Compliance Lessons from Major FINRA and SEC Texting Fines

Key Takeaways

• Recordkeeping has shifted from a back-office task to one of the most consequential compliance risks financial firms face today.
• The most common violations stem from unarchived messages on encrypted messaging apps like WhatsApp, iMessage, and Signal, compounded by personal devices and remote work arrangements that put communications outside compliance controls.
• The enforcement net has widened: investment advisers, individual brokers, and senior personnel face the same scrutiny once reserved for broker-dealers alone.
• In line with SEC Rule 17a-4, Advisers Act Rule 204-2, and FINRA Rule 4511, business communications need to be retained in a tamper-proof, retrievable format.
• The SEC and FINRA have collected more than $3.5 billion in texting fines since 2021.
• Closing the gap requires a unified archiving setup that captures every channel and device automatically, with the search, legal hold, and audit trail capabilities regulators expect.

Introduction

The SEC and FINRA have collected more than $3.5 billion in texting fines since 2021, and the enforcement wave shows no signs of slowing.

What started as a handful of broker-dealer cases has grown into a sweeping campaign that now reaches investment advisers, senior executives, and repeat offenders.

If your firm hasn’t reviewed its archiving setup recently, the gap between your policies and your actual capture coverage is probably wider than you think.

What you’ll learn in this article:

• The biggest FINRA and SEC texting fines
• Which messaging apps regulators cite most
• How self-reporting affects penalties
• A checklist to close common archiving gaps

Understanding FINRA and SEC Texting Fines

The SEC and FINRA both regulate financial markets, but they approach texting violations from different angles, and FINRA fines for texting follow a different sizing logic than SEC fines do.

The SEC enforces federal securities laws against broker-dealers and investment advisers, while FINRA, a self-regulatory organization, oversees broker-dealers and their associated persons.

A single texting violation can trigger action from FINRA, the SEC, or both at once, depending on the firm type and the conduct involved.

The table below summarizes how the two regulators differ in jurisdiction, retention rules, enforcement type, and penalty range.

FINRA texting fines are imposed based on a set of factors like:

• The severity of the violation
• The harm caused to investors
• The benefit gained by the perpetrator
• The firm’s violation history

These fines are often part of a broader disciplinary action, which may include suspensions or additional sanctions.

On the other hand, SEC fines for texting are federally enforced against institutions that manipulate the market and commit corporate fraud.

In the texting context, the SEC assesses its penalties based on the following factors:

• The harm done
• The nature of the violation
• The size of the institution
• The compliance history

There is no set amount a firm will be fined because the fines are based on multiple factors.

Key SEC and FINRA Rules Governing Text Message Retention

Three rules define the recordkeeping floor for most regulated firms.

• SEC Rule 17a-4 requires broker-dealers to retain business communications for a minimum of three years in a non-rewritable, non-erasable format. The storage format matters as much as the retention period, as records must be immutable and retrievable on demand.
• Rule 204-2 under the Investment Advisers Act requires investment advisers to retain books, records, and business communications for 5 years. If your firm manages client assets, this rule applies to you.
• FINRA Rule 4511 requires firms to create and preserve books and records in line with FINRA rules, the Exchange Act, and applicable securities laws. It reinforces the obligations set by SEC 17a-4 rather than replacing them.

In practice, these rules apply to all business communications regardless of channel, and include SMS, iMessage, WhatsApp, Signal, WeChat, and Bloomberg chat.

Recent FINRA and SEC Texting Fines

The cases below illustrate how recordkeeping failures actually unfold inside firms, from technical control breakdowns at a single firm to industry-wide patterns of off-channel communication.

The SEC’s $1.8 billion off-channel crackdown

In 2022, the SEC and CFTC fined 16 Wall Street firms a combined $1.8 billion for employees’ use of private messaging apps. The group included Goldman Sachs, Bank of America, Citigroup, Morgan Stanley, Barclays, Credit Suisse, Deutsche Bank, Jefferies, Nomura, and UBS.

The SEC found that the firms had engaged in extensive off-channel communication, with business communication taking place on personal devices and consumer messaging apps like WhatsApp, Signal, iMessage, SMS, and personal email. None of these were ever captured or retained.

This was one of the biggest fines issued by the SEC regarding texting violations.

The firms were fined, required to retain independent compliance consultants, and ordered to implement remediation plans to prevent future violations of record-keeping provisions.

Deloitte’s “Disable or Block” messaging violation

In March 2023, Deloitte Corporate Finance (DCF) received a $200,000 FINRA fine for failing to archive business-related iMessages between July 2017 and February 2022.

The firm had implemented a “Disable or Block” policy specifically because their third-party archiving system couldn’t capture iMessages due to Apple’s end-to-end encryption protocol. This technical limitation prompted Deloitte to route all communications through standard SMS/MMS channels to ensure complete message capture and stay compliant with regulatory requirements.

The compliance breakdown occurred through a series of technical and administrative failures.

The problem was that the control quietly stopped working. As iOS updates reached new devices, DCF’s blocking mechanism became ineffective, and iMessages began slipping through again. When the key employee responsible for managing this control left the company in July 2018, their critical responsibilities weren’t properly transitioned to new personnel.

