Off-Channel Electronic Communications Retention

You must capture and retain all business-related electronic communications, even when employees use personal devices, texting, or unapproved messaging apps, and you must be able to retrieve those records for supervision and regulatory requests. To operationalize this, combine (1) approved-channel controls, (2) technical capture/archiving where possible, and (3) testing plus disciplinary follow-through when people go off-channel. (17 CFR § 240.17a-4; 17 CFR § 275.204-2)

Key takeaways:

  • Off-channel does not mean off-the-record; business messages on personal phones still create recordkeeping obligations. (17 CFR § 240.17a-4; 17 CFR § 275.204-2)
  • Policies alone fail; you need enforceable technical controls, monitoring, and consequence management. (SEC Press Release 2022-174)
  • Your audit trail should prove governance, capture/retention, supervision, exceptions handling, and periodic testing.

Off-channel electronic communications retention is a recordkeeping requirement that becomes operationally hard the moment a business user prefers texting a client, replying from a personal phone, or switching to a “quick” messaging app. For broker-dealers and investment advisers, the risk is straightforward: if the communication is business-related, regulators expect it to be retained and retrievable, regardless of device ownership or whether the channel was approved. (17 CFR § 240.17a-4; 17 CFR § 275.204-2)

For a CCO or GRC lead, the fastest path to control is to treat this as a systems-and-supervision problem, not a policy refresh. You need a clear definition of “business communication,” a short list of approved channels, a documented method to capture and retain communications created in those channels, and a defensible approach to detect and remediate off-channel behavior. SEC enforcement has highlighted failures to maintain and preserve required records where personnel used off-channel methods. (SEC Press Release 2022-174)

This page gives requirement-level guidance you can implement: who the requirement applies to, the control set that exam teams expect to see, the artifacts you must retain, and a practical execution plan to get from exposure to an operating program.

Regulatory text

Regulatory excerpt (provided): “Broker-dealers and investment advisers must retain records of all business-related electronic communications, including those conducted through personal devices and messaging applications.” (17 CFR § 240.17a-4; 17 CFR § 275.204-2)

Operator interpretation:

  • If a message relates to your business (clients, trades, recommendations, orders, fees, onboarding, complaints, marketing of advisory services, negotiations with a third party that impact client activity), it is a record you must retain. (17 CFR § 240.17a-4; 17 CFR § 275.204-2)
  • The requirement follows the communication, not the device. A personal phone does not reduce retention obligations. (17 CFR § 240.17a-4; 17 CFR § 275.204-2)
  • Your controls must support preservation and retrieval. A policy that “prohibits WhatsApp” without detection, capture options, supervision, and consequences does not manage the exposure. (SEC Press Release 2022-174)

Public enforcement cases

SEC off-channel communications enforcement (press release)

The SEC announced enforcement actions focused on “off-channel communications,” where required business communications occurred on unapproved platforms and were not preserved as required by recordkeeping rules. The enforcement message for operators is consistent: regulators evaluate whether firms actually maintained and preserved business records and whether supervision and controls were effective in practice. (SEC Press Release 2022-174)

What to learn operationally:

  • Regulators look past written policies and ask whether the firm captured business communications where business was actually conducted. (SEC Press Release 2022-174)
  • Failure modes often include weak supervision, inconsistent enforcement, and gaps created by personal devices and consumer messaging apps. (SEC Press Release 2022-174)

Plain-English requirement (what this means day to day)

You must run your communications environment so that business conversations happen in channels you can retain and retrieve, and you must be able to prove it. If your people conduct business by SMS, iMessage, WhatsApp, Signal, Telegram, or personal email, you have an obligation to address retention and supervision risk created by those communications. (17 CFR § 240.17a-4; 17 CFR § 275.204-2)

This is not limited to front office. Operations, finance, trading support, investor relations, and anyone interacting with clients or third parties can create business records through chat and text.

Who it applies to (entity + operational context)

Entity types (core scope):

  • Broker-dealers (17 CFR § 240.17a-4)
  • Investment advisers (17 CFR § 275.204-2)

Operational contexts that trigger the requirement:

  • Client-facing communications (advice, orders, account activity, performance discussions). (17 CFR § 275.204-2)
  • Trade-related communications and internal approvals. (17 CFR § 240.17a-4)
  • Business communications with third parties that relate to client service, distribution, or execution activities. (17 CFR § 240.17a-4; 17 CFR § 275.204-2)
  • Hybrid/remote work where personal devices and consumer apps are more likely to creep in.

