Key Takeaways
- Regulated communications include any business message (email, text, chat, voice, social media, video) subject to federal, state or industry-specific retention and supervision rules.
- Organizations in finance, healthcare, government and education face overlapping regulations (FINRA, SEC, HIPAA, the Sarbanes-Oxley Act (SOX), FOIA) that all require capturing, archiving and producing communications on demand.
- The shift to multi-channel digital communication has expanded the scope of regulated messages to channels far outside email, making off-channel communications a growing compliance risk.
- The SEC and FINRA have issued more than $2.3 billion in fines for recordkeeping failures since 2021, and enforcement has shifted from SEC firm-level fines toward FINRA actions against individual brokers.
- A unified archiving strategy that captures all communication channels in one platform is the most reliable way to meet regulatory obligations and stay audit-ready.
Introduction
Since launching its off-channel communications sweep in December 2021, the SEC has brought 95 enforcement actions and imposed $2.3 billion in penalties against firms for failing to preserve off-channel communications. The current Commission has since reversed course, concluding that the enforcement campaign delivered little measurable benefit to investors. FINRA picked up where the SEC left off: its 2026 Annual Regulatory Oversight Report explicitly flags electronic communications capture failures and off-channel use as active examination priorities, and the regulator has continued pursuing individual brokers directly, including fines and suspensions at Wells Fargo Advisors and B. Riley in late 2025 and early 2026. Financial services is just one industry where failing to capture, retain and produce business communications can trigger enforcement action, litigation exposure and reputational damage.
Regulated communications affect every organization that operates under federal, state or industry-specific compliance mandates. If your employees send emails, text messages, chat messages, social media posts or make voice calls related to business, you likely have a legal obligation to capture and retain those records. The challenge is that most organizations are struggling to keep up as the number of communication channels grows.
In this guide, you’ll learn:
- What regulated communications are and how they differ from general business communications;
- Which industries and regulations apply to your organization;
- Which communication channels fall under regulatory scope;
- The real-world consequences of non-compliance; and
- How to build a compliant archiving strategy that covers every channel.
What Are Regulated Communications?
Regulated communications are any business messages or records subject to legal retention, supervision or production requirements under federal, state or industry regulatory compliance mandates. The term covers messages exchanged through email, text messages, instant messaging platforms, social media, voice calls, video conferencing and collaboration tools.
The distinction between a regulated communication and a general business message comes down to one factor: legal obligation. When a regulation requires your organization to capture, store and make a communication retrievable on demand, that message is regulated. It doesn’t matter whether the message was sent from a corporate device or a personal phone, through an approved channel or an unauthorized app.
What counts as a regulated communication
The scope extends past the content of the message itself. Regulatory requirements typically extend to metadata, which includes the sender, recipient, timestamp, channel and any attachments or linked files. A complete compliance record means capturing both the message and its surrounding context.
Common types of regulated communications include:
- Business emails sent through corporate or personal accounts;
- Text messages (SMS and MMS) discussing business matters;
- Instant messages on platforms like Teams, Slack, WhatsApp and Google Chat;
- Social media posts, direct messages and comments on business accounts;
- Voice calls and voicemail recordings related to business activity; and
- Video meeting recordings and transcripts.
For compliance officers and IT leaders, the practical implication is clear: if your employees use a channel for business communication, you need to determine whether that channel falls under a regulatory retention requirement.
Which Industries Have Regulated Communications?
Four major sectors face the most rigorous communication compliance obligations. Each has its own set of regulations, retention requirements and enforcement mechanisms.
Financial services
Financial services faces the strictest communication regulations of any industry. FINRA Rules 3110 and 4511 require broker-dealers to retain all business communications and maintain supervisory systems for reviewing them. SEC Rule 17a-4 mandates that electronic communications be preserved for three to six years in a non-rewriteable, non-erasable (WORM, write once, read many) format or, since the 2022 amendments to the rule, on an electronic recordkeeping system that meets the audit-trail alternative. Either way, the practical test is the same: a record cannot be altered or deleted during its retention period without that change being detectable.
The enforcement consequences are real. Since 2021, the SEC has conducted a sweeping enforcement campaign targeting firms that failed to capture off-channel communications, including text messages and WhatsApp messages sent on personal devices. Individual fines have reached tens of millions of dollars per firm, with the cumulative total exceeding $2.3 billion according to the SEC’s own FY2025 enforcement results.
Healthcare
HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH) govern how healthcare organizations handle communications containing electronic protected health information (ePHI). If you’re in healthcare, a dedicated HIPAA compliance email archiving approach is non-negotiable. Any email, text message or chat that includes patient data falls under these requirements.
Healthcare organizations must implement access controls, encryption and audit trails for communications that contain ePHI. Retention periods vary by state and organizational policy, but HIPAA requires maintaining certain records for a minimum of six years. Penalties for violations range from $100 to $50,000 per incident, with annual maximums reaching $1.5 million per violation category according to the HHS Office for Civil Rights; these statutory amounts are adjusted for inflation each year, so the current figures are higher.
Government and public sector
FOIA and state open records laws require government agencies to retain and produce official communications upon request. This applies to emails, text messages and social media messages sent by public officials and employees in the course of their duties.
The challenge for government agencies has grown significantly as employees use personal devices and messaging apps for official business. Courts have repeatedly held that the content of the message, not the device or platform, determines whether it qualifies as a public record.
Education
The Family Educational Rights and Privacy Act (FERPA) protects student education records, including communications that contain student information. Emails, parent-teacher messages and administrative records that reference student data all fall under FERPA’s protection requirements.
Public educational institutions face an additional layer of complexity: they must also comply with state open records laws, creating overlapping obligations for the same communications. K-12 districts and public universities need archiving systems that satisfy both FERPA privacy requirements and open records retention mandates.
Key Regulations That Govern Business Communications
Understanding which regulations apply to your organization is the first step toward compliance. Here’s a regulation-by-regulation breakdown of what each law requires for communications.
FINRA and SEC (financial services)
SEC Rule 17a-4 requires broker-dealers to retain all business communications for three to six years depending on the record type, in WORM-compliant storage or, since the 2022 amendments, on a system that provides the audit-trail alternative. For a deeper look at these requirements, see our guide on FINRA compliance and SEC 17a-4 record retention.
FINRA Rule 3110 mandates supervisory review systems for written communications. The Dodd-Frank Act added requirements for capturing communications related to swap transactions.
The SEC’s recent enforcement actions have made one point clear: the format and channel don’t matter. Whether a communication happens over email, text message, WhatsApp or any other platform, the retention obligation is the same.
HIPAA and HITECH (healthcare)
Communications containing ePHI must be protected by role-based access controls and retained according to organizational retention policies as outlined in the HIPAA Security Rule. Encryption in transit and at rest is an "addressable" specification under the Security Rule rather than an unconditional mandate, but an organization that does not encrypt must document why an alternative is reasonable and appropriate, and in practice encryption is the expected control. HITECH extended HIPAA's requirements to business associates and increased penalty amounts.
The minimum retention period for certain HIPAA-related records is six years, though many organizations adopt longer retention windows to satisfy state-level requirements.
SOX (publicly traded companies)
Section 802 of the Sarbanes-Oxley Act mandates retention of all audit-related communications, including emails and messages exchanged during the audit process. Willful destruction of records carries criminal penalties of up to 20 years in prison under SOX provisions.
SOX requirements extend to any communication that could be relevant to a financial audit, making the scope broader than many organizations realize.
FOIA and state open records (government)
All official communications, including those on personal devices used for government business, are subject to public records requests under FOIA and equivalent state laws. Response deadlines vary by jurisdiction, with some states imposing aggressive short deadlines for production.
Government agencies that cannot locate and produce requested communications face legal challenges, public scrutiny and potential contempt findings.
FERPA (education)
Organizations must protect communications containing student education records and limit access to authorized parties. FERPA violations can result in the loss of federal funding, making compliance a financial priority for educational institutions.
GDPR and CCPA (privacy)
The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) create a counterbalancing obligation: you must retain regulated communications long enough to meet compliance requirements, but you also must not retain personal data longer than necessary. Knowing which law defines personal data or personally identifiable information (PII) in your jurisdiction, and how broadly, is a prerequisite. Building retention policies that satisfy both compliance mandates and data minimization principles requires careful planning, typically a documented legal basis and retention period for each record category, with deletion scheduled once the longest applicable period expires.
MiFID II (EU financial services)
The Markets in Financial Instruments Directive II (MiFID II) requires EU investment firms to record and retain all communications related to client orders and transactions, including calls, video, chat and email, for a minimum of five years. Unlike SEC and FINRA rules, MiFID II explicitly treats voice as a core recordkeeping requirement, not an afterthought.
PCI DSS (payment data)
The Payment Card Industry Data Security Standard (PCI DSS) governs any communication where payment card data is discussed, transmitted or stored, including support chats, emails and call recordings. It’s a security standard rather than a retention law, but it intersects with archiving directly: cardholder data captured in a communication must be encrypted and access-controlled, not stored in plaintext. Non-compliance can trigger fines from card networks and, in serious cases, loss of card-processing privileges.
Communication Channels Under Regulation
Regulatory scope now covers far more than email. Here’s a channel-by-channel breakdown of where compliance obligations apply.
Email
Email remains the most established regulated communication channel. Nearly every federal and state regulation that addresses business communications includes email retention requirements. Most organizations have email archiving in place, but gaps still exist when employees use personal email accounts for business purposes.
Text messages (SMS and MMS)
Text messaging has become a major enforcement focus, particularly in financial services. The SEC’s off-channel communications sweep targeted firms whose employees used personal text messages for business discussions without capturing those records. If your employees discuss business over text, those messages are subject to the same retention rules as email.
Instant messaging and chat
Messages on collaboration platforms like Teams, Slack, WhatsApp, Google Chat and Zoom carry the same retention obligations as email under most regulations. The challenge is that many organizations adopted these tools rapidly without extending their archiving infrastructure to cover them.
According to Gartner, “the rapid adoption and growth of digital communication tools and application data requires a reassessment of corporate and regulatory compliance capabilities.”
Social media
FINRA, SEC, the Federal Trade Commission (FTC) and the Food and Drug Administration (FDA) all regulate business communications on social platforms. Posts, direct messages, comments and even deleted content may be subject to retention requirements. Financial firms must pre-approve certain social media communications and maintain archives of all business-related social activity.
Voice calls and voicemail
Voice recording and retention requirements apply under several regulations, including FINRA rules for broker-dealer communications and the Markets in Financial Instruments Directive II (MiFID II) requirements for financial firms operating in the EU. Organizations must capture call recordings, voicemail messages and, in many cases, transcripts for compliance purposes.
Video conferencing
Organizations must capture and store recordings and transcripts of regulated meetings. As video conferencing has become a standard business communication tool, regulators have signaled that the same retention requirements that apply to other channels extend to video as well.
Risks of Non-compliance with Communication Regulations
The consequences of failing to comply with communication retention and supervision requirements are measurable and severe.
Financial penalties
SEC enforcement data shows the agency imposed more than $2.3 billion in fines for communication recordkeeping failures since 2021, though new off-channel cases slowed sharply through 2025 as the agency’s priorities shifted. Individual firms have faced penalties ranging from $10 million to over $100 million.
FINRA has since picked up the enforcement focus, flagging recordkeeping and off-channel lapses more than 50 times in its 2026 Annual Regulatory Oversight Report. It is also increasingly holding individual brokers personally liable, with penalties including suspensions and at least one outright industry bar.
HIPAA violations carry penalties of up to $1.5 million per violation category annually, according to the HHS Office for Civil Rights. SOX violations can result in fines up to $5 million for individuals and $25 million for organizations, per Section 1106 of the Sarbanes-Oxley Act.
Legal exposure
When your organization cannot produce communications during litigation or a regulatory inquiry, the consequences extend past fines. Under Federal Rule of Civil Procedure 37(e), when electronically stored information that should have been preserved is lost because a party failed to take reasonable steps, a court may order curative measures and, on a finding that the party acted with intent to deprive, may instruct the jury to presume the lost information was unfavorable. That adverse inference means the jury is told to assume the missing communications contained information damaging to your organization.
In ediscovery, speed matters as much as completeness. Courts expect organizations to produce relevant communications within reasonable timeframes. An inability to search, retrieve and export archived communications quickly can result in sanctions, extended litigation timelines and increased ediscovery costs.
Reputational damage
Public enforcement actions erode client trust and market confidence. In financial services, SEC and FINRA enforcement announcements are public record.
Healthcare organizations face reputational harm when HIPAA violations become public. Government agencies lose public trust when they cannot comply with open records requests.
Operational disruption
Regulatory investigations divert internal resources from core business operations. Legal and compliance teams spend months responding to inquiries, IT teams scramble to locate and produce records, and leadership attention shifts from growth to damage control.
How to Build a Regulated Communications Compliance Strategy
A compliance strategy for regulated communications requires a systematic approach. Here are seven steps your organization should follow.
1. Identify your regulatory obligations
Start by mapping which regulations apply to your organization based on your industry, geographic operations and communication types. Many organizations operate under multiple overlapping regulations. A healthcare company that is publicly traded, for example, must comply with HIPAA, SOX and potentially state-level privacy laws simultaneously.
2. Audit your communication channels
Inventory every channel your employees use for business communication. This includes corporate email, personal email used for business, text messages, messaging apps, collaboration platforms, social media, voice calls and video conferencing. Pay special attention to shadow IT and unsanctioned apps that employees may be using without organizational approval.
3. Implement a unified archiving solution
Deploy a compliance archiving solution that captures all communication channels in one place with tamper-proof storage, configurable retention policies and search capabilities. Fragmented archiving across multiple tools creates gaps, increases costs and makes ediscovery more difficult.
Gartner projects that “by 2029, 30% of enterprises will shift to a proactive employee digital communications governance approach” indicating that the market is moving toward unified, proactive archiving rather than reactive, channel-by-channel solutions.
4. Establish retention policies
Set retention periods that meet or exceed the strictest regulation your organization must follow. A financial services firm subject to SEC Rule 17a-4 needs a minimum of six years for certain records. A government agency may need indefinite retention for some categories of public records.
Document your retention policies formally and review them at least annually as regulations change. A broader data governance strategy can help you formalize this process. For financial firms, the FINRA books and records requirements page provides detailed guidance on retention periods.
5. Enable supervision and monitoring
Configure automated alerts and review workflows for high-risk communications. Financial firms need supervisory review of written communications under FINRA Rule 3110.
Healthcare organizations need to monitor for ePHI in non-secure channels. Compliance automation tools with classification and sentiment analysis can help compliance teams focus their review efforts on the highest-risk messages.
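As an added example (not code from the original page and not Jatheon's product logic), the following Python sketch shows the kind of first-pass triage a supervision workflow performs before a human reviewer sees anything: it keeps the metadata the guide says a complete record needs, flags messages sent on channels outside a hypothetical sanctioned list, applies a FINRA-style review lexicon for client-account and transaction language, and looks for ePHI indicators such as an SSN or a hypothetical MRN format. The channel list, lexicon, patterns, weights and sample messages are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Assumed for this example: the channels the organization actually captures.
SANCTIONED_CHANNELS = {"email", "teams", "slack"}

# Assumed review lexicon: terms that suggest client-account or transaction
# business, which is what supervisory review under FINRA Rule 3110 targets.
REGULATED_BUSINESS_TERMS = re.compile(
    r"\b(client|account|order|trade|execut\w*|guarantee\w*|wire|transfer)\b",
    re.IGNORECASE,
)

# Assumed ePHI indicators: a US SSN layout and a hypothetical MRN format.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MRN_PATTERN = re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE)

# Assumed severity weights used to order the review queue.
WEIGHTS = {"off_channel": 1, "regulated_business": 2, "ephi_indicator": 3}


@dataclass
class Message:
    """One captured communication plus the metadata a complete record needs."""
    sender: str
    recipient: str
    timestamp: str          # ISO 8601, preserved alongside the body
    channel: str
    body: str
    attachments: tuple = ()  # file names; attachments are part of the record


@dataclass
class ReviewResult:
    flags: list = field(default_factory=list)

    @property
    def needs_review(self) -> bool:
        return bool(self.flags)

    @property
    def score(self) -> int:
        return sum(WEIGHTS[f] for f in self.flags)


def classify(msg: Message) -> ReviewResult:
    """Apply the three rule families and return the flags they raise."""
    result = ReviewResult()
    if msg.channel not in SANCTIONED_CHANNELS:
        result.flags.append("off_channel")
    if REGULATED_BUSINESS_TERMS.search(msg.body):
        result.flags.append("regulated_business")
    if SSN_PATTERN.search(msg.body) or MRN_PATTERN.search(msg.body):
        result.flags.append("ephi_indicator")
    return result


def triage(messages):
    """Return (message, result) pairs that need review, highest score first."""
    flagged = [(m, classify(m)) for m in messages]
    flagged = [(m, r) for m, r in flagged if r.needs_review]
    return sorted(flagged, key=lambda pair: pair[1].score, reverse=True)


# Constructed sample messages; none of these are real communications.
SAMPLE_MESSAGES = [
    Message("broker@firm.example", "+15550001111", "2026-01-12T14:02:00Z",
            "whatsapp", "Can you move 500 shares into the Hendricks account before close?"),
    Message("broker@firm.example", "colleague@firm.example", "2026-01-12T14:05:00Z",
            "email", "Lunch Friday? Market's been wild."),
    Message("nurse@clinic.example", "+15550002222", "2026-01-12T15:10:00Z",
            "sms", "Patient MRN 20483921 results are back, SSN 123-45-6789 on file"),
    Message("trader@firm.example", "ops@firm.example", "2026-01-12T15:30:00Z",
            "teams", "Please execute the order for client Liu", ("ticket.pdf",)),
]

if __name__ == "__main__":
    for msg, result in triage(SAMPLE_MESSAGES):
        print(f"[{result.score}] {msg.channel:8} {msg.sender}: {result.flags}")
```

The point of the ordering is that an unsanctioned channel by itself is a capture problem, but an unsanctioned channel carrying client-account language or ePHI is the case that draws enforcement, so it should reach a reviewer first. In a real deployment the lexicon and patterns would be tuned against the firm's own false-positive rate, and every flag decision would itself be written to the audit trail.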
6. Prepare for audits and ediscovery
Your archiving system must support rapid search, retrieval and production of communications. When a regulator sends an inquiry or opposing counsel issues a preservation notice, you need the ability to locate relevant records across all channels quickly.
Test your ediscovery readiness regularly. Run mock searches and production exercises to confirm that your team can meet regulatory response deadlines.
7. Train employees
Make sure your staff understands which communications are regulated and what their obligations are. Training should cover approved communication channels, prohibited practices (such as using personal devices for regulatory communications without capture) and the consequences of non-compliance for both the organization and the individual.
How Jatheon Can Help
Building a regulated communications strategy is one thing. Proving it holds up during an audit, exam or legal hold is another. Jatheon Cloud gives compliance and IT teams a single platform to capture, retain and produce communications across every channel this guide covers.
- Capture every regulated channel from one platform. Jatheon’s 25+ Data Connectors archive email, SMS, iMessage, WhatsApp, Microsoft Teams, Slack, social media, file sharing, AI communications and website content, so the off-channel gaps that drive FINRA and SEC enforcement don’t exist in your archive.
- Meet SEC 17a-4 and FINRA 3110 requirements out of the box. WORM-compliant, tamper-proof storage and configurable retention by channel and record type satisfy the three-to-six-year retention window, while built-in supervision and keyword-review workflows cover the platforms brokers actually use, not just email.
- Support HIPAA and SOX obligations with the same infrastructure. Role-based access controls, encryption in transit and at rest, and a complete, tamper-evident audit trail help healthcare organizations protect ePHI and give publicly traded companies a defensible record of audit-related communications.
- Automate FOIA and open records production. For government agencies and school districts, FOIA Request Automation manages the records-production workflow end to end, helping you meet state and federal response deadlines without manual collection.
- Find anything in minutes, not weeks. Unified Search runs across every archived channel at once, and Liya, Jatheon’s built-in AI assistant, summarizes results and answers questions directly inside search, turning a regulatory inquiry or legal hold into a same-day task.
- Stay audit-ready by default. The AI-Powered Dashboard consolidates storage volumes, search and export activity, and policy changes into one view, so you can document compliance posture before an auditor or regulator asks for it.
FAQ
Which industries have regulated communications?
Financial services, healthcare, government and education face the strictest communication compliance requirements. Financial firms must comply with FINRA and SEC rules, healthcare organizations with HIPAA, government agencies with FOIA and open records laws, and educational institutions with FERPA.
What happens if you fail to comply with communication regulations?
Penalties range from significant fines to criminal liability. The SEC and FINRA have imposed over $2.3 billion in fines for communication recordkeeping failures since 2021, with FINRA now also pursuing individual brokers directly. Organizations also face adverse inference rulings in litigation, reputational damage and operational disruption from regulatory investigations.
Do text messages and social media count as regulated communications?
Yes. Text messages, social media posts, direct messages and comments all fall under the same regulatory requirements as email when used for business purposes. The SEC’s recent enforcement sweep specifically targeted firms that failed to archive text and messaging app communications.
How long must regulated communications be retained?
Retention periods depend on the applicable regulation. SEC Rule 17a-4 requires three to six years for broker-dealer communications. HIPAA mandates a minimum of six years for certain records, and government agencies may need to retain public records indefinitely depending on their jurisdiction and record classification.
Does every employee conversation count as a regulated communication?
Working in a regulated industry doesn’t automatically turn every message into a regulatory communication. A broker discussing general market trends with a colleague isn’t the same as a broker discussing a specific client’s account or a pending transaction. The second falls under retention and supervision requirements, the first typically doesn’t. The distinction comes down to whether the content relates to a regulated business activity, not just who sent it or what platform they used.