Correspondence Supervision

FINRA Rule 2210(b)(2) requires your firm to maintain written supervisory procedures (WSPs) to review “correspondence” in a way that fits your business, size, structure, and customers. To operationalize it quickly, define what counts as correspondence across channels, set a risk-based review and sampling approach, assign supervisory ownership, document outcomes, and retain evidence that the process works in practice. (FINRA Rule 2210)

Key takeaways:

• Your obligation is procedures + execution: written review procedures tailored to your firm, backed by records that show they operate as designed. (FINRA Rule 2210)
• Pre-approval is not required for all correspondence, but the review must be reasonably designed to catch violations through risk-based methods and sampling. (FINRA Rule 2210)
• The fastest path is to standardize channel coverage, reviewer roles, sampling logic, escalation, and retention in one correspondence supervision playbook. (FINRA Rule 2210)

“Correspondence supervision” is one of those requirements that looks simple in the rule text but becomes messy the minute you map it onto modern communications. Your registered representatives and supervisors are communicating with customers across email, texts, direct messages, collaboration tools, and sometimes third-party platforms. FINRA’s expectation under Rule 2210(b)(2) is not that you pre-approve every message. The expectation is that you establish written procedures to review correspondence that make sense for your firm’s business model, your org structure, and the risks presented by your customer base. (FINRA Rule 2210)

For a CCO or GRC lead, the operational goal is straightforward: build a repeatable supervision process that can (1) identify potentially noncompliant communications, (2) drive escalation and remediation, and (3) produce defensible evidence during an exam that the process is tailored, risk-based, and consistently followed. This page gives you requirement-level implementation guidance you can hand to a supervisory principal, surveillance lead, or compliance operations manager and expect execution without guesswork. (FINRA Rule 2210)

Regulatory text

FINRA Rule 2210(b)(2) excerpt: “Each member shall establish written procedures for review of correspondence that are appropriate to the firm's business, size, structure, and customers.” (FINRA Rule 2210)

What the operator must do

You must maintain written supervisory procedures describing how your firm reviews correspondence, and those procedures must be appropriate to your firm (not generic boilerplate). The rule text is short, but it forces several concrete decisions:

• What your firm classifies as “correspondence” (by channel and audience).
• Who reviews it, how often, and using what method (for example, sampling and risk-based review).
• How you detect, escalate, remediate, and document potential issues.
• How you demonstrate ongoing supervision through records and oversight. (FINRA Rule 2210)

Plain-English interpretation (what this requirement is really asking)

FINRA is requiring a reasonable, documented supervision system over day-to-day written communications with customers and prospects. You do not need pre-use principal approval for all correspondence, but you do need a process that can find problems. Your review approach can be risk-based and can rely on sampling methodologies, but it must be designed to identify communications that may violate applicable standards. (FINRA Rule 2210)

A good way to sanity-check your design: if an examiner asked you to explain how your firm would catch misleading performance claims, promissory language, unapproved product pitches, or “off-channel” communications, you should be able to point to specific steps in your WSPs and produce review logs and escalations that prove it happened. (FINRA Rule 2210)

Who it applies to (entity and operational context)

Entities

• FINRA member broker-dealers must establish and follow the procedures. (FINRA Rule 2210)
• Registered representatives and associated persons are typically in scope because they generate the correspondence subject to the firm’s supervision. (FINRA Rule 2210)

Operational scope (where the requirement shows up)

Correspondence supervision becomes operationally real in:

• Retail and institutional communications that are not classified as advertisements or retail communications.
• Sales and service messaging: follow-ups, recommendations, account questions, onboarding exchanges, transfer paperwork questions, and general product Q&A.
• Multi-channel communications where a representative can move from email to text or messaging apps without thinking of it as “advertising.” Your WSPs must still describe how review occurs for the channels you permit. (FINRA Rule 2210)

What you actually need to do (step-by-step)

1) Define “correspondence” for your firm and map channels

Create a one-page “channel map” that lists:

• Approved channels (for example, corporate email, archived texting solution, approved collaboration tools).
• Prohibited channels (for example, personal email, unapproved messaging apps).
• Where correspondence is captured, who owns the archive, and how it is searched.
  Then reference this map directly in your WSP section on correspondence review so the scope is unambiguous. (FINRA Rule 2210)

Practical tip: most failures start with ambiguity, not malice. If your WSPs do not clearly state whether SMS, social DMs, and collaboration chat are “correspondence,” your review program will have silent gaps.

