Correspondence and internal communication review

To meet the correspondence and internal communication review requirement, you must implement risk-based supervisory procedures that capture, review, evidence, and escalate business communications (external correspondence and internal messages) for compliance risks. Your program has to be defensible: documented risk rationale, trained reviewers, consistent escalation, and records showing what was reviewed and what actions followed.

Key takeaways:

  • A “risk-based” program needs documented risk factors, sampling logic, and supervisory follow-through, not ad hoc inbox checks.
  • Your evidence burden is operational: capture + review + escalation + retention that ties to written supervisory procedures.
  • The fastest path is to define populations, prioritize risks, implement surveillance + sampling, and standardize reviewer workflows and artifacts.

FINRA expects broker-dealers to supervise communications in a way that is tailored to the firm’s risks and business model. The practical challenge for a CCO or GRC lead is converting a short regulatory expectation (“review… under risk-based procedures”) into a repeatable operating model that survives exams: clear scope, consistent review mechanics, and audit-ready evidence.

This requirement sits at the intersection of (1) communications standards and content controls, (2) supervision and supervisory systems, and (3) books-and-records retention. The relevant FINRA sources in your baseline include FINRA Rule 2210 (communications with the public), FINRA Rule 3110 (supervision), and FINRA Rule 4511 (books and records) 1. Even if your highest-risk exposures are in external emails, FINRA also expects firms to address internal communications that can evidence sales practice issues, recommendations, or improper coordination.

Below is requirement-level implementation guidance you can put into procedures, a control library, and an exam response binder quickly, with a focus on what reviewers do each day and what artifacts you must retain.

Regulatory text

Regulatory excerpt (baseline): “Review correspondence and internal communications under risk-based procedures.” 2

How to read this as an operator: you need written procedures that (a) define what counts as correspondence and internal communications in your firm, (b) describe how you will review those communications based on risk, and (c) produce records proving the review occurred and that issues were escalated and resolved. This expectation connects to supervisory system requirements and recordkeeping obligations 3.

What the regulator is testing in practice

  • Your communications supervision is not “best effort.” It is systematic and evidenced.
  • The review approach matches the firm’s risk profile (products, channels, audience, representative history, branch profile).
  • Exceptions lead to action: remediation, discipline, training, or changes to controls 4.

Plain-English interpretation of the requirement

You must monitor what your people say to clients and to each other about the business. You do not need to read every message to meet a “risk-based” standard, but you do need to prove you made reasoned choices about what to review, how often, and why. The firm should be able to show: “Here are our communication channels, here are our higher-risk areas, here is our sampling/surveillance plan, here are the reviews and findings, and here is what we did about them.”

Who it applies to (entity and operational context)

Applies to: FINRA member broker-dealers and the associated supervisory, compliance, and business personnel involved in drafting, approving, sending, supervising, and retaining communications 3.

Operational contexts where this becomes urgent

  • Multiple communication channels (email, chat, collaboration tools, texting).
  • Remote or hybrid workforces with increased use of informal messaging.
  • New products, new branches, new reps, or rapid growth that stresses supervision 4.
  • Any business model where internal messages can evidence recommendation intent, pressure, coordination, or unsuitable targeting.

What you actually need to do (step-by-step)

1) Define the communication “population” you supervise

Create an inventory that answers, in one place:

  • Channels: corporate email, approved chat, collaboration tools, internal messaging, and any other business communication pathways you permit.
  • Message types: external correspondence, internal communications, and any communication that could be considered business-related.
  • In-scope users: registered reps, principals, supervisors, assistants, marketing, and any staff who can communicate with customers or influence messaging.
  • System of record: where each channel is captured and retained 5.

Artifact: Communications Channel Inventory (owner, scope, capture method, retention location, reviewer access).

2) Document risk factors and map them to review coverage

Write down the firm-specific drivers of risk that justify your review intensity. Typical factors include:

  • Higher-risk products or strategies sold by the firm.
  • Higher-risk rep populations (new hires, disciplinary history, elevated complaints).
  • Higher-risk client segments (e.g., vulnerable investors, concentrated positions).
  • Higher-risk channels (tools that are harder to supervise or that blend personal/business use).