What you actually need to do (step-by-step)

1) Define “business communication” and “in-scope channels”

Create a written definition used consistently across policy, training, surveillance, and investigations. Include examples: “texts with clients about account actions,” “messages with a third party about allocations,” “chat approving fees,” “complaint-related messages.” Anchor the definition to your recordkeeping rules. (17 CFR § 240.17a-4; 17 CFR § 275.204-2)

Deliverable: Communications classification standard mapped to retention/supervision obligations.

2) Establish an approved-channel inventory, with an enforceable prohibition list

Publish a short list of approved tools (email, corporate chat, recorded lines, approved texting solution). Publish an explicit list of prohibited channels for business use and state what happens if employees use them.

Practical point: keep the approved list short; every extra channel multiplies capture and supervision complexity.

Deliverables:

  • Approved communications channels register (owner, capture method, retention location, supervision coverage)
  • Prohibited off-channel list with rationale

3) Implement capture and retention for approved channels

For each approved channel, document:

  • How messages are captured (native archive, connector, journaling, mobile capture).
  • Where they are stored (archive system of record).
  • How they are indexed and retrievable for supervision and regulatory response. (17 CFR § 240.17a-4; 17 CFR § 275.204-2)

Minimum expectation in exams: you can produce records promptly and show they are complete for the channel you approved.

Deliverables:

  • Retention schedule for electronic communications (aligned to applicable rule)
  • System architecture diagram for capture → archive → eDiscovery/export
  • Access controls and audit logging for the archive

4) Address personal devices directly (choose one operating model)

Pick a model and document it. Common defensible approaches include:

  • Corporate devices only for business communications, with technical restrictions and monitoring.
  • BYOD with mobile management, where business messaging occurs only in managed/approved apps that support capture.

What exam teams look for is consistency: if you allow BYOD, you still need a method to keep business communications in retained channels. (17 CFR § 240.17a-4; 17 CFR § 275.204-2)

Deliverables:

  • BYOD / device standard (allowed device types, required controls, enforcement steps)
  • Attestations from covered staff

5) Build supervision and surveillance around the reality of off-channel risk

Do not treat this as a one-time compliance memo. Create an operating rhythm:

  • Supervisory review of captured communications (sample-based or risk-based).
  • Escalation workflow for suspected off-channel activity.
  • HR/Compliance coordination for discipline and remediation.

If you cannot capture a prohibited channel, then your control must focus on prevention + detection + enforcement: restrictions, monitoring for indicators, and documented follow-through. SEC enforcement has emphasized failures where firms did not maintain and preserve required records. (SEC Press Release 2022-174)

Deliverables:

  • Supervisory procedures for electronic communications review
  • Investigation playbook for off-channel allegations
  • Disciplinary matrix tied to violations

6) Prove it works (testing and exception management)

Run periodic tests that answer:

  • Are all approved channels actually being captured?
  • Can you retrieve records by user, date range, client, keyword?
  • After a user is terminated, do their communications remain retained and retrievable?
  • Are exceptions documented and remediated?

Deliverables:

  • Control testing scripts and results
  • Issue log with corrective actions
  • Metrics (exceptions found, time to close, repeat offenders)

7) Make third parties part of the control (archiving, eDiscovery, managed comms tools)

Your archive and communications tooling are usually provided by third parties. Your due diligence should confirm:

  • The tool can capture the communication types you approved.
  • Export/retrieval supports regulatory response needs.
  • Audit logging and access controls meet your supervision model.

Where Daydream fits naturally: if you are coordinating multiple third parties (archiving provider, mobile management, messaging platform, eDiscovery), Daydream can centralize third-party risk evidence, contract obligations, and control ownership so communications retention doesn’t fail at the seams during audits.

Required evidence and artifacts to retain

Keep artifacts in a form that stands on its own in an exam. A practical evidence pack includes:

Governance

  • Electronic communications policy (approved/prohibited channels, definitions, consequences)
  • Supervisory procedures for communications review
  • BYOD/personal device standard and attestations

Technical & operational

  • Approved channels register with capture/retention method
  • Archive configuration evidence (screenshots/config exports), journaling rules, connector settings
  • Access control list for archive admins and reviewers, with audit logs

Supervision & enforcement

  • Samples of supervisory review tickets/notes
  • Escalations and investigation records (including outcomes)
  • Training completion records and targeted training for violators

Testing

  • Periodic retrieval tests (requests, results, time-to-produce notes)
  • Control testing results and remediation tracking

Common exam/audit questions and hangups

Expect questions like:

  • “Show your policy defining business communications and prohibiting off-channel apps.” (17 CFR § 240.17a-4; 17 CFR § 275.204-2)
  • “List every channel employees use for business and show how each is captured.” (17 CFR § 240.17a-4; 17 CFR § 275.204-2)
  • “Demonstrate retrieval: produce messages for a specific rep and date range.” (17 CFR § 240.17a-4)
  • “How do you supervise electronic communications? Who reviews, how often, and what happens on findings?” (SEC Press Release 2022-174)
  • “How do you control BYOD/personal devices? Prove adoption and enforcement.” (SEC Press Release 2022-174)
  • “Show disciplinary actions taken for off-channel violations.” (SEC Press Release 2022-174)

Hangups that slow production:

  • No single system of record for archived communications.
  • Approved-channel sprawl without consistent capture.
  • Retrieval depends on one IT admin with tribal knowledge.

