SEC Rule 17a-3 requires broker-dealers to create records of all business communications, including electronic messages sent or received by firm personnel. Rule 17a-4 governs how long those records must be kept and how they must be stored. Most firms focus on storage, but failures usually happen earlier. Communications often aren’t captured in the first place.
At a Glance
| SEC Rule 17a-3 | Information |
|---|---|
| Issued by | U.S. Securities and Exchange Commission (SEC) |
| Who it applies to | Broker-dealers registered with the SEC |
| Core requirement | Create and maintain records of all business communications and transactions |
| Covers mobile messaging? | Yes - any channel used for business communication |
| Companion rule | SEC Rule 17a-4 (governs retention and storage of records made under 17a-3) |
What 17a-3 Actually Requires
Rule 17a-3 specifies the categories of records broker-dealers must create. For communications compliance, the operative requirement is straightforward: firms must make and keep records of all correspondence — including electronic communications — relating to the broker-dealer’s business.
That obligation applies no matter which platform the communication happened on. If an employee used WhatsApp to discuss a trade, respond to a client inquiry, or coordinate internally about a securities transaction, that communication is a record that had to be made.
Other records required under 17a-3 include blotters, ledger accounts, order memoranda, customer account records, and written agreements. But for most compliance reviews focused on messaging, the correspondence provision is the one that matters.
How 17a-3 and 17a-4 Work Together
The two rules operate together as a single requirement:
17a-3 creates the obligation to capture. If a business communication occurred, it must be recorded. This is the upstream requirement: the point at which most modern messaging failures begin.
17a-4 governs how that record must be preserved. Once captured, the record must be stored in WORM-compliant (tamper-proof) storage, retained for the required period (generally three to six years), and be retrievable on demand.
Failing at 17a-3 means the record was never made. Failing at 17a-4 means the record exists but isn’t preserved correctly. Both are violations, and regulators have cited both in the same enforcement action.
Most compliance programs are built around 17a-4: WORM storage, immutability, retention schedules. The 17a-3 problem is quieter and more common: communications happening on channels that were never connected to the archive.
What a Compliant Capture Workflow Looks Like
Meeting 17a-3 for mobile messaging requires:
Coverage of all channels in use. You can’t capture what you haven’t identified. Start with a channel inventory. Find out what platforms employees are actually using for client communication, then make sure every active channel is connected to the archive.
Capture at point of delivery. The record must reflect the communication as it happened. Backup-dependent archiving (iCloud sync, device exports) creates a gap between when the communication occurred and when the record was made, and that gap is a 17a-3 problem.
No reliance on employee action. Capture should be automatic. Any workflow that requires the employee to forward, export, or approve capture before the record is made introduces failure risk.
Written supervisory procedures that reflect actual channels. Your WSPs should document which channels are approved, how each is captured, and what happens when an unapproved channel is detected. Examiners will ask for this, along with your archive.
Common Mistakes
Treating a channel ban as a compliance control. Many firms still ban WhatsApp. Employees use it anyway. Regulators have fined firms specifically because employees used prohibited channels and the firm had no archive, not because the channel was permitted. Banning without enforcement doesn’t satisfy 17a-3.
Assuming the archive vendor covers 17a-3. A vendor that stores records compliantly under 17a-4 is not necessarily capturing all channels that fall under 17a-3. Storage and capture are different problems. Ask your vendor explicitly: which channels do you capture, and how?
How Comma Compliance Addresses SEC Rule 17a-3
Comma connects the channels that fall outside most archives.
iMessage: Captured independently of iCloud. The archive is not dependent on backup schedules, device settings, or whether the employee keeps backups enabled. If the message was delivered, it’s in the archive.
WhatsApp: Captured via open-source connector code. Every message is written to the archive at the point of delivery. No employee action required after connection.
Signal: Captured at point of delivery without compromising Signal’s encryption model.
35+ additional channels. Once captured, all records are written immediately to WORM-compliant storage, satisfying both the 17a-3 obligation to make the record and the 17a-4 obligation to preserve it.
Related regulations
SEC Rule 17a-4
The retention standard for broker-dealer records — tamper-proof storage, 6-year minimum, and records retrievable on demand.
FINRA Rule 4511
FINRA's books and records rule — incorporates 17a-3 and 17a-4 and makes them enforceable for FINRA-registered broker-dealers.
FINRA Rule 3110
Requires broker-dealers to establish a supervisory system and written supervisory procedures — and prove they work in practice.