Artifact: Communications Supervision Risk Assessment memo (dated, approved, refreshed on a defined cadence).

3) Set a risk-based review methodology (surveillance + sampling)

Your procedures should state how you select messages for review. A defensible model usually blends:

  • Lexicon/keyword surveillance for prohibited phrases, promissory language, guarantees, performance claims, off-channel attempts, and other red flags relevant to your business.
  • Targeted review for high-risk reps, high-risk branches/teams, or high-risk campaigns.
  • Baseline sampling to cover general populations and detect unknown issues.
  • Event-driven review triggered by complaints, trade surveillance alerts, outside business activity signals, or marketing launches 4.

Avoid writing procedures that promise an exact percentage unless you can operationally meet it every time. Instead, define governance: who sets sampling parameters, how exceptions are handled, and how changes are approved.

Artifact: Risk-Based Sampling Standard (selection rules, triggers, exceptions, approvals).

4) Define reviewer roles, escalation paths, and independence

Assign:

  • Primary reviewers (often first-line supervisors) with defined responsibilities and training.
  • Second-line QA (compliance) for calibration, spot checks, and thematic analysis.
  • Escalation owners for high-severity findings (e.g., CCO, sales supervision, HR).

Write down what constitutes:

  • A minor issue (coaching and documented training).
  • A material issue (formal escalation, documented remediation plan, possible discipline).
  • A systemic issue (WSP updates, control enhancements, broader training) 4.

Artifact: Escalation Matrix (issue category → severity → owner → required actions → documentation).

5) Build the workflow: review, disposition, remediation, and closure

Standardize the reviewer experience so outcomes are consistent:

  1. Review item is assigned (automated queue or manual assignment).
  2. Reviewer records a disposition (no issue, needs clarification, potential violation).
  3. Findings are escalated per the matrix.
  4. Remediation is tracked to closure (coaching, content correction, customer remediation if applicable).
  5. Trends are analyzed and reported to governance (supervisory meetings, compliance committee) 4.

Artifact: Review Log fields (who reviewed, what was reviewed, date, channel, finding category, escalation ticket, closure date).

6) Retain the evidence (capture + review records)

Recordkeeping is where many programs fail: either messages aren’t captured, or reviews occur but are not evidenced. Maintain:

  • Communications archives (immutable where possible).
  • Review logs and sampling outputs.
  • Escalation tickets and resolution notes.
  • Training records for reviewers and staff 5.

Artifact: Records Retention Schedule crosswalk for communications archives and supervision records 5.

7) QA, calibration, and WSP upkeep

Add operational checks:

  • Periodic QA by compliance on reviewer dispositions.
  • Calibration sessions to keep supervisors consistent.
  • Updates to lexicons and risk factors after product changes, incidents, or exam feedback 4.

Artifact: QA results, calibration minutes, WSP change log 4.

Required evidence and artifacts to retain (exam-ready checklist)

Keep these in a single “communications supervision” evidence folder:

  • Written Supervisory Procedures section covering correspondence and internal communications review 4.
  • Communications Channel Inventory and in-scope user mapping.
  • Risk assessment and documented rationale for the risk-based approach.
  • Sampling/surveillance rules, change approvals, and exception handling.
  • Review logs with reviewer identity, timestamps, and dispositions.
  • Escalation documentation: tickets, investigation notes, determinations, remediation, discipline/training.
  • Supervisory reports to management (trend reports, recurring themes).
  • Record retention proof: archive configuration, retention settings, access controls 5.

Practical note: Daydream can help you structure these artifacts into a control narrative and evidence map so your WSP language, review workflow, and retained records stay aligned as your channels change.

Common exam/audit questions and hangups

Expect examiners to ask:

  • “List all communication channels in use for business, including internal messaging. How do you ensure capture?” 5
  • “Show your risk-based rationale for what you review and why that scope is sufficient.” 4
  • “Demonstrate that supervisors actually performed reviews. Show the logs and outcomes.”
  • “How do you handle exceptions, and who approves changes to the sampling approach?” 4
  • “How do findings translate into remediation and changes to supervision?” 4
  • “How do you supervise communications with the public, including content standards?” 2

Hangups that slow exams:

  • No single inventory of channels and capture methods.
  • Review logs exist, but do not show disposition quality or follow-through.
  • Risk-based approach is asserted but not documented.

