FINRA Rule 2210 requires broker-dealers to review, approve, file, and retain all retail-facing communications, from your website, to an Instagram ad, to a WhatsApp broadcast. Most firms understand that email and brochures are covered, but firms often forget to extend that to social posts, live audio, influencer campaigns, and encrypted messaging channels that compliance teams weren’t built to handle.
At a Glance
| FINRA Rule 2210 | Information |
|---|---|
| Issued by | Financial Industry Regulatory Authority (FINRA) |
| Who it applies to | Broker-dealers registered with FINRA |
| Communication types | Correspondence, Retail Communication, Institutional Communication |
| Pre-filing requirement | New member firms must file all retail communications with FINRA 10 business days before first use, for the first year of membership. After Year 1, only specified categories (e.g., investment company materials, bond mutual fund volatility ratings) require ongoing filing. |
| Content standard | Fair, balanced, not misleading; no unqualified performance claims or omitted risks |
| Enforcement | $850K fine to a single firm in 2024 for unapproved influencer posts and missing records |
| Retention requirement | Must retain: a copy of the communication, dates of first and last use, the name and approval date of the reviewing principal, and the source of any statistical table, chart, graph, or illustration used. |
| Covers social media? | Yes — though interactive posts and real-time replies are exempt from pre-approval and filing. |
What Regulators Expect
In a Rule 2210 exam, FINRA examiners will ask:
- What channels is your firm using to communicate with retail investors?
- Who reviewed and approved each piece of content before it went live?
- Can you produce the communication, the approval record, and the dates of use within hours?
- Do you have written supervisory procedures covering all the channels your team is active on?
- Did you file retail communications with FINRA’s Advertising Regulation Department at least 10 business days before first use?
The exam is no longer limited to brochures and email blasts. FINRA has formally stated that all social media is covered under Rule 2210. Examiners may ask specifically about influencer programs, live audio, and off-channel messaging.
Why Emerging Channels Are Hard to Manage Under 2210
Rule 2210 has three requirements that are easy to meet for traditional advertising and genuinely hard for modern digital channels: principal review before use, a complete approval record, and retained copies of everything.
Review before use is hard to enforce at speed. A post can go live, get shared 10,000 times, and be taken down, all before your compliance team sees it. Social-first workflows aren’t built around 10-business-day review windows.
Approval records are hard to maintain across channels. FINRA expects a documented record of who approved each piece, when, and with what CRD number. Most firms track this in spreadsheets, at best. When content lives across a dozen platforms, that log breaks down fast.
Retention is hard when the platform controls the content. Decentralized platforms delete content. Ephemeral messaging apps auto-expire. Influencers edit or remove posts after filing. If your archive depends on the platform keeping the record, you don’t have a record.
What a Compliant Communications Program Should Include
A Rule 2210-compliant program for modern channels should meet all of the following:
Principal review before any retail communication goes live. Every piece of content reaching more than 25 retail investors within 30 days requires review and sign-off from a registered principal. That includes websites, social posts, pitch decks, email newsletters, webinar invites, and paid ads.
A pre-filing workflow for Year 1. During your first year, all retail communications must be filed with FINRA at least 10 business days before use. After Year 1, many firms reduce pre-filing volume, but the content standards and recordkeeping requirements don’t change. A filing workflow built for Year 1 should be designed to scale, not discarded.
A complete approval log. For every retail communication, you need: a copy of the content, dates of first and last use, the approving principal’s name and CRD number, and the source of any performance data or rankings. Examiners can ask for any of this on short notice.
Retained copies that you control. Platform-dependent archives aren’t archives. Your records need to be stored somewhere your firm controls.
Written supervisory procedures that name every active channel. If your WSPs list email and your team is posting on LinkedIn, Threads, and Discord, your WSPs are out of date. Examiners match your channel list against your procedures. See what compliant WSP language actually looks like.
Common Mistakes / Risky Shortcuts
Treating social media as informal. A LinkedIn post or TikTok ad promoting your firm’s products or services is retail communication, subject to Rule 2210’s content standards.
Inheriting your influencer’s statements. If you pay someone to promote your firm and they make unqualified or misleading claims, that’s your liability. M1 Finance was fined $850K in 2024. This was FINRA’s first disciplinary action involving influencer supervision because the firm failed to review or approve influencer content that was unfair, unbalanced, or misleading before it went live.
Conflating public appearances with retail communications. Live, unscripted podcast episodes are generally treated as public appearances under Rule 2210, not retail communications, which means no pre-approval requirement. Here’s the catch: if you distribute slides, scripts, or recordings afterward, those materials may trigger filing obligations, because it’s considered broadly distributed.
Relying on the platform to keep your records. Ephemeral platforms auto-delete. Decentralized platforms can have content removed by server admins. If your retention strategy is “it’s still up there somewhere,” you don’t have a retention strategy.
How Comma Compliance Addresses FINRA Rule 2210
Comma is built for the channels FINRA is examining most aggressively: encrypted mobile messaging, emerging social platforms, and off-channel communication that legacy compliance tools weren’t designed to capture.
iMessage: Captured independently of iCloud. No dependency on backup timing, device settings, or employee behavior. Runs on the employee’s existing iPhone without requiring a separate compliance device.
WhatsApp: Captured via open-source connector code, published on GitHub. No plaintext storage at an intermediary. Broadcast lists are captured at the point of send — not reconstructed later from logs.
Signal: Captured at point of delivery without compromising Signal’s encryption model. Messages are archived before auto-delete timers can run.
Storage and retrieval. All captured communications are written to WORM storage immediately on receipt. Default retention is seven years. Records are retrievable directly from the Comma platform.
Approval workflow support. Comma’s platform supports logging communications against your review and approval workflow, so your 2210 records and your 17a-4 records live in the same place — and you can produce either on demand.
FAQ about FINRA Rule 2210
What counts as a retail communication?
Do all retail communications need to be pre-filed with FINRA?
Does Rule 2210 cover influencer marketing?
Are live podcasts and webinars covered?
How long do we need to retain retail communications?
Does Rule 2210 apply to encrypted messaging like WhatsApp or Signal?
Related regulations
FINRA Rule 3110
Supervisory system and Written Supervisory Procedures — the framework that governs how 2210 reviews and approvals are documented.
Read the guide →
FINRA Rule 4511
FINRA's books and records rule — incorporates 17a-3 and 17a-4 and governs the retention of retail communications under 2210.
Read the guide →
Written Supervisory Procedures: Why Generic Language Fails
The phrases that get WSPs cited — and what compliant language actually looks like for the channels Rule 2210 covers.
Read the guide →