SEC/FINRA Exam-Ready Checklist for Messaging Compliance

Violations occur when your firm cannot capture, cannot retain, and/or cannot produce business communications — regardless of the channel.

Before the Exam

Know Your Channels

• Survey client-facing teams: what platforms do they actually use with clients?
• Map results: Platform → Who’s using it → Approved → Monitored
• Confirm business communications only are captured — not personal conversations
• Document any gaps

Know Your Regulatory Framework

Retention and supervision requirements differ by firm type. Confirm which rules apply before the exam.

• Broker-dealers: SEC Rule 17a-4 (6-year retention, first 3 years readily accessible) + FINRA Rule 4511 (general books and records). Both apply simultaneously.
• Investment advisers (RIAs): SEC Rule 204-2 under the Advisers Act (5-year retention, first 2 years readily accessible). Rule 17a-4 does not apply to RIAs.
• Dual registrants: Both frameworks apply — use the stricter standard where they conflict.

Archive Readiness

• Archive is WORM-compliant (non-rewritable, non-erasable)
• Search test: locate a specific message in under 2 minutes
• Production test: export full thread with metadata in under 30 minutes
• Retention period confirmed for your firm type — 6 years (BD/17a-4) or 5 years (RIA/204-2), with the required accessible period for the first years
• Firm’s written undertaking on file with the SEC (Rule 17a-4(f)(3)(v)) — BD only
• Archive provider’s undertaking on file (third-party access confirmed) — BD only
• Designated records custodian identified and documented

WSPs

WSPs must name specific platforms, describe the capture method, assign responsibility, and define review frequency. Vague language (“periodically,” “as needed,” “where possible”) gets cited. FINRA Rule 3110 requires written supervisory procedures reasonably designed to achieve compliance — off-channel communications are an active area of examination focus.

• Off-channel section names specific platforms (WhatsApp, Signal, iMessage, SMS)
• Capture method described — how messages are retained, not just whether they’re allowed
• Review frequency is specific (weekly, monthly — not “regularly”)
• Responsible person named by role or title
• Escalation timeline and consequences defined
• WSP version-controlled and last reviewed within 12 months
• FINRA Rule 3110 supervisory framework documented — BDs only

Supervision Documentation

• Monitoring logs accessible for last 12 months
• Training records on file for all client-facing staff
• Staff attestations signed — employees have acknowledged off-channel policy
• Prior violations documented with dates and remediation taken

During the Exam

Be Ready to Produce on Demand

Examiners expect same-day production of records from the last 2 years. “We’ll have to restore from backup” is a deficiency, not a logistical problem.

• Any employee’s messages, any channel, last 2 years — producible same day
• Archive search demo ready (show speed and completeness)
• WORM or audit-trail evidence ready — know which one you use and be able to explain it
• At least one complete supervision case ready: violation found → documented → remediated

Key Documents to Have in the Room

• Archive architecture diagram (how capture works end-to-end)
• Sample archive search results
• Monitoring logs (last 12 months)
• Training records and staff attestations
• Violation and remediation documentation

After the Exam

Remediation (30–60 days)

• All cited deficiencies addressed
• WSPs updated, version-controlled, distributed, and acknowledged by staff
• Staff retrained — completion certificates on file

Ongoing

• Monthly: review monitoring logs, report findings to senior management
• Quarterly: test archive — search speed, completeness, export format
• Annually: full WSP review; sample audit of archive completeness across 10+ employees