2) Assign supervisory ownership and accountability

In WSPs, name:

• The supervisory role responsible for review (title/role, not a person’s name).
• A backup reviewer.
• A compliance escalation owner for potential violations.
• A technology owner for archive/search tooling.
  Also define independence expectations. For example, if a supervisor reviews their own messages, require secondary review or a compensating control. (FINRA Rule 2210)

3) Build a risk-based review method (including sampling)

Your WSPs should state the review approach clearly:

• Baseline sampling review across the population of correspondence.
• Risk-based overlays for higher-risk reps, products, customer types, or complaint history.
• Trigger reviews based on lexicon hits, surveillance alerts, complaint intake, or exception reports. (FINRA Rule 2210)

Document your selection logic in plain terms. FINRA expects procedures “appropriate to the firm's business, size, structure, and customers,” so your sampling can be lighter or heavier depending on your risk profile, but it must be explainable and consistently executed. (FINRA Rule 2210)

Example (write this into the WSP):

• “Compliance conducts periodic sampling of customer-facing email and archived text messages; sampling is increased for new hires, disciplinary history, complex products, or recent complaint activity; alerts from the lexicon review queue are reviewed promptly and escalated per the exception workflow.” (FINRA Rule 2210)

4) Define review criteria (what reviewers are looking for)

Give reviewers a short checklist so “review” is not subjective. Include categories such as:

• Misleading or unbalanced statements.
• Unapproved product discussions or prohibited topics.
• Promissory language or implied guarantees.
• Performance discussions without required context.
• Recommendations that appear inconsistent with the customer profile on file.
• Attempts to move the conversation off-channel. (FINRA Rule 2210)

Keep the checklist aligned to your firm’s actual offerings and customer base. A retail options-heavy firm needs different reviewer prompts than a firm focused on fixed income. (FINRA Rule 2210)

5) Create an escalation, remediation, and attestation workflow

Your WSPs should describe:

• What qualifies as an exception.
• How exceptions are documented (case ticket, email to compliance queue, or surveillance system case).
• Remediation steps (rep coaching, corrected communication, customer outreach when needed, disciplinary path when needed).
• When to require additional sampling for the individual or branch following an issue. (FINRA Rule 2210)

6) Train and operationalize (so it runs without heroics)

You need training that matches roles:

• Representatives: approved channels, prohibited language, and what gets monitored.
• Supervisors/reviewers: how to perform reviews, document rationale, and escalate.
• Compliance: how to tune sampling/alerts and run QA over reviewers. (FINRA Rule 2210)

This is where tooling can either help or hurt. If your archive/search process is slow, reviewers will cut corners. If you use a system like Daydream to centralize evidence collection and control checklists, set it up to mirror the WSP: same categories, same escalation states, same artifacts, and a clean audit trail.

Required evidence and artifacts to retain

Create an evidence checklist you can satisfy on demand:

• Current WSP section covering correspondence supervision and review methodology. (FINRA Rule 2210)
• Channel inventory and approval/prohibition list referenced by WSPs. (FINRA Rule 2210)
• Review logs showing what was reviewed, by whom, when, and what was found (including “no issues” outcomes).
• Sampling methodology documentation (how items are selected; what triggers enhanced review). (FINRA Rule 2210)
• Escalation records: cases, findings, remediation, approvals, and closure evidence.
• Training records for reps, supervisors, and compliance.
• QA/testing evidence that you periodically check reviewer quality and consistency (for example, second-line spot checks and documented outcomes).

Common exam/audit questions and hangups

Expect questions that probe design, coverage, and proof:

1. “Show me your WSPs for correspondence review and explain how they are appropriate to your firm.” Bring the WSP plus a short narrative of your business model and why your approach matches it. (FINRA Rule 2210)
2. “Which channels are captured and reviewed?” Be ready with your channel map and evidence of capture/search capability. (FINRA Rule 2210)
3. “How do you decide what to review?” Produce sampling logic, risk overlays, and examples of trigger-based reviews. (FINRA Rule 2210)
4. “What happens when you find an issue?” Show escalation tickets, remediation notes, and any follow-up sampling decisions. (FINRA Rule 2210)
5. “How do you know reviewers are doing quality reviews?” Provide QA results and corrective actions when reviewers miss issues.

