Slack is where lunch orders happen. It’s also where investment strategies get hashed out.
Most compliance teams are focused on outward-facing conversations: ones that are going out as advertisements (hello social media!) and conversations with clients (WhatsApp, anyone?), and consider internal conversations as relatively safe.
With email clients archived, it’s easy to forget all the other ways communication happens - no, not just Slack, but places like Shared Google Docs or Notion. (This blog will have multiple internal comments in Google Docs before it’s published.)
Yes, the highest risks often occur in LinkedIn DMs and text conversations, but it’s not the only place teams communicate. Internal collaboration tools, as per SEC and FINRA regulations, must also be securely stored for safekeeping.
When Zoom overtook the nation -and the world- in 2020, compliance teams had to jump to keep up. There were widespread security and privacy concerns in Zoom’s early pandemic era, like “Zoombombing,” poor access controls, and unclear end-to-end encryption claims. These risks forced compliance teams to adapt quickly, and many still lack robust workflows for auditing video-based decisions.
Even with many returning to the office over the last several years, collaboration tools that we grew to rely on have dug in their heels in our workspaces. Many tasks no longer feel email-worthy, but that conversation needs to be catalogued. These software options have streamlined our workflow, but they carry the same compliance obligations as email.
Internal Chats = Business Communications
Slack, Teams, and similar platforms aren’t just casual chat apps. If someone discusses investment recommendations, pricing strategy, or risk in a message, it’s a business communication—and under SEC Rule 17a-4 and FINRA 3110, it must be captured, archived, and supervised.
Informal Decision Making
In 2025, compliance isn’t just about what you say to clients. It’s about how your firm reaches those decisions in the first place.
When key decisions are made over small, informal messages - texts, iMessages, Slack messages, the conversation is fragmented. Who said what? When did someone respond? Did everyone in the channel see the message before the decision was made?
This type of informal decision-making can feel “cohesive” or even like a low-key brainstorming session. However, informal decision-making can become dangerous. Threads split off into side DMs, ideas are greenlit with a "👍" or “makes sense,” and before anyone realizes it, a material business choice has been made without oversight or compliance involvement.
Without a clear lineage of who said what (and where) your risks are heightened. The origin of the idea becomes nearly impossible to trace, but regs won’t accept ‘the idea just emerged organically.’ They’ll scrutinize how those choices were made.
Different Tools, Different Compliance Risks
It’s important to distinguish between different types of tools. Treating Slack, Zoom, Google Docs, and Trello as a monolith oversimplifies the actual landscape. Each category of tool presents unique supervisory and recordkeeping challenges.
- Slack / Microsoft Teams: Slack and Teams are the core of communication at many firms. Faster than email, informal threads often act as de facto approvals, and private DMs and side threads. Decisions made here can complicate compliance oversight.
- Zoom / Google Meet / Video Calls: Verbal commitments and key decisions are made on live calls. Decisions made over video calls can disappear unless properly recorded and archived.
- Notion / Google Docs: These tools are often used to document strategy and proposals, but comments and changes may lack version control or consistent metadata. A decision made in a Google Doc comment that’s later deleted might be impossible to recover or defend during an audit.
- Jira/Trello: Designed for project and task management, these tools often convert informal discussions into action, and that trail matters.
Compliance strategies need to reflect these nuances, tailoring supervision, retention, and review protocols to the actual use of each tool within your organization.
Let’s look at what typically gets missed:
- Private DMs and group chats: Most compliance captures focus on public or shared channels. But sensitive info often flows through private threads.
- Edits and deletions: Unlike email, Slack and Teams allow for message editing or deletion unless retention settings are enforced.
- External guests: Zoom chats and shared docs often include third parties. Are you treating those as internal?
- Project management tools (Notion, Asana, Trello): Strategy notes and comments often contain business-related content here.
If your current system isn’t archiving these platforms in real time with context, you’re at risk.
So, are we advocating blanket surveillance? Immediately no. That leads to decision fatigue, poor morale, and just doesn’t help anyone.
You do need to:
- Understand which channels are used for business discussions
- Capture content that relates to regulated activity
- Review and supervise high-risk discussions
With Comma Compliance’s policy matching engine, compliance teams can set clear definitions for what counts as risky, and automatically filter relevant content for review.
Internal Transparency
One of the easiest ways to build and execute a solid compliance program is to make sure your company culture revolves around transparency.
Training staff that Slack/Teams messages are subject to review
- Defining what must be escalated to email or CRM (if any, depending on how you archive your conversations)
- Publishing your collaboration compliance policy internally
- Using visible approval workflows (e.g., pinning decisions, tagging reviewers)
It also means flagging when content could trigger an audit or review. With Comma’s audit-ready case management, firms can build defensible threads from internal comms with full metadata, attachments, and context intact, then export them readily since screenshots aren’t a strategy.
If your compliance program ignores Slack, Teams, or shared Docs, you’re vulnerable. Internal conversations are business conversations—and regulators care.
Comma Compliance helps you capture what matters, flag risk in real time, and build defensible records—without micromanaging your workforce.
Ready to reduce exposure and bring your compliance oversight into the modern era? Let's Talk.