The regulatory impact was substantial, as approximately 676,000 business communications went completely unarchived, creating a significant blind spot in their recordkeeping infrastructure and ultimately leading to regulatory penalties.

This violation breached Section 17(a) of the Securities Exchange Act, Rule 17a-4, and FINRA Rules 4511 and 2010, which require firms to preserve all business communications for at least three years.

Technical controls like “Disable or Block” policies require ongoing verification, especially after system updates.

The Wall Street WhatsApp and text messaging incident

In 2023, the US regulators imposed $549 million in combined SEC and CFTC penalties against nine Wall Street firms, including Wells Fargo, BNP Paribas, SG Americas, BMO Capital Markets, and Mizuho Securities, over their employees using off-channel communication via text messages and WhatsApp.

The incident was a huge breach of the SEC requirement to retain all work-related communications. The firms had not established any controls on how employees used personal devices, nor did they archive text messages at all. WhatsApp was one of the primary off-channel platforms cited in the action.

All nine companies admitted that their employees had been communicating on personal devices since 2019. This revealed a four-year gap in record-keeping, which made the severity of the SEC’s fine even greater.

Training alone would not have prevented this. The firms had no technical mechanism to capture messages sent from personal devices. Without an archiving solution that works across personal and company-issued devices, policy enforcement depends entirely on employee behavior, and that’s not a defensible compliance position.

FINRA individual broker suspensions and fines for texting

Enforcement isn’t limited to firms. FINRA regularly disciplines individual brokers, and the case below shows how quickly an SMS-based violation can derail a career.

In 2023, FINRA imposed a 15-month suspension as well as a $15,000 fine on a former Edward D. Jones & Co. broker because they sent client documents to another individual at the firm via SMS.

By sending messages that contained business-critical information on their personal phone, the employee bypassed the firm’s data retention policy, and the messages were never archived.

Because of this, the investigation couldn’t prove if the employee’s violation was accidental or malicious. FINRA decided to act.

There are many similar cases when FINRA suspended and fined individual brokers for texting.

The SEC’s $392 million senior-level sweep

In August 2024, the SEC fined 26 firms $392.75 million for widespread recordkeeping failures tied to off-channel business communications.

The largest penalties went to Ameriprise, Edward Jones, LPL Financial, and Raymond James at $50 million each, followed by RBC Capital Markets at $45 million and BNY Mellon Securities and Pershing at $40 million each.

The SEC said the violations involved personnel at multiple levels of authority, including supervisors and senior managers, showing that this was not limited to isolated employee behavior.

WhatsApp remained one of the most commonly cited off-channel platforms in this wave of SEC WhatsApp fines, alongside text messaging and other consumer apps.

Investment advisers enter the enforcement net

In January 2025, the SEC fined 12 firms $63.1 million for failing to maintain and preserve electronic communications.

Notable penalties included Blackstone at $12 million, KKR at $11 million, Charles Schwab at $10 million, and Apollo at $8.5 million.

This enforcement wave was significant because it included investment advisers, not just broker-dealers, confirming that off-channel recordkeeping obligations extend across both sides of the financial services market.

For firms with Asia-Pacific operations, this also reinforces that WeChat falls squarely within FINRA and SEC recordkeeping obligations.

How Self-Reporting Reduces SEC and FINRA Penalties

The SEC has repeatedly stated that self-reporting and proactive cooperation can reduce penalties, even though they do not eliminate enforcement action.

Recent examples include Truist at $5.5 million, Cetera at $4.5 million, Hilltop Securities at $1.6 million, and PJT Partners at $600,000, all materially lower than the penalties imposed on many others that didn’t receive similar cooperation credit.

Self-reporting still results in admissions, penalties, and remediation obligations, including compliance consultant requirements in some cases. It reduces exposure, but it does not make the matter go away.

More Than Just Fines: The Hidden Costs of Non-Compliance

Financial penalties from FINRA and the SEC are headline-grabbing, but they’re often just the beginning of the consequences organizations face after a texting violation.

Here are some additional impacts that can hurt your firm’s long-term stability:

• Reputational damage — Fines and public enforcement actions signal weak internal controls, damaging client trust and investor confidence. Firms such as Wells Fargo and Goldman Sachs faced significant media coverage and client inquiries following their settlements.
• Operational disruption — Investigations often lead to sudden changes, such as policy overhauls, audits, vendor replacements, the retention of independent compliance consultants, and the need to review thousands of messages under tight deadlines. Remediation can consume internal resources for 12–18 months.
• Loss of regulatory goodwill — Firms with prior violations often face increased scrutiny in future exams, raising the risk of more frequent audits or stricter penalties. Several that appeared in earlier enforcement waves resurfaced again in 2023 and 2024, suggesting that incomplete remediation can compound future exposure.
• Employee morale and turnover — Inconsistent policies or unclear guidelines can frustrate staff, especially if disciplinary action is taken against individuals for using non-compliant tools they weren’t trained on.

Avoiding fines is important, but safeguarding your firm’s integrity and operational resilience should be the bigger goal.

