Glossary
Regulatory Compliance Terms & Definitions
A plain-language glossary of key financial compliance terms, from FINRA and SEC rules to WORM storage, NLP, and off-channel communications.
A
AES-256 (Advanced Encryption Standard 256)
Established by the U.S. National Institute of Standards and Technology (NIST) in 2001, AES is a symmetric encryption algorithm. The 256-bit key length provides high security, which makes AES-256 suitable for protecting sensitive information across government, financial, and commercial systems worldwide.
AREF (Advertising Regulation Electronic Filing)
FINRA’s online portal used by broker-dealers to submit advertising and public communications materials for regulatory review under Rule 2210. Firms required to pre-file content — particularly those in their first year of operation — use AREF to upload materials in a variety of formats including PDF, video, HTML, and more. Submissions through AREF are reviewed by FINRA’s Advertising Regulation Department, which may request revisions before a firm is permitted to use the content publicly.
AWS KMS (Key Management Service)
An Amazon Web Services (AWS) service for creating and managing encryption keys, backed by hardware security modules validated to FIPS 140-3 Security Level 3.
Audit Trail
A chronological, tamper-evident log that records all actions, changes, and events within a system, including who performed them, when, and from where. Audit trails are essential for demonstrating accountability, reconstructing past activity during regulatory exams, and detecting unauthorized or suspicious behavior. Under regulations like SEC Rule 17a-4, maintaining complete and accurate audit trails is a core recordkeeping requirement for broker-dealers.
B
BrokerCheck
A FINRA tool that provides public background info on brokers and firms. Required to be linked on webpages with registered rep profiles.
C
CRD#
Central Registration Depository Number — a unique FINRA ID assigned to registered reps and principals. Used when logging or approving content.
Chain-of-Custody Preservation
A documented process that tracks who handled data, when, and why, from its origin to its final use. In practice you will more often hear the term "audit trail"; chain-of-custody preservation is largely the same concept expressed in legal terminology.
Compliance Testing
An auditing process that verifies adherence to internal policies, external regulations (e.g., SEC and FINRA rules), and legal requirements. This includes testing for compliance with standards such as the Sarbanes-Oxley Act (SOX).
Continuous Monitoring
The ongoing process that records the handling of evidence, from collection through safeguarding and analysis. It logs who handled the data or evidence, when it was collected or changed hands, and why, so that the integrity and traceability of the evidence can be demonstrated at any time.
Correspondence Communication
One-on-one or small-group communications sent to 25 or fewer retail investors in any 30-day period. Example: a personal email to a prospect. Requires internal review, not pre-filing. For a more in-depth look at correspondence and retail communication, check out FINRA Rule 2210 for startups.
Cryptographic Hash Chain
A method of linking digital records so that sequences of events, messages, or entries cannot be changed without detection. Each entry's hash is computed over its own content together with the hash of the entry before it, so every hash depends on all the hashes that came before. Verifying integrity is cheap (recompute the chain and compare), while producing an altered chain that still verifies is computationally infeasible.
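As an added illustration of the hash-chain and audit-trail entries above (example code, not from the original page or from any product it describes), a minimal SHA-256 hash-chained audit log: the record fields and the GENESIS value are constructed for the example, and the verifier reports which entry first fails after a retroactive edit.

```python
import hashlib
import json
from typing import Dict, List

# Constructed sentinel: the "previous hash" of the very first entry.
GENESIS = "0" * 64


def entry_hash(prev_hash: str, record: Dict) -> str:
    # Canonical JSON (sorted keys, no extra whitespace) so an identical
    # record always produces an identical digest.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_entry(chain: List[Dict], record: Dict) -> Dict:
    # Each new entry binds to the hash of the previous one.
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev_hash": prev_hash, "hash": entry_hash(prev_hash, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict]) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev_hash:          # link to predecessor broken
            return i
        if entry_hash(prev_hash, entry["record"]) != entry["hash"]:  # content edited
            return i
        prev_hash = entry["hash"]
    return -1


def demo() -> tuple:
    chain: List[Dict] = []
    # Constructed sample audit-trail records (who, when, what).
    for rec in [
        {"ts": "2024-03-01T09:00:00Z", "user": "rep123", "action": "send_email"},
        {"ts": "2024-03-01T09:05:00Z", "user": "principal7", "action": "approve"},
        {"ts": "2024-03-01T09:30:00Z", "user": "rep123", "action": "send_sms"},
    ]:
        append_entry(chain, rec)
    intact = verify_chain(chain)                       # -1: nothing wrong
    chain[1]["record"]["action"] = "reject"            # retroactive edit of entry 1
    edited = verify_chain(chain)                       # 1: entry 1's hash no longer matches
    chain[1]["hash"] = entry_hash(chain[1]["prev_hash"], chain[1]["record"])
    relinked = verify_chain(chain)                     # 2: entry 2 still points at the old hash
    return intact, edited, relinked
```

Recomputing one entry's hash after editing it is not enough: every later entry carries the old value, which is why a forger would have to rewrite the whole remainder of the chain.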
F
FINRA
The Financial Industry Regulatory Authority (FINRA) is a non-profit organization that acts as a self-regulatory body for broker-dealers in the U.S. Its main mission is to promote fairness in the markets and protect investors. However, not every financial professional or firm involved in investing is required to register with FINRA — for example, registered investment advisors (RIAs) fall under a different regulatory framework.
G
GDPR (General Data Protection Regulation)
European privacy law that gives individuals more control over their personal data. GDPR requires organizations to be transparent about how they collect, process, and store personal information and to respond quickly to data-access or deletion requests.
I
Immutable Archive
A type of data storage in which archived records cannot be deleted, edited, or altered after saving. Required for WORM-compliant record-keeping under SEC Rule 17a-4.
Institutional Communication
Communication intended exclusively for institutional investors (e.g., pension funds, hedge funds). Requires internal approval, but not filing with FINRA.
M
MFA (Multi-Factor Authentication)
A security protocol that requires users to verify their identity through two or more independent factors before gaining access to a system or application. These factors typically fall into three categories: something you know (a password), something you have (a mobile device or security token), and something you are (a fingerprint or facial recognition). For compliance purposes, MFA is a widely mandated safeguard that significantly reduces the risk of unauthorized access to sensitive client data and archived communications.
Material Non-Public Information (MNPI)
Information about a company that has not been made available to the general public and, if disclosed, could reasonably influence an investor's decision to buy or sell a security. Acting on MNPI to trade securities is considered insider trading and is a serious violation of federal securities law, enforced by the SEC. Firms are required to maintain information barriers to prevent MNPI from flowing between departments and being misused.
Metadata
The contextual “data about your data” that your system captures automatically: timestamps, user IDs, message channels, device types, and the like. Metadata lets you reconstruct what happened, when, who did it, where the record lived, and for how long.
N
Natural Language Processing (NLP) Analysis
AI that interprets human language to detect risks or automate review, beyond basic keyword matching. For example, in a compliance setting, machine learning could analyze audit trails or chain-of-custody logs to identify suspicious access patterns that might indicate insider threats or policy violations.
O
Off-channel communications
Also referred to as shadow messaging, off-channel communications are business conversations that happen outside a firm’s official, archived channels. From iMessages to LinkedIn DMs, these unofficial communications are a risk that must be captured and monitored. With so many new messaging platforms coming to market, off-channel communications are a persistent challenge for compliance teams.
Office of the Comptroller of the Currency (OCC)
The U.S. Treasury bureau that charters, regulates, and supervises all national banks and federal savings associations. If you’re a fintech or broker-dealer with a national bank partner, you’ll often need to align with OCC guidance.
P
Performance Claim
Any statement—actual, hypothetical, or projected—about how an investment, strategy, or firm has performed or is expected to perform (e.g., past returns, back-tested or model performance, guarantees, targets, benchmarks). Under FINRA Rule 2210 a performance claim must be fair and balanced: it can’t omit material risks or fees, can’t promise results, and must disclose how the figure was calculated.
Pre-filing
Submission of public-facing content to FINRA’s Advertising Regulation Department at least 10 business days before it is first used (mandatory during a firm’s first year).
R
Regulation S-P
An SEC rule requiring broker-dealers, investment advisors, and investment companies to protect the privacy of customers' non-public personal information. Firms must provide customers with clear privacy notices, explain how their data is shared, and offer opt-out rights for certain disclosures to third parties. Reg S-P also mandates safeguards programs to protect customer data from unauthorized access or misuse.
Real-Time Archiving
Capturing and storing communications (chat, email, SMS, voice) when they occur. Real-time archiving keeps you exam-ready and helps compliance teams spot issues right away rather than weeks later.
Real-Time Flagging
Automatically scanning live conversations or posts for policy violations and alerting your compliance team the moment something risky appears, turning after-the-fact reaction into immediate intervention.
Registered Investment Advisor (RIA)
An individual or firm registered with the SEC or state regulators to provide personalized investment advice for compensation. Unlike broker-dealers, RIAs operate under a fiduciary standard, meaning they are legally required to act in their clients' best interest at all times. RIAs managing over $110 million in assets register with the SEC, while smaller firms register at the state level.
Registered Principal
A FINRA-licensed supervisor (usually Series 24) who must review and approve communications, trading, operational, and sales activity; the person legally accountable for the firm’s compliance in those areas. To learn about the activities permitted for registered principals, you can view them on FINRA.
Registered representatives
FINRA-licensed individuals (often Series 7 or 63) who are authorized to solicit and sell securities to clients. Any communication they send, be it an email, a social post, or even a WhatsApp message, falls under FINRA’s review and archiving rules.
Regulatory exams
Formal audits or inspections conducted by regulators (FINRA, SEC, OCC, state authorities) to verify you’re following rules.
Retail Communication
Any content sent to more than 25 retail investors within a 30-day period. Examples: websites, Instagram ads, email newsletters, YouTube videos. Requires pre-filing with FINRA during your first year.
Rule 2210 (FINRA)
FINRA rule that sets advertising and public-communication standards for broker-dealers (filing, content, record-keeping). For a look at rule 2210 for new firms, you can read through our in-depth guide.
Rule 3110 (FINRA)
FINRA’s rule requiring broker-dealers to establish and maintain written supervisory procedures, designate qualified supervisors, and conduct regular inspections of offices and activities. It’s the backbone of any compliant surveillance and review program. To learn more about details, you can read our article on rule 3110.
Rule 4530
A FINRA rule requiring broker-dealers to promptly self-report certain internal and external events to FINRA, including regulatory actions, customer complaints, civil litigation, and findings of rule violations by the firm or its associated persons. Firms must file reports within 30 days of discovering a reportable event. Rule 4530 also requires quarterly statistical summaries of written customer complaints. The rule is designed to promote transparency and ensure regulators have timely visibility into potential misconduct or compliance failures across the industry.
S
SEC (Securities and Exchange Commission)
According to SEC.gov, the SEC was "founded to help our country respond to the Great Depression, we’re the agency that protects investors from misconduct, promotes fairness & efficiency in the securities markets, and facilitates capital formation for those looking to hire, innovate, and grow."
SEC Exchange Act Rule 17a-4
This U.S. Securities and Exchange Commission rule is the foundational records-retention rule for broker-dealers, specifying exactly how electronic books and records must be stored and preserved in WORM format. For more info, you can read our write-up here.
SHA-256
Secure Hash Algorithm 256 is a cryptographic hash function that produces a fixed 256-bit digest of any input. Comparing a file’s digest against the one recorded when it was stored verifies that the file has not been altered or tampered with, whether at rest or in transit.
SOC 2 Type I & II
Independent audit reports that assess how well your service controls protect customer data. Type I covers the design of those controls at a point in time; Type II proves they work over a sustained period.
Secure Custodian
An independent party or system that securely holds and manages archived communications and data on behalf of a firm. A Secure Custodian ensures the integrity, confidentiality, and availability of records by using encryption, strict access controls, audit logs, and tamper-proof storage, all in line with regulatory requirements.
Single Sign-On (SSO)
An authentication method that allows users to log in once with a single set of credentials and gain access to multiple applications and platforms without needing to sign in separately to each one. SSO is widely adopted across enterprise software and SaaS platforms, making it a standard expectation for business tools today. For compliance teams managing multiple systems, SSO streamlines user access, reduces password fatigue, and strengthens security by centralizing authentication and making it easier to revoke access when an employee leaves the firm.
Smart Contact Filters
A feature of Comma Compliance that automatically distinguishes between business and personal contacts, archiving only messages from work-related contacts, while leaving private contacts untouched. Smart Contact Filters ensure your compliance archive captures the communications you need without compromising employee privacy.
W
WORM (Write-Once-Read-Many)
Write Once, Read Many is a type of secure storage that ensures archived data (like communications or social media posts) can’t be altered after saving. Required for compliance. You can find our in-depth look at Comma’s WORM Storage here.
Written Supervisory Procedures (WSPs)
Formal, documented policies that broker-dealers are required to maintain under FINRA Rule 3110, outlining how the firm supervises its registered representatives, business activities, and communications. WSPs must be tailored to the firm’s specific operations and updated regularly to reflect regulatory changes. They serve as the foundational blueprint for a firm’s compliance program and are among the first documents reviewed during a regulatory exam.