Executive Summary
Regulators continue to focus on “off-channel” communications—business-related messages conducted outside a firm’s approved system. While much of the enforcement attention has centered on text messaging and collaboration apps, email surveillance remains a critical first line of defense. Incorporating the names of known social media and messaging platforms as keyword search terms in email surveillance programs can help broker-dealers and investment advisers identify red flags indicating the use of unapproved communication channels.
Regulatory Background: Why Off-Channel Communications Matter
The Financial Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC) have repeatedly emphasized broker-dealers’ and investment advisers’ obligations to retain, supervise, and review business communications, regardless of format. Therefore, broker-dealers and investment advisers are expected to maintain supervisory systems designed to capture and oversee business-related communications across all channels.
For broker-dealers, FINRA Rule 3110 requires firms to supervise not only the content of communications, but also the methods by which registered representatives conduct firm business. FINRA has repeatedly highlighted the risks posed by unapproved messaging platforms and has criticized firms that prohibit off-channel communications without implementing practical detection and monitoring controls. Investment advisers face similar expectations under the Advisers Act. SEC Rules 204-2 and Rule 206(4)-7 govern books and records, and compliance programs require advisers to consider whether client communications occur on platforms that evade retention and supervisory review.
Recent FINRA and SEC enforcement actions have reinforced that policies alone are insufficient, particularly when firms lack controls designed to detect the use of unapproved platforms. The key regulatory themes underlying those actions included firms’ failure to (i) maintain reasonable supervisory systems tailored to their size, business model, and communication risks; (ii) exercise their supervisory obligations, which extended to how representatives communicate, not just what they say; and (iii) maintain surveillance programs that evolve as communication technology changes.
Against this backdrop, email surveillance plays a critical role. Even when substantive discussions occur elsewhere, representatives often reference messaging platforms in firm email systems. Regulators increasingly expect firms to leverage these indicators within a risk-based supervisory framework, including through keyword searches that reflect commonly used social media and messaging applications.
The Role of Email Keyword Surveillance
Regulators have emphasized that supervision obligations extend not only to the content of communications but also to the channels a firm uses to conduct business. Both FINRA and the SEC expect firms to maintain supervisory systems to detect business communications outside approved platforms.
Email surveillance plays a critical role because firm email systems often capture early warning signs of off-channel activity, even when substantive business conversations occur elsewhere. Common examples include emails stating, “I’ll text you the details,” “Let’s move this to WhatsApp,” or “I sent the documents via Telegram.” While these messages may seem routine, they can signal that securities-related communications are occurring on platforms not subject to firm retention or review.
Including the names of well-known social media and messaging applications in email keyword searches helps firms move beyond policy prohibitions to practical detection and supervision. Feedback from regulators in recent exams makes it clear that they view this targeted, risk-based surveillance as a reasonable and proportionate response to modern communication risks.
Incorporating Social Media and Messaging Platforms into Keyword Lists
A well-designed email surveillance program should account for the reality that associated persons routinely reference social media and messaging applications, even where firm policies prohibit their use for business communications. Incorporating the names of widely used platforms into keyword libraries enables firms to identify potential off-channel activity early and apply supervisory judgment before issues escalate.
Keyword lists should incorporate both current usage trends and firm-specific risk factors. Common keywords to consider include WhatsApp, Signal, Telegram, iMessage, Instagram DMs, LinkedIn messaging, and similar tools that enable direct, often encrypted, communication outside firm-approved systems.
Importantly, the use of platform-based keywords does not indicate misconduct. Rather, it supports a risk-based supervisory approach by enabling compliance teams to triage communications, confirm whether approved tools were used, and document appropriate follow-up. Firms that periodically refresh keyword lists and align them with evolving communication technologies demonstrate that their surveillance programs are reasonably designed, actively maintained, and responsive to regulatory expectations.
Practical Compliance Considerations
When adding social media platform keywords to email surveillance programs, firms should consider:
- Risk-based calibration: Adjust keyword scope based on firm size, representative population, and prior findings.
- False positives: References to social media may be benign; documented review and escalation procedures are essential.
- WSP alignment: Written Supervisory Procedures should expressly address off-channel communication detection and follow-up steps.
- Training integration: Surveillance findings can inform targeted training on approved communication channels.
- Vendor coordination: Ensure surveillance vendors can accommodate dynamic keyword updates.
Takeaways for Broker-Dealers and Investment Advisers
Regulators expect firms to proactively adapt supervisory controls to address modern communication risks. Incorporating known social media and messaging platforms into email keyword surveillance is a practical, defensible step that demonstrates reasonable supervision and a culture of compliance. Firms that periodically review and refresh their keyword libraries and document the rationale are better positioned to identify off-channel risks before they become enforcement issues.