Recordkeeping and retention
To meet the FINRA recordkeeping and retention requirement, you must retain required business communication records and the supporting approvals that show who reviewed and authorized those communications, and you must be able to retrieve them promptly for supervision, audits, and exams. Operationally, this means capturing all in-scope channels, preserving them in a tamper-resistant archive, and keeping a clear audit trail of review and approval actions.
Key takeaways:
- Capture and retain both communications and proof of supervision (reviews, approvals, escalations).
- Standardize retention rules by communication type and channel, then enforce them through systems, not manual habits.
- Build “exam-ready retrieval”: search, export, and supervisory evidence must be fast, complete, and repeatable.
“Recordkeeping and retention” becomes painful when it’s treated as an IT storage problem instead of a supervision evidence problem. Under FINRA’s communications supervision expectations, regulators will look for two things: the actual communications your firm sent/received in the course of business, and the records that demonstrate your supervisory system worked (reviews, approvals, and related documentation). The requirement is straightforward in concept, but firms fail on coverage (missing channels), integrity (editable archives), and retrieval (can’t produce records quickly or completely).
This page is written for a Compliance Officer, CCO, or GRC lead who needs to operationalize the recordkeeping and retention requirement with minimal ambiguity. It gives you a practical, step-by-step implementation approach, the specific artifacts to retain, and the exam questions you should be able to answer on demand. It also calls out common failure modes: informal approvals, “off-channel” messaging, gaps created by third parties, and retention settings that don’t match written supervisory procedures.
Primary sources referenced here include FINRA Rule 2210 (communications with the public), FINRA Rule 3110 (supervision), and FINRA Rule 4511 (books and records). 1
Regulatory text
Regulatory excerpt (provided): “Retain required communication records and supporting approvals.” 2
What the operator must do (plain-English):
- Retain required communications that your firm creates, sends, receives, or uses in connection with its broker-dealer business, in the categories and scope your supervisory program defines under applicable FINRA requirements. 3
- Retain supporting approvals that demonstrate communications were reviewed/approved under your supervisory controls (for example, principal approval for certain retail communications, pre-use approval evidence, post-use reviews, escalations, and dispositions). 4
- Make records retrievable so you can produce them for supervisory testing, internal audit, and regulatory examinations. The practical test is whether you can reconstruct what happened, who approved it, and when. 5
Who this applies to
Entities: FINRA member broker-dealers and their associated persons operating under the firm’s supervision. 6
Operational context (where teams get caught):
- Corporate email, CRM notes, text/SMS, chat tools, collaboration platforms, social media, and any other channel used for business communications with customers or prospects.
- Marketing and communications workflows (drafting, approval, publication) for retail communications and other content governed by supervision rules. 4
- Third parties that create, distribute, or store communications on your behalf (marketing agencies, texting platforms, archiving providers, outsourced review services). The obligation stays with the broker-dealer. 5
Plain-English interpretation (what examiners expect)
Examiners are not only asking, “Do you keep messages?” They are asking, “Can you prove supervision worked?”
That means your recordkeeping and retention program should let you:
- Identify the population of in-scope communications (by channel, business line, and communication type). 7
- Preserve the record in a way that prevents silent alteration and supports an audit trail of custody and changes. 8
- Prove supervisory actions occurred when required (pre-approval, post-review, exception handling), and tie those actions to the relevant communications. 4
- Retrieve and produce records reliably for a defined timeframe and scope. 8
What you actually need to do (step-by-step)
Step 1: Build an inventory of communication channels and “records of supervision”
Create a simple register with:
- Channel/tool (email, SMS, Teams/Slack, social, website, ad platform, CRM notes)
- Owner (business + system)
- Population (who uses it)
- Business use cases
- Whether it produces customer-facing communications under your policies
- Where approvals/reviews happen and how they are logged (ticketing, workflow tool, email approvals, platform approvals)
Tie this to supervision requirements and WSPs so the inventory becomes your control map. 7
Step 2: Define what must be retained (content + context + approvals)
For each channel/type, define retention scope for:
- Content: message body, attachments, linked content where feasible, and any embedded media relevant to the communication.
- Context/metadata: sender/recipient, timestamps, subject/thread/conversation identifiers, and distribution list membership where applicable.
- Supervisory evidence: reviewer identity, approval timestamps, version history, edits requested, and final approval disposition. 4
Write this as an operational standard, not a legal memo. People need to follow it daily.
Step 3: Implement a “retrievable archive” control
Your archive program should support:
- Central capture from all approved channels
- Controlled access (role-based permissions)
- Search and export that can recreate a communication and its approval chain
- Logging of searches, exports, and administrative actions (so you can detect misuse)
This is the practical control behind “Apply retention controls and retrievable archives.” 2
Step 4: Put approvals into a system with durable evidence
A recurring exam issue is “approval by email” that later can’t be tied to the final content version. Fix that by:
- Using a content review workflow tool or ticketing system that stores versions and approvals
- Enforcing required fields: communication ID, version, approver, approval date, conditions
- Locking publication until approval is recorded (for communications requiring pre-use approval under your policies) 4
If the business insists on approvals in email, require standardized subject tags and an indexing process that links approval emails to the final artifact in the archive. That’s weaker than workflow tooling but better than informal “looks good” messages.
Step 5: Align WSPs, retention schedules, and system settings
You need consistency across:
- Written supervisory procedures describing what is retained and how it is supervised 7
- Records program describing what is preserved and retrievable 8
- The actual platform configurations and retention policies
A common breakdown: WSPs say “all business texts are captured,” while the texting app only captures certain message types or a subset of users.
