Regulation Guide

Is Your Firm's Messaging Archiving Actually SEC Rule 17a-4 Compliant?

SEC Rule 17a-4 requires broker-dealers to retain all business communications in tamper-proof storage for three to six years, retrievable on demand. Most firms have email covered. The gap is encrypted mobile messaging: channels employees actively use, that legacy compliance vendors still can't capture cleanly, and that regulators are now examining as a priority.

At a Glance: SEC Rule 17a-4

Issued by: U.S. Securities and Exchange Commission
Who it applies to: Broker-dealers registered with the SEC
Storage standard: Retain all business communications in tamper-proof electronic storage: either Write-Once, Read-Many (WORM) format or a complete, time-stamped audit trail
Retention period: 2 years easily accessible; 6 years total (most record types)
Retention (corporate records): Lifetime (partnership docs, Forms BD, articles of incorporation)
Covers mobile messaging?: Yes — WhatsApp, iMessage, Signal if used for business
Enforcement: $2B+ in fines (2021–present) for off-channel messaging violations

What Regulators Expect

In a 17a-4 exam, SEC examiners will ask:

The exam is no longer limited to email. Since 2021, the SEC has examined mobile messaging as a separate line of inquiry, and firms that answer "we have email covered" are exposed. Examiners now ask specifically about WhatsApp, iMessage, and Signal by name.

Why Mobile Channels Are Hard to Archive Under 17a-4

17a-4 has three requirements that are easy to meet for email and genuinely hard for encrypted mobile messaging: capture at point of delivery, immutable storage from the moment of receipt, and a verifiable audit trail.

Capture at delivery is hard to prove. Most vendors rely on iCloud backups or device syncs — both of which can lag, fail, or be disabled by the employee. That gap between message delivery and archive write doesn't meet the rule's standard.

WORM compliance is hard to verify. A vendor can claim WORM storage — or, under the 2022 amendment, a compliant audit trail. Without visibility into the capture architecture, you can't confirm messages were locked immediately on receipt — or that an intermediary didn't hold plaintext before writing to storage.

Audit trail requires knowing how capture actually works. Examiners increasingly ask not just "is it archived?" but "how was it captured?" If your vendor can't answer that question clearly, neither can you.

What a Compliant Archive Should Include

A 17a-4-compliant archive for modern messaging should meet all of the following:

Capture at point of delivery — not via backup or sync. Messages must be written to the archive the moment they're received. iCloud backup can lag by hours, and users can disable it. The gap between message delivery and archive write is a compliance gap.

Immutable storage from the start. The message should be written once and locked immediately on receipt. The 2022 amendment to Rule 17a-4 introduced an alternative to WORM storage: firms may use a complete, time-stamped audit trail in lieu of non-rewriteable storage, provided it captures all modifications, deletions, and the identity of anyone who touched the record. Both approaches require that tampering be impossible or immediately detectable — the underlying standard is the same.
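To make the audit-trail alternative concrete, here is an added illustration (not Comma's code and not part of the original page) of an append-only, hash-chained audit log: every capture, modification or deletion event records who acted and when, and is bound to the previous event, so a later edit or removal of an interior event is detected on verification. Record ids, actors and timestamps are made-up sample values, and the truncation check assumes the latest hash is anchored out of band.

```python
import hashlib
import json

# Hypothetical tamper-evident audit trail (not Comma's implementation): each
# capture, modification or deletion of an archived message is appended as an
# event carrying actor, timestamp, content hash and the previous event's hash.

GENESIS = "0" * 64


def _sha256(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def _event_hash(ev: dict) -> str:
    # Canonical JSON of every field except the hash itself
    fields = {k: v for k, v in ev.items() if k != "event_hash"}
    return _sha256(json.dumps(fields, sort_keys=True))


class AuditTrail:
    def __init__(self) -> None:
        self.events = []  # append-only; events are never edited in place

    def append(self, record_id: str, action: str, actor: str, content: str, ts: str) -> str:
        ev = {
            "record_id": record_id,   # archived message identifier
            "action": action,         # "capture", "modify" or "delete"
            "actor": actor,           # identity of whoever touched the record
            "ts": ts,                 # time of receipt/modification, ISO 8601
            "content_sha256": _sha256(content),
            "prev_hash": self.head(),
        }
        ev["event_hash"] = _event_hash(ev)
        self.events.append(ev)
        return ev["event_hash"]

    def head(self) -> str:
        # Latest hash; keep a copy out of band (e.g. in WORM storage) so that
        # silently dropping the newest events is detectable as well.
        return self.events[-1]["event_hash"] if self.events else GENESIS

    def verify(self, expected_head=None):
        """Return the index of the first bad event, len(events) if the tail was
        truncated relative to expected_head, or None if the trail is intact."""
        prev = GENESIS
        for i, ev in enumerate(self.events):
            if ev["prev_hash"] != prev or ev["event_hash"] != _event_hash(ev):
                return i
            prev = ev["event_hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.events)
        return None
```

Note that a bare hash chain only proves interior integrity; without the externally anchored head, removing the newest events leaves a chain that still verifies.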

Retrieval within hours, not days. Examiners expect prompt production. An archive that requires submitting a ticket is not compliant in practice, regardless of what the contract says.

Verifiable capture architecture. You should be able to answer "how was this message captured?" with something more specific than "we trust our vendor." After the TeleMessage incident — where a vendor marketed compliant Signal archiving while storing plaintext messages insecurely — the question of how a vendor captures has become a due diligence requirement.

A vendor undertaking on file. Under Rule 17a-4(i), your archive provider must file a written undertaking with the SEC. Under 17a-4(f)(3)(v), your firm must file a separate undertaking with FINRA. Comma's undertaking is available upon request.

Common Mistakes / Risky Shortcuts

Banning the channel instead of archiving it. Many firms still ban specific apps like WhatsApp. Employees use it anyway. Regulators have fined firms specifically because employees used prohibited channels and the firm had no archive — not because the channel was permitted. Banning without enforcement doesn't satisfy 17a-4.

Treating email compliance as messaging compliance. Your email archive is not your messaging archive. SEC examiners now ask about mobile messaging explicitly. "We have email covered" is not an acceptable answer.

Relying on iCloud or device backups. Backup-dependent archiving fails the capture-at-delivery standard. An exam request for a message sent during a period when iCloud was disabled, delayed, or cleared exposes the gap.

How Comma Compliance Addresses SEC Rule 17a-4

Comma captures messages as an authorized participant in the conversation — not by intercepting network traffic, installing screen-readers, or relying on device backups.

iMessage: Captured independently of iCloud. No dependency on backup timing, device settings, or employee behavior. Runs on the employee's existing iPhone without requiring a separate compliance device.

WhatsApp: Captured via open-source connector code, published on GitHub. No plaintext storage at an intermediary.

Signal: Captured at point of delivery without compromising Signal's encryption model. The capture works with Signal's architecture: it doesn't break it.

Storage and retrieval: All captured messages are written to WORM storage immediately on receipt. Default retention is seven years. Records are retrievable directly from the Comma platform — no support ticket required.

FAQ about SEC Rule 17a-4

Does 17a-4 actually apply to WhatsApp and iMessage?

Yes. The SEC has made clear that any electronic communication used for business purposes — regardless of platform — must be captured and retained under 17a-4. The $2 billion+ in fines issued between 2021 and 2023 were primarily for WhatsApp and personal messaging app violations.

Do we need written supervisory procedures for messaging?

Yes. Under Rule 17a-4(e)(7), firms must maintain a compliance and supervisory procedures manual covering electronic communications, including which channels are permitted, how they're archived, and how violations are handled. Examiners ask for this alongside your archive. Having Comma in place covers the archiving piece. Your compliance counsel should ensure your WSPs reflect it.

What is WORM storage?

Write Once, Read Many. Once a message is written to WORM storage, it cannot be edited, deleted, or overwritten — by anyone, including your own IT team. This is the technical definition of tamper-proof in a regulatory context.

How long do we need to retain messaging records?

Generally, the first two years must be in an easily accessible location, meaning producible within 36 hours on request; years three through six must be preserved but not necessarily at hand. What counts as "easily accessible" for branch and remote-work environments is an evolving area as more firms transition to a work-from-home scenario.

What if an employee deletes a message after it's been archived?

At Comma, messages are captured at delivery and written to WORM immediately, so a deletion on the employee's device has no effect on the archive. If your vendor relies on device backups or iCloud sync, a deletion before the next backup runs may not be recoverable.

Does 17a-4 apply to AI-generated communications?

Yes, if they’re business communications. If an employee uses an AI tool to draft a client message, summarize a call, or communicate about a trade — and that output is sent to or received by a client — regulators expect it to be captured. This is an area of active SEC focus heading into 2026.

Does Comma work for RIAs as well as broker-dealers?

Rule 17a-4 applies to broker-dealers. RIAs are governed by Investment Advisers Act Rule 204-2. Comma covers both from a single platform.
