FINRA has made off-channel communications a top examination priority — and the fines reflect it. Since 2021, regulators have issued over $2 billion in penalties for broker-dealer employees using WhatsApp, iMessage, and Signal for business with no compliant archive. The violations weren’t about firms that permitted those channels. Most had banned them. The liability came from firms that couldn’t produce records when examiners asked. Under FINRA Rule 4511, the obligation is to the record, not the policy.
At a Glance
| FINRA Off-Channel Communications | Information |
|---|---|
| Regulatory basis | FINRA Rule 4511 (books and records) + Rule 3110 (supervision) |
| Applies to | FINRA-registered broker-dealers |
| The issue | Business communications on personal messaging apps with no compliant archive |
| Firm liability | Yes — even when channels were officially prohibited |
| Fines since 2021 | $2B+ across dozens of firms |
| Largest fine | JPMorgan Chase, $200M (2021) |
| Common channels | WhatsApp, iMessage, Signal, personal SMS |
What Off-Channel Means
Off-channel refers to any communication platform that employees use for business that falls outside the firm’s supervised, archived environment. Historically that meant email on personal accounts. Since 2021 it primarily means encrypted mobile messaging — WhatsApp, iMessage, and Signal — used on personal devices.
The regulatory issue isn’t the channel itself. It’s the missing record. Under FINRA Rule 4511 and the incorporated SEC Rules 17a-3 and 17a-4, every business communication must be created, preserved in compliant storage, and producible on demand. A business conversation that happened on WhatsApp and was never archived is a recordkeeping violation — regardless of whether the firm knew about it or had a policy against it.
Why Banning the Channel Doesn’t Solve It
The enforcement wave established one principle clearly: a firm is responsible for business communications made by its employees, regardless of whether the channel was authorized.
Most of the firms fined between 2021 and 2024 had written policies prohibiting WhatsApp. Employees used it anyway. When examiners asked for records, firms couldn’t produce them. The charge was Rule 4511 — failure to preserve — not “allowed WhatsApp.”
Banning without enforcement and archiving creates the worst outcome: the channel gets used, no record exists, and when examiners ask, the firm has nothing to show.
The enforcement record:
- JPMorgan Chase: $200M (2021) — SEC and OCC fines after finding firm-wide use of WhatsApp across three years, including by managing directors, that actively hindered multiple investigations
- Goldman Sachs: $200M (September 27, 2022) — $125M SEC + $75M CFTC, part of a 16-firm sweep
- Morgan Stanley: $200M (September 27, 2022) — $125M SEC + $75M CFTC, same sweep
- August 2024: $392M across 26 firms in a single action — including Ameriprise, LPL Financial, Raymond James, and Edward Jones, each paying $50M
- Fiscal year 2024 total: $600M+ across more than 70 firms
- January 2025: $63M across 12 firms — including KKR, Charles Schwab, Apollo, and Carlyle
What Regulators Expect in an Exam
FINRA examiners now ask the following as standard:
- What channels are employees using to communicate with clients — including on personal devices?
- Are all those channels being archived, including ones your policy prohibits?
- Can you produce a specific mobile conversation from two years ago within hours?
- Do your Written Supervisory Procedures name specific messaging platforms?
- What mechanisms exist to detect when an employee uses a prohibited channel?
- What would you produce if we asked for all WhatsApp communications from a specific employee over the past 18 months?
The last question is the one most firms can’t answer. A policy document and a signed acknowledgment don’t satisfy it.
What a Compliant Approach Requires
WSPs that name specific platforms. Examiners expect your Written Supervisory Procedures — required under FINRA Rule 3110 — to address WhatsApp, iMessage, and Signal by name, whether they’re permitted, prohibited, or monitored, and describe what happens when a violation is detected. Generic “electronic communications” language is increasingly insufficient.
Archiving that matches actual behavior. Coverage has to reflect how employees communicate, not what the policy says they should use. If your archive covers email and an approved platform, you have no coverage for what employees do on personal devices.
Capture on personal devices, without MDM. Mobile Device Management gives you control and visibility over managed devices — it doesn’t produce FINRA-compliant records. Compliant capture needs to work at the application layer, on personal devices, independently of device management.
Immediate write to WORM storage. Records must be locked on receipt. Backup-dependent archiving creates gaps; off-device capture to WORM storage at point of delivery does not. iCloud is not WORM. A shared drive is not WORM. A backup is not WORM.
Retrieval on demand. Examiners expect records within hours. If producing records requires opening a ticket with your vendor, that’s a gap an examiner will find.
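The four record-handling requirements above (write at point of delivery, no alteration or deletion during retention, tamper evidence, and retrieval by employee, channel and date range) can be modelled in a few dozen lines. The following is an added illustration, not Comma's code and not a description of its architecture; the hash chaining, the `WormArchive` class and the sample messages are assumptions constructed for the example.

```python
"""Write-once archive with hash chaining and on-demand retrieval.

Added illustration, not Comma's code. Models the requirements on this page:
capture seals the record immediately, the record cannot be altered or
deleted until its retention date, the chain is verifiable, and one
employee's conversations can be pulled by channel and date range.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Seven-year default retention, above the six-year minimum in SEC Rule 17a-4.
RETENTION = timedelta(days=7 * 365)
GENESIS = "0" * 64  # predecessor hash of the first record in the chain


class ImmutableRecordError(Exception):
    """Raised on any attempt to delete a record still under retention."""


@dataclass(frozen=True)  # frozen: attribute assignment raises after construction
class Record:
    seq: int
    employee: str
    channel: str
    captured_at: datetime
    body: str
    prev_hash: str
    record_hash: str
    retain_until: datetime


def _hash_record(seq, employee, channel, captured_at, body, prev_hash) -> str:
    payload = json.dumps([seq, employee, channel, captured_at.isoformat(), body, prev_hash])
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class WormArchive:
    def __init__(self) -> None:
        self._records: list[Record] = []
        self._disposed: set[int] = set()

    def capture(self, employee: str, channel: str, body: str,
                captured_at: datetime | None = None) -> Record:
        """Seal a message at point of delivery; nothing can change it afterwards."""
        captured_at = captured_at or datetime.now(timezone.utc)
        seq = len(self._records)
        prev = self._records[-1].record_hash if self._records else GENESIS
        digest = _hash_record(seq, employee, channel, captured_at, body, prev)
        rec = Record(seq, employee, channel, captured_at, body, prev, digest,
                     captured_at + RETENTION)
        self._records.append(rec)
        return rec

    def delete(self, seq: int, now: datetime | None = None) -> bool:
        """Refuse deletion inside the retention window; allow disposition after it."""
        now = now or datetime.now(timezone.utc)
        rec = self._records[seq]
        if now < rec.retain_until:
            raise ImmutableRecordError(
                f"record {seq} is retained until {rec.retain_until.isoformat()}")
        # The toy keeps the bytes so the chain still verifies; a real store would purge them.
        self._disposed.add(seq)
        return True

    def verify(self) -> bool:
        """Recompute every hash; any edit to a stored record breaks the chain."""
        prev = GENESIS
        for rec in self._records:
            expected = _hash_record(rec.seq, rec.employee, rec.channel,
                                    rec.captured_at, rec.body, prev)
            if rec.prev_hash != prev or rec.record_hash != expected:
                return False
            prev = rec.record_hash
        return True

    def retrieve(self, employee: str, channel: str | None = None,
                 since: datetime | None = None, until: datetime | None = None) -> list[Record]:
        """The examiner's question: everything this employee sent on a channel in a date range."""
        return [
            r for r in self._records
            if r.seq not in self._disposed
            and r.employee == employee
            and (channel is None or r.channel == channel)
            and (since is None or r.captured_at >= since)
            and (until is None or r.captured_at <= until)
        ]


# Constructed sample messages (hypothetical employees and text, not real data).
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


def sample_archive() -> WormArchive:
    archive = WormArchive()
    archive.capture("jdoe", "whatsapp", "Client asked to move the order to Monday.", T0)
    archive.capture("jdoe", "imessage", "Sending the revised allocation now.", T0 + timedelta(days=1))
    archive.capture("asmith", "whatsapp", "Can you confirm the fill price?", T0 + timedelta(days=2))
    return archive


if __name__ == "__main__":
    archive = sample_archive()
    print("chain intact:", archive.verify())
    for rec in archive.retrieve("jdoe", channel="whatsapp"):
        print(rec.seq, rec.captured_at.isoformat(), rec.body)
```

The point of the chain hash is that a record edited after capture, or one removed from the middle of the sequence, fails `verify()`; a backup or shared drive offers no equivalent check, which is why the page does not count them as WORM.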
Common Mistakes
“We banned WhatsApp, so we’re covered.” FINRA has rejected this directly. The violation is the missing record, not the use of the channel.
“Our employees signed a policy.” A signed acknowledgment doesn’t produce records on demand. The archive is the defense.
“We use MDM.” MDM manages devices. It doesn’t write to WORM storage or produce FINRA-compliant records.
“This is a big-firm problem.” The enforcement actions include regional and mid-size broker-dealers. Rule 4511 applies to all FINRA-registered members.
“We’ll deal with it if we get examined.” By the time an examiner asks, the records either exist or they don’t. There is no remediation path for records that were never captured.
How Comma Addresses Off-Channel Risk
Comma captures messages as an authorized participant in the conversation — on the employee’s personal device, without MDM, without relying on backups, and without breaking the encryption of the underlying platform.
iMessage: Captured independently of iCloud on the employee’s existing iPhone. Records written to WORM storage immediately on receipt.
WhatsApp: Captured via open-source connector code published on GitHub under Apache 2.0. The capture architecture is fully auditable by your compliance counsel, CISO, or any examiner who asks.
Signal: Captured at point of delivery without compromising Signal’s encryption. Comma works with Signal’s architecture, not around it.
Personal devices, no MDM required. Capture happens at the application layer on whatever device the employee uses for business.
WORM storage, seven-year default retention. Records are retrievable directly from the platform within minutes.
FAQ about FINRA Off-Channel Communications
What's the legal basis for off-channel enforcement actions?
Can we permit WhatsApp and remain compliant?
What if employees use personal devices the firm doesn't manage?
What's the difference between off-channel and just having a weak archive?
Does a prohibition policy protect us from liability?
Related regulations
FINRA Rule 4511
FINRA's books and records rule — incorporates SEC Rules 17a-3 and 17a-4 and makes them enforceable for FINRA-registered broker-dealers.
FINRA Rule 3110
The supervision rule — requires WSPs that address actual communication channels, including mobile messaging used on personal devices.
SEC Rule 17a-4
The retention standard — tamper-proof WORM storage, 6-year minimum, records retrievable on demand within hours.
Off-Channel Communications Compliance
What off-channel compliance requires, where firms get cited, and what examiners check.