Complying With FINRA and SEC Recordkeeping Regulations

Recordkeeping is vital for all financial firms, so adding a proper tool can save you from legal issues. Find out how Stillio can help you with FINRA and SEC compliance.

Financial establishments face many rules and regulations to protect investors. Two of the most important bodies responsible for this are the SEC and FINRA.

SEC stands for the Securities and Exchange Commission. It is a government organization aimed at protecting investors and maintaining the integrity of the securities market. It oversees all the necessary aspects of both financial and business environments.

Related to this is another body, known as the Financial Industry Regulatory Authority or FINRA. It is a non-profit private organization that regulates broker-dealers. It is the largest self-regulatory organization in the US and is overseen by the SEC.

Both SEC and FINRA rules and regulations have been laid down to achieve their goal of investor protection. One of the key points here is recordkeeping.

Recordkeeping according to SEC and FINRA

The Securities Exchange Act of 1934 (SEA), in section 17(a)(1), requires registered broker-dealers to keep records and reports as prescribed by the SEC so that the SEC, along with other self-regulatory organizations (SROs) or state securities regulators, can conduct adequate examinations of broker-dealers.

Under SEA rules 17a-3 and 17a-4, broker-dealers must make and keep thorough records of all relevant written and digital communications. That includes documents, emails, fax messages, instant messages, and their website.

These rules also specify the minimum requirements concerning the format of records and the period for which they must be kept: records must be easily accessible and retained for at least six years, along with a timestamp. Rule 17a-4 also requires storing data in a non-rewritable and non-erasable format. Duplicate copies of data should be stored in separate locations. Some of the SEC and FINRA recordkeeping requirements are:

  • A copy of the communication and the date of the first and last use.
  • Name of any registered principal who has approved the communication.
  • If retail communication has not been pre-approved by a registered principal, the name of the person who has prepared and distributed the communication should be mentioned.
  • The information related to the source of any statistical table, chart, or graph as used in the communication.

Similarly, FINRA also requires firms and their registered representatives to retain records of communications related to their "business." That can include anything, from emails to social media posts. FINRA also has rules centered around communications with the public, including anything that your firm shares on products or services. That includes the firm’s website and social contacts.

It’s important to note that FINRA’s rules apply to the content of the communication, no matter the device or platform used to distribute it.

FINRA has a Checklist for Recordkeeping that you can use to ensure you have everything in place.

How to comply with SEC and FINRA

Here are some crucial points to keep in mind related to online communication recordkeeping, according to FINRA rule 2210, “Communications with the public.”

General standard

As a general standard, this rule states that “all communications must be based on principles of fair dealing and good faith, must be fair and balanced, and must provide a sound basis for evaluating the facts regarding any particular security or type of security, industry, or service.” There shouldn’t be any omissions or exaggerated or false statements that would cause the communication to be misleading.


FINRA asks all firms to link to BrokerCheck on their website so that users can check the firm’s background using this tool. The link must be visible when a user visits the site, and if scrolling is needed, the page should mention that there is further information below. When including the link on your site, choose a font size and color that contrast with the background and are similar to the rest of the content on the page. FINRA suggests these two expressions:

Social media

Even though this medium is relatively new, FINRA’s rules apply to any communication, irrespective of which platform or device is being used. Social media communications should be recorded for a period of no less than 3 years. 

When making recommendations on social media, firms should be careful, as there are applicable suitability rules to promote ethical sales practices. Firms should develop procedures to supervise social media communications that recommend specific products or prohibit them unless a registered principal has previously approved the content or the recommendation conforms to a previously approved template.

The personal use of social media is not regulated by FINRA. However, if firm personnel use a personal site for business, then this may result in a situation where the firm is unable to retain records of business-related communications as required. Therefore, if a firm allows personnel to use social media freely, before principal approval, then the firm’s written supervisory procedures must provide for:

  • Training on the methods and the content standards of the communications rules.
  • How the firm will surveil these communications to test for compliance.
  • What actions will be taken if problems are detected.
  • Documentation of any findings and the corrective actions taken.

Review and approval

All communications should be approved by a qualified registered principal of the member before publishing, and some pieces of retail communication must be filed prior to first use for approval. You can check whether the latter requirement applies to you by reading FINRA rule 2210.

Third-party content

Some rules apply to third-party content when a firm adopts it or becomes entangled with it. A firm adopts third-party content when it approves or endorses it. A firm becomes entangled with this content if it is involved in its preparation.

Third-party social media posts are subject to FINRA recordkeeping rules when posted on a firm’s social media sites, so they must be adequately reviewed. However, third-party posts generally are not subject to FINRA's advertising rules unless the firm has adopted or become entangled with the content of an interactive post.

That also applies to third-party links on a firm’s website. If a firm includes a link to a third-party website and indicates that it endorses that content, or it has participated in the preparation of that content, then the firm is responsible for that content under FINRA regulations.

Non-compliance sanctions

This deals with the SEC and FINRA fines for non-compliance. In case of non-compliance, the SEC can order securities violators to:

  • Disgorge, or pay back, ill-gotten gains to return the funds to harmed investors.
  • Pay civil monetary penalties.
  • Pay interest (pre-judgment and post-judgment).

FINRA’s sanctions for non-compliance generally include fines, suspensions, and in extreme cases, bars from the brokerage industry.

In 2021, there was a record case: Robinhood Financial LLC was issued a $70 million penalty after an investigation from FINRA that found that the company had “negligently” provided false information to its customers in certain periods dating back to 2016. However, not all investigations necessarily lead to formal disciplinary actions. If the violation is minor, the matter might be resolved using informal disciplinary action.

What information should I archive?

From our previous summary of FINRA and SEC regulations, the essential points are:

  • Under the Securities Exchange Act, broker-dealers have to make and maintain proper records of all relevant documentation.
  • FINRA requires firms and registered representatives to retain records of all necessary communications related to business.
  • These rules apply to the communication content irrespective of the platform or device used for distribution.

This basically means that the safest decision you could make is to record all documents regarding your business’s operations and communications, as well as other businesses’ communications you may have participated in. Besides the private exchange of emails, this also includes public information such as:

  • Your firm’s website.
  • Social media posts belonging to your firm or its employees.
  • Any third-party content you may have shared or helped create.

Beyond simply meeting the retention requirement, it’s also helpful to archive these assets to prove compliance with other points, like the ones we’ve covered before. A screenshot archive of your website can prove you included the BrokerCheck link at a certain time, for example.

Recordkeeping for compliance with Stillio

Now that you have a good idea of what to archive to comply, it’s time for you to start recordkeeping for SEC and FINRA. Going through each website or social media profile manually can be tedious, especially since the platforms are constantly updated.

Stillio is an automated screenshot-capturing tool that lets you archive entire web pages and profiles. You need to provide URLs of the pages you want to archive and set a time interval (daily, weekly, monthly, or even every 5 minutes), and the screenshots will be automatically saved.

You will also be able to archive the sitemap of your website automatically and capture pages from partners you have linked to. These screen captures can be synced to your Dropbox, Google Drive, or any other cloud storage in case of an audit.


Recordkeeping is necessary for all financial firms, so adding a proper tool can save you from legal trouble. Check out FINRA’s page for more information on their regulations, seek legal help if needed, and book a demo with us if you’d like to know more about Stillio for SEC and FINRA website archiving.
