Books and records retention

Meet the SEC books and records retention requirement by keeping every advertisement you disseminate plus the supporting records that prove it was reviewed, approved, and substantiated, and storing them in an easily retrievable archive for the required retention period. Operationalize this by centralizing capture, indexing, and retention holds across all marketing channels. (17 CFR 275.206(4)-1) (17 CFR 275.204-2)

Key takeaways:

• Retain both the final ad and the substantiation that backs each material statement. (17 CFR 275.206(4)-1) (17 CFR 275.204-2)
• Build a channel-by-channel capture plan so nothing disseminated escapes retention (web, email, social, pitch decks, portals). (17 CFR 275.204-2)
• Make records exam-ready: searchable, immutable/auditable, and tied to approvals, versions, and distribution evidence. (17 CFR 275.204-2)

For SEC-registered investment advisers, “books and records retention” in the marketing context is not abstract governance. It is a practical obligation: if you advertise, you must be able to produce what you ran and the backup that proves it was not misleading. The SEC’s Marketing Rule governs how advertisements are presented, and the Advisers Act books and records rule governs what you must keep and be able to produce. (17 CFR 275.206(4)-1) (17 CFR 275.204-2)

Most exam friction comes from gaps created by modern workflows: ad content is created in multiple tools, approvals happen in chat, performance claims rely on spreadsheets, and distribution happens through third parties (PR firms, placement agents, platforms, social scheduling tools). A workable program treats marketing records like regulated business records: captured at the source, versioned, indexed, and retained with the supporting substantiation in the same file. (17 CFR 275.204-2)

This page translates the books and records retention requirement into an execution checklist a CCO or GRC lead can assign, test, and evidence, with a concrete artifact list and exam questions you should be ready to answer.

Regulatory text

Requirement: “Retain advertisements and supporting records as required.” (17 CFR 275.206(4)-1) (17 CFR 275.204-2)

Operator interpretation: You must keep (1) the advertisement as disseminated and (2) the records that support the claims in it, in a manner consistent with the SEC’s investment adviser books and records obligations. In practice, that means you can promptly produce the final version, who approved it, when and where it was used, and the substantiation for each objective statement (performance, rankings, testimonials/endorsements, comparisons, factual claims). (17 CFR 275.204-2)

Plain-English interpretation (what the requirement means)

If your firm communicates anything that qualifies as an “advertisement,” you need an audit-ready file for it. That file should show:

• What was shown to the public or investors (the exact content).
• When/where it was shown (distribution context).
• Who approved it (and under what policy/workflow).
• Why it was supportable (substantiation and calculations). (17 CFR 275.206(4)-1) (17 CFR 275.204-2)

A good mental model: if an examiner picks a single claim out of an ad, you should be able to open one folder and show the claim, the backup, and the approval trail without reconstructing it from inboxes and chats. (17 CFR 275.204-2)

Who it applies to (entity and operational context)

Applies to: SEC-registered investment advisers that create, approve, or disseminate advertisements, including communications distributed directly or indirectly through third parties. (17 CFR 275.206(4)-1) (17 CFR 275.204-2)

Operational scope typically includes:

• Marketing, IR, and sales materials (pitch decks, factsheets, commentaries, one-pagers).
• Website pages, landing pages, blogs, and gated content.
• Social media posts and paid ads.
• Email campaigns and newsletters.
• RFP/RFI responses and due diligence questionnaires where promotional claims appear.
• Third-party postings (consultant databases, platform profiles, sponsor pages) if you provide or approve content. (17 CFR 275.204-2)

What you actually need to do (step-by-step)

1) Define your “advertisement universe”

Create an inventory of channels and content types where an advertisement can appear. Do this as a table with:

• Channel (website, LinkedIn, email, webinars, portals, PR, etc.)
• Content owner
• Creation tool/source of truth
• Approver(s)
• Distribution method
• Capture method for retention (automated export, archive connector, manual upload)
• Location of substantiation support (folder path or system)
• Special risks (performance, ratings, testimonials, hypotheticals). (17 CFR 275.206(4)-1) (17 CFR 275.204-2)

2) Standardize a “marketing record package” for every ad

Require a single package (folder, case, or record entry) per advertisement that includes:

• Final disseminated version (PDF/screenshot/video file/HTML capture)
• Version history and redlines (or at least prior versions retained)
• Approvals and required sign-offs
• Substantiation set mapped to claims
• Distribution evidence (what was sent/posted and when)
• Withdrawal/expiration evidence (if removed or superseded). (17 CFR 275.204-2)