Step 6: Test retrieval the way an examiner will
Run periodic production tests:
- Pick a rep, a timeframe, and a communication type (for example, retail email campaign approvals)
- Retrieve the underlying communications and the approval trail
- Confirm completeness: drafts, final versions, distribution list, and evidence of supervision
- Document the test result and remediation actions 7
Step 7: Cover third parties explicitly
If a third party creates content, distributes messages, or hosts communication tools:
- Contractually require retention-compatible exports and audit support
- Validate the third party’s capture and retention configuration during onboarding and after material changes
- Maintain an internal “system of record” archive or a reliable method to pull records promptly 5
Required evidence and artifacts to retain (exam-ready list)
Keep these artifacts organized by communication type/channel:
Communications records
- Copies of communications (email, chat, SMS, social posts/messages, website pages or snapshots where relevant)
- Attachments and supporting files distributed with communications
- Distribution lists, recipient lists, and campaign identifiers where applicable 8
Approvals and supervisory records
- Pre-use approval records for communications that require them under your policies and FINRA communications standards 2
- Post-use review logs, surveillance alerts, exception handling, and documented dispositions 7
- Version history: draft, redlines/edits, final published version, approver identity 7
Governance and control operation
- Channel inventory and approved-channel list
- WSP sections governing communications review, escalation, and recordkeeping 7
- Archive system access logs and admin change logs
- Periodic retrieval test results and remediation tracking 7
Common exam/audit questions and hangups
Expect to answer these crisply, with artifacts ready:
- “Show me how you capture business communications across all approved channels.” 8
- “How do you prevent and detect off-channel communications?” 7
- “Produce the final version of this retail communication and the principal approval that authorized it.” 2
- “Demonstrate retrieval: give us messages for this rep and this timeframe, plus supervision evidence.” 5
- “What happens when a third party sends communications on your behalf?” 7
Hangups that slow production:
- No unique IDs linking content to approvals
- Approvals stored in one system, content stored in another, with no linkage
- Incomplete capture for mobile devices or BYOD
- Shared mailboxes and generic logins obscuring accountability 7
Frequent implementation mistakes (and how to avoid them)
- Mistake: Treating retention as storage-only.
  Fix: Define “record” to include approval evidence and supervisory actions, then implement workflow capture that produces an audit trail. 7
- Mistake: Missing channels that the business “temporarily” adopted.
  Fix: Maintain an approved-channel intake process. Block use until capture and retention are validated and documented. 5
- Mistake: Informal approvals without version control.
  Fix: Require approvals inside a system that stores the final content version and the approval event together. 2
- Mistake: Third-party blind spots.
  Fix: Add contractual recordkeeping obligations and test exports/retrieval during due diligence and periodically thereafter. 6
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so this page avoids case-specific claims.
Practically, weak recordkeeping creates three exam risks:
- Supervision failure optics: If you cannot show approvals and review evidence, examiners may conclude controls are not reasonably designed or not operating. 7
- Books-and-records exposure: If you cannot produce required records, the firm risks findings tied to record preservation and production obligations. 8
- Communications compliance gaps: Missing approval evidence for certain retail communications can create issues under communications standards and supervision expectations. 4
Practical 30/60/90-day execution plan
Days 0–30: Stabilize scope and stop the bleeding
- Publish an “approved channels only” notice and require business attestation for any exceptions. 7
- Build the channel inventory and map each channel to capture method and supervisory evidence location. 7
- Identify your highest-risk communication types (retail communications, mass emails, SMS with customers) and confirm they are captured and retrievable. 3
- Run a retrieval tabletop: pick a sample communication and produce content + approval + review trail end-to-end. Document gaps. 7
Days 31–60: Implement durable evidence and retrieval
- Implement or tighten the archive configuration for all in-scope channels, with access controls and admin logging. 8
- Standardize approval capture using a workflow tool or structured ticketing process tied to final versions. 4
- Update WSPs to match real workflows and tools, then train supervisors and marketers on the “record = content + approval evidence” standard. 7
Days 61–90: Prove operational effectiveness
- Execute recurring retrieval tests and supervision evidence tests; track remediation to closure. 7
- Add third-party contract clauses and onboarding checks to ensure communications created/distributed by third parties remain retrievable. 6
- Prepare an exam production package: system diagrams, data flow, sample productions, and named owners per channel.
Where Daydream fits naturally: teams often lose time assembling channel inventories, documenting evidence expectations, and proving retrieval readiness. Daydream can serve as the working system to track control ownership, required artifacts, test results, and remediation tasks so recordkeeping and retention stays audit-ready between exams, not rebuilt during them.
Frequently Asked Questions
What counts as “supporting approvals” for communications?
Any record that shows who reviewed, approved, or rejected a communication and what version they approved. For FINRA communications supervision, approvals should be linkable to the final distributed content. 4
Do I need to retain drafts or only final versions?
Your program should retain what your supervision process requires to evidence compliance, which often includes drafts and version history when changes occur during review. Keep enough to reconstruct the review and approval trail. 5
How do we handle reps who text customers from personal phones?
Treat it as a channel control problem: either prohibit it or require an approved texting method that is captured and retrievable. Supervision needs evidence that business communications are retained and reviewable. 5
If our marketing agency posts on our social accounts, who retains the records?
The broker-dealer remains responsible for retaining required communications and related approvals, even if a third party performs the activity. Put retention/export requirements in the contract and validate the process works. 6
What’s the fastest way to get “exam-ready retrieval”?
Start with a retrieval drill: select a representative, a time window, and a communication type, then produce the messages and the approval/review evidence. Use the gaps you find to prioritize tooling and workflow fixes. 5
We have an archive, but approvals live in email. Is that acceptable?
It can work if you can reliably link each approval to the final communication version and retrieve both promptly. In practice, a workflow system that stores versions and approvals together reduces ambiguity and production risk. 4