Rule 17a-4 and the FINRA Supervision Stack

SEC Rule 17a-4 is the foundational recordkeeping rule for U.S. broker-dealers. It requires preservation of originals of all communications received and copies of all communications sent in connection with the firm’s business as such, for at least three years (the first two readily accessible). The 2022 amendments added an audit-trail requirement and clarified that records may be preserved using either WORM-compliant electronic storage or an audit-trail system that meets specific requirements. FINRA Rule 4511 incorporates and extends the recordkeeping requirements; FINRA Rule 3110 sets the supervisory framework, including the requirement that a registered principal review communications subject to filing or pre-use approval. FINRA Rule 3170 (the taping rule) requires firms with a defined concentration of registered persons from disciplined firms to record all telephone conversations with customers.

U.S. Investment Advisers: SEC Rule 204-2

Registered investment advisers fall under the Advisers Act recordkeeping rule, Rule 204-2, which requires preservation of all written communications received and copies of all written communications sent by the investment adviser relating to recommendations, advice, receipt or disbursement of funds, or the placing or execution of orders. The retention period is generally five years from last use, with the first two readily accessible. The amended SEC Marketing Rule overlays additional substantiation and preservation requirements on advertisements and testimonials.

CFTC-Regulated Entities

CFTC Rule 1.31 sets the analogous recordkeeping standard for futures commission merchants and other CFTC registrants; Rule 23.202 covers swap dealers and major swap participants. The standards are functionally aligned with the SEC framework but contain CFTC-specific scope and retention nuances. The 2022–2024 enforcement wave produced parallel CFTC settlements alongside the SEC actions.

Banking, Lending, & Consumer Finance

For banks, fintechs, and consumer lenders, communications compliance lives at the intersection of CFPB UDAAP authority, fair-lending considerations under ECOA and the Fair Housing Act, and the prudential regulators’ examination expectations. A bank’s communications-compliance program must capture not only direct customer communications but also the conduct of partner banks and BaaS arrangements, where the regulator holds the bank accountable for the partner’s communications. For a deeper treatment of how UDAAP risk runs through customer communications, see Sedric’s analysis of how AI can help tame UDAAP risk.

Insurance: NAIC Model Regulations and State DOI Rules

Insurance communications are regulated primarily at the state level, with most states adopting elements of the NAIC’s suitability and best-interest model regulations (Model 270, the parallel annuity suitability framework, and state-by-state market-conduct expectations). Several states require call recording for annuity sales and post-sale customer interactions; market-conduct exam questionnaires routinely sample those recordings. A communications compliance program for an insurance carrier or distributor must therefore handle a 50-state matrix of overlapping recording, retention, and supervision rules.

UK: FCA SYSC 9, Consumer Duty, and the Recording Regime

In the UK, FCA SYSC 9 sets the high-level record-keeping requirement; the chapter-specific recording obligations live in COBS 11.8 for in-scope investment business. The Consumer Duty (in force since July 2023) added a Principle 12 obligation to act to deliver good outcomes for retail customers, which the FCA has explicitly tied to communications quality. FCA enforcement in 2024 included multiple seven-figure fines for failure to record relevant conversations or to act on what surveillance flagged.

EU: MiFID II Article 16(7) and the Market Abuse Regulation

MiFID II Article 16(7) requires in-scope investment firms to record electronic communications and relevant phone calls intended to result in transactions, and to retain those records for at least five years (extendable to seven by the competent authority). The Market Abuse Regulation overlays an obligation to detect and report market-abuse signals; firms must run surveillance against captured communications for that purpose. ESMA Q&As have repeatedly clarified that personal-device use is not a get-out clause — the obligation attaches to the business communication, not the device.

Cross-Industry: GDPR, Privacy, and Data-Localization Layered On Top

Every communications compliance program must layer privacy and data-protection obligations on top of recordkeeping rules. GDPR and UK GDPR set retention-minimization expectations that can pull in the opposite direction from financial-services preservation requirements; firms resolve the tension via documented legal-basis analyses and channel-specific retention policies. State privacy laws (CCPA/CPRA, the parallel laws in Virginia, Colorado, Connecticut, Utah, Texas, and others) and HIPAA in healthcare add further constraints on what may be collected, who may access it, and how long it may be held.

What a Modern Communications Compliance Workflow Looks Like

A defensible communications compliance program is not a single product. It is a documented workflow that connects capture, retention, surveillance, supervision, and audit response into one continuously running pipeline. The shape of that pipeline is broadly the same across regulated industries.

Stage 1: Channel Inventory and Capture Coverage

Every workflow starts with a complete inventory of channels a covered person uses for business. Email and recorded voice are the easy two; the work is in the long tail — Bloomberg IB, Teams, Slack, WhatsApp, iMessage, Signal, Telegram, Zoom, LinkedIn, X DMs, Bloomberg messages, voicemail, SMS, partner channels. For each channel, the program must answer: is the channel approved for business, is capture technically in place, and is capture enforced at the device or identity layer? Channels approved without capture are the failure pattern that produced the off-channel-communications enforcement wave.

Stage 2: Retention and Archive Integrity

Captured communications flow into a retention archive that satisfies the firm’s applicable rule (3 years for broker-dealers under 17a-4, 5 years for advisers under 204-2, 5–7 years for MiFID II, longer for some state insurance regimes). The archive must meet the rule’s integrity standard — WORM or audit-trail under 17a-4(f) — and must include a complete chain of custody from capture through retrieval. A modern archive also handles legal-hold mechanics and produces the rule-required undertakings letter for an independent third party.
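The integrity and chain-of-custody properties this stage describes are easier to reason about with a small working model. The Python below is an added example, not Sedric's code or any archive product's implementation: it links each captured record to its predecessor with a SHA-256 hash chain (one common way to make an append-only store tamper-evident, used here as an illustration rather than as the mechanism any rule mandates), keeps a custody log of capture, hold and retrieval events, and applies the retention minimums quoted in the text. The regimes, actors, addresses and message bodies are constructed for the example.

```python
"""Added example: a hash-chained, append-only archive with a retention clock,
legal holds and a custody log. Illustrative only; not a vendor's implementation."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import date

GENESIS_HASH = "0" * 64

# Minimum retention periods in years, as summarised in the text above.
# A real program confirms the applicable rule per firm and product line.
RETENTION_YEARS = {"broker-dealer": 3, "investment-adviser": 5, "mifid-ii": 5}


@dataclass
class Record:
    seq: int
    channel: str
    sender: str
    recipients: tuple
    sent_on: str        # ISO date the communication was sent
    body: str
    prev_hash: str      # digest of the preceding record; links the chain
    hash: str = field(init=False)

    def __post_init__(self):
        self.hash = self.compute_hash()

    def compute_hash(self):
        # Canonical JSON so the digest does not depend on field order.
        payload = json.dumps(
            {"seq": self.seq, "channel": self.channel, "sender": self.sender,
             "recipients": list(self.recipients), "sent_on": self.sent_on,
             "body": self.body, "prev_hash": self.prev_hash},
            sort_keys=True)
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class Archive:
    def __init__(self, regime):
        self.regime = regime
        self.records = []
        self.holds = set()       # seq numbers under legal hold
        self.custody_log = []    # (seq, event, actor): chain of custody

    def ingest(self, channel, sender, recipients, sent_on, body,
               actor="capture-connector"):
        prev = self.records[-1].hash if self.records else GENESIS_HASH
        rec = Record(len(self.records), channel, sender, tuple(recipients),
                     sent_on, body, prev)
        self.records.append(rec)
        self.custody_log.append((rec.seq, "captured", actor))
        return rec

    def place_hold(self, seq, actor):
        self.holds.add(seq)
        self.custody_log.append((seq, "legal-hold", actor))

    def retrieve(self, seq, actor):
        self.custody_log.append((seq, "retrieved", actor))
        return self.records[seq]

    def verify(self):
        """Recompute every digest and link. Returns (ok, first_bad_seq)."""
        prev = GENESIS_HASH
        for rec in self.records:
            if rec.prev_hash != prev or rec.compute_hash() != rec.hash:
                return False, rec.seq
            prev = rec.hash
        return True, None

    def eligible_for_disposal(self, seq, today):
        """True once the regime's minimum period has run and no hold applies."""
        if seq in self.holds:
            return False
        sent = date.fromisoformat(self.records[seq].sent_on)
        years = RETENTION_YEARS[self.regime]
        try:
            expiry = sent.replace(year=sent.year + years)
        except ValueError:             # 29 Feb in a non-leap target year
            expiry = sent.replace(year=sent.year + years, day=28)
        return date.fromisoformat(today) >= expiry


def demo():
    """Constructed walk-through: two captures, then one simulated edit."""
    archive = Archive("broker-dealer")
    archive.ingest("email", "rep@firm.example", ["client@example.com"],
                   "2023-03-01", "Confirming the allocation we discussed.")
    archive.ingest("teams", "rep@firm.example", ["client@example.com"],
                   "2023-03-02", "Term sheet attached.")
    ok_before, _ = archive.verify()
    archive.records[0].body = "Confirming a different allocation."  # tamper
    ok_after, bad_seq = archive.verify()
    return ok_before, ok_after, bad_seq
```

`verify()` is what an exam-day integrity check looks like in miniature: any edit to a stored record, or any record removed from the middle of the chain, breaks a digest or a link and the first affected sequence number is reported. Legal holds are kept outside the hashed payload on purpose, so placing or lifting a hold is a custody event rather than a change to the record itself.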

Stage 3: Surveillance and Lexicon Application

Surveillance applies the firm’s policy library to captured communications and flags messages that warrant supervisory review. Traditional lexicon-based surveillance uses regular-expression rules over a set of risky terms; modern surveillance layers natural-language and context-aware models that understand intent rather than literal phrasing. The output is a queue of alerts, ranked by risk, routed to supervisors with the relevant context.

Stage 4: Supervisory Review and Documentation

A qualified principal or supervisor reviews each escalated alert, documents the review decision (no action, coaching, escalation, remediation), and closes the loop. The review record is the artifact a regulator asks to see during an exam — not just “we surveil” but “we surveilled this message, this person reviewed it, this decision was made, and here is the audit trail.”

Stage 5: Escalation, Remediation, and Disclosure

Some alerts trigger escalation paths: a possible market-abuse signal goes to the surveillance-investigations team; a UDAAP-adjacent customer interaction goes to the consumer-protection team; a confirmed instance of misconduct goes to HR and potentially to regulator self-reporting. The workflow must connect these escalation paths to existing case-management infrastructure rather than running in a parallel silo.

Stage 6: Audit Response and Production

When a regulator’s production request lands — an SEC subpoena, a FINRA Rule 8210 request, a state DOI market-conduct exam — the workflow must locate, hold, and produce the responsive communications within the response window (often 10–30 days). Programs that rely on manual search across siloed systems routinely miss the window or produce incomplete sets. Programs with a queryable single archive produce on time.

Stage 7: Continuous Improvement and Lexicon Tuning

The lexicon and surveillance models drift as products, channels, and regulator priorities evolve. The workflow must include a periodic tuning cycle — review false positives, calibrate thresholds, add patterns for emerging risks, retire patterns that have become noise. Without it, alert volume balloons and meaningful signals get buried.

For a deeper treatment of how marketing review (the cousin discipline) operates end-to-end, see Sedric’s pillar on marketing review for regulated industries.

Common Pitfalls That Trigger Enforcement

The same patterns recur across nearly every electronic-communications enforcement action. Knowing them is the first defense.

  • Off-channel communications. Personal-device WhatsApp, iMessage, and SMS for business. Employees default to whatever channel the customer uses; supervisors do the same; firms’ prohibitions exist on paper but not in practice. The single most expensive failure pattern in the past three years.
  • Ephemeral messaging. Signal, Telegram, and disappearing-message modes in standard apps create a recordkeeping black hole by design. The SEC’s position is unambiguous: a channel that auto-deletes business communications is not compliant, regardless of intent.
  • Unsupervised channels. A salesperson’s LinkedIn DMs, a branch-level Facebook page, partner co-marketing emails, customer-service chatbots — all are firm communications and all must be in scope. Programs that focus only on email and Bloomberg leave entire surfaces unsupervised.
  • Lexicon-only surveillance against modern messaging. A regex for “guaranteed return” will not catch “you’re basically guaranteed to do well here, just between us.” Surveillance that depends entirely on literal phrasing misses most of what enforcement actions actually find.
  • Stale or missing supervisory documentation. Reviews happen but are not documented; documentation exists but is unsearchable; surveillance flags issues but no resolution is recorded. The exam-day question is always the same: show us the record.
  • Capture coverage drift. A new collaboration tool is rolled out by IT; capture isn’t configured; covered persons start using it for business; six months later a regulator asks for the records and they don’t exist. New-tool onboarding without capture review is one of the most common root causes of capture-coverage gaps.
  • Voice surveillance neglect. Programs frequently invest heavily in email surveillance and treat voice as an afterthought. Voice carries higher-risk content (live sales conversations, unscripted statements, customer complaints). A modern program treats voice with at least as much surveillance depth as text.

Building a Scalable Communications Compliance Program

The hard part of communications compliance is not running the workflow once. It is running it consistently, across every channel and every covered person, at the velocity modern firms operate at, without becoming the bottleneck the business resents.

A few program-level decisions separate scalable programs from the ones that fail audit:

A single source of truth. Captured communications from every channel land in one queryable archive. Programs with separate archives per channel cannot answer a regulator’s “produce all communications between X and Y” request without weeks of forensic work.

Identity-based capture, not device-based capture. The covered person is the unit of supervision, not the device. A program that captures the BlackBerry but not the iPhone the same person uses on weekends is failing.

Risk-tiered surveillance. Not every covered person warrants the same surveillance depth. Sales-floor personnel running high-pressure conversations need denser surveillance than back-office operations staff. Tiering by risk lets the program focus attention where the regulatory exposure actually lives.

Codified, evolving lexicons and models. The policy library must be a living artifact — updated when new products launch, when regulators publish new priorities, when the firm’s own incident history points to new patterns. A static lexicon is a stale lexicon within twelve months.

Defensible documentation by default. Every alert, every review, every decision is captured automatically as a byproduct of the workflow. If documentation is something a supervisor has to remember to add, it will fail.

Metrics the regulator will ask for. Average time from capture to surveillance review, alert closure time, escalation rates, false-positive rates by lexicon element, percentage of channels under continuous capture, audit-readiness score. The program is only as good as the metrics it can produce on the morning of an exam.

How AI Is Changing Communications Compliance in 2026

Communications surveillance has historically been a regular-expression discipline. A reviewer wrote a lexicon, the system flagged messages matching the lexicon, and a human triaged the flags. That model worked when communications volume was measured in millions of messages a quarter. It does not scale to a world where a single firm produces tens of millions of messages a day across dozens of channels, with most of the high-risk content in the form of inferential conversation rather than literal phrasing.

AI is reshaping the discipline in three concrete ways. First, large language models can read messages the way a senior compliance analyst would — understanding context, sarcasm, inferential meaning, and code-switching across languages — at a speed and consistency human surveillance teams cannot match. Second, AI can run continuous, lexicon-free surveillance against the firm’s policy library, identifying conduct concerns that no regex would have caught. Third, AI can triage and prioritize the alert queue so human supervisors spend their time on the messages that matter, not on yet another “guaranteed” false positive.

The risk is also real. A surveillance model that hallucinates flags wastes supervisor time and, worse, can produce documentation that itself becomes a regulatory liability. The bar is human-in-the-loop oversight, model documentation, bias monitoring, explainability of every flag, and continuous validation. Regulators have been explicit that they expect AI surveillance tools to be governed with the same rigor as any other compliance control.

Used well, AI takes communications compliance from a backwards-looking sampling discipline to a forward-looking continuous-monitoring discipline. Used carelessly, it just creates a faster way to miss the same things.

Where Sedric Fits

Sedric is an AI compliance platform built specifically for regulated communications and marketing. Its communications compliance product sits across the workflow described above — capture coverage, surveillance, supervisory review, escalation, and audit response — and applies a regulator-tuned policy engine to every captured communication. The platform encodes the relevant frameworks (SEC 17a-4, FINRA 3110/4511/3170, SEC 204-2, CFTC 1.31/23.202, MiFID II 16(7), MAR Article 16, FCA SYSC 9 and Consumer Duty, NAIC suitability, and the firm’s own internal policies) as a structured rule library, runs every covered communication against that library, and produces an explainable, auditable supervisory record.

In practice, that means surveillance teams shift from sampling a fraction of messages to continuously reviewing all of them, false positives drop materially as the policy engine learns the firm’s context, and the firm walks into any regulator exam or production request with a complete, queryable archive of what was captured, what was reviewed, who reviewed it, and what was decided. Sedric’s broader compliance platform extends the same approach across marketing and partner-channel content — the surfaces where most of the recent enforcement action has actually occurred. Firms looking at the underlying engine can read more about the AI Reviewer for a closer look at how the policy library is applied at scale.

The point is not that AI replaces the principal, the supervisor, or the in-house counsel. It does not, and regulators do not expect it to. The point is that a modern communications compliance program treats human judgment as the scarce resource and uses AI to apply that judgment consistently across a much larger volume of communication than any team could supervise by hand.

Communications Compliance FAQ

What is communications compliance?

Communications compliance is the discipline of capturing, retaining, supervising, and producing every business communication a covered person sends or receives, against applicable recordkeeping and supervision rules. In financial services, banking, insurance, and healthcare, it is governed by sector-specific frameworks including SEC Rule 17a-4, FINRA Rule 3110, MiFID II Article 16(7), and FCA SYSC 9.

What are off-channel communications and why are they a problem?

Off-channel communications are business messages sent over channels the firm has not approved or captured for compliance — typically personal-device WhatsApp, iMessage, SMS, or ephemeral messengers. The 2022–2024 SEC and CFTC enforcement wave produced more than $3 billion in fines from sixty-plus firms for off-channel communications failures, almost all of them tied to inadequate capture rather than the content of the messages.

How long must firms retain electronic communications?

Retention periods vary by regulator. SEC-registered broker-dealers are subject to Rule 17a-4 (generally three years from last use, with the first two readily accessible). SEC-registered investment advisers are subject to Rule 204-2 (generally five years). MiFID II Article 16(7) requires at least five years (extendable to seven). State insurance regimes vary; many require five to ten years for annuity-related communications. Always confirm the applicable rule for your firm and product line.

Does communications compliance apply to social media DMs and ephemeral messengers?

Yes. FINRA Regulatory Notices 10-06, 11-39, and 17-18, and the SEC’s public statements following the off-channel-communications enforcement wave, make clear that the recordkeeping obligation attaches to the business communication itself — not the channel or device. A LinkedIn DM about an investment recommendation is a covered communication. A Signal message conducting business is a covered communication, and an ephemeral channel is not a defense.

Who is responsible for communications compliance in a regulated firm?

Responsibility is shared. The Chief Compliance Officer or designated principal owns the program. Supervisors review and document escalated alerts. IT and security own the capture and archive infrastructure. The General Counsel handles regulator engagement during exams or productions. The CEO and Board are accountable at the governance level — which is why electronic-communications failures have produced senior-leadership consequences alongside firm-level fines.

Can AI replace human supervisors in communications surveillance?

No, and regulators are clear on this point. AI can dramatically expand surveillance coverage, apply the firm’s policy library more consistently than any human team, and triage the alert queue so supervisors focus where the risk is. But the principal’s sign-off, the supervisory documentation, and the regulator-facing accountability remain human responsibilities. AI is the senior analyst that never sleeps; the principal is still the principal.

What records does a regulator typically request during a communications compliance exam?

A standard production request will ask for: a complete inventory of approved communication channels and capture status; the firm’s written supervisory procedures for communications; the lexicon or surveillance policy library; alert volumes and disposition rates over the exam period; supervisory review records for sampled alerts; the audit trail for a sample of communications by named individuals; and evidence of capture coverage on personal devices used for business. Firms that cannot produce any of these on demand face material findings.

Closing Thought

Communications compliance is, in the end, the firm’s answer to a single regulator question: show us every business message every covered person sent, prove you supervised it, and prove it has been retained. The firms that answer that question well have a single queryable archive across every channel, a continuously running surveillance engine that understands intent rather than just literal phrasing, defensible supervisory documentation produced as a byproduct of the workflow, and the technology to apply that machinery at the scale of modern business communication. The firms that answer it badly are the ones that paid eight-figure fines for messages they couldn’t even produce. Communications compliance is not glamorous, but in regulated industries it is the difference between an exam that ends with a no-action letter and an exam that ends with a press release. The discipline is worth getting right.
