We've compiled a list of key financial compliance terms below, along with the security and data terms we use when discussing our platform's security, to clarify any questions about it.
Established as a U.S. federal standard by the National Institute of Standards and Technology (NIST) in 2001, the Advanced Encryption Standard (AES) is a symmetric block cipher. AES-256 uses a 256-bit key, the longest of the three AES key sizes, which is why it is the variant chosen to protect sensitive information across government, financial, and commercial systems worldwide.
FINRA's web portal for filing communications under Rule 2210 (advertising and public communications); it accepts PDF, video, HTML, and other file formats.
An Amazon Web Services (AWS) service for creating and managing encryption keys. The keys are stored in, and used by, hardware security modules validated to FIPS 140-3 Security Level 3, so key material never leaves the validated hardware in plaintext.
A chronological log of actions and changes within a system, used to ensure accountability and meet compliance requirements.
A FINRA tool that provides public background info on brokers and firms. Required to be linked on webpages with registered rep profiles.
Central Registration Depository Number — a unique FINRA ID assigned to registered reps and principals. Used when logging or approving content.
A documented record of who handled a piece of data, when, and why, from its origin to its final use. In practice you will more often hear the term "audit trail"; "chain of custody preservation" is the same idea expressed in legal terminology.
An auditing process that checks an organization's adherence to its internal policies, to external regulations (e.g., SEC and FINRA rules), and to legal requirements. This includes testing for compliance with standards such as the Sarbanes-Oxley Act (SOX).
The ongoing process that records the handling of evidence from collection through safeguarding and analysis. It logs who handled the data or evidence, when it was collected or changed hands, and why, so that the integrity and traceability of the evidence can be demonstrated later.
One-on-one or small-group communications sent to 25 or fewer retail investors in any 30-day period. Example: a personal email to a prospect. Requires internal review, not pre-filing. For a more in-depth look at correspondence and retail communication, check out FINRA Rule 2210 for startups.
A method of linking digital records so that a sequence of events, messages, or log entries cannot be altered without detection. Each entry's hash is computed over the entry together with the previous entry's hash, so every hash depends on all the hashes before it. Verifying integrity is cheap (recompute the hashes in order and compare), while altering, inserting, or removing an earlier entry without breaking every later hash is computationally infeasible. One caveat: a chain only proves consistency with its latest hash, so that final hash must itself be kept somewhere an attacker cannot rewrite (e.g., WORM storage or an independent custodian) for the protection to hold.
The Financial Industry Regulatory Authority (FINRA) is a non-profit organization that acts as a self-regulatory body for broker-dealers in the U.S. Its main mission is to promote fairness in the markets and protect investors. However, not every financial professional or firm involved in investing is required to register with FINRA — for example, registered investment advisors (RIAs) fall under a different regulatory framework.
European Union privacy law that gives individuals control over their personal data. GDPR requires organizations to be transparent about how they collect, process, and store personal information and to respond to data-access or deletion requests without undue delay (generally within one month).
A form of data permanence. Once stored in an immutable archive, data cannot be deleted, edited, or overwritten.
Communication intended exclusively for institutional investors (e.g., pension funds, hedge funds). Requires internal approval, but not filing with FINRA.
A login method that requires two or more independent proofs of identity from different categories (something you know, such as a password; something you have, such as a hardware key or authenticator app; something you are, such as a fingerprint), so that a stolen password alone is not enough to sign in.
The contextual "data about your data" that your system captures automatically: timestamps, user IDs, message channels, device types. Metadata lets you reconstruct what happened when, who did it, where the data lived, and for how long.
AI that interprets human language to detect risks or automate review, going beyond basic keyword matching. In a compliance setting, for example, machine learning could analyze audit trails or chain-of-custody logs to identify access patterns that suggest insider threats or policy violations.
Also referred to as shadow messaging, off-channel communications are side conversations that happen outside official, archived channels. From iMessages to LinkedIn DMs, these unofficial communications are risks that need to be monitored, and with so many messaging apps on the market, off-channel comms can be a real burden for a compliance team.
