Customer Mail Retention (FINRA 2268)

To meet the Customer Mail Retention (FINRA 2268) requirement, you may hold a customer’s mail only after you obtain written customer instructions that specify the holding period, and you must operate the safeguards required by the rule. Operationally, that means a standardized request/approval workflow, time-bound holds, secure storage, and complete records retention under broker-dealer books-and-records rules. (FINRA Rule 3150; 17 CFR 240.17a-4)

Key takeaways:

  • Get written, time-bound instructions before you hold any customer mail. (FINRA Rule 3150)
  • Treat “hold mail” as a controlled exception process with approvals, tracking, and secure handling.
  • Retain the instructions and operational logs as books and records. (17 CFR 240.17a-4)

“Hold mail” requests sound operationally simple, but regulators treat them as a supervision and recordkeeping risk because they can suppress customer communications, hide address issues, and create opportunities for fraud or unsuitable activity to go unnoticed. FINRA’s standard is clear: you can hold customer mail only if the customer provides written instructions that include the time period for holding the mail, and you satisfy the safeguards required by the rule. (FINRA Rule 3150)

For a CCO or GRC lead, the fast path is to turn this into an auditable, time-boxed workflow that answers three exam questions without drama: (1) Did the customer request this in writing? (2) Is the hold period explicitly defined and enforced? (3) Can you prove, with records, what you held, for how long, who approved it, and how you prevented misuse? Your controls should also align with your broader record retention obligations for broker-dealers, including preserving the request and related records. (17 CFR 240.17a-4)

This page gives requirement-level implementation guidance: applicability, step-by-step operating procedures, evidence to retain, exam hot spots, and a practical execution plan to get to a stable, repeatable control.

Plain-English interpretation (what the rule requires)

FINRA permits a member to hold mail for a customer who will not be receiving mail at their usual address only if two conditions are met:

  1. You receive written instructions from the customer, and those instructions include the time period for holding the mail. (FINRA Rule 3150)
  2. You satisfy the safeguards in the rule. (FINRA Rule 3150)

In practice, treat this as a restricted service that is allowed only through a documented exception process. If you cannot produce the customer’s written, time-bound instruction, you should assume the hold is noncompliant.

Regulatory text

FINRA’s requirement (excerpted) is: “A member may hold mail for a customer who will not be receiving mail at his or her usual address, provided that the member receives written instructions from the customer that include the time period for holding the mail and satisfies the safeguards in the rule.” (FINRA Rule 3150)

Operator translation:

  • “May hold” means the default is delivery; holding is an exception you must control.
  • “Written instructions” means you need a retained record of the customer’s request (paper or electronic, consistent with your recordkeeping program). (FINRA Rule 3150; 17 CFR 240.17a-4)
  • “Include the time period” means an explicit start/end or a defined duration you enforce in systems and procedures, not an open-ended hold. (FINRA Rule 3150)
  • “Satisfies safeguards” means your procedures must prevent abuse (for example, holds used to conceal communications) and must be supervised and auditable. (FINRA Rule 3150)

Who it applies to (entity and operational context)

Applies to: FINRA member broker-dealers that offer or honor requests to hold customer mail. (FINRA Rule 3150)

Operational contexts where this comes up:

  • Customers traveling or temporarily relocating.
  • Seasonal addresses, international travel, military deployment.
  • Address instability or customer safety concerns (where mail routing is sensitive).
  • Transition periods during account transfers or estate administration.

Teams typically involved:

  • Operations / client services (intake and execution)
  • Compliance (policy, escalation, surveillance)
  • Supervisory principals (approval and review, depending on your model)
  • Records management (retention under your books-and-records program) (17 CFR 240.17a-4)
  • Information security / physical security (storage controls)

What you actually need to do (step-by-step)

1) Define a “hold mail” service standard

Document, in a procedure, what “holding mail” means at your firm:

  • What communications are held (statements, confirmations, shareholder materials, letters).
  • What is excluded (for example, regulatory notices you must still deliver, if applicable to your model).
  • Where mail is stored and who can access it.
  • How the hold starts, ends, and is enforced in systems.

