# FINRA 25-07: Rethinking Communication Oversight DMs, apps, remote work... are your compliance tools keeping up? FINRA's 25-07 says it's time to modernize. Source: https://commacompliance.com/post/finras-25-07 Last updated: 2025-06-17 --- ## **Is Your Compliance Process Stuck in the 1990s? FINRA agrees.** FINRA recently published a notice, Regulatory Notice 25-07, on modernizing its rules, guidance, and processes.\ \ If you didn’t read the entirety of it (although I’m sure you did, right? It’s only a nice, dense, 8000+ words), here’s the short version: "We get it. You're not working out of a 1997 branch office anymore." - FINRA (not verbatim) Remote work, AI, mobile apps, and a merciful lack of extreme shoulder pads are all standards now as compared to the 1990s. And, thankfully, FINRA **isn’t**issuing a rule change here. They’re **inviting the industry into a conversation**.\ \ “_Are the current rules still practical, fair, and effective in today’s fast-moving environment?”_ In short, they’re asking **what you see** instead of telling you **what to do**. ### Why section D of 25-07 matters \ In today’s financial services industry, client-investor communication is a lot less paper forms than it was thirty years ago. It's DMs, emails, and app alerts.  Even so, many compliance frameworks still rely on outdated manual review practices that no longer align with the way investors and firms operate.\ \ Why? Well, because they were told to go by the book by FINRA. But that book is outdated as _Myspace for Dummies._ Let’s zoom in on one of the more immediately actionable parts of the notice: Section D: **Delivery of Information to Customers.**\ \ _Don’t worry, there are only seven other sections of pure delight and no legalese at all. /s_ ### **Electronic Delivery: Welcome to the 21st Century (Finally)** **TL;DR** FINRA and the SEC originally cooked up the[ E-Delivery rules](https://www.finra.org/rules-guidance/notices/98-03) in 1998 - the year my family got dial-up internet. Three decades later, electronic communication isn’t the future. **It’s just Thursday.** ###### The Rules? - Obtain **informed customer consent** for electronic delivery - Take **reasonable steps** to protect the confidentiality and integrity of customer information These core principles still apply, but the expectations of clients have evolved.\ \ Clients expect access via WhatsApp, iMessage, Slack, secure portals, and more. Sending a paper confirmation letter? That feels about as modern as asking them to fax back a response. FINRA’s recent Regulatory Notice 25-07 highlights this shift.\ \ Delivery of required documents, once heavily reliant on hardcopy mailing, is now governed by electronic delivery guidance aligned with longstanding SEC releases.\ \ FINRA is asking for **public feedback** on whether FINRA’s current rules around **electronic delivery** of information and **negative consent letters** are still appropriate in today’s digital and fast-changing business environment.\ \ While FINRA isn’t mandating changes (yet), their invitation is clear: _Help shape the future of electronic delivery and oversight._ That means now is the time to: - Evaluate where your firm stands - Identify what’s working (and what isn’t) - Don’t be a subject of enforcement later if you can be part of the solution today. ### **What Can Firms Do Right Now?** ### **1. Review your E-Delivery process** - Are you collecting _explicit_ and _informed_ consent for digital delivery? - This means you're directly asking clients if they want to receive required documents (like trade confirmations, statements, or disclosures) via email or another digital method. - It’s not just a checkbox buried in a giant onboarding form. The client should understand **what they’re agreeing to.** - Is that consent stored securely and updated as needed? - You’re not just collecting consent; you’re keeping a record of it. This is critical if regulators ask for evidence that the customer opted into digital communications. - Are your electronic delivery methods secure, especially for sensitive investor data? - For example, **is it encrypted**, or are you emailing sensitive information in plain text? - _Seriously. Is it encrypted? The entire time? Okay, good_[_._ If recent breaches](https://micahflee.com/despite-misleading-marketing-israeli-company-telemessage-used-by-trump-officials-can-access-plaintext-chat-logs/) have taught us anything, it’s that **marketing language isn’t the same as technical protection.** ###### If you can’t confidently answer yes to all three, maybe it’s time for a checkup. ### **2. Audit your communications coverage** What platforms are employees actually using to communicate with clients? If your answer relies on assumptions or informal conversations, it's time to verify. Modern messaging isn’t confined to email.  In 2009, WhatsApp barely existed.\ By 2013, it had 200 million users.\ By 2020? [Two **billion**](https://blog.whatsapp.com/two-billion-users-connecting-the-world-privately).