SEC Rule 17a-4 requires broker-dealers to retain all business communications in tamper-proof storage for three to six years, retrievable on demand. Most firms have email covered. The gap is encrypted mobile messaging: channels employees actively use, that legacy compliance vendors still can’t capture cleanly, and that regulators are now examining as a priority.
At a Glance
| SEC Rule 17a-4 | Information |
|---|---|
| Issued by | U.S. Securities and Exchange Commission |
| Who it applies to | Broker-dealers registered with the SEC |
| Storage standard | Retain all business communications in tamper-proof electronic storage: either Write-Once, Read-Many (WORM) format or a complete, time-stamped audit trail |
| Retention Period | 2 years easily accessible; 6 years total (most record types) |
| Retention (Corporate Records) | Lifetime (partnership docs, Forms BD, articles of incorporation) |
| Covers mobile messaging? | Yes — WhatsApp, iMessage, Signal if used for business |
| Enforcement | $2B+ in fines (2021–present) for off-channel messaging violations |
What Regulators Expect
In a 17a-4 exam, SEC examiners will ask:
- What channels are employees using for client communication?
- Are all those channels being archived?
- Can you retrieve a specific conversation from three years ago within hours?
- Can you prove the archive hasn’t been altered since capture?
- Do you have written supervisory procedures covering electronic communications?
The exam is no longer limited to email. Since 2021, the SEC has examined mobile messaging as a separate line of inquiry, and firms that answer “we have email covered” are exposed. Examiners now ask specifically about WhatsApp, iMessage, and Signal by name.
Why Mobile Channels Are Hard to Archive Under 17a-4
17a-4 has three requirements that are easy to meet for email and genuinely hard for encrypted mobile messaging: capture at point of delivery, immutable storage from the moment of receipt, and a verifiable audit trail.
Capture at delivery is hard to prove. Most vendors rely on iCloud backups or device syncs — both of which can lag, fail, or be disabled by the employee. That gap between message delivery and archive write doesn’t meet the rule’s standard.
WORM compliance is hard to verify. A vendor can claim WORM storage — or, under the 2022 amendment, a compliant audit trail. Without visibility into the capture architecture, you can’t confirm messages were locked immediately on receipt — or that an intermediary didn’t hold plaintext before writing to storage.
Audit trail requires knowing how capture actually works. Examiners increasingly ask not just “is it archived?” but “how was it captured?” If your vendor can’t answer that question clearly, neither can you.
What a Compliant Archive Should Include
A 17a-4-compliant archive for modern messaging should meet all of the following:
Capture at point of delivery — not via backup or sync. Messages must be written to the archive the moment they’re received. iCloud backup can lag by hours, and users can disable it. The gap between message delivery and archive write is a compliance gap.
Immutable storage from the start. The message should be written once and locked immediately on receipt. The 2022 amendment to Rule 17a-4 introduced an alternative to WORM storage: firms may use a complete, time-stamped audit trail in lieu of non-rewriteable storage, provided it captures all modifications, deletions, and the identity of anyone who touched the record. Both approaches require that tampering be impossible or immediately detectable — the underlying standard is the same.
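To make the "impossible or immediately detectable" standard concrete, here is an added illustration (not Comma's code, and not a description of any particular vendor's architecture) of the two mechanisms the paragraph above names: a write-once record store that refuses overwrites and deletions, and a time-stamped audit trail in which every entry records the acting identity and is SHA-256 chained to the previous entry. All message contents, identifiers and actor names are constructed sample data.

```python
"""Tamper-evident message archive: write-once records plus a hash-chained,
time-stamped audit trail. Added illustration, not Comma's code; all sample
messages and actor names below are constructed."""
import hashlib
import json
from datetime import datetime, timezone


class ArchiveError(Exception):
    pass


class TamperEvidentArchive:
    """Records are written once and never overwritten. Every capture, retrieval
    and refused modification/deletion is appended to an audit trail in which
    each entry hashes its own fields together with the previous entry's hash,
    so editing, removing or reordering any entry breaks the chain."""

    def __init__(self):
        self._records = {}   # record_id -> captured message record
        self._audit = []     # hash-chained audit entries, append-only

    @staticmethod
    def _entry_hash(entry):
        # Canonical JSON over every field except the entry's own hash.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append_audit(self, action, record_id, actor, detail=""):
        prev_hash = self._audit[-1]["hash"] if self._audit else "0" * 64
        entry = {
            "seq": len(self._audit),
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "record_id": record_id,
            "actor": actor,          # identity of whoever touched the record
            "detail": detail,
            "prev_hash": prev_hash,  # links this entry to the one before it
        }
        entry["hash"] = self._entry_hash(entry)
        self._audit.append(entry)
        return entry

    def capture(self, record_id, channel, sender, body, actor):
        """Write a message once, at capture time; a second write is refused and logged."""
        if record_id in self._records:
            self._append_audit("overwrite_rejected", record_id, actor)
            raise ArchiveError(f"record {record_id} exists; write-once store refuses overwrite")
        record = {
            "record_id": record_id, "channel": channel, "sender": sender, "body": body,
            "captured_at": datetime.now(timezone.utc).isoformat(),
        }
        self._records[record_id] = record
        content_hash = hashlib.sha256(body.encode()).hexdigest()
        self._append_audit("capture", record_id, actor, content_hash)
        return record

    def delete(self, record_id, actor):
        # Deletion attempts are recorded with the actor's identity and refused.
        self._append_audit("delete_rejected", record_id, actor)
        raise ArchiveError("records cannot be deleted before retention expiry")

    def retrieve(self, record_id, actor):
        self._append_audit("retrieve", record_id, actor)
        return dict(self._records[record_id])  # copy, so callers cannot mutate the store

    def verify(self):
        """Return (ok, first_bad_seq). Recomputes every entry hash, checks the
        chain links, and checks each captured record still matches its hash."""
        prev = "0" * 64
        for i, e in enumerate(self._audit):
            if e["seq"] != i or e["prev_hash"] != prev or self._entry_hash(e) != e["hash"]:
                return False, i
            if e["action"] == "capture":
                rec = self._records.get(e["record_id"])
                if rec is None or hashlib.sha256(rec["body"].encode()).hexdigest() != e["detail"]:
                    return False, i
            prev = e["hash"]
        return True, None

    def audit_trail(self):
        return [dict(e) for e in self._audit]


def demo():
    """Constructed scenario: capture two messages, refuse an overwrite and a
    delete, retrieve one record, then show an out-of-band edit being detected."""
    a = TamperEvidentArchive()
    a.capture("msg-1", "whatsapp", "+1-555-0100", "Buy 100 shares at open", actor="capture-service")
    a.capture("msg-2", "imessage", "rep@example.com", "Confirmed, order placed", actor="capture-service")
    rejected = 0
    for op in (lambda: a.capture("msg-1", "whatsapp", "x", "changed text", actor="alice"),
               lambda: a.delete("msg-2", actor="alice")):
        try:
            op()
        except ArchiveError:
            rejected += 1
    a.retrieve("msg-1", actor="examiner")
    clean = a.verify()
    a._records["msg-1"]["body"] = "Buy 10 shares at open"   # simulated storage-level edit
    tampered = a.verify()
    return {"rejected": rejected, "clean": clean, "tampered": tampered,
            "audit_len": len(a.audit_trail())}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that neither mechanism alone is enough: the write-once store stops ordinary overwrites, but only the chained audit trail exposes a change made underneath it, and only the recorded actor field answers "who touched this record". In production the chain head would be anchored somewhere the archive operator cannot rewrite (for example a periodically published or externally timestamped digest), which this in-memory illustration omits.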
Retrieval within hours, not days. Examiners expect prompt production. An archive that requires submitting a ticket is not compliant in practice, regardless of what the contract says.
Verifiable capture architecture. You should be able to answer “how was this message captured?” with something more specific than “we trust our vendor.” After the TeleMessage incident — where a vendor marketed compliant Signal archiving while storing plaintext messages insecurely — the question of how a vendor captures has become a due diligence requirement.
A vendor undertaking on file. Under Rule 17a-4(i), your archive provider must file a written undertaking with the SEC. Under 17a-4(f)(3)(v), your firm must file a separate undertaking with FINRA. Comma’s undertaking is available upon request.
Common Mistakes / Risky Shortcuts
Banning the channel instead of archiving it. Many firms still ban specific apps like WhatsApp. Employees use it anyway. Regulators have fined firms specifically because employees used prohibited channels and the firm had no archive — not because the channel was permitted. Banning without enforcement doesn’t satisfy 17a-4.
Treating email compliance as messaging compliance. Your email archive is not your messaging archive. SEC examiners now ask about mobile messaging explicitly. “We have email covered” is not an acceptable answer.
Relying on iCloud or device backups. Backup-dependent archiving fails the capture-at-delivery standard. An exam request for a message sent during a period when iCloud was disabled, delayed, or cleared exposes the gap.
How Comma Compliance Addresses SEC Rule 17a-4
Comma captures messages as an authorized participant in the conversation — not by intercepting network traffic, installing screen-readers, or relying on device backups.
iMessage: Captured independently of iCloud. No dependency on backup timing, device settings, or employee behavior. Runs on the employee’s existing iPhone without requiring a separate compliance device.
WhatsApp: Captured via open-source connector code, published on GitHub. No plaintext storage at an intermediary.
Signal: Captured at point of delivery without compromising Signal’s encryption model. The capture works within Signal’s architecture rather than breaking it.
Storage and retrieval: All captured messages are written to WORM storage immediately on receipt. Default retention is seven years. Records are retrievable directly from the Comma platform — no support ticket required.
FAQ about SEC Rule 17a-4
Does 17a-4 actually apply to WhatsApp and iMessage?
Do we need written supervisory procedures for messaging?
What is WORM storage?
How long do we need to retain messaging records?
What if an employee deletes a message after it’s been archived?
Does 17a-4 apply to AI-generated communications?
Does Comma work for RIAs as well as broker-dealers?
Related regulations
FINRA Rule 4511
FINRA's books and records rule — incorporates 17a-3 and 17a-4 and makes them enforceable for FINRA-registered broker-dealers.
Read the guide →
SEC Rule 17a-3
Defines which records broker-dealers must create, including all written business communications regardless of channel or device.
Read the guide →
FINRA Rule 3110
Requires broker-dealers to establish a supervisory system and written supervisory procedures — and prove they work in practice.
Read the guide →
Off-Channel Communications Compliance
What off-channel compliance requires, where firms get cited, and what examiners check.
Read the guide →