Many investment advisers assume the off-channel enforcement sweep was a broker-dealer problem. It wasn’t. The SEC’s 2024 action explicitly named investment advisers alongside broker-dealers — 26 firms, $392 million in penalties. The regulatory obligation is the same. The rule citations are different.
For RIAs, the off-channel risk is often more acute than at large institutions. Principals are frequently the advisers. The person communicating with clients on WhatsApp and the person responsible for compliance are sometimes the same person. That makes the gap harder to detect and harder to defend.
The rule that governs RIAs
Investment advisers are subject to SEC Rule 204-2 under the Investment Advisers Act of 1940. Rule 204-2 requires registered investment advisers to make and keep true, accurate, and current records relating to their advisory business — including all written communications received and sent.
The retention standard: five years total, with records from the first two years kept in an easily accessible location and producible on the same business day an examiner requests them.
Off-channel communications are covered. If a message relates to advisory activities — investment recommendations, client instructions, portfolio decisions — it is a required record under Rule 204-2 regardless of which channel it was sent on.
What the enforcement record shows
The SEC off-channel sweep that began in 2021 was not limited to the large broker-dealers that generated the biggest headlines. By 2024 the sweep had reached investment advisers directly, with the SEC settling charges against firms for failing to capture and retain business communications on WhatsApp, iMessage, and similar apps.
The pattern across enforcement actions is consistent: employees, principals, and in some cases CCOs were using consumer messaging apps for client communication. None of those communications were in the archive. When examiners asked for records, the firm couldn’t produce them.
The “we’re too small for the SEC to care” assumption is wrong. The SEC examines RIAs through its EXAMS division on a risk-based schedule. Off-channel messaging gaps are now a standard examination focus regardless of firm size.
The CCO problem specific to RIAs
At most large institutions, there’s a meaningful separation between the advisers communicating with clients and the compliance officers responsible for supervising those communications. At many RIAs, that separation doesn’t exist.
When the principal of a small advisory firm is using WhatsApp with clients, the supervision failure and the compliance failure belong to the same person. This creates a specific defense problem: a firm cannot claim it had adequate supervisory procedures if the person responsible for those procedures was the one communicating off-channel.
SEC examiners are aware of this dynamic and look for it specifically at smaller advisory firms.
Why app bans don’t work
Prohibiting WhatsApp or iMessage doesn’t satisfy Rule 204-2 if the firm has no mechanism to detect when employees use those channels anyway. Regulators cite the missing record, not the broken policy. Several firms in the enforcement sweep had written policies prohibiting off-channel communication — those policies were cited as evidence of awareness, not as a defense.
The stronger position: capture business communications wherever they occur. A policy that says “prohibited” alongside a system that captures anyway protects the firm in both directions.
What compliance requires
Capture at point of delivery. The message must be archived when it’s sent or received — before any device backup, employee action, or deletion can affect the record.
Five-year retention. Rule 204-2 requires a five-year retention period for most adviser records. The first two years must be immediately accessible and producible on the same business day an examiner requests them.
Same-day production. When an SEC examiner requests records, they expect them on the same business day. An archive that exists but can’t be searched granularly — by employee, by client, by date range — fails this standard just as badly as no archive.
Written policies that name specific channels. Vague references to “electronic communications” are insufficient. Policies must identify permitted platforms and describe the capture mechanism for each.
What SEC examiners check
RIA examinations are risk-based, not scheduled. An off-channel gap flagged by a whistleblower tip, a data analytics pattern, or a complaint can trigger an unscheduled examination. By the time the request letter arrives, the examiner may already have context.
The examination often ends in a deficiency letter rather than an immediate enforcement referral. That distinction matters less than it sounds. A deficiency letter that identifies off-channel recordkeeping gaps starts a remediation clock. Failure to respond adequately — or evidence that the gap continued after the letter — converts the deficiency into a referral. Firms that treat deficiency letters as the end of the process sometimes find they’re the beginning.
At a small advisory firm, there is usually no compliance team between the examiner and the principal. The examiner is talking directly to the person who was using WhatsApp with clients. There is no buffer. Vague answers become part of the record.
Specific questions to be ready for:
- “What channels do your advisers use to communicate with clients?” The answer cannot be “only firm email” if there’s any evidence of mobile messaging — and examiners often arrive with that evidence already.
- “How are those communications captured and retained?” Describe the mechanism, not the policy. “We prohibit it” is not a mechanism.
- “Produce all communications between [adviser] and [client] from [date range].” A specific thread, same business day. An archive you can’t search granularly fails this as badly as no archive.
- “Does your Form ADV accurately describe your recordkeeping practices?” If ADV says communications are retained and the archive shows gaps, that’s a second violation layered on the first.
- “Who is responsible for supervising electronic communications at your firm?” At a small RIA where the CCO is also an adviser, the answer to this question and the answer to “who was using WhatsApp” are sometimes the same name.