Bring Your Own Device (BYOD) refers to employees using personal phones, tablets, or laptops for business activity. In financial services, the compliance question isn’t whether to allow it; it’s whether business communications on personal devices are being captured and retained.
FINRA Regulatory Notice 11-39 is unambiguous:
“Firms may permit their associated persons to use any personal communication device… the firm must be able to retain, retrieve and supervise business communications regardless of whether they are conducted from a device owned by the firm or by the associated person.” (FINRA Regulatory Notice 11-39)
The obligation follows the communication. A client conversation on a personal iPhone is subject to the same recordkeeping requirements as one on a firm-issued device.
The enforcement gap
Most firms fined in the SEC and FINRA off-channel sweep had BYOD policies. The policy wasn’t the problem. The missing record was.
Under SEC Rule 17a-4 and FINRA Rule 4511, every business communication must be captured at point of delivery, retained in WORM-compliant storage for 6 years, and producible on demand.
A policy that prohibits personal device use, but has no mechanism to detect violations or to capture communications when use occurs anyway, doesn’t satisfy these requirements.
For compliance officers: what your WSPs need to cover
FINRA Rule 3110 requires Written Supervisory Procedures that specifically address BYOD. Examiners will ask:
What your WSPs must include:
- Which personal devices and platforms are permitted for business use
- How business communications on personal devices are captured
- Who is responsible for verifying capture is working
- How violations are detected, documented, and remediated
- Review frequency, stated as specific intervals rather than “periodically”
What gets you cited:
- “Employees are prohibited from using personal devices for business” with no detection mechanism
- WSPs that reference “electronic communications” broadly without naming specific platforms or devices
- No monitoring logs showing the policy is actively enforced
The stronger position: document that business communications on personal devices are captured automatically regardless of channel. Examiners care about records, not prohibitions.
For IT and operations: what capture actually requires
The challenge with personal devices isn’t policy; it’s architecture. Standard approaches have significant gaps.
MDM (Mobile Device Management) can enforce policies and wipe devices, but doesn’t capture message content from apps like WhatsApp, Signal, or iMessage. It tells you what apps are installed. It doesn’t archive what was said.
Backup-based archiving misses messages deleted before the next backup runs, or sent while the device was offline. Gaps in backup timing are gaps in the record.
Capture at point of delivery is the compliant path. Comma captures business communications as an authorized participant in the conversation at point of delivery, before any backup or device dependency. Only messages with business contacts are captured. Personal conversations are not touched.
This means employees use their own devices normally, no MDM enrollment is required, and business communications are captured automatically regardless of device settings or backup schedules.
The privacy question
The most common objection to BYOD capture is employee privacy. It’s a legitimate concern and it’s why the distinction between business and personal communications matters.
Comma captures by contact, not by device. If a message is with a business contact, it’s captured. If it’s with a family member, it isn’t. Employees keep full control over personal conversations. That distinction is what makes BYOD compliance workable without eroding employee trust.
What examiners check
During a BYOD-related examination, expect:
- “Do employees use personal devices for client communication?” You must answer honestly and show what controls are in place
- “How do you capture communications on personal devices?” You must describe the mechanism, not just the policy
- “Can you produce messages from [employee]’s personal WhatsApp over the last 18 months?” Same-day production expected for records within 2 years
- “What do your WSPs say about personal devices?” Must name specific platforms and describe capture, not just prohibition
Internal alignment
Most BYOD compliance projects stall before they reach a vendor. The blocker is internal. At some point, every compliance officer brings capture to HR and legal and hits the same three objections. Here’s how to answer them.
“What about personal messages?”
Capture is contact-based, not device-based. Messages with designated business contacts are archived. Messages to personal contacts are not retained — they aren’t held, reviewed, or stored as business records. One edge case worth flagging: if a group chat includes both business and personal contacts, that conversation is captured because a business contact is present. Employees can see exactly which contacts are marked as business in the platform.
“This feels like surveillance.”
Email has been archived at every regulated firm for 20 years. No one calls that surveillance. WhatsApp used for client communication is the same category: a business channel with a recordkeeping obligation attached. The question isn’t whether to monitor — it’s whether to comply. Firms that have treated messaging differently from email are the ones paying eight-figure fines.
“What’s our liability if we capture and get breached?”
Weigh it against the alternative. The firms fined in the SEC and FINRA off-channel sweep faced hundreds of millions in penalties — not for being breached, but for having no records at all. Captured data stored in WORM-compliant, encrypted archives with strict access controls is a manageable risk. Missing records during a regulatory examination are not. Legal’s job is to weigh liability in both directions. Every firm that has been fined wishes it had captured. None has been fined for capturing.
FAQ about BYOD Messaging Compliance
Does FINRA require firms to prohibit personal devices?
What if an employee refuses to enroll their device in MDM?
Do these rules apply to RIAs as well as broker-dealers?
What happens if an employee deletes a message before it's captured?
Related reading
- FINRA Rule 4511: FINRA's books and records rule applies to all business communications regardless of device or channel.
- SEC Rule 17a-4: The retention standard for broker-dealer records, including WORM storage, a 6-year minimum, and same-day production.
- FINRA Rule 3110: Requires written supervisory procedures that specifically address how personal device communications are supervised.
- FINRA Off-Channel Enforcement: The $2B+ enforcement wave, what firms were cited for, and what examiners are still looking for.
- Encrypted Messaging Compliance: Why the archive gap lives in mobile channels and what it takes to close it.
- Off-Channel Communications Compliance: What off-channel compliance requires, where firms get cited, and what examiners check.