# FINRA Rule 4511: Books and Records

FINRA Rule 4511 requires broker-dealers to create and preserve every business communication. Learn what examiners check and where most firms fall short.

Source: https://commacompliance.com/regulations/finra-rule-4511
Last updated: 2026-04-18

---
FINRA [Rule 4511](https://www.finra.org/rules-guidance/rulebooks/finra-rules/4511) requires broker-dealers to create and preserve every required book and record, including all electronic communications, under the standards set by the Securities Exchange Act. Most firms have email covered. The exposure is everywhere else: the channels employees actually use for client communication that most recordkeeping programs don't reach, and that FINRA now examines as a first-order priority.

## At a Glance

| FINRA 4511               | Information                                                           |
| ------------------------ | --------------------------------------------------------------------- |
| Issued by                | FINRA                                                                 |
| Who it applies to        | FINRA-registered broker-dealers                                       |
| Core Obligation          | Make and preserve all required books and records per the Exchange Act |
| Incorporates             | SEC Rule 17a-3 (what to create) and SEC Rule 17a-4 (how to preserve)  |
| Retention                | 6 years minimum; first 2 years in an easily accessible location       |
| Covers mobile messaging? | Yes: any channel used for business communication                      |

## The Two Obligations Under Rule 4511

Rule 4511 has two distinct requirements that firms need to meet independently.

### Create the Records (Rule 17a-3)

Under 4511(a), broker-dealers must make and keep books and records as required by FINRA rules and the Exchange Act, which incorporates [SEC Rule 17a-3](/regulations/sec-17a-3). That rule specifies what records must exist, including:

- Blotters of all purchases, sales, receipts, and deliveries of securities
- General and subsidiary ledger accounts
- Customer account records
- Order tickets
- Employment and registration records
- All written communications received, and copies of all written communications sent, relating to the broker-dealer's business

That last item is the one most firms underestimate. "Written communications" covers email, instant messages, texts, and any other electronic medium used for business, regardless of platform or device. There is **no** carve-out for personal apps.

### Preserve Them Properly (Rule 17a-4)

Under 4511(b), records must be preserved in compliance with [SEC Rule 17a-4](/regulations/sec-17a-4). That rule requires:

- **Non-rewriteable,** [**non-erasable storage (WORM)**](/resources/worm-storage) or a complete, time-stamped audit trail that captures all modifications, deletions, and who touched the record
- **Retention for 6 years**, with the first 2 years in an easily accessible location (producible within hours, not days)
- **Third-party access**: your archive provider must allow regulators to download records directly if needed
- **A written undertaking on file**: both from your archive provider and from your firm (see below)

## The Undertaking Requirement

Rule 4511's incorporation of 17a-4 includes an undertaking requirement that many firms miss.

Under **Rule 17a-4(f)(3)(v)**, your firm must file a written undertaking with FINRA confirming that your archive provider meets the rule's storage requirements. This is separate from anything your vendor files — it's your firm's written representation to FINRA.

Under **Rule 17a-4(i)**, your archive provider must also have a written undertaking on file, agreeing to provide regulators with direct access to stored records if required.

Both must be in place. A vendor that stores records compliantly but hasn't filed an undertaking, or a firm that uses a compliant vendor but never filed its own, is still technically non-compliant.

Comma's undertaking is available upon request. We can also walk you through what your firm's undertaking should cover.

## What Regulators Examine

During a FINRA examination, books and records examiners typically ask:

- What record categories does your firm create, and how are they preserved?
- Can you retrieve a specific communication from two years ago within hours?
- Is your archive in WORM-compliant storage or a compliant audit trail format?
- Do your Written Supervisory Procedures describe your recordkeeping system and channel coverage?

That second bullet? That's where most firms are exposed. Email coverage satisfies item 2 for one channel. Mobile messaging (cue WeChat, Telegram, etc.) is a separate line of inquiry.

## Why Mobile Messaging Creates a Rule 4511 Problem

Creating a 4511-compliant record for an email is straightforward. Creating one for an encrypted mobile message is not, for three reasons.

**Capture at point of delivery is hard to guarantee.** Backup-dependent archiving such as iCloud sync, device backups, and scheduled exports creates gaps. A message delivered while iCloud was disabled, or deleted before the next backup ran, may not exist in your archive. That missing record is a Rule 4511 problem.

**WORM compliance requires knowing how capture works.** A vendor can claim compliant storage. It's worth understanding how messages actually get from the device to the archive: specifically whether they're locked at point of capture or handled in an intermediate state before being written to WORM storage. That's a reasonable question to ask any provider.

**Retrieval on demand requires more than having an archive.** An archive that requires submitting a support ticket is not compliant in practice. Rule 4511 expects prompt production: records accessible within hours, not business days.

## Common Mistakes

**Treating 4511 as an email rule.** Rule 4511 incorporates the full Exchange Act recordkeeping framework. Email was the first channel examined. Mobile messaging is now examined as routine.

**Assuming prohibition is compliance.** A policy banning WhatsApp doesn't satisfy 4511 if employees use it anyway and no record exists. The obligation is to the record, not to the policy.

**No WSPs covering specific platforms.** Written Supervisory Procedures that address "electronic communications" broadly, without naming specific platforms or describing how each is monitored, are increasingly insufficient in examination.

**Backup-dependent archiving.** iCloud and device backups don't meet the capture-at-delivery standard. Gaps in backup timing are problems in your records.

## How Comma Addresses Rule 4511

Comma captures messages as an authorized participant in the conversation.

**WORM Storage:** Every captured message is written immediately to non-rewriteable, non-erasable storage. No intermediary holds plaintext. The record is locked at the moment of capture.

**Capture:** Comma captures messages as an authorized participant in the conversation, not via backup, screen-scraping, or network interception. Messages are captured at point of delivery [across encrypted channels,](/encrypted-messaging-compliance) with no dependency on device settings, backup schedules, or employee behavior.

**Retention:** Comma's default retention is seven years, exceeding Rule 4511's six-year minimum.

**Retrieval:** Rule 4511 requires records from the first two years to be producible within hours. Records in Comma are retrievable directly from the platform within minutes. No support ticket required.
