Regulation Guide

SEC Rule 17a-3: Records Retention and the Obligation to Capture Business Communications

SEC Rule 17a-3 requires broker-dealers to create records of all business communications, including electronic messages sent or received by firm personnel. Rule 17a-4 governs how long those records must be kept and how they must be stored.

Most firms focus on storage, but failures usually happen earlier: communications often aren’t captured in the first place.

At a Glance: SEC Rule 17a-3

Issued by: U.S. Securities and Exchange Commission (SEC)

Who it applies to: Broker-dealers registered with the SEC

Core requirement: Create and maintain records of all business communications and transactions

Covers mobile messaging? Yes - any channel used for business communication

Companion rule: SEC Rule 17a-4 (governs retention and storage of records made under 17a-3)

What 17a-3 Actually Requires

Rule 17a-3 specifies the categories of records broker-dealers must create. For communications compliance, the operative requirement is straightforward: firms must make and keep records of all correspondence — including electronic communications — relating to the broker-dealer's business.

That obligation applies no matter which platform the communication happened on. If an employee used WhatsApp to discuss a trade, respond to a client inquiry, or coordinate internally about a securities transaction, that communication is a record that had to be made.

Other records required under 17a-3 include blotters, ledger accounts, order memoranda, customer account records, and written agreements. But for most compliance reviews focused on messaging, the correspondence provision is the one that matters.

How 17a-3 and 17a-4 Work Together

The two rules work as two halves of one obligation:

17a-3 creates the obligation to capture. If a business communication occurred, it must be recorded. This is the upstream requirement: the point at which most modern messaging failures begin.

17a-4 governs how that record must be preserved. Once captured, the record must be stored in WORM-compliant (tamper-proof) storage, retained for the required period (generally three to six years), and be retrievable on demand.

Failing at 17a-3 means the record was never made. Failing at 17a-4 means the record exists but isn’t preserved correctly. Both are violations, and regulators have cited both in the same enforcement action.

Most compliance programs are built around 17a-4: WORM storage, immutability, retention schedules. The 17a-3 problem is quieter and more common: communications happening on channels that were never connected to the archive.

What a Compliant Capture Workflow Looks Like

Meeting 17a-3 for mobile messaging requires:

Coverage of all channels in use. You can't capture what you haven't identified. Start with a channel inventory. Find out what platforms employees are actually using for client communication, then make sure every active channel is connected to the archive.

Capture at point of delivery. The record must reflect the communication as it happened. Backup-dependent archiving (iCloud sync, device exports) leaves a gap between when the communication occurred and when the record was made, and that gap is a 17a-3 problem.

No reliance on employee action. Capture should be automatic. Any workflow that requires the employee to forward, export, or approve capture before the record is made introduces failure risk.

Written supervisory procedures that reflect actual channels. Your WSPs should document which channels are approved, how each is captured, and what happens when an unapproved channel is detected. Examiners will ask for this, along with your archive.

Common Mistakes

Treating a channel ban as a compliance control. Many firms still ban WhatsApp. Employees use it anyway. Regulators have fined firms specifically because employees used prohibited channels and the firm had no archive, not because the channel was permitted. Banning without enforcement doesn't satisfy 17a-3.

Assuming the archive vendor covers 17a-3. A vendor that stores records compliantly under 17a-4 is not necessarily capturing all channels that fall under 17a-3. Storage and capture are different problems. Ask your vendor explicitly: which channels do you capture, and how?

How Comma Compliance Addresses SEC Rule 17a-3

Comma connects the channels that fall outside most archives.

iMessage: Captured independently of iCloud. The archive is not dependent on backup schedules, device settings, or whether the employee keeps backups enabled. If the message was delivered, it's in the archive.

WhatsApp: Captured via open-source connector code. Every message is written to the archive at the point of delivery. No employee action required after connection.

Signal: Captured at point of delivery without compromising Signal's encryption model.

35+ additional channels. Once captured, all records are written immediately to WORM-compliant storage, satisfying both the 17a-3 obligation to make the record and the 17a-4 obligation to preserve it.

FAQ

How does 17a-3 interact with FINRA rules?

FINRA Rule 4511 incorporates the 17a-3 and 17a-4 obligations for FINRA member firms and adds supervisory requirements under FINRA Rule 3110. FINRA can and does examine member firms for off-channel communications independently of SEC enforcement, and has continued to do so.

What's the difference between 17a-3 and 17a-4?

17a-3 requires you to create the record. 17a-4 requires you to preserve it in a specific way. A firm that captures messages but stores them improperly violates 17a-4. A firm that never captures certain channels violates 17a-3.