\ \ That’s one in four people alive using a messaging app that's just now old enough to get a driver’s license. Communication today is informal, fragmented, and fast-moving. Conversations that once happened in memos now unfold via DMs, voice notes, disappearing messages, and shared links, often across multiple apps in a single client interaction. Yet many compliance programs ignore these channels entirely or treat them like an afterthought.  That’s not just inefficient.**It’s a huge regulatory gap**. Ignoring off-channel communication doesn’t make it go away. It makes it risky.\ \ This is exactly why FINRA is opening the conversation. They’re saying:  > “_We know your team is communicating differently. How do we work with you, not against you?” _ #### **How to run a real communications audit:** ##### **Survey your client-facing teams** A short, 3–5 question survey can reveal: - What platforms employees _actually_ use to message clients - Which tools clients _prefer_ or expect - Which platforms are used “just for follow-ups”  but still count as business communication **Tool tip:** Most teams can build a quick internal survey using tools like **Microsoft Forms, Google Forms, or Typeform**. Even a simple SharePoint list or email-based poll can uncover meaningful data in under a week. ###### Rethink what to archive As regulators increase pressure on firms to supervise digital communications, many vendors have responded with a blanket approach: archive everything, across every channel. Never mind if it's relevant!\ But that kind of over-capture introduces a different kind of risk: eroding employee trust, invading personal privacy, and storing vast volumes of irrelevant content. The smarter path forward? Targeted oversight. Compliance systems must not only detect risk, but also know what _not_ to retain. That means distinguishing between personal-only and business-related communications and filtering accordingly.**** ##### Pull System logs and usage reports **\**Evaluate logs from messaging, conferencing, and email platforms. 👋 _We’re really good at helping firms surface system usage reports and blind spots. Ask us how\._ Smart compliance platforms that use natural language processing, (ahem, like ours...) can monitor these platforms without drowning your team in irrelevant flags or forcing employees to change how they work. The point of innovative compliance software is to adapt to actual workflows, not complicate them.  ##### **Review and analyze the results.** If you’re using a tool like Microsoft Forms or Google Forms, responses are automatically recorded and exportable. Use them to spot usage trends, off-channel surprises, and communication blind spots.  Consider mapping the data into a simple table:\ **Platform → Who's using it → Is it approved → Is it monitored?\ ** | | | | | | -------------- | -------------------------- | --------------- | ---------------- | | Platform | Who's using it | Is it Approved? | Is it Monitored? | | Slack | Everyone | Yes | Yes | | WhatsApp | Investment Analysts | No | No | | Signal | Strategist | No | No | | Facebook | ? | No | No | | iMessage | Everyone | No | No | | SMS | ? | Yes | Partial | | Instagram | ? | No | No | | Blusky | ? | No | No | | Twitter | ? | No | No | | Outlook | Everyone | Yes | Yes | | Carrier Pigeon | Employees born before 1929 | Yes | No | | Fax | Front Desk | Yes | Yes | | Gmail | Everyone | Yes | Yes | | Bloomberg Chat | All | Yes | Yes | | Teams | Everyone | Yes | Yes | | LinkedIn | Sales, HR, Ops | No | No | | Zoom | ? | No | Partial | | Google Meets | None | No | No | | Telegram | Analysts, Leadership | No | No |   ##### Compare against your approved communication policy What’s on the “official” list vs what’s actually being used? The delta=exposure.\ This is where many teams realize the real issue isn’t rogue behavior. It’s tooling that relies on people to change their habits. ### **3. Assess your manual review costs** Manual review systems may seem manageable ...right up until you model them at scale.\ \ According to McKinsey & Company’s report [_The Social Economy_](https://www.mckinsey.com/industries/technology-media-and-telecommunications/our-insights/the-social-economy)_,_ the average employee sends **5,000+ digital messages** per month. If each takes 10 seconds to review, a 50-person team generates over **170 hours** of review time monthly, costing upwards of **$10,000 in labor.** Start with a quick exercise: pull time-tracking or payroll data to estimate the number of hours spent on message review each month. (Or even easier, use[ our slider](https://trescommacompliance.com/slider) here.) Chances are, you’ll uncover a quiet cost center hiding in plain sight.\ Now add: - Secondary reviews - Inconsistent flags - Training time - Opportunity cost\ Beyond cost, there's the issue of consistency. Antiquated static keyword-based systems add to this load. It's like using AskJeeves instead of Google.