Comma Compliance
← Blog | | Sasha

Written Supervisory Procedures: Why Generic Language Fails

FINRA examiners cite WSPs for vague language, missing platforms, and undefined review frequencies. Here's what compliant WSP language uses.

wsps off channel blog banner

When FINRA examiners find off-channel violations, they almost always find a second problem underneath it: the firm’s Written Supervisory Procedures (WSPs) said something like “employees should avoid using unapproved messaging platforms where possible.”

Nobody actually believes that sentence is doing your firm any good.

Vague Language doesn’t Meet FINRA’s Supervision Rule

FINRA Rule 3110 requires every member firm to establish and maintain a system of supervision , including written procedures, “reasonably designed to achieve compliance” with applicable securities laws and regulations.

Your WSPs must do more than acknowledge problems exist. They must describe:

The keyword FINRA examiners look for is specificity. A WSP that names platforms, assigns responsibility, and defines frequency is defensible. One that uses vague qualifiers is not.

The Five Killer Words

These five words — and phrases like them — are the ones that get WSPs cited:

  1. “Where possible” - implies capture is optional
  2. “Periodically” - undefined frequency is no frequency
  3. “As needed” - no trigger, no accountability
  4. “Appropriate channels” - what channels? Examiners will ask
  5. “Discouraged” - prohibition and discouragement are not the same thing

If any of these appear in your off-channel section, rewrite them before your next exam.

Weak vs. Strong: Real Examples

Here’s what the same policy intent looks like in language that fails versus language that holds up.

Weak: “Employees are discouraged from conducting firm business over personal messaging applications where possible.”

Strong: “Firm representatives conducting securities business via WhatsApp, Signal, iMessage, or SMS must do so through channels subject to firm supervision. All business communications on these platforms are automatically captured and retained via an approved archiving solution. Violations of supervisory procedures must be reported to the Chief Compliance Officer within 24 hours.”

Weak: “The compliance department will periodically review electronic communications for potential policy violations.”

Strong: “The Chief Compliance Officer or designated delegate reviews flagged communications weekly. Monitoring logs are documented and retained for a minimum of three years. A summary report is submitted to senior management monthly.”

Weak: “Violations of communication policies should be reported to compliance management.”

Strong: “Any representative who becomes aware of a potential off-channel communication violation must report it to the Chief Compliance Officer within 24 hours. The CCO will document the violation, assess remediation steps, and escalate to senior management within 5 business days. All violations and remediation actions are retained for a minimum of 6 years.”

The Platform-Naming Requirement

FINRA Rule 3110(b)(4) requires WSPs to address actual communication channels used by your firm. In practice, examiners expect to see specific platforms identified, not just generic references to “unauthorized messaging applications.”

At minimum, your off-channel section should address the platforms your employees are most likely using for business: WhatsApp, Signal, iMessage, and SMS. For each one, your WSP should describe how communications are being captured and supervised — not just assert that they are.

Self-Test

Is Your WSP Exam-Ready?

  • 01

    How well does your WSP clearly define the specific platforms that are approved?

  • 02

    Does it describe the actual capture mechanism — not just that capture happens?

  • 03

    Does it address personal devices specifically — not just the platforms, but how the firm captures business communications that occur on employee-owned phones?

  • 04

    Does it name a responsible person by role or title (not "management" or "compliance")?

  • 05

    Does it state a specific review frequency — weekly, monthly — not "periodically"?

  • 06

    Does it define what happens when a violation is found, including timeline and escalation?

Enforcement Consequences

Generic WSP language isn’t just a documentation problem. It’s what allows other violations to compound.

When FINRA examiners find off-channel violations, they look at the WSPs. If the WSPs are vague, the firm faces two citations instead of one: failure to supervise and inadequate written procedures. The May 2025 FINRA action against Network 1 Financial is a recent example where the firm’s failure to supervise off-channel communications was compounded by the absence of mechanisms to monitor the channels being used.

The firms that fare best in examinations are the ones whose WSPs describe, in specific terms, exactly what they do. That specificity is what makes a procedure “reasonably designed” under Rule 3110(b).

Action Items

  1. Pull your current WSP section on off-channel communications
  2. Search for the five killer words, and rewrite any sentence that contains them
  3. Describe how each platform is captured and supervised. For platforms that don’t play nicely with standard archiving tools — WhatsApp, WeChat, Signal — your WSP needs to explain specifically how you’re solving that problem.
  4. Name the responsible person by role, with a defined review frequency
  5. Define the escalation path for violations, including timeline

For a full pre-exam checklist, see the SEC/FINRA Exam-Ready Checklist.

See why teams switch to Comma

Comma closes the gap on off-channel communications across 35+ platforms.

Book a Demo See Pricing
Sasha

Sasha

Sasha leads GTM and customer success at Comma Compliance, transforming compliance archiving into clear, human-centered solutions that teams trust, adopt, and rely on.

← Read more insights Learn how Comma can help

Book a demo with us

Book a Demo