
Off-Channel Communications in Finance Meeting SEC and CFTC Standards
Off-channel communications have become one of the most heavily penalized compliance failures in modern financial services. As regulators intensify their scrutiny of how firms capture and preserve mobile messaging, understanding the rules, the risks, and the right technology has never been more critical.
Off-Channel Communications: The $3.5 Billion Wake-Up Call
The numbers are hard to ignore. Since December 2021, combined penalties from the SEC, CFTC, and FINRA have exceeded $3.5 billion. This was against more than 100 firms for off-channel communications violations. In 2024 alone, the SEC imposed over $600 million in penalties against more than 70 firms for violations related to messaging compliance.

These fines were not limited to junior staff. Regulators found that violations involved employees at multiple levels of authority, including supervisors and senior executives. Firms like Bank of America, Citigroup, Goldman Sachs, Wells Fargo, and BNP Paribas have all faced penalties for employees using platforms such as WhatsApp, iMessage, and Signal to conduct business without proper recordkeeping.
The Recordkeeping Challenges of Text Messaging
Under SEC Rules 17a-3 and 17a-4, broker-dealers are required to create, preserve, and supervise business-related communications, regardless of the device or platform used. FINRA Rule 4511 reinforces this obligation. FINRA Rule 3110 further requires firms to establish supervisory systems reasonably designed to ensure compliance, including supervision of communications.
The challenge is structural. Financial professionals regularly use personal devices, often texting clients through SMS, iMessage, or third-party apps without archiving those conversations. Without a controlled collection process, these messages can stay invisible to compliance teams until a regulatory request or enforcement action forces the issue. Manual methods, such as screenshots and self-reported exports, have been deemed insufficient by regulators for regulatory purposes.
Common compliance gaps include:
Use of personal devices without centralized archiving
Inconsistent preservation across business units and regions
Reliance on policies and attestations rather than preserved records
Ad hoc collection methods that lack auditability and chain of custody
The Essential Components of a Defensible Archive
A "defensible archive" is more than a storage folder. It is a structured, documented system that can withstand regulatory examination and enforcement scrutiny. Regulators have made clear that collected records must meet specific standards, including non-rewritable, non-erasable WORM format under SEC Rule 17a-4. This means records cannot be altered or deleted during defined retention periods.
For financial firms, a defensible archive must include:
Immutable storage with cryptographic integrity verification
Clear chain-of-custody and audit trails for every collection
Repeatable, documented workflows that can be explained to regulators
Targeted, scoped acquisition to avoid over-collection and privacy risk
Review-ready output formatted for efficient regulatory production

The absence of any one of these elements is where firms typically face enforcement exposure. When regulators request communications, they evaluate not just what firms preserved, but how they preserved it. A firm must be able to demonstrate that its collection methodology was consistent and auditable.
Auditing Off-Channel Communications Proactively
Reactive compliance is increasingly risky. Firms that wait for a regulatory request to begin collecting mobile communications face compressed timelines, higher costs, and greater enforcement exposure. The better approach is proactive, ongoing oversight.
Purpose-built mobile data collection platforms like PME are designed to fundamentally shift this dynamic. Rather than relying on device seizures or onsite technicians, our platform allows compliance teams to perform remote, highly targeted extractions from a custodian's personal device. Teams can scope collections by date range, data type, and custodian, ensuring they capture only relevant business communications. This reduces privacy risk while keeping the process efficient and defensible.
PME supports collection of SMS, iMessage, and messaging app content, such as WhatsApp, including attachments, metadata, and timestamps. Every collection follows documented workflows with full audit trails. Compliance teams can use the PME platform to define relevant timeframes, and produce records that align directly with SEC and FINRA recordkeeping expectations.
Taking Control Before Regulators Do
The enforcement landscape has made one thing undeniable: off-channel communications are a books-and-records issue, not simply a technology gap. Financial firms operating in this environment cannot afford to rely on informal or inconsistent collection methods.
PME provides broker-dealers and investment advisers with a practical, regulator-aligned solution for capturing, preserving, and producing mobile communications when examinations or enforcement actions demand it. With remote workflows, immutable storage, and audit-ready documentation, firms can move from reactive crisis management to a repeatable, proactive compliance program.
Ready to address off-channel communication risks before regulators do? Contact PME to learn how targeted mobile collection supports examinations and enforcement readiness.
Quick Guide: FAQ
What are off-channel communications, and why do regulators care about them?
Off-channel communications refer to business-related messages sent through personal devices or unapproved apps, such as WhatsApp, iMessage, and Signal, outside of a firm's official recordkeeping systems. Regulators care because SEC and CFTC rules require broker-dealers and other registered entities to preserve all business communications as official records. When firms fail to capture these messages, they cannot produce them during investigations or enforcement actions, a failure regulators treat as a serious recordkeeping violation.
Can PME help firms that are already under regulatory scrutiny for off-channel communications?
Yes. PME is designed to support both proactive compliance programs and remediation efforts following regulatory scrutiny. The platform enables targeted, defensible collection of mobile communications from personal devices, with immutable storage, chain-of-custody documentation, and audit trails suitable for SEC, CFTC, and FINRA examinations. Firms can use PME to demonstrate concrete remediation steps, not just policy changes.
What types of mobile communications does PME collect?
PME supports defensible collection of SMS, iMessage, WhatsApp, and other messaging app content, including attachments, media, timestamps, and sender/recipient metadata. Collections can be scoped by custodian, date range, and data type, enabling firms to capture only relevant business communications while minimizing privacy exposure from over-collection.