\ \ They’re brittle by design, easy to game, and prone to trigger alerts on harmless messages while overlooking the more nuanced ones. Messaging is often short-form, tone-dependent, and often indirect; thus, false positives become the norm instead of the exception. ###### The True Cost of Decision Fatigue When compliance teams spend hours sifting through irrelevant alerts that turn out to be nothing, it's easy to get desensitized. That’s when essential signals can get lost in the noise. Automation is powerful, but it doesn’t replace human oversight. Its **real** value is in reducing the volume of noise, so teams can focus on high-risk activity. A well-designed compliance platform should enhance employee effectiveness, not sideline it. That means surfacing fewer, higher-quality alerts and giving professionals the context they need to make defensible decisions. Before your next compliance or budget meeting, try asking a few questions: - How much time are we really spending on review each week? - What’s our current false positive rate? - Are we confident we’re catching what matters most? Manual inspection still has a role. But its efficiency and reliability depend heavily on the quality of the inputs, and the ability of your systems to adapt to modern communication styles.\ \ **Easy Win:** Block out 15 minutes this month to tally your team’s review hours week-over-week. Bring the data to your next leadership meeting to see where that time could be reduced. ##### **Balancing Innovation with Investor Protection: Don’t Leave Seniors Behind** As firms embrace digital tools to streamline compliance and client communications, it's essential not to overlook the needs of senior investors and those less comfortable with technology. Modernizing doesn’t mean abandoning traditional investors: **digital-first must not become digital-only**. Regulators like FINRA and the SEC continue to emphasize investor protection, especially for vulnerable populations. Firms are expected to: - Offer secure alternative communication options, such as paper delivery or hybrid models that blend physical and digital formats. - Pay special attention to senior investors and others with limited digital access. - Maintain flexibility and respect client preferences when choosing communication methods. - Obtain clear, informed consent before transitioning any customer to electronic-only communications. ###### **Action you can take this week** - **Run a quick analysis: What percentage of your clients currently receive only digital communications?** - Pull a list of all active client accounts from your CRM or client record system. Look at your communication preference field - email, paper, hybrid, or however you’ve chosen to categorize it.  **Sort or filter the data to calculate:** - % receiving only digital - % still using paper or hybrid - % with no preference recorded**(this is a compliance red flag to take action on)** Even a 30-minute sweep through your CRM or account data can reveal where your oversight gaps. ##### **Set up a hybrid pilot program (in 4 simple steps):** 1. Define a manageable test group (20–50 clients), ideally those over 60 or without clear delivery preferences\ 2. Send both digital and physical communications for a 60-day period\ _\ Include a brief feedback option (e.g., a reply email, phone survey, or a note in a mailed letter) asking which format they prefer_\ 3. Track engagement and preferences through opens, feedback, or support requests\ _Track any support requests related to delivery or accessibility_**** 1) Assess impact: Did the hybrid pilot increase engagement? What were the costs? What feedback surfaced? By taking small, proactive steps, firms can modernize responsibly, staying aligned with evolving regulations while supporting clients of all ages and tech comfort levels. ### **A Smarter Path Forward** Regulatory clarity comes from dialogue.\ \ [FINRA’s Notice 25-07](https://www.finra.org/rules-guidance/notices/25-07) is your invitation to help shape how the industry supervises communication in a digital-first world. **Now is the time to speak up.** If you see gaps, challenges, or opportunities in how current rules apply to your firm’s reality,**choose to contribute.**FINRA is listening. (We’re addressing one section of the notice here; there are seven others to consider further.) At **Comma Compliance**, we believe the firms that engage early and lead with insight will be best positioned for what’s next. That’s why our platform is built not just to meet today’s standards, but to evolve with them -  and with you. We help compliance teams: - Capture and supervise off-channel communications - Cut noise, not context, using smarter NLP-based review tools - Respect personal boundaries while securing business-critical records - Stay exam-ready without the cost and fatigue of manual review We don’t believe in blanket surveillance. We believe in clarity, context, and compliance management tools that work the way people actually communicate.\ \ If you're thinking through what modernization means for your firm, we’d love to talk. If you're ready to be part of the regulatory conversation, FINRA wants to [hear from you](https://datacollection.fnrw.finra.org/?notice_ref=367851). The comment period is until to July 14, 2025. **Ready to future-proof your compliance strategy?** [Get in touch](/get-in-touch) and see how Comma helps you modernize with clarity and confidence. _This article is for informational purposes only and does not constitute legal or compliance advice._