FINRA Rule 4511 requires broker-dealers to create and preserve every required book and record, including all electronic communications, under the standards set by the Securities Exchange Act. Most firms have email covered. The exposure is everywhere else: the channels employees actually use for client communication that most recordkeeping programs don't reach, and that FINRA now examines as a first-order priority.
FINRA 4511
Information
Issued by
FINRA
Who it applies to
FINRA-registered broker-dealers
Core Obligation
Make and preserve all required books and records per the Exchange Act
Incorporates
SEC Rule 17a-3 (what to create) and SEC Rule 17a-4 (how to preserve)
Retention
6 years minimum; first 2 years in an easily accessible location
Covers mobile messaging?
Yes: any channel used for business communication
Rule 4511 has two distinct requirements that firms need to meet independently.
Under 4511(a), broker-dealers must make and keep books and records as required by FINRA rules and the Exchange Act — which incorporates SEC Rule 17a-3. That rule specifies what records must exist, including:
That last item is the one most firms underestimate. "Written communications" covers email, instant messages, texts, and any other electronic medium used for business, regardless of platform or device. There is no carve-out for personal apps.
Under 4511(b), records must be preserved in compliance with SEC Rule 17a-4. That rule requires:
Rule 4511's incorporation of 17a-4 includes an undertaking requirement that many firms miss.
Under Rule 17a-4(f)(3)(v), your firm must file a written undertaking with FINRA confirming that your archive provider meets the rule's storage requirements. This is separate from anything your vendor files — it's your firm's written representation to FINRA.
Under Rule 17a-4(i), your archive provider must also have a written undertaking on file, agreeing to provide regulators with direct access to stored records if required.
Both must be in place. A vendor that stores records compliantly but hasn't filed an undertaking, or a firm that uses a compliant vendor but never filed its own, is still technically non-compliant.
Comma's undertaking is available upon request. We can also walk you through what your firm's undertaking should cover.
During a FINRA examination, books and records examiners typically ask:
That second bullet? That's where where most firms are exposed. Email coverage satisfies item 2 for one channel. Mobile messaging (cue WeChat, Telegram, etc) is a separate line of inquiry.
Creating a 4511-compliant record for an email is straightforward. Creating one for an encrypted mobile message is not, for three reasons.
Capture at point of delivery is hard to guarantee. Backup-dependent archiving such as iCloud sync, device backups, & scheduled exports creates gaps. A message delivered while iCloud was disabled, or deleted before the next backup ran, may not exist in your archive. That missing record is a Rule 4511 problem.
WORM compliance requires knowing how capture works. A vendor can claim compliant storage. It's worth understanding how messages actually get from the device to the archive: specifically whether they're locked at point of capture or handled in an intermediate state before being written to WORM storage.
That's a reasonable question to ask any provider
Retrieval on demand requires more than having an archive. An archive that requires submitting a support ticket is not compliant in practice. Rule 4511 expects prompt production: records accessible within hours, not business days.
Treating 4511 as an email rule. Rule 4511 incorporates the full Exchange Act recordkeeping framework. Email was the first channel examined. Mobile messaging is now examined as routine.
Assuming prohibition is compliance. A policy banning WhatsApp doesn't satisfy 4511 if employees use it anyway and no record exists. The obligation is to the record, not to the policy.
No WSPs covering specific platforms. Written Supervisory Procedures that address "electronic communications" broadly, without naming specific platforms or describing how each is monitored, are increasingly insufficient in examination.
Backup-dependent archiving. iCloud and device backups don't meet the capture-at-delivery standard. Gaps in backup timing are problems in your records.
Comma captures messages as an authorized participant in the conversation.
Worm Storage: Every captured message is written immediately to non-rewriteable, non-erasable storage. No intermediary holds plaintext. The record is locked at the moment of capture
Capture: Comma captures messages as an authorized participant in the conversation, not via backup, screen-scraping, or network interception. Messages are captured at point of delivery across encrypted channels, with no dependency on device settings, backup schedules, or employee behavior.
Retention: Comma's default retention is seven years, exceeding Rule 4511's six-year minimum.
Retrieval: Rule 4511 requires records from the first two years to be producible within hours. Records in Comma are retrievable directly from the platform within minutes. No support ticket required.
Rule 17a-4 is the SEC's preservation rule. It governs storage formats, retention periods, and WORM requirements. Rule 4511 is FINRA's rule that incorporates 17a-4 and makes it enforceable for FINRA-registered broker-dealers. A 17a-4 violation is also a 4511 violation.
Rule 17a-3 specifies what records must be created. Rule 17a-4 specifies how they must be preserved. Rule 4511 incorporates both. Think of 17a-3 as the "what," 17a-4 as the "how," and 4511 as FINRA's enforcement mechanism for both.
Most records under FINRA 4511 should be preserved for six years. The first two years must be in an easily accessible location, meaning producible on request within hours. Records from years three through six must be retained but not necessarily immediately at hand.
Yes. The obligation follows the communication, not the device. If an employee used a personal iPhone for a business-related message, that record is subject to Rule 4511 regardless of whether the firm manages the device.
Rule 4511 applies to FINRA-registered broker-dealers. RIAs are governed by the Investment Advisers Act and SEC Rule 204-2. Comma covers both frameworks from a single platform.
Yes, if they’re business communications. If an employee uses an AI tool to draft a client message, summarize a call, or communicate about a trade — and that output is sent to or received by a client — regulators expect it to be captured. This is an area of active SEC focus heading into 2026.
Rule 17a-4 applies to broker-dealers. RIAs are governed by Investment Advisers Act Rule 204-2. Comma covers both from a single platform.