Frequent implementation mistakes (and how to avoid them)

  1. Treating “internal” communications as out of scope. Internal messages can show intent, coordination, or pressure. Include them in scope and apply a risk-based approach.
  2. WSPs that describe a process the business doesn’t follow. Write procedures from the workflow backward: what can you prove happened every time?
  3. Sampling without a rationale. “We sample messages” is not a rationale. Tie sampling to risks and document governance for parameter changes.
  4. No linkage between findings and remediation. Examiners look for supervisory action. Require closure notes and attach evidence of coaching or discipline.
  5. Retention gaps. If a channel is permitted for business, ensure capture and retention under your books-and-records program 5.

Enforcement context and risk implications

No public enforcement cases were provided in your source catalog for this requirement. Even without case citations here, the risk is straightforward: weak supervision of correspondence and internal communications can lead to undetected problematic communications, inconsistent application of communications standards, and supervisory/control failures 6. The practical implication is exam friction, remediation commitments, and increased supervisory scrutiny once gaps are identified.

A practical 30/60/90-day execution plan

Day 0–30: Stabilize scope and evidence

  • Build the Communications Channel Inventory and confirm capture/retention for each channel 5.
  • Identify in-scope populations and high-risk groups (new hires, high-risk desks).
  • Draft or update the WSP section describing risk-based correspondence and internal communications review 4.
  • Stand up a minimum viable review log with required fields and a consistent disposition taxonomy.

Day 31–60: Implement risk-based review mechanics

  • Document risk factors and approve the risk assessment memo 4.
  • Implement surveillance and sampling rules appropriate to your channels and risks.
  • Publish an escalation matrix and train reviewers and supervisors 4.
  • Start QA spot checks by compliance; run calibration with supervisors.

Day 61–90: Prove the control works and refine

  • Produce management reporting: volumes reviewed, issue themes, remediation status.
  • Tune lexicons and selection logic based on findings.
  • Close-loop remediation: demonstrate that issues drive training, WSP updates, or control changes 4.
  • Assemble an exam-ready evidence binder: WSPs, risk assessment, review logs, escalation samples, retention proof 5.

Frequently Asked Questions

Do we have to review every message to satisfy the correspondence and internal communication review requirement?

The baseline requirement calls for risk-based procedures, so your goal is a documented approach that matches your risks and produces evidence of supervisory review 4. If you choose sampling, document why the sampling method is reasonable for your business.

What counts as “internal communications” for supervision purposes?

Treat internal communications as business-related messages between employees or associated persons that relate to securities activities, customer interactions, recommendations, marketing, or supervisory decisions. Your WSPs should define the channels and examples that are in scope 4.

How do we show evidence that reviews actually occurred?

Keep review logs that identify the reviewer, date, communication reference, disposition, and any escalation ticket, then retain supporting records for remediation and closure 5. Examiners typically want to trace from a reviewed item to the supervisory outcome.

Can first-line supervisors perform the reviews, or does compliance have to do it?

FINRA supervision frameworks generally rely on supervisors as the first line, with compliance providing oversight, testing, and guidance 4. If supervisors review, add compliance QA and calibration to improve consistency.

How do we tie this requirement to communications-with-the-public rules?

Your review program should be able to identify communications that raise content concerns for external audiences, and your escalation workflow should route those issues for appropriate remediation under your communications standards 7.

What’s the fastest way to operationalize this without rewriting our entire supervisory program?

Start by inventorying channels and ensuring capture/retention, then define a risk-based sampling and escalation workflow with standardized logs and artifacts 8. Tools like Daydream help you map procedures to evidence so updates don’t break your exam package.

Footnotes

  1. FINRA Rule 2210; FINRA Rule 3110; FINRA Rule 4511

  2. FINRA Rule 2210

  3. FINRA Rule 3110; FINRA Rule 4511

  4. FINRA Rule 3110

  5. FINRA Rule 4511

  6. FINRA Rule 3110; FINRA Rule 2210

  7. FINRA Rule 2210; FINRA Rule 3110

  8. FINRA Rule 4511; FINRA Rule 3110