Frequent implementation mistakes (and how to avoid them)

Mistake: WSPs that restate the rule but do not describe a process

Avoid it: Write procedures that name channels, roles, sampling logic, review criteria, and escalation steps. “We review correspondence periodically” is not operational. (FINRA Rule 2210)

Mistake: Channel gaps (especially texting and messaging)

Avoid it: Either prohibit a channel and enforce it, or approve it and archive + supervise it. Ambiguous “allowed in practice, prohibited on paper” is where exams go sideways. (FINRA Rule 2210)

Mistake: Sampling with no rationale, or “set it and forget it”

Avoid it: Tie sampling intensity to risk indicators you can explain (new reps, products, complaints) and document when you change the approach. (FINRA Rule 2210)

Mistake: Reviews happen, but there is no evidence trail

Avoid it: Standardize review logs and exception case management. If it is not recorded, you will struggle to prove it occurred. (FINRA Rule 2210)

Mistake: No second-line testing of the reviewers

Avoid it: Add periodic QA that re-performs a subset of reviews and documents whether the reviewer caught the right issues, then feed that back into training.

Enforcement context and risk implications

FINRA can evaluate correspondence supervision through exams and requests for information even without a single “headline” event. The risk is not only misleading communications; it is also weak supervision signals such as undocumented sampling, inconsistent execution across branches, or unmanaged off-channel communications. The operational impact can include corrective action plans, increased scrutiny, and follow-up reviews, plus reputational risk if customer communications create downstream disputes. (FINRA Rule 2210)

Practical 30/60/90-day execution plan

First 30 days (stabilize scope and ownership)

• Draft/refresh the correspondence supervision WSP section with channel scope, roles, sampling approach, review criteria, and escalation workflow. (FINRA Rule 2210)
• Publish an approved/prohibited channel list and align it with what the business actually does. (FINRA Rule 2210)
• Stand up a basic review log format and an exception tracking workflow.

Days 31–60 (operate the control and tune it)

• Start baseline sampling reviews plus targeted reviews for higher-risk areas (new hires, complex products, complaint-related reps). (FINRA Rule 2210)
• Run reviewer training and require acknowledgement.
• Hold a calibration session: compare reviewer decisions on the same sample set and tighten guidance where inconsistency shows up.

Days 61–90 (prove effectiveness and harden evidence)

• Implement second-line QA testing of reviewer quality and document outcomes.
• Refine sampling logic and lexicon/trigger rules based on early findings.
• Package an “exam-ready binder” in your GRC system (or Daydream): WSPs, channel map, review logs, exceptions, training, and QA.

Frequently Asked Questions

Does FINRA Rule 2210(b)(2) require pre-approval of all correspondence?

No. The requirement is to establish written procedures for review of correspondence that fit your firm, and the review must be reasonably designed to identify communications that may violate standards, including risk-based and sampling approaches. (FINRA Rule 2210)

What counts as “correspondence” for supervision purposes?

Your WSPs should define it by channel and audience based on how your firm communicates. Operationally, treat any customer-facing written message in approved channels as in scope unless your procedures clearly classify it differently. (FINRA Rule 2210)

Can we use sampling, or do we need to review everything?

Sampling is compatible with the requirement as long as the procedures are reasonably designed and appropriate to your firm’s business, size, structure, and customers. Document the sampling method and the risk-based factors that increase review intensity. (FINRA Rule 2210)

How do we show an examiner that our correspondence review is “appropriate” to our firm?

Bring your WSPs plus artifacts that tie your approach to your business model: channel map, product/customer risk factors you considered, sampling logic, and evidence of consistent execution through logs and exception cases. (FINRA Rule 2210)

What evidence matters most during an exam?

Examiners typically want to see written procedures and proof the process runs: review logs, escalation records, remediation actions, and reviewer training and QA/testing results. (FINRA Rule 2210)

How should we handle off-channel communications risk within this requirement?

Your correspondence supervision program should clearly prohibit unapproved channels, train to that policy, and set up detection and escalation when reviewers see attempts to move conversations off-channel. Document exceptions and remediation actions. (FINRA Rule 2210)