SEC Electronic Recordkeeping and Books & Records Requirements - Off-Channel Communications

To meet the SEC electronic recordkeeping and books-and-records requirement for off-channel communications, you must ensure that business-related communications occur only on approved, captured channels and that all such communications are preserved and producible. Operationally, that means banning (and actively detecting) business use of personal text, WhatsApp, Signal, or personal email unless it is captured by your firm’s recordkeeping system, and enforcing the policy with supervision, monitoring, training, and attestations.

Key takeaways:

  • Capture and preserve all business communications; “off-channel” business chats create books-and-records violations [1].
  • Exams and enforcement focus on supervision, not just written policy; you need monitoring, escalation, and discipline [2].
  • Enforcement has been broad and recurring across multiple settlement waves [3].

Off-channel communication is a recordkeeping problem first and a conduct problem second. If employees discuss firm business through channels your firm does not capture and retain, your firm cannot meet SEC books-and-records obligations, and you lose the ability to evidence supervision. The SEC has repeatedly charged firms for widespread recordkeeping failures tied to employee use of personal texts and messaging apps for business conversations [4].

For a CCO or GRC lead, the fastest path to “operationalized” is to treat communications like a controlled system: define approved channels, technically enforce where you can, monitor what you cannot fully block, and maintain an audit-ready evidence set. Your goal is simple to state and hard to execute: business communications must be captured, preserved, and quickly producible. This page gives requirement-level steps, artifacts, and an execution plan you can run with IT, HR, and front-office leadership.

Requirement in plain English

You must preserve business-related communications and prevent business conversations from moving to tools that are not captured by your firm’s recordkeeping systems. For broker-dealers, SEC Rule 17a-4 requires preservation of originals of communications received and copies of communications sent relating to the firm’s business, and permits production/reproduction on electronic storage media [1]. For registered investment advisers, parallel books-and-records obligations apply under the Advisers Act recordkeeping rule [5].

Operator translation: if an employee uses WhatsApp, Signal, iMessage/SMS, personal Gmail, or DMs to discuss client matters, trading, research, deals, approvals, valuations, fees, complaints, or any other firm business, you need a system that captures and retains it, or you need to stop the behavior.

Who it applies to (and where it shows up operationally)

Entity scope

  • SEC-registered broker-dealers [1]
  • SEC-registered investment advisers [5]
  • Dual registrants should assume both regimes apply and align to the stricter operational standard across the enterprise [6].

Operational scope (where off-channel happens)

  • Front office: client texting “quick questions,” trade color, deal negotiation, allocations, suitability discussions.
  • Investment teams: research sharing, committee decisions, pricing/valuation chats.
  • Supervisory workflows: approvals, exceptions, side letters, marketing review, escalations.
  • After-hours: “just ping me on my cell,” travel, conferences, and personal-device convenience.
  • Third parties: clients, placement agents, consultants, and other external counterparties pushing to consumer apps.

Regulatory text

Core recordkeeping obligation (broker-dealers):
“Every member, broker and dealer shall preserve originals of all communications received and copies of all communications sent… relating to its business…” and required records “may be… produced or reproduced on electronic storage media.” [1]

What you must do with that text (operator view)

  1. Inventory what counts as a business communication in your business model (client comms, trade discussions, approvals, advice, complaints).
  2. Constrain channels so those communications occur only in systems you capture and retain.
  3. Prove preservation with retention settings, immutable audit trails where applicable, and tested production.
  4. Supervise through monitoring, periodic testing, and enforcement actions when violations occur.

Public enforcement cases

The SEC has publicly announced repeated enforcement actions against firms for recordkeeping failures tied to off-channel communications, including employee use of unauthorized methods such as text messages and WhatsApp for business communications [4]. The SEC’s statements in these releases frame the issue as a market oversight and compliance failure when communications occur outside official channels [7].

Risk implication: in this area, “policy on paper” has not been enough in enforcement narratives. The recurring theme is widespread conduct plus inadequate controls to detect, preserve, and supervise [2].

What you actually need to do (step-by-step)

1) Define “business communication” and “approved channels”

  • Write a short definition list tailored to your firm: client instructions, recommendations/advice, marketing materials, pricing/valuation, trade-related discussions, approvals, exceptions, complaints.
  • Publish an Approved Channels Standard (example): corporate email, recorded lines, approved chat (e.g., Teams/Slack with archiving), approved client portals, and any mobile messaging solution that is captured by your archive.

Deliverable: Communications Policy + Approved Channels Register (mapped to retention/archiving).

2) Decide your model: “ban” vs “capture”

For each channel category, decide:

  • Ban and technically block (preferred for consumer apps on managed devices).
  • Allow with capture only if the channel is integrated into your recordkeeping archive and you can produce records promptly [1].

A quick decision matrix you can run in a working session:

Channel               | Business allowed? | Condition to allow                                   | Control owner
Personal SMS/iMessage | No (default)      | Only via a captured mobile messaging solution        | Compliance + IT
WhatsApp/Signal       | No (default)      | Only if captured and supervised                      | Compliance + IT
Personal email        | No                | None; a “forward it to corporate” rule is usually weak | Compliance
Teams/Slack           | Yes               | Archiving + retention + eDiscovery/export test       | IT + Records

3) Implement technical controls (don’t rely on training alone)

Minimum control set most exam teams expect to see, even at smaller firms:

  • MDM/MAM on managed devices to restrict app installs, control OS-level backups, and enforce passcode and encryption standards.
  • App allow/deny lists for high-risk messaging apps on corporate devices.
  • Email controls to reduce forwarding to personal accounts and detect external auto-forward rules.
  • Archive + retention configuration for approved channels, with periodic export tests to prove “producible” [1].
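One way to implement the “detect external auto-forward rules” control above, as an added example that is not code from the page or from any mail or archiving vendor. The corporate domain and the rule-record shape are constructed assumptions; map your mail platform’s rule export onto that shape.

```python
from dataclasses import dataclass

# Assumption: the firm's own mail domains; subdomains count as internal too.
CORPORATE_DOMAINS = {"example-firm.com"}

def is_internal(address: str) -> bool:
    """True when the address is at a corporate domain or one of its subdomains.
    A bare endswith("example-firm.com") would also accept "notexample-firm.com",
    so compare on label boundaries."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in CORPORATE_DOMAINS)

@dataclass
class Finding:
    mailbox: str
    rule: str
    action: str
    target: str

def audit_rules(rule_export: list) -> list:
    """Return one Finding per enabled rule action that sends mail outside the firm."""
    findings = []
    for rule in rule_export:
        if not rule.get("enabled", True):
            continue  # a disabled rule is not an active leak (track it separately)
        for action in ("forward_to", "forward_as_attachment_to", "redirect_to"):
            for target in rule.get(action, []):
                if not is_internal(target):
                    findings.append(Finding(rule["mailbox"], rule["name"], action, target))
    return findings

# Constructed sample export: a clean internal copy, a redirect to a personal
# account, a lookalike domain, and a disabled rule that should not fire.
SAMPLE_RULES = [
    {"mailbox": "trader@example-firm.com", "name": "Desk copy", "enabled": True,
     "forward_to": ["desk-archive@ops.example-firm.com"]},
    {"mailbox": "trader@example-firm.com", "name": "Keep in sync", "enabled": True,
     "redirect_to": ["trader.personal@gmail.example"]},
    {"mailbox": "banker@example-firm.com", "name": "Backup", "enabled": True,
     "forward_as_attachment_to": ["me@notexample-firm.com"]},
    {"mailbox": "banker@example-firm.com", "name": "Old rule", "enabled": False,
     "forward_to": ["old@outside.example"]},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f.mailbox}: rule '{f.rule}' {f.action} -> {f.target}")
```

Findings feed the incident register; the disabled rule is deliberately not flagged so the report stays focused on active leakage.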

If you use Daydream to run third-party due diligence, include your archiving, mobile management, and surveillance providers as in-scope third parties. You need contractual clarity on retention, search, export, incident support, and audit rights because exam requests often turn into urgent production exercises [2].

4) Add monitoring and detection for “shadow channels”

Even with blocking, you need detection because:

  • Employees may use personal devices outside your MDM boundary.
  • Clients may initiate off-channel contact.

Build a monitoring program with:

  • Periodic attestations (initial + recurring) that staff did not conduct business off-channel and understand approved channels [2].
  • Supervisory reviews of sampled communications in approved systems, plus escalations if business appears to be migrating elsewhere.
  • Exception workflow for urgent scenarios (e.g., travel) with documented remediation: “move the conversation back to an approved channel and summarize key facts in the captured system.”

5) Investigation, remediation, discipline

Write an “Off-Channel Communications Playbook”:

  • Intake sources: hotline reports, surveillance alerts, client complaint references, IT app inventory flags.
  • Investigation steps: preserve devices where appropriate, gather screenshots if needed, document the business context, and assess recordkeeping impact.
  • Remediation: coaching, formal warning, device policy changes, removal of mobile privileges, or HR discipline. Track consistency for exam credibility.

6) Test production

Run a quarterly “books-and-records fire drill”:

  • Pick one employee and one client matter.
  • Export communications from each approved channel.
  • Validate completeness, timestamps, and chain-of-custody documentation.

Deliverable: Production test report with gaps, fixes, and retest dates.
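An added example of the fire-drill validation step (not code from the page): it checks a constructed export for one employee/client matter for required fields, parseable timestamps inside the requested window, and the presence of every approved channel, and builds a SHA-256 manifest for the chain-of-custody record. Field names, channel names, and the sample messages are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

REQUIRED_FIELDS = {"id", "channel", "sender", "recipients", "sent_at", "body"}

def parse_ts(value: str) -> datetime:
    # Exports mix "Z" and "+00:00" suffixes; normalise to an aware UTC datetime.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def check_export(records, expected_channels, window_start, window_end):
    """Return issues, approved channels absent from the export, and a SHA-256 manifest."""
    start, end = parse_ts(window_start), parse_ts(window_end)
    issues, seen_channels, manifest = [], set(), {}
    for rec in records:
        missing = REQUIRED_FIELDS - set(rec)
        if missing:
            issues.append(f"{rec.get('id', '?')}: missing {sorted(missing)}")
            continue
        try:
            ts = parse_ts(rec["sent_at"])
        except ValueError:
            issues.append(f"{rec['id']}: unparseable timestamp {rec['sent_at']!r}")
            continue
        if not start <= ts <= end:
            issues.append(f"{rec['id']}: sent_at {ts.isoformat()} outside window")
        seen_channels.add(rec["channel"])
        # Canonical JSON so the hash is reproducible when the export is re-run.
        canon = json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()
        manifest[rec["id"]] = hashlib.sha256(canon).hexdigest()
    return {"issues": issues,
            "missing_channels": sorted(set(expected_channels) - seen_channels),
            "manifest": manifest}

# Constructed sample export: one clean record, one outside the window, one
# with no body (e.g. a recorded-line call whose transcript failed to export).
SAMPLE_EXPORT = [
    {"id": "m1", "channel": "email", "sender": "rep@example-firm.com",
     "recipients": ["client@client.example"], "sent_at": "2024-03-04T14:05:00Z",
     "body": "Confirming the allocation we discussed."},
    {"id": "m2", "channel": "teams", "sender": "rep@example-firm.com",
     "recipients": ["client@client.example"], "sent_at": "2023-12-30T09:00:00+00:00",
     "body": "Happy to walk through pricing."},
    {"id": "m3", "channel": "recorded_line", "sender": "rep@example-firm.com",
     "recipients": ["client@client.example"], "sent_at": "2024-03-05T10:00:00Z"},
]
APPROVED_CHANNELS = ["email", "teams", "recorded_line"]
REPORT = check_export(SAMPLE_EXPORT, APPROVED_CHANNELS,
                      "2024-01-01T00:00:00Z", "2024-03-31T23:59:59Z")
```

Re-running the check on the same export yields the same manifest, which is what lets the production test report show that what was exported is what was retained.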

Required evidence and artifacts to retain

Keep an exam-ready evidence folder that shows “design + operation”:

  • Communications policy and approved channel register [6]
  • Records retention schedule and archive configuration evidence (screenshots, admin exports)
  • MDM configuration baselines; app block rules; device inventory
  • Training materials + attendance logs
  • Employee acknowledgments and off-channel attestations [2]
  • Monitoring/surveillance procedures and sampling logs
  • Incident register for off-channel findings, investigations, and outcomes
  • Production test results and corrective actions
  • Third-party contracts/SOWs for archiving, eDiscovery, and surveillance, plus due diligence records (store in Daydream if that’s your system of record)

Common exam/audit questions and hangups

Expect variants of these:

  1. “List approved communication channels and show how each is captured and retained.” [1]
  2. “Show exceptions. Who can approve, and how do you remediate records?” [1]
  3. “What monitoring detects off-channel communications?” [7]
  4. “Provide attestations, training, and disciplinary actions for violations.” [2]
  5. “Demonstrate you can produce records promptly from archives.” [1]

Hangup to plan for: IT will say “we can’t see personal devices.” Your policy and supervisory process must address that reality with clear prohibitions, attestations, and documented enforcement.

Frequent implementation mistakes (and how to avoid them)

  • Mistake: Writing a ban with no enforcement. Fix: pair policy with MDM controls, monitoring, and discipline records.
  • Mistake: Allowing “temporary” exceptions with no capture. Fix: require immediate migration back to approved channels and memorialize in a captured system.
  • Mistake: Ignoring senior leadership behavior. Fix: require senior attestations and apply discipline consistently; enforcement releases highlight senior involvement as a theme [2].
  • Mistake: Treating archiving as “set and forget.” Fix: test production; document results; remediate gaps.

30/60/90-day execution plan

First 30 days (stop the bleeding)

  • Publish an interim off-channel directive: business communications must stay on approved channels [1].
  • Stand up an approved channel register and map each to an archive/retention owner.
  • Launch attestations for all staff and supervisors [2].
  • Identify highest-risk groups (front office, deal teams, supervisors) and run targeted training with real scenarios.

Days 31–60 (build enforceable controls)

  • Deploy or tighten MDM policies on corporate devices; block high-risk apps where feasible.
  • Finalize monitoring: sampling plan, escalation workflow, and investigation playbook.
  • Centralize evidence collection (policies, training logs, attestations, archive configs) in a single audit-ready repository.

Days 61–90 (prove it works)

  • Run your first production fire drill across all approved channels [1].
  • Conduct a focused review of exceptions and any off-channel incidents; document discipline and remediation.
  • Present metrics to senior management: attestation completion, exception counts, incident counts, production test results (keep metrics qualitative if you cannot support precise figures).

Frequently Asked Questions

Do we have to ban WhatsApp and texting completely?

You have to ensure business communications are preserved and producible under SEC recordkeeping rules [1]. If you cannot capture and retain a channel, a ban plus enforcement is the simplest defensible approach.

What if a client refuses to use our approved channels?

Treat that as a business constraint, not a compliance exception. Require employees to move the conversation to an approved channel and document the interaction in a captured system, then escalate repeat issues through client coverage management.

Are employee attestations enough?

No. Attestations help demonstrate supervision and were a recurring remedial theme in SEC announcements, but firms also need controls that prevent, detect, and remediate off-channel behavior [2].

How do we handle BYOD if we can’t impose MDM on personal phones?

Write a strict rule: no business communications on personal messaging apps or personal email, and give employees a compliant alternative (recorded line, captured chat, corporate email). Back it with training, attestations, and documented discipline when violations occur.

What evidence should we have ready for an exam request?

Keep policies, approved channel lists, retention/archiving configurations, training and attestations, monitoring logs, incident investigations, disciplinary actions, and production test outputs [8].

Where does Daydream fit in this control?

Daydream is a practical system of record for the third parties that make this program work (archiving, mobile management, surveillance, eDiscovery). Use it to store due diligence, contracts, and ongoing monitoring evidence so you can answer exam requests quickly and consistently.

Footnotes

  1. 17 CFR 240.17a-4

  2. SEC Press Release 2022-225 (16 firms)

  3. SEC Press Release 2022-225 (16 firms); SEC Press Release 2024-119 (26 firms)

  4. SEC Press Release 2022-225 (16 firms); SEC Press Release 2024-18 (16 firms); SEC Press Release 2024-119 (26 firms); SEC Press Release 2024-132 (11 firms)

  5. 17 CFR 275.204-2

  6. 17 CFR 240.17a-4; 17 CFR 275.204-2

  7. SEC Press Release 2024-119 (26 firms)

  8. 17 CFR 240.17a-4; SEC Press Release 2022-225 (16 firms)