Tie this procedure to your supervision and recordkeeping policies. (FINRA Rule 3150; 17 CFR 240.17a-4)

2) Standardize the customer written instruction (template + acceptance criteria)

Create an approved form or digital workflow that captures, at minimum:

  • Customer name and account identifier(s)
  • Confirmation they will not receive mail at the usual address
  • Explicit holding period (start date and end date, or a clearly defined period)
  • Delivery instructions after the hold ends (resume normal mail, forward to new address, pick-up)
  • Customer signature or authenticated electronic approval, consistent with your firm’s practices
  • Date received and method received (portal, email, physical)

Do not accept ambiguous requests (“hold until further notice”). Require a defined holding period because the rule requires it. (FINRA Rule 3150)

3) Add a risk-based approval and escalation gate

Build a simple decision matrix for operations:

Approve in standard workflow when:

  • Written instruction is complete and time-bound
  • Account is in good order (no red flags identified by your firm’s criteria)

Escalate to Compliance/Supervision when:

  • High-risk account types per your internal risk framework (for example, vulnerable customers, unusual trading patterns, prior complaints)
  • A request that coincides with address changes, disbursement requests, or other unusual activity (your internal fraud red flags)
  • Third party involvement (someone other than the customer asks for the hold)

The rule text points you to safeguards; escalation is one of the most defensible safeguards you can show an examiner because it demonstrates supervision and misuse prevention. (FINRA Rule 3150)

4) Implement system controls to enforce time bounds

You need operational mechanisms that make it hard to “forget” holds:

  • A case/ticket with required end date fields
  • Automatic reminders before expiration
  • A hard stop or renewal requirement when the period ends (new written instruction required)

If your mailing is handled by a third party print/mail vendor, ensure your instructions propagate to that third party and that you can evidence the change (change tickets, vendor confirmations, file transmissions). Treat this as third-party oversight in addition to FINRA compliance. (FINRA Rule 3150)

5) Secure handling and access control

Design secure storage and restricted access:

  • Physical mail: locked cabinets, controlled keys, access logs
  • Digital items (scanned correspondence): role-based access and audit trails

Even if the rule excerpt does not list storage specifics, secure handling is part of demonstrating “safeguards” and is typically expected under a reasonable supervisory system. (FINRA Rule 3150)

6) Supervision, periodic review, and closure

Operationalize a recurring review of open holds:

  • Validate holds are still within the authorized time period.
  • Confirm mail is either retained or released per instructions.
  • Close the case with a completion record when the hold ends.

Maintain records in line with SEC broker-dealer record preservation requirements. (17 CFR 240.17a-4)

Required evidence and artifacts to retain (what exams ask for)

Maintain a “hold mail” evidence package per account/request:

Customer authorization

  • Written instruction with time period (original or compliant electronic record) (FINRA Rule 3150)
  • Any renewals or amendments (each should be written and time-bound) (FINRA Rule 3150)

Operational execution

  • Case/ticket record showing start/end, who processed it, and approval/escalation outcomes
  • Mail hold flag change logs (CRM/back office) or vendor confirmations
  • Inventory/log of held items (enough detail to prove control; avoid sensitive content in logs where unnecessary)

Supervision and safeguards

  • Exception/escalation notes and supervisory sign-off where triggered
  • Periodic review evidence (queue reports, attestations, supervisory review sign-offs)

Retention mapping

  • Your retention schedule mapping these records to broker-dealer recordkeeping requirements and the repository where they are preserved. (17 CFR 240.17a-4)

Common exam/audit questions and hangups

  • Show me the customer’s written instruction and where it specifies the time period. (FINRA Rule 3150)
  • How do you prevent open-ended holds or holds that outlive the authorized period?
  • Who can place/remove a mail hold, and how is that access controlled?
  • How do you supervise for misuse (e.g., holds used to conceal communications)? (FINRA Rule 3150)
  • Where are these records preserved, and for how long under your books-and-records program? (17 CFR 240.17a-4)
  • If a third party handles printing/mailing, how do you ensure instructions are executed correctly?

