Communications Compliance for RIAs and Wealth Managers: SEC 17a-4, 204-2, and the Off-Channel Cycle

Sedric Team
Communications

TL;DR — Communications compliance for RIAs and wealth managers in 2026 is dominated by one enforcement story: the off-channel communications cycle. Since fiscal year 2022 the SEC has collected more than US$2.3 billion in penalties, with parallel CFTC penalties on top, from broker-dealers, dual-registrants, and advisers for failing to preserve business communications conducted on personal devices and unapproved channels (WhatsApp, Signal, iMessage, personal email, Telegram). The underlying rules, SEC Rule 17a-4 for broker-dealers, Rule 204-2 for advisers, and FINRA Rule 3110 for supervision, predate the messaging-app era by decades. The supervisory programme that works in 2026 has three layers: a policy that recognises how people actually communicate, a technology layer that captures and reviews communications across every channel the firm sanctions, and an audit trail that holds up under examination.

Table of contents

  • The off-channel communications cycle, in numbers
  • The rules behind the cycle
  • What counts as a "business communication"
  • The two surfaces: recordkeeping vs supervisory review
  • The supervisory architecture that works
  • The technology layer
  • Integrating Sedric with archives and surveillance vendors
  • Building a programme that survives a sweep
  • FAQ

The off-channel communications cycle, in numbers

On 27 September 2022, the SEC announced charges against fifteen broker-dealers and one affiliated investment adviser for "widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications." Combined penalties were US$1.1 billion. The CFTC announced parallel charges the same day, adding US$710 million in penalties. The firms admitted that, across thousands of employees, business communications had been routinely conducted on personal devices and unapproved channels and not preserved.

That September 2022 round was the largest of a multi-year enforcement cycle that had opened with a single-firm action in December 2021. The SEC followed with additional charges throughout 2023, 2024, and into 2025, each round picking up additional firms and additional categories of registrant. The cumulative settled penalties from SEC actions on off-channel communications are now more than US$2.3 billion since fiscal year 2022, with parallel CFTC penalties on top of that. The cycle is no longer limited to broker-dealers and dual-registrants; standalone investment advisers have been charged.

The pattern in each settled order is consistent. Employees — including senior personnel — used WhatsApp, Signal, iMessage, personal email, and other unapproved channels for business communications. The communications were not preserved as the firm's books and records required. The firm's policies prohibited the conduct on paper, but the firm did not have surveillance or capture in place to detect the conduct in practice. The settled orders cite the policy-versus-reality gap as the defining failure.

For RIAs and wealth managers, the lesson of the cycle is operational: a written policy banning off-channel use is not enough. The firm has to detect, capture, and respond. The technology layer is the difference between policy-on-paper and a defensible supervisory programme.

The rules behind the cycle

The off-channel cycle is litigated under longstanding books-and-records rules, but the supervisory standard sits across multiple regulations.

Rule 17a-4 (broker-dealers and dual-registrants)

Rule 17a-4 under the Securities Exchange Act of 1934 sets the preservation rules for broker-dealer books and records. Paragraph (b)(4) covers originals of communications received and copies of communications sent relating to the broker-dealer's business as such, and it is the provision the off-channel orders are brought under. Electronic records had to be kept in a non-rewriteable, non-erasable ("WORM") format; the 2022 amendments allow an audit-trail alternative that keeps a complete, time-stamped record of every modification and deletion. Communications must be retained for not less than three years, the first two in an easily accessible place; some other categories of broker-dealer records run six years.

Rule 204-2 (investment advisers)

Rule 204-2 under the Investment Advisers Act of 1940 sets the books-and-records rules for advisers. Paragraph (a)(7) covers originals of written communications received and copies of written communications sent by the adviser relating to its advisory business, including recommendations and advice given or proposed to be given. Records must be kept in an easily accessible place for not less than five years from the end of the fiscal year in which the last entry was made, the first two years in an appropriate office of the adviser.

FINRA Rule 3110 (supervision)

FINRA Rule 3110 requires broker-dealers to establish and maintain a system to supervise the activities of associated persons that is reasonably designed to achieve compliance with applicable securities laws and FINRA rules. Communications supervision sits squarely within this. Rule 3120 requires the firm to test the supervisory system annually.

FINRA Rule 4511

FINRA Rule 4511 incorporates the SEC books-and-records rules into FINRA's framework and adds specific recordkeeping requirements for FINRA member firms.

The Advisers Act compliance rule (Rule 206(4)-7)

Rule 206(4)-7 requires every SEC-registered adviser to adopt and implement written policies and procedures reasonably designed to prevent violation of the Advisers Act and the rules thereunder, to review the adequacy of those policies and procedures annually, and to designate a chief compliance officer. Communications-compliance failures are routinely cited as 206(4)-7 violations because they reflect a programme that was not reasonably designed for the activity it was supposed to cover.

The off-channel cycle is technically a books-and-records cycle, but the SEC's framing in the settled orders has emphasised the supervisory rule violations alongside the retention failures. A firm cannot win the supervisory question on paper alone.

What counts as a "business communication"

The defining question in the off-channel cycle is whether a given communication is a business communication that must be preserved. The answer turns on substance, not channel.

A business communication, for purposes of 17a-4 and 204-2, is any communication that relates to the firm's business activities — trades, recommendations, advice, internal coordination on client matters, regulatory or compliance discussions, supervisory communications, and (importantly) communications about prospective business as well as executed business.

The medium does not matter. A WhatsApp message between two registered representatives discussing a client trade is a business communication. A Signal message from a portfolio manager to an analyst about a research recommendation is a business communication. A personal-email exchange between an adviser and a prospective client is a business communication.

The fact that a communication is "informal," "personal," or "off-the-clock" does not change the analysis. The fact that the device is personally owned does not change the analysis. The fact that the channel is end-to-end encrypted does not change the analysis. If the substance relates to the firm's business, the firm has a preservation obligation.

The settled orders make this point repeatedly. Senior personnel who maintained the practice were specifically called out in the orders; their seniority did not exempt them from the rule.

The two surfaces: recordkeeping vs supervisory review

Communications compliance has two distinct surfaces, and most firm programmes need both.

Recordkeeping

The firm must capture and preserve business communications. Capture means the communication is technically routed to the archive at the time it is sent or received. Preserve means the archive retains the communication for the required period, in the required format, accessible to the firm and to regulators on request.

The archive is typically a third-party platform: Smarsh, Global Relay, Bloomberg Vault, Microsoft Purview, or comparable systems. The archive layer handles capture, retention, retrieval, and (in some cases) basic lexicon-based monitoring.

Supervisory review

The firm must supervise business communications — identify risk patterns, follow up on issues, document the review, and produce evidence of the supervisory programme to examiners on request. Supervisory review goes beyond capture; it asks whether the firm actually looked at communications and acted on what it found.

In the off-channel cycle, the SEC has been clear that supervision is a separate obligation from recordkeeping. A firm that captured every communication but never reviewed any of them would still have a supervisory failure under Rule 3110 (broker-dealers) or 206(4)-7 (advisers).

Supervisory review is where the AI and machine-learning layer of modern communications compliance sits. Lexicon-based monitoring catches obvious red flags ("inside information," specific prohibited claims) but misses the contextual signals that matter — sentiment, intent, coercion, hidden compensation, off-channel routing. A serious supervisory review platform reads context and routes the relevant communications to a human reviewer.

The supervisory architecture that works

The supervisory programme that survives an off-channel sweep has a consistent shape. Five components.

1. A communications policy that recognises how people actually communicate

The policy must enumerate the firm-sanctioned channels (email, the firm's chat platform, the firm's recorded-call infrastructure, specific text-messaging products that are captured to the archive) and clearly prohibit the use of any other channel for business communications. It must address mobile devices specifically: a firm that issues mobile devices has a different policy from a firm that operates BYOD, and the policy must reflect the reality of the firm's choice.

2. Technology that captures across the firm's sanctioned channels

For every sanctioned channel, the firm must have a capture mechanism that routes business communications to the archive. Email is the easy case. Chat and DM platforms are usually well-handled by the firm's IT infrastructure. The hard cases are recorded calls, video conferencing (Zoom, Teams), screen sharing, social-media DMs, and (where sanctioned) mobile text messaging and WhatsApp Business.

3. Detection of off-channel use

This is the gap in most settled-order firms. The firm prohibited off-channel use on paper but had no way to detect it in practice. Detection mechanisms include: client-side mobile device management with messaging-app monitoring; firm-issued device policies that route all business communications through captured channels; periodic attestations by associated persons; targeted reviews of communications that reference off-channel activity (e.g. "let's take this to Signal"); and exit-interview review of departing employees' communications history.

4. Supervisory review with documented decisions

The firm must review captured communications, document what was reviewed, document the decisions made, and document the follow-up. The review can be sampled or risk-scored, but it must actually happen and the documentation must show that it happened.

5. Examination-ready production

The firm must be able to produce, on request, captured communications for a defined set of employees over a defined time period, in a form that an examiner can search. The retention layer must be tested with a mock production at least annually.

The first three components are about prevention. The fourth and fifth are about evidence. A firm that gets the first three right but cannot produce evidence on request is still at risk under a 3110 or 206(4)-7 finding.

The technology layer

The communications compliance technology stack has three layers:

The communications-compliance technology stack: capture, archive, supervisory review.
  • Capture. The mechanism by which a business communication ends up in the archive. Capture is mostly a network-and-endpoint problem and is provided by the firm's IT infrastructure plus the messaging vendor's enterprise tier.
  • Archive. The repository that holds preserved communications for the required retention period in the required format. Provided by archive vendors: Smarsh, Global Relay, Bloomberg Vault, Microsoft Purview, Mimecast, and others.
  • Supervisory review. The intelligence layer over the archive that reads communications, surfaces risk, routes communications to reviewers, captures decisions, and produces audit trails. Provided by surveillance and review vendors: Sedric, Theta Lake, Behavox, the surveillance modules of the archive vendors themselves.

The three layers integrate. The archive is the system of record for retention; the supervisory review platform is the system of action over the archive. Most firms run both layers from different vendors and need them to interoperate cleanly.

The supervisory review layer is where the off-channel programme has the most room to mature. Lexicon-based monitoring — the historical default — fails on the off-channel pattern because the warning signs are contextual, not keyword-driven. A supervisor cannot just search for the word "Signal" or "WhatsApp" and assume the search is complete; the patterns the SEC has found include communications about communications ("let's take this offline," "I'll text you the details"), unusual timing patterns, and communication-volume changes around sensitive periods.
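Added example, not Sedric's code and not any archive vendor's API: the detection logic the two passages above describe (a lexicon layer, a contextual layer for "communications about communications", and a per-person volume-change heuristic), run over a constructed chat-archive export. The Message fields, the lexicon, the routing patterns, the scoring weights, the thresholds and every sample message are assumptions made for the demo. It shows why a bare keyword search is not enough: "buy signal" trips the lexicon and scores low, while a message that names an app as a channel and hands over a personal number scores high, and a sender whose captured volume collapses after such a message is flagged even when no later message says anything.

```python
"""Off-channel routing detector over an archive export (constructed demo)."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Message:
    sender: str
    channel: str        # the sanctioned, captured channel the export came from
    sent_at: datetime
    text: str


@dataclass
class Finding:
    sender: str
    sent_at: datetime
    reasons: tuple
    score: int
    severity: str
    excerpt: str


# Layer 1, lexicon: cheap and noisy ("signal" is also a trading word).
APP_LEXICON = re.compile(r"\b(whatsapp|signal|imessage|telegram|wechat)\b", re.I)

# Layer 2, context: the message is about moving the conversation elsewhere.
ROUTING_PATTERNS = (
    (re.compile(r"\b(take|move|continue|discuss) (this|it|that) (offline|off-line|off the record)\b", re.I), "move-offline"),
    (re.compile(r"\b(text|call|ping|message|dm) (me|you) (the )?(details|rest|numbers|price|fill)\b", re.I), "details-by-text"),
    (re.compile(r"\b(my|your) (cell|mobile|personal) (number|phone|line|email)\b", re.I), "personal-contact"),
    (re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b"), "phone-number"),
    (re.compile(r"\b[\w.+-]+@(gmail|yahoo|outlook|hotmail|icloud|proton)\.(com|me)\b", re.I), "personal-email"),
    (re.compile(r"\b(on|via|over|to) (whatsapp|signal|imessage|telegram|wechat)\b", re.I), "app-as-channel"),
)


def scan_message(msg):
    """Score one message. Lexicon hit = 1, each routing cue = 2, both together = +1."""
    reasons, score = [], 0
    if APP_LEXICON.search(msg.text):
        reasons.append("app-name")
        score += 1
    for pattern, label in ROUTING_PATTERNS:
        if pattern.search(msg.text):
            reasons.append(label)
            score += 2
    if "app-name" in reasons and len(reasons) > 1:
        score += 1  # app named AND a routing cue: strongest single-message signal
    if not reasons:
        return None
    severity = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return Finding(msg.sender, msg.sent_at, tuple(reasons), score, severity, msg.text[:80])


def volume_drop(messages, as_of, window_days=7, min_baseline=5, drop_ratio=0.5):
    """Senders whose captured volume in the last window fell to <= drop_ratio of their earlier rate."""
    recent_start = as_of - timedelta(days=window_days)
    recent, earlier, earliest = Counter(), Counter(), {}
    for m in messages:
        if m.sent_at > as_of:
            continue
        if m.sent_at > recent_start:
            recent[m.sender] += 1
        else:
            earlier[m.sender] += 1
            earliest[m.sender] = min(earliest.get(m.sender, m.sent_at), m.sent_at)
    flagged = {}
    for sender, count in earlier.items():
        span_days = max((recent_start - earliest[sender]).days, window_days)
        baseline = count * window_days / span_days  # expected messages per window
        if baseline >= min_baseline and recent[sender] <= baseline * drop_ratio:
            flagged[sender] = (round(baseline, 1), recent[sender])
    return flagged


def review_queue(messages, as_of):
    """The supervisor's queue: per-message findings, strongest first, plus volume drops."""
    findings = [f for f in map(scan_message, messages) if f is not None]
    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (rank[f.severity], f.sent_at))
    return {"findings": findings, "volume_drops": volume_drop(messages, as_of)}


AS_OF = datetime(2025, 3, 28)


def build_sample_archive():
    """Constructed sample: a March 2025 export from the firm's chat platform. Not real data."""
    day = lambda d, h=10: datetime(2025, 3, d, h)
    msgs = []
    for d in range(1, 21):  # alice: two captured messages a day, then nearly silent
        msgs.append(Message("alice", "firm-chat", day(d, 9), "Morning desk note attached."))
        msgs.append(Message("alice", "firm-chat", day(d, 14), "Afternoon positions summary attached."))
    for d in range(1, 28):  # bob: one a day, steady throughout
        msgs.append(Message("bob", "firm-chat", day(d), "Daily research digest attached."))
    msgs += [
        Message("alice", "firm-chat", day(12, 11), "Client wants the fill on the 10k block before close; I'll text you the details."),
        Message("alice", "firm-chat", day(20, 16), "Let's take this to Signal, my cell number is 415-555-0123."),
        Message("alice", "firm-chat", day(25, 9), "Out today, back Thursday."),
        Message("bob", "firm-chat", day(10, 15), "Strong buy signal on the momentum screen; note going out via research."),
        Message("carol", "firm-chat", day(15, 11), "Travelling this week, reach me at carol.w@gmail.com."),
        Message("dave", "firm-chat", day(18, 13), "Let's take this offline."),
    ]
    return msgs


if __name__ == "__main__":
    queue = review_queue(build_sample_archive(), AS_OF)
    for f in queue["findings"]:
        print(f.severity, f.sender, f.sent_at.date(), f.reasons, "|", f.excerpt)
    print("volume drops (baseline per week, recent):", queue["volume_drops"])
```

The queue is the input to the human step the page describes: a supervisor opens each finding, records a decision, and that decision, not the score, is what goes in the audit export. The phone-number and personal-email patterns are the parts most worth keeping even in a mature programme, because they are hard to phrase around; the volume heuristic needs a baseline long enough that holidays do not trip it, which is why the window and the drop ratio are parameters rather than constants.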

Integrating Sedric with archives and surveillance vendors

Sedric sits in the supervisory-review layer. The platform reads captured communications from the firm's archive — Smarsh, Global Relay, Bloomberg Vault, Microsoft Purview, or comparable — and provides the intelligence, workflow, and audit trail layer over them.

The platform reviews communications for:

  • Off-channel routing references and patterns (signals that business communications are being moved off the captured surface).
  • Marketing Rule and FINRA 2210 content issues in client-facing communications — performance claims without substantiation, missing risk disclosures, prohibited testimonial framing.
  • UDAAP-style consumer-protection risks in retail-facing communications.
  • Reg BI obligations in broker-dealer recommendations to retail customers.
  • Suitability and best-interest patterns in client communications.
  • Insider-information and MNPI signals in research and trading communications.
  • Outside business activities and gifts-and-entertainment patterns.

The review output is routed to the right supervisor or principal in the firm's workflow, with the source communication, the relevant rule citation, and the suggested action. The supervisor's decision is logged with reasoning. The audit export is what an SEC or FINRA examiner asks for: every reviewed communication, every flag, every decision, every override, with timestamps and attributable decision-makers.

For dual-registrants, the same workflow covers both Rule 17a-4 (broker-dealer) and Rule 204-2 (adviser) communications, with the differing retention schedules handled in the export.

Building a programme that survives a sweep

A communications compliance programme that survives an off-channel sweep has answers to seven examiner questions before they are asked.

  1. What channels are firm-sanctioned for business communications, and what is the basis for that determination? The firm should have a written analysis of each channel — what business activities it supports, what capture mechanism is in place, what the retention path is.
  2. How does the firm detect off-channel use? The firm should be able to describe specific detection mechanisms — not just "we have a policy."
  3. How does the firm respond when off-channel use is detected? The firm should be able to point to the response playbook: investigation, remediation, escalation, training, discipline.
  4. What is the supervisory review programme? The firm should describe what is reviewed, how often, by whom, with what tooling, and what the review output is.
  5. How is the review documented? The firm should be able to produce, on request, the review log: communications reviewed, flags raised, decisions made, supervisors involved, dates.
  6. How is the policy communicated and enforced? The firm should be able to point to onboarding training, annual training, attestations, and disciplinary action where warranted.
  7. How are the books and records maintained, and how are they produced on request? The firm should be able to demonstrate the retention path, the access path, and a recent mock-production test.

Each of these questions has, in some settled order, been the basis for a finding. A firm that can answer all seven with concrete, documented evidence is in a defensible posture. A firm that answers more than two of them with "we have a policy" is not.

Frequently asked questions

Does the off-channel cycle apply to advisers, or just broker-dealers?

Both. The September 2022 actions were initially against broker-dealers and a single dual-registrant adviser affiliate. Subsequent enforcement has reached standalone investment advisers. The Rule 204-2 retention obligation applies to advisers, and the supervisory obligation under 206(4)-7 applies in parallel.

What if our firm doesn't issue mobile devices?

BYOD is a permitted model, but it must come with capture or detection mechanisms appropriate to the channels associated persons use. Many firms in the off-channel cycle were BYOD firms whose policies prohibited off-channel use but whose detection mechanisms did not cover personal devices. A defensible BYOD posture has either client-side mobile device management with messaging-app monitoring, sanctioned-channel routing for any business communication, or — most commonly — a combination.

Are encrypted messaging apps prohibited?

The rules do not prohibit any specific app. They prohibit conducting business communications on channels that are not captured for the books and records. WhatsApp, Signal, and iMessage are not per-se prohibited; they are prohibited for business communications unless the firm has a capture path that routes the communications to the archive. WhatsApp Business has compliance-grade capture options; consumer WhatsApp generally does not.

What about voice calls?

Voice calls that relate to the firm's business are supervised activity under FINRA Rule 3110 and the adviser compliance rule, but the SEC books-and-records rules do not impose a general duty to record them, and the off-channel orders concern written messages. Where the firm does record calls, whether by its own policy or under a rule that requires it for specific activity (CFTC Regulation 1.35 for certain futures registrants, for example), the recordings are records that must be preserved and produced like any other. A call on a personal mobile line used to move a conversation off a captured text channel is the same off-channel pattern, and the text that sets the call up ("call my cell") is usually where it is detected. The firm's policy must address voice as well as text.

How long do we have to retain communications?

For broker-dealer communications under Rule 17a-4(b)(4), not less than three years, the first two in an easily accessible place; other categories of broker-dealer records run six years. For adviser communications under Rule 204-2, five years from the end of the fiscal year of the last entry, easily accessible throughout, with the first two years in an appropriate office of the adviser. Specific periods vary by category of record, and state or non-US requirements may be longer.

What does "supervised" mean in practice for communications?

It means the firm identifies, reviews, and acts on patterns in communications. The standard is "reasonably designed": a firm is not expected to read every email, but it is expected to have a system that surfaces the communications that matter, documents the review, and produces evidence of the supervisory work. A risk-scored, sampled, or pattern-targeted review process is acceptable; a "we have an archive" posture is not.

Can AI do the review?

AI can do the screening and pattern-identification layer; the human supervisor reads the output, makes decisions, and documents reasoning. The audit trail must show human accountability for supervisory decisions. AI assistance is broadly accepted; AI as the sole decision-maker in supervisory review is not.

What's the relationship between our archive vendor and our review platform?

The archive is the system of record for retention. The review platform is the system of action over the archive. Most firms run both — the archive vendor handles capture and retention, the review platform handles intelligence and workflow. The two integrate. Sedric integrates with all the major archive vendors.

How do we handle ex-employees' communications?

Records of associated persons' business communications are retained for the regulatory period regardless of whether the person remains employed. Exit reviews of departing employees' communications are common practice and a useful supervisory signal — patterns in the final weeks before departure are an examination focus.

What's the next wave of enforcement?

The pattern of the cycle suggests continued enforcement on supervisory failures — the focus has shifted from "did you capture" (where capture penetration has improved) to "did you supervise" (where review programmes are uneven). Firms with strong capture and weak review are a likely focus.

Closing the off-channel gap?

Sedric is the AI supervisory-review layer over your communications archive. We read captured communications, surface the risk patterns examiners are looking for, route flagged items to the right supervisor, and produce the audit trail that survives an examination.

Book a working session with our team. We'll walk through your current capture-and-archive setup, show you what supervisory review looks like with real flags on real communications, and walk through the exam-ready export your firm would produce on request.