Practical tip: give each ad a unique ID and force it into the filename and approval ticket so you can join records across systems without manual reconciliation. (17 CFR 275.204-2)

3) Build a substantiation map (claim-by-claim)

For each objective or potentially testable statement, record:

• Claim text (quote it exactly)
• Claim type (performance, risk, comparison, fees, AUM, track record, ranking)
• Data source(s)
• Calculation workbook/code and methodology notes
• Reviewer and review date
• Known assumptions/limitations
• Required disclosures that accompany the claim. (17 CFR 275.206(4)-1) (17 CFR 275.204-2)

This is where programs fail: teams archive the glossy deck but not the spreadsheets and data extracts that produced the chart.

4) Implement retention controls in the systems people already use

Your policy can be perfect and still fail if capture is manual. Choose controls that match channel reality:

• Website: scheduled HTML snapshots or CMS exports tied to release dates.
• Social: native export + screenshot capture of post as displayed, including edits.
• Email: archive the final HTML, list segment criteria, and proof of send.
• Video/webinars: store recording, slides, script/talking points, and attendee invite language.
• Third-party publishers: require the third party to provide the final posting content and timestamps, or capture it yourself at time of posting. (17 CFR 275.204-2)

If you use Daydream workflows, treat each approval as the record “spine” and attach the final creative, substantiation, and distribution evidence to the same approval item so the file is complete at closeout.

5) Make records retrievable (indexing and search)

Define mandatory metadata fields:

• Ad ID, title, business line/strategy, product, audience type
• Channel, first-use date, last-use date
• Approvers, approval date
• Substantiation owner
• Whether it contains performance, testimonials/endorsements, third-party ratings
• Related disclosures and required legends. (17 CFR 275.204-2)

Your archive is only as good as retrieval. Exams tend to test whether you can produce targeted records quickly and consistently. (17 CFR 275.204-2)

6) Test the control with a “reverse-sample” review

Quarterly (or at a frequency aligned to your risk), pick a sample of live/public-facing ads and work backward:

• Find the ad in the wild.
• Locate its record package.
• Confirm substantiation exists for each claim.
• Confirm approvals match policy.
• Confirm distribution evidence exists.
• Confirm the package is immutable and retained under the correct schedule. (17 CFR 275.204-2)

7) Put third parties on rails

Where third parties participate (marketing agencies, PR firms, placement agents, web developers):

• Contractually require record delivery (final creatives, posting logs, scripts).
• Require use of your approval workflow before dissemination.
• Require storage/transfer into your archive promptly after use.
• Enforce access controls and offboarding so records don’t sit in third-party drives. (17 CFR 275.204-2)

Required evidence and artifacts to retain

Use this as your minimum checklist per advertisement (expand based on your risk profile):

Artifact	What “good” looks like	Common gap
Final ad as disseminated	Exact PDF/screenshot/video/HTML of what the audience saw	Only draft files retained
Approval trail	Dated approvals, required reviewers, conditions captured	Approvals in chat/email only
Substantiation binder	Source data + calculations + methodology notes per claim	No backup for charts/tables
Performance support (if used)	Workpapers that tie to source systems and assumptions	Spreadsheet with no provenance
Third-party content evidence	Copy of what the third party posted/sent, with dates	“We sent it to them” only
Change/withdrawal record	Superseded versions preserved; last-use date recorded	Old claims remain untracked
Index metadata	Searchable fields aligned to exam requests	Shared drive with inconsistent naming

Common exam/audit questions and hangups

Expect questions shaped like these:

• “Provide all advertisements disseminated in the last period, including websites and social media.” (17 CFR 275.204-2)
• “Show the substantiation for this specific claim on slide X / page Y.” (17 CFR 275.206(4)-1)
• “How do you ensure ads distributed by third parties are captured and retained?” (17 CFR 275.204-2)
• “Show evidence of review/approval and when the ad was first and last used.” (17 CFR 275.204-2)
• “How do you prevent edits after approval from bypassing retention?” (17 CFR 275.204-2)

Hangups that slow production:

• No single system of record for final versions.
• Inability to prove what was actually posted (especially on web and social).
• Substantiation stored in personal drives or analyst folders.
• Missing linkage between ad version and the data snapshot used. (17 CFR 275.204-2)

Frequent implementation mistakes (and how to avoid them)

