Investment Advisory Client Communication Recordkeeping

To meet the investment advisory client communication recordkeeping requirement, you need to capture, retain, and be able to promptly produce all business-related written communications with clients and prospects across approved channels, with supervision that detects off-channel messaging and misleading content risks. Build a channel allowlist, implement technical capture, and document reviews and exceptions.

Key takeaways:

  • Standardize “where business can happen” (approved channels) and block or tightly control everything else.
  • Capture and retain in-scope communications end-to-end (email, mobile, collaboration tools), then prove it with testing and audit trails.
  • Supervise content and exceptions, with escalations tied to remediation and (if needed) disciplinary action.

Investment advisers live and die by what they communicate and what they can prove they communicated. Examiners routinely ask for client and prospective client communications to validate disclosures, assess marketing claims, and test supervision. If your firm cannot reliably produce a complete record set, you will spend the exam reconstructing history from fragments, and your supervisory controls will look theoretical.

This page is written for a CCO/GRC lead who needs to operationalize the investment advisory client communication recordkeeping requirement quickly. It focuses on the practical mechanics: defining which communications are in scope, forcing business to occur only in monitored channels, capturing and retaining the records with integrity, and running supervision that finds exceptions (including off-channel texting and collaboration tools). It also ties recordkeeping to Marketing Rule risk: if you cannot retain what was said, you cannot substantiate that what was said was not misleading, and you cannot evidence supervision over advertising and other client-facing statements. The SEC has flagged Marketing Rule compliance as an examination focus (2025-exam-priorities), so treat communications capture and review as exam-critical plumbing, not a back-office archive.


Requirement summary (plain English)

You must maintain complete, accurate, and retrievable records of written business communications with clients and prospective clients, including electronic communications. Operationally, that means: (1) define approved business communication channels, (2) technically capture messages in those channels, (3) prevent or detect off-channel communications, (4) retain records with integrity and searchable retrieval, and (5) supervise for policy violations and misleading statements, especially where messages function as “advertisements.”

Why this matters for advisers

Two failures compound quickly:

  1. Incomplete capture (you cannot produce emails/texts/DMs when asked).
  2. Uncontrolled content (communications contain untrue or misleading statements, including in advertisements).

The SEC’s Marketing Rule prohibits disseminating advertisements with untrue statements of material fact or content that is otherwise false or misleading (17 CFR 275.206(4)-1). The SEC’s Division of Examinations has stated it will focus on compliance with recently adopted rules including the Marketing Rule (2025-exam-priorities). Even if your immediate program goal is “recordkeeping,” design it to withstand marketing-content scrutiny.

Regulatory text

Marketing Rule excerpt (operator-relevant): “It shall constitute a fraudulent, deceptive, or manipulative act… for any investment adviser to disseminate any advertisement that includes any untrue statement of a material fact, or that is otherwise false or misleading.” (17 CFR 275.206(4)-1)

What the operator must do with this text (in a recordkeeping program):

  • Treat records as your proof that advertisements and client-facing written statements were reviewed, approved when required, and not misleading.
  • Ensure your capture scope includes channels used to distribute advertisements and marketing-like messages (mass emails, newsletters, website chats, social DMs where business is discussed, and collaboration platforms used with prospects).
  • Build supervision workflows that can surface potentially misleading statements early and document remediation.

Who it applies to (entity + operational context)

Covered entities

  • SEC-registered investment advisers (RIAs), especially those that communicate with clients/prospects electronically and distribute marketing content (17 CFR 275.206(4)-1).

Operational context (where this breaks in real firms)

  • Advisors and IARs using personal phones for client texting.
  • Relationship teams using WhatsApp/Signal/iMessage, LinkedIn DMs, or other “quick” channels for scheduling, performance discussions, or sharing materials.
  • Marketing distributing pitch decks and performance snippets through email blasts or collaboration platforms without clear retention and approval trails.
  • Hybrid environments: some staff on O365/Google email, others on independent contractor setups, or third parties (PR firms, placement agents) sending messages “on your behalf.”

What you actually need to do (step-by-step)

1) Define scope: what counts as a record you must capture

Create a written scope statement that answers:

  • Who: all supervised persons and any third party communicating on the firm’s behalf.
  • What: written business communications with clients and prospects, plus communications that meet your internal definition of advertising/marketing material.
  • Where: email, SMS/MMS, collaboration tools (Teams/Slack), CRM messages, social media DMs where business is conducted, website chat, and any platform used to disseminate advertisements (17 CFR 275.206(4)-1).
  • When: from onboarding onward, including pre-engagement prospecting.

Deliverable: Communications Recordkeeping Standard (policy-level) + Channel Register (system-level inventory).

2) Establish an “approved channels” allowlist

Publish a short, enforceable list:

  • Approved email domains and accounts.
  • Approved texting solution or mobile capture approach.
  • Approved collaboration tools and rules for external messaging.
  • Approved social accounts for business.

Then write the “hard line”:

  • Business communications with clients/prospects must occur only in approved channels.
  • Off-channel communications are policy violations and trigger remediation.

Practical control: require attestation at onboarding and annually, plus a “no client business on personal messaging apps” acknowledgment.

3) Implement technical capture and retention controls

Your goal is defensible completeness, not “best effort.”

Minimum capabilities to implement:

  • Ingestion: journaling for email; API- or connector-based capture for Teams/Slack; mobile message capture for SMS (and, if permitted/used, other channels).
  • Normalization: keep metadata (sender/recipient, timestamps, attachments, edits/deletes if captured by the platform).
  • Retention + legal hold: retention rules aligned to your recordkeeping policy; legal holds override deletion.
  • Search and export: fast retrieval by client name, rep, date range, channel, and keyword.

Evidence you want to be able to show: sample retrievals, system logs showing ingestion health, and exception queues for failed captures.

4) Prevent and detect off-channel communications

Technical enforcement varies by environment, but you need both prevention and detection.

Options to combine:

  • MDM/MAM controls on firm-managed devices (block installation or restrict use of unapproved messaging apps for business profiles).
  • Conditional access (business apps only accessible from managed devices).
  • DLP flags for client identifiers leaving approved systems.
  • Supervisory sampling that includes outreach to high-risk desks and a review of CRM notes for evidence of off-channel interactions (example: “texted client details” noted in CRM but no corresponding captured text).
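One way to automate the CRM-note check described in the last bullet, as an added example that is not part of the original page or of any vendor's product. The channel names, rep and client identifiers, phone numbers, hint phrases, and the one-day matching window are all assumptions constructed for illustration.

```python
import re
from datetime import date, timedelta

# Phrases in a CRM note that imply a text/DM exchange took place (assumed list).
MESSAGING_HINT = re.compile(
    r"\b(text(?:ed|ing)?|sms|whatsapp|signal|imessage|dm(?:'?e?d)?|messaged)\b", re.I)

# Archive channels that can satisfy a note about messaging (assumed names).
MESSAGE_CHANNELS = {"sms_capture", "teams_external"}

# Constructed identity map: every handle a rep uses, resolved to one rep id.
REP_ALIASES = {"+15550100": "rep-ana", "ana@firm.example": "rep-ana",
               "+15550111": "rep-raj"}

# Constructed archive index rows: (sender handle, client id, channel, date captured).
ARCHIVE = [
    ("+15550100", "client-17", "sms_capture", date(2025, 3, 4)),
    ("ana@firm.example", "client-22", "email_journal", date(2025, 3, 6)),
    ("+15550111", "client-31", "sms_capture", date(2025, 2, 1)),
]

# Constructed CRM notes: (rep id, client id, note date, free text).
CRM_NOTES = [
    ("rep-ana", "client-17", date(2025, 3, 4), "Texted client details for Thursday call"),
    ("rep-ana", "client-22", date(2025, 3, 6), "Texted client details on fee schedule"),
    ("rep-raj", "client-31", date(2025, 3, 10), "Client sent WhatsApp re: performance"),
    ("rep-raj", "client-31", date(2025, 3, 11), "Left voicemail, will follow up by email"),
]

def captured_keys(archive, aliases, channels):
    """Set of (rep, client, date) with a captured message on a messaging channel."""
    keys = set()
    for handle, client, channel, day in archive:
        rep = aliases.get(handle)  # unmapped handles cannot be attributed to a rep
        if rep and channel in channels:
            keys.add((rep, client, day))
    return keys

def off_channel_exceptions(notes, archive, aliases=REP_ALIASES,
                           channels=MESSAGE_CHANNELS, window_days=1):
    """CRM notes implying a text/DM with no archived message within +/- window_days."""
    captured = captured_keys(archive, aliases, channels)
    exceptions = []
    for rep, client, day, text in notes:
        if not MESSAGING_HINT.search(text):
            continue  # note does not describe a messaging interaction
        nearby = (day + timedelta(days=d) for d in range(-window_days, window_days + 1))
        if not any((rep, client, d) in captured for d in nearby):
            exceptions.append({"rep": rep, "client": client, "date": day.isoformat(),
                               "note": text, "status": "open"})
    return exceptions
```

Each returned row is a candidate for the exception queue, not a finding: a reviewer still has to confirm whether the message went off-channel or the capture connector missed it.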

5) Supervise content, including marketing/advertising risk

Recordkeeping without supervision leaves you exposed.

Build a supervision workflow with:

  • Risk-based review queues: new joiners, high-volume communicators, high-risk products/strategies, performance discussions, and any message templates used broadly.
  • Keyword/theme lexicon: performance claims, guarantees, “risk-free,” “exclusive,” “SEC approved,” cherry-picked returns, and other phrases that often create misleading impressions (tie back to 17 CFR 275.206(4)-1).
  • Pre-approval where needed: marketing materials and mass distributions should have documented review/approval trails and final archived versions.

Keep the escalation path simple:

  • flag → triage → remediate (corrective client communication if needed) → discipline/training → control fix.

6) Test the program and document results

Exams reward provable control operation.

Run recurring tests:

  • Capture completeness testing: pick a set of users and confirm that known messages exist in the archive; test attachments; test external chats.
  • Retrieval SLA drills: simulate an exam request and time how long it takes to produce a complete packet with audit trail.
  • Exception remediation: confirm that ingestion failures or off-channel events were resolved and documented.

If you use Daydream, map each channel to an owner, evidence, and test cadence so you can show an examiner a single control narrative with supporting artifacts rather than screenshots scattered across teams.

Required evidence and artifacts to retain

Keep these in a central “Exam Ready” folder with version control:

Governance

  • Communications recordkeeping policy and procedures (current + prior versions).
  • Approved channel list, with effective dates.
  • Role-based responsibilities (Compliance, IT, Supervision, Marketing).

Technical

  • System architecture diagram for capture/archiving (data flows, connectors).
  • Configuration exports or admin screenshots for key settings (journaling, connectors, retention rules).
  • Ingestion health logs and exception reports.
  • Legal hold procedures and examples of holds applied.

Supervision

  • Supervisory review procedures, sampling methodology, and reviewer training.
  • Review logs (what was reviewed, by whom, when, disposition).
  • Escalation tickets and remediation tracking (including coaching or disciplinary outcomes where applicable).
  • Marketing review/approval records for advertisements and related distributions (17 CFR 275.206(4)-1).

Testing

  • Periodic control testing results and follow-up actions.
  • Mock exam request packages and retrieval evidence.

Common exam/audit questions and hangups

Expect variations of:

  • “List all communication channels your supervised persons use for client/prospect business. Which are approved?”
  • “Show how you capture texts and collaboration messages. What about personal devices?”
  • “Produce communications for [rep] and [client] over [date range] across all channels.”
  • “Show evidence of supervisory review and how you handle exceptions.”
  • “How do you ensure advertisements are not false or misleading, and what records prove review and dissemination?” (17 CFR 275.206(4)-1; 2025-exam-priorities)

Hangups that slow production:

  • No single index across channels.
  • Incomplete identity mapping (rep has multiple emails/phones).
  • Attachments stored outside the archive.
  • Poor audit trails for edits/deletes in collaboration tools.

Frequent implementation mistakes (and how to avoid them)

  1. Policy says “no off-channel,” but there is no enforcement.
    Fix: pair policy with device/app controls and supervision that generates documented exceptions.

  2. Capture exists, but retrieval is painful.
    Fix: run retrieval drills and build repeatable “exam packet” templates (search terms, export format, chain-of-custody notes).

  3. Marketing review is separated from communications retention.
    Fix: require that final approved advertisements and the distribution communications are both retained and linked (17 CFR 275.206(4)-1).

  4. Third parties communicate on your behalf without capture.
    Fix: contract clauses requiring approved channels, retention cooperation, and audit rights; route third-party outbound through firm-controlled systems where possible.

  5. Supervision is “check-the-box” sampling with no outcomes.
    Fix: track findings to remediation, training, and control changes. Keep the evidence.

Enforcement context and risk implications

This page cites no public enforcement cases, so don’t anchor your risk story to specific penalties. You can still plan for exam pressure: the SEC has explicitly called out Marketing Rule compliance as an exam focus (2025-exam-priorities). If communications that function as advertisements are missing, incomplete, or not reviewable, you increase the chance that an examiner treats the deficiency as both a recordkeeping/control failure and a misleading-advertising risk (17 CFR 275.206(4)-1).

Practical execution plan (phased)

Immediate phase: stabilize scope and stop the bleeding

  • Publish approved-channel list and off-channel prohibition.
  • Identify highest-risk groups (client-facing reps, marketing, senior leadership).
  • Turn on or validate email journaling and confirm retention is active.
  • Create an exception intake path (mailbox or ticket queue) for capture gaps and off-channel reports.

Near-term phase: complete capture and launch supervision

  • Extend capture to mobile and collaboration platforms used with clients/prospects.
  • Roll out device controls (managed devices for client communications where feasible).
  • Start supervisory sampling with documented findings and escalations.
  • Build a standard exam production workflow (who pulls, who reviews, who approves).

Ongoing phase: test, tune, and prove operation

  • Run recurring capture completeness tests and retrieval drills.
  • Refresh training and attestations; update channel inventory for new tools.
  • Review keyword lexicon and marketing workflows tied to the Marketing Rule (17 CFR 275.206(4)-1).
  • Use a system of record (for many teams, Daydream) to track controls, evidence, exceptions, and remediation in one place.

Frequently Asked Questions

Do we have to capture communications with prospective clients, or only existing clients?

Treat prospect communications as in scope if they relate to advisory business. Examiners often review the full lifecycle from initial outreach through onboarding because early messages can include performance claims or other advertising-like statements (17 CFR 275.206(4)-1).

Are LinkedIn DMs “client communications” for recordkeeping purposes?

If business is conducted in the DMs (scheduling, advice discussions, sharing materials, solicitation), treat them as in-scope records. Either prohibit that channel for business or implement capture and supervision for it.

We prohibit WhatsApp/Signal. Is policy alone enough?

A prohibition without detection and consequences rarely holds. Add device/app controls where feasible, supervisory review designed to detect off-channel behavior, and documented remediation when exceptions occur.

How do we tie recordkeeping to the Marketing Rule without boiling the ocean?

Start by tagging and retaining anything that meets your internal definition of an advertisement and keep the approval trail next to the final version. Then supervise distribution communications and templates for misleading statements risk (17 CFR 275.206(4)-1), aligned to the SEC’s stated exam focus (2025-exam-priorities).

What evidence is most persuasive in an SEC exam for communications recordkeeping?

Fast, complete production across channels plus auditable proof the controls operate: retention settings, ingestion health reports, review logs, and documented exception remediation. A clean “exam packet” beats a pile of screenshots.

Can we allow personal devices for texting clients?

Yes, but only if you can capture and retain those business messages reliably and supervise them. If you cannot, require firm-managed devices or restrict client texting to an approved platform that archives by design.