Frequent implementation mistakes (and how to avoid them)

  1. Accepting verbal requests.
    Fix: require written instruction before processing. If a call triggers the request, send the form immediately and do not activate the hold until received. (FINRA Rule 3150)

  2. Missing or vague time periods.
    Fix: make end date a required field; reject “until further notice.” (FINRA Rule 3150)

  3. No proof the hold was actually applied.
    Fix: retain system change logs, tickets, and vendor confirmations; store them with the request record. (17 CFR 240.17a-4)

  4. Holds that never get reviewed or closed.
    Fix: queue-based reviews with documented outcomes; add renewal workflow requiring new written instructions. (FINRA Rule 3150)

  5. Weak segregation of duties.
    Fix: restrict who can place holds; require supervisory approval for risk-triggered scenarios; audit access periodically.

Enforcement context and risk implications

No public enforcement cases were provided in the supplied source catalog for this requirement, so this page does not list case citations.

Practically, the risk is still real:

  • Customer harm and dispute risk: customers miss statements, confirmations, or notices.
  • Supervision risk: a mail hold can mask address manipulation or suspicious disbursements.
  • Books-and-records exposure: inability to produce the written instruction and related logs becomes a recordkeeping issue. (17 CFR 240.17a-4)

A practical 30/60/90-day execution plan

Because this is narrow but exam-visible, drive to a “small, clean process” fast.

First 30 days (Immediate controls)

  • Publish a one-page procedure: eligibility, written instruction requirement, required time period, and storage expectations. (FINRA Rule 3150)
  • Implement a standard request template (paper or digital) with mandatory time period fields. (FINRA Rule 3150)
  • Stand up a centralized intake queue (shared mailbox or case system) with naming conventions and required attachments.
  • Identify where records will be preserved under your broker-dealer recordkeeping program. (17 CFR 240.17a-4)

By 60 days (Operational hardening)

  • Add system required fields and reminders for end dates; build a renewal workflow that requires new written instructions. (FINRA Rule 3150)
  • Implement access controls for who can place/remove holds; document roles and approvals.
  • Add an escalation matrix for red flags and third-party involvement; train ops and supervisors.

By 90 days (Supervision + audit readiness)

  • Run a lookback on active holds to confirm each has written, time-bound instructions; remediate gaps. (FINRA Rule 3150)
  • Create an examiner-ready report: list of active holds, start/end dates, evidence links, and review status.
  • Perform a tabletop test: pick sample accounts and prove the end-to-end evidence trail from request to storage to closure. (17 CFR 240.17a-4)

Where Daydream fits: teams use Daydream to keep requirement text, procedures, evidence checklists, and test results in one place so “show me the evidence” becomes a filtered export instead of a scramble. Keep the workflow in your core systems, then use Daydream to maintain the control narrative and artifacts that auditors and regulators ask for. (FINRA Rule 3150; 17 CFR 240.17a-4)

Frequently Asked Questions

Can we hold mail based on a phone call if the customer later sends something in writing?

Process the request only after you have written instructions that specify the holding period. Keep the written instruction with the operational ticket so you can evidence the timeline. (FINRA Rule 3150)

What qualifies as “written instructions” for a mail hold?

The rule requires written instructions that include the time period for holding mail. Use a signed form or an authenticated electronic instruction captured in your records system, consistent with your recordkeeping approach. (FINRA Rule 3150; 17 CFR 240.17a-4)

Do we need a new written instruction to extend a hold?

Yes, treat an extension as a new request because the written instruction must include the time period. Store the renewal/extension instruction alongside the original request and update the end date controls. (FINRA Rule 3150)

If a third party mail vendor prints and sends our statements, how do we show compliance?

Retain the customer instruction and evidence that the hold was applied in the systems or files sent to the vendor, plus confirmation or logs showing execution. Preserve these records under your books-and-records program. (FINRA Rule 3150; 17 CFR 240.17a-4)

Can a customer ask us to hold mail for multiple accounts with one instruction?

You can operationalize it that way if the instruction clearly identifies all covered accounts and includes a defined holding period. Your evidence should tie the single instruction to each account’s hold flag and tracking record. (FINRA Rule 3150)

What will an examiner focus on first?

Expect requests for the written, time-bound instruction and proof your firm enforced the period and supervised the process. Be ready to produce tickets/logs and your retention mapping under SEC recordkeeping rules. (FINRA Rule 3150; 17 CFR 240.17a-4)