1. Archiving “templates” instead of “as-run” content
   Fix: require capture at dissemination, not at creation. Store screenshots/exports of the live artifact. (17 CFR 275.204-2)

2. Treating substantiation as optional
   Fix: make substantiation a required approval attachment for any objective statement. If it’s not attached, the ad can’t be approved. (17 CFR 275.206(4)-1)

3. Ignoring third-party distribution
   Fix: contract for record return and log “where posted” with timestamps. Add third-party channels to your universe inventory. (17 CFR 275.204-2)

4. Relying on email as an archive
   Fix: route approvals and final files into a controlled repository with consistent metadata and retention controls. (17 CFR 275.204-2)

5. Unsearchable shared drives
   Fix: enforce naming standards + required metadata fields; test retrieval by having someone outside marketing pull a sample set. (17 CFR 275.204-2)

Enforcement context and risk implications

No specific public enforcement cases were provided in the source set for this requirement, so this page does not cite case outcomes.

From an exam-risk perspective, weak marketing record retention creates two compounding problems: (1) you may be unable to demonstrate compliance with the Marketing Rule’s substantiation expectations, and (2) you may independently fail the books and records obligations by not maintaining required records in a producible format. The practical impact is longer exams, broader document requests, and higher remediation burden. (17 CFR 275.206(4)-1) (17 CFR 275.204-2)

Practical execution plan (30/60/90-day)

First 30 days (stabilize and stop the bleeding)

• Inventory all advertising channels and owners; identify any “shadow” channels. (17 CFR 275.204-2)
• Pick one system of record for marketing record packages (or define a controlled folder structure with permissions and naming standards). (17 CFR 275.204-2)
• Implement a mandatory closeout checklist: final ad + approvals + substantiation + distribution evidence. (17 CFR 275.206(4)-1) (17 CFR 275.204-2)
• Run a reverse-sample test on a small set of live ads; document gaps and owners. (17 CFR 275.204-2)

Next 60 days (systematize and connect substantiation)

• Roll out claim substantiation mapping for performance and other high-risk claim categories first. (17 CFR 275.206(4)-1)
• Add required metadata fields and train marketing/IR on how to file and tag records. (17 CFR 275.204-2)
• Put third-party record return requirements into SOWs/contract addenda; define the handoff method. (17 CFR 275.204-2)
• Configure Daydream (or your workflow tool) so approvals cannot close without attachments that form a complete record package. (17 CFR 275.204-2)

Next 90 days (prove the program works under pressure)

• Perform a mock exam request: produce a defined population of ads and supporting records quickly, with consistent indexing. (17 CFR 275.204-2)
• Validate retention settings, access controls, and ability to place holds for investigations or regulatory requests. (17 CFR 275.204-2)
• Establish ongoing QA: periodic reverse-sample testing plus exception tracking with remediation dates. (17 CFR 275.204-2)
• Document the operating procedure so it survives staff turnover and agency changes. (17 CFR 275.204-2)

Frequently Asked Questions

Does “books and records retention” mean I only keep the final PDF of a deck?

No. You should retain the advertisement as disseminated and the supporting records that substantiate the claims in it, plus the approval trail and distribution evidence. (17 CFR 275.206(4)-1) (17 CFR 275.204-2)

How do we retain website content that changes frequently?

Define a capture method tied to publication changes, such as dated snapshots or exports, and store those captures as the “as-run” record with the approval and substantiation. The goal is to reproduce what a viewer saw at the time. (17 CFR 275.204-2)

What counts as “supporting records” for a performance chart?

Keep the data sources and workpapers that produce the figure, including calculation files and methodology notes, so you can demonstrate how the claim was derived. Store them with the ad record package, not in an analyst’s personal folder. (17 CFR 275.206(4)-1) (17 CFR 275.204-2)

Our marketing agency posts on social media. Who is responsible for retention?

You are still accountable for maintaining required records. Contract for record return (final posts, timestamps, creatives) and capture evidence of what was posted, tied to your approval. (17 CFR 275.204-2)

Can approvals in Slack or email satisfy the approval evidence requirement?

They can be evidence, but they are fragile and hard to produce consistently. Route approvals into a controlled workflow or archive the approval artifacts into the same record package as the final ad and substantiation. (17 CFR 275.204-2)

What’s the fastest way to identify gaps before an exam?

Do a reverse-sample review: pick a set of live ads across channels and verify you can retrieve the final artifact, approvals, substantiation, and distribution evidence for each. Track exceptions and close them with owners. (17 CFR 275.204-2)