Frequent implementation mistakes (and how to avoid them)

  1. Policy-only compliance.
    Fix: tie the policy to technical controls, supervision, and a disciplinary workflow you can evidence. (SEC Press Release 2022-174)

  2. Approving a channel before you can retain it.
    Fix: require a retention readiness review before approving any new communication tool.

  3. Undefined scope for “business-related.”
    Fix: publish a definition with examples and train to it; use the same definition in investigations. (17 CFR § 240.17a-4; 17 CFR § 275.204-2)

  4. BYOD allowed in practice but unmanaged on paper.
    Fix: decide your operating model, document it, and collect attestations; enforce with access controls.

  5. Weak offboarding controls.
    Fix: ensure terminated users’ communications remain retained and retrievable through the archive.

Enforcement context and risk implications

Off-channel retention failures create two immediate exposures:

  • Books-and-records violations if business communications are not preserved. (17 CFR § 240.17a-4; 17 CFR § 275.204-2)
  • Supervision/control failures if the firm cannot show it monitored behavior and enforced restrictions in practice. (SEC Press Release 2022-174)

Operationally, the risk is compounded during investigations and litigation holds. If you cannot prove completeness of the record, you may face escalated scrutiny and broader testing of supervisory controls. (SEC Press Release 2022-174)

Practical 30/60/90-day execution plan

First 30 days (stabilize and stop the bleed)

  • Name an executive owner (Compliance) and technical owner (IT/InfoSec) for communications retention.
  • Publish interim guidance: approved channels only; remind staff that business messages must occur in retained channels. (17 CFR § 240.17a-4; 17 CFR § 275.204-2)
  • Build the channel inventory: what tools are used today, including shadow IT and texting patterns.
  • Start an exceptions log and require managers to report known off-channel use.

Days 31–60 (implement controls you can evidence)

  • Finalize approved channels register with capture/retention mapping.
  • Implement or harden archiving for approved channels; document configurations and retrieval steps. (17 CFR § 240.17a-4; 17 CFR § 275.204-2)
  • Roll out BYOD/device controls aligned to your chosen model; collect attestations.
  • Stand up supervision procedures and escalation workflow; run initial review cycles.

Days 61–90 (prove effectiveness and close gaps)

  • Conduct retrieval tests and document time-to-produce and completeness.
  • Run targeted surveillance for high-risk roles (client-facing, trading, senior leadership).
  • Execute disciplinary actions for confirmed violations; document consistency. (SEC Press Release 2022-174)
  • Formalize third-party oversight for communications tooling and archiving; centralize evidence in a system like Daydream to reduce scramble during exams.

Frequently Asked Questions

If employees use a personal phone for business texts, do we still have to retain those messages?

Yes. The obligation is tied to business-related communications, including those on personal devices and messaging apps. (17 CFR § 240.17a-4; 17 CFR § 275.204-2)

Can we solve this by banning WhatsApp/Signal and requiring email only?

A ban helps, but regulators expect more than a written prohibition if off-channel behavior continues. Pair restrictions with detection, supervision, and documented disciplinary follow-through. (SEC Press Release 2022-174)

What evidence should we keep to show we can “retrieve” communications?

Keep documented retrieval procedures, sample exports from the archive, and logs showing who accessed records and when. Your goal is to demonstrate repeatable production capability. (17 CFR § 240.17a-4; 17 CFR § 275.204-2)

Do we need to retain communications with third parties (for example, a placement agent or technology provider)?

If the communication is business-related and falls within your recordkeeping scope, retain it regardless of whether the counterparty is a client or another third party. Use your “business communication” definition to drive consistent decisions. (17 CFR § 240.17a-4; 17 CFR § 275.204-2)

What’s the fastest way to reduce exposure if we can’t technically capture SMS immediately?

Restrict business communications to channels you can retain, require written attestations, increase supervision for high-risk groups, and document investigations and outcomes for violations. Regulators focus on whether firms maintained and preserved required records in practice. (SEC Press Release 2022-174)

How should we handle senior executives who prefer texting?

Treat them as in-scope and high-risk. Apply the same channel rules, require the same attestations, and document enforcement actions consistently to avoid the appearance of uneven supervision. (SEC Press Release 2022-174)