Compliance Checklist: How to Avoid SEC and FINRA Texting Fines

Across every enforcement wave, the same patterns keep surfacing: employees using personal devices for business, encrypted apps that sit outside the firm’s archiving system, and remote work arrangements that blur the line between personal and professional communication.

The checklist below addresses the controls regulators now expect firms to have in place to close those gaps.

1. Audit all communication channels employees use for business, including SMS, iMessage, WhatsApp, Signal, WeChat, Bloomberg chat, and personal email.
2. Define and enforce an approved-channels policy that clearly states which platforms employees may use for business communications.
3. Deploy archiving that captures SMS, iMessage, WhatsApp, and other platforms automatically.
4. Implement supervisory review workflows so compliance teams can monitor business communications on an ongoing basis.
5. Train employees annually on recordkeeping obligations and the risks of off-channel communication.
6. Test controls after every OS, device, or app update to confirm that message capture still works as expected.
7. Conduct periodic mock audits of message retrieval so you can prove records are searchable and defensible.
8. Establish a self-reporting protocol for discovered gaps so the firm can respond quickly if a recordkeeping issue is identified.

How Archiving Solutions Solve the Problem

Avoiding FINRA and SEC texting fines comes down to one core principle: every business communication has to be captured, retained, and readily retrievable, no matter where it originates from. Any channel your system doesn’t reach, device it doesn’t cover, or message it can’t index is a liability waiting to surface in an audit or enforcement action.

A compliant archiving approach relies on automatic capture rather than employee forwarding, paired with tamper-proof storage, granular search, legal hold capability, and a defensible audit trail.

If any of those controls are missing, the firm may still have records somewhere, but not in a form regulators will accept. BYOD and CYOD environments raise the stakes further, since firms are still on the hook for capturing business communications regardless of who owns the device.

For financial services firms, a text message archiving solution should:

• Offer standalone archiving of text messages, in case a firm already has a separate email archiving system that they are not planning to migrate.
• Offer integrated text message archiving with email, social media, Bloomberg, and other official channels used for communication. This approach is advised because it allows you to search all communication records from a single system, saving time and resources.
• Be able to archive text messages and calls from company-issued, CYOD, and BYOD phones, because firms can’t rely on employees to self-archive or forward messages from personal devices.
• Capture iMessages automatically to avoid compliance gaps caused by failed blocking policies.

Jatheon allows you to unify the archiving of text messages, iMessages, phone calls, email, Bloomberg, WhatsApp, and social media. It’s also possible to retain only text messages.

Once archived, your text messages will be indexed and available for ediscovery.

With advanced filters like keywords, phrases, proximity, fuzzy, and boolean operators, Jatheon helps you find the records you’re looking for in minutes and helps you respond to regulatory inquiries, litigation holds, and internal investigations in minutes instead of weeks, with complete, verifiable records.

Once found, you can easily prove message integrity, making the records viable evidence in any court case.

Along with this, you can create custom data retention policies to manage automatic data deletions.

FAQ

What are the SEC texting rules?

For broker-dealers, SEC Rule 17a-4 requires firms to retain business communications for at least three years in a non-alterable format. For investment advisers, Rule 204-2 requires retention for five years. These rules apply to all electronic communications used for business, including SMS, iMessage, WhatsApp, Signal, and WeChat.

What counts as a “business communication” in a text message?

Any message related to the firm’s business, regardless of length or formality. Scheduling a client call, confirming a trade detail, or discussing a deal over text all qualify. The SEC’s standard is the subject of the message, not the tone or frequency.

What are the biggest recent FINRA and SEC texting fines?

The FINRA and SEC texting fines include Deloitte ($200K), the 2022 Wall Street crackdown ($1.8B across 16 firms), the 2023 SEC and CFTC action ($549M across 9 firms), the 2024 senior-level enforcement wave ($392.75M across 26 firms), and the 2025 expansion to investment advisers ($63.1M across 12 firms).

What’s the difference between archiving and backup for SEC compliance purposes?

Backups are designed to restore data after a failure. Archives are designed to preserve communications in a tamper-proof, indexed, and searchable format that satisfies SEC Rule 17a-4’s WORM requirement. A backup alone will not pass a regulatory exam, even if it contains the messages in question.

Does encrypted messaging like Signal, WhatsApp, or iMessage make archiving impossible?

No. Encryption prevents capture at the network level, but compliant archiving solutions capture messages at the device or account level, before or after encryption is applied. The technical challenge is solvable. The compliance risk comes from firms that haven’t deployed a solution that handles it.

What should a firm do if it discovers a recordkeeping gap during an internal review?

Document the scope of the gap, preserve any related records, and consult counsel before deciding whether to self-report. Self-reporting has historically reduced penalties, but the credit depends on acting quickly and cooperating fully once the matter is raised with regulators.

About the Author

Natasa Djalovic

Natasa Djalovic is a Senior Content Writer at Jatheon, with 10+ years of experience in creating B2B and SaaS content, with a strong focus on compliance, archiving, and tech topics. Outside of work, she likes to collect and build LEGO sets, hang out with her cats, and watch documentaries.