The U.S. Treasury bureau that charters, regulates, and supervises all national banks and federal savings associations. If you’re a fintech or broker-dealer with a national bank partner, you’ll often need to align with OCC guidance.
Any statement—actual, hypothetical, or projected—about how an investment, strategy, or firm has performed or is expected to perform (e.g., past returns, back-tested or model performance, guarantees, targets, benchmarks). Under FINRA Rule 2210 a performance claim must be fair and balanced: it can’t omit material risks or fees, can’t promise results, and must disclose how the figure was calculated.
Submission of public-facing content to FINRA's Advertising Regulation Department at least 10 business days before it is first used; mandatory for new member firms during their first year.
Capturing and storing communications (chat, email, SMS, voice) when they occur. Real-time archiving keeps you audit-ready and helps compliance teams spot issues right away rather than weeks later.
Automatically scanning live conversations or posts for policy violations and alerting your compliance team the moment something risky appears, turning after-the-fact reaction into immediate intervention.
A FINRA-licensed supervisor (usually Series 24) who must review and approve communications, trading, operational, and sales activity; the person legally accountable for the firm's compliance in those areas. The activities permitted to registered principals are listed on FINRA's website.
FINRA-licensed individuals (often Series 7 or 63) who are authorized to solicit and sell securities to clients. Any communication they send, whether email, a social post, or a WhatsApp message, falls under FINRA's review and archiving rules.
Formal audits or inspections conducted by regulators (FINRA, SEC, OCC, state authorities) to verify you’re following rules.
Any content sent to more than 25 retail investors within a 30-day period. Examples: websites, Instagram ads, email newsletters, YouTube videos. Requires pre-filing with FINRA during your first year.
FINRA rule that sets advertising and public-communication standards for broker-dealers (filing, content, record-keeping). For a look at rule 2210 for new firms, you can read through our in-depth guide.
FINRA's rule requiring broker-dealers to establish and maintain written supervisory procedures, designate qualified supervisors, and conduct regular inspections of offices and activities. It is the backbone of any compliant surveillance and review program. For details, read our article on Rule 3110.
FINRA rule that requires broker-dealers to promptly self-report certain violations or events.
According to SEC.gov, the SEC was "founded to help our country respond to the Great Depression, we're the agency that protects investors from misconduct, promotes fairness & efficiency in the securities markets, and facilitates capital formation for those looking to hire, innovate, and grow."
SEC rule that details how broker-dealers must preserve electronic records, historically in WORM (write once, read many) format. The SEC's 2022 amendments to the rule also permit an audit-trail alternative, in which every modification or deletion of a record is itself recorded so that the original can be recreated.
Secure Hash Algorithm 256 (SHA-256) is a cryptographic hash function that turns input of any size into a fixed 256-bit digest. Any change to the input produces a different digest, and finding two inputs with the same digest is computationally infeasible, so comparing a stored digest against a freshly computed one verifies that a file was not altered or tampered with in storage or in transit. It proves integrity only, not that the file is functional or safe.
Independent audit reports that assess how well your service controls protect customer data. Type I covers the design of those controls at a point in time; Type II proves they work over a sustained period.
An independent party or system that securely holds and manages archived communications and data on behalf of a firm. A Secure Custodian ensures the integrity, confidentiality, and availability of records by using encryption, strict access controls, audit logs, and tamper-proof storage, all in line with regulatory requirements.
An authentication option that lets users sign in once and access multiple applications. It streamlines access and improves security by centralizing authentication in a single identity provider, where controls such as MFA and session policies can be enforced consistently.
A feature of Comma Compliance that automatically distinguishes between business and personal contacts, archiving only messages from work-related contacts, while leaving private contacts untouched. Smart Contact Filters ensure your compliance archive captures the communications you need without compromising employee privacy.
Write Once, Read Many is a type of secure storage that ensures archived data (such as communications or social media posts) cannot be altered or deleted after it is saved. Required for compliance under rules such as SEC Rule 17a-4.