SMS Archiving for Regulated Industries: FINRA, SEC, HIPAA & FOIA


    A single SEC order turned employee text messages into a $3 billion liability. It changed how every compliance officer thinks about text messages.

    J.P. Morgan paid $200 million, not for fraud or manipulation, but for letting employees text about business on personal phones without capturing those messages.

    That single action launched the most aggressive recordkeeping sweep in SEC history. By early 2025, the SEC and CFTC had imposed nearly $3.6 billion in combined penalties across over 100 firms for the same failure: unarchived texts.

    But this isn’t just a Wall Street problem. HIPAA, FOIA, and FERPA each carry their own text message obligations covering healthcare organizations, government agencies, and school districts alike.

    This guide covers:

    • Why SMS archiving is harder than email compliance
    • Requirements for financial services, healthcare, and government
    • How archiving technology works in practice
    • Best practices for staying compliant

    Why SMS Archiving Is Uniquely Challenging and Risky

    Email has been subject to archiving requirements for decades, and most regulated organizations have email archiving infrastructure in place. Text messaging is a fundamentally different problem. The gap between the two is where regulatory liability lives.

    The BYOD Problem

    BYOD (Bring Your Own Device) policies reduce costs and boost productivity, but in regulated industries they create a compliance minefield. When an employee’s personal iPhone is the device through which they text a client about a securities recommendation, a patient about a medication change, or a colleague about a FOIA-sensitive matter, that conversation lives on a private device the organization cannot monitor.

    The organization bears full regulatory liability for communications it has no technical mechanism to capture. Regulators have made clear this is not an acceptable excuse. In the JPMorgan case, the SEC confirmed the failures were firm-wide: the organization knew the communications were happening and failed to build a system to capture them.

    The Consumer Messaging App Problem

    Employees increasingly use iMessage, WhatsApp, Signal, and Telegram for business. These platforms offer end-to-end encryption, which defeats carrier-level capture, plus ephemeral and auto-delete modes that destroy messages before any archive can see them. Regulators have treated this as an aggravating factor, not a mitigating one.

    Using a platform built to avoid archiving is not a defense; regulators read it as evidence of willful non-compliance. In January 2025, SEC settlements with 12 firms totaling $63 million explicitly cited personal messaging platforms as the mechanism of violation.

    The Scale Problem

    A 50-advisor financial firm may generate thousands of client-related texts daily. A hospital system produces patient communications around the clock. A government agency in crisis mode runs almost entirely on mobile.

    Capturing, indexing, and storing this volume in a searchable, tamper-proof archive requires purpose-built technology, not manual record-keeping or periodic device exports.

    FINRA and SEC: SMS Archiving Requirements for Financial Services

    Financial services firms include broker-dealers, registered investment advisers (RIAs), financial planners, and anyone registered with FINRA or the SEC. They operate under the most stringent SMS archiving requirements of any regulated industry.

    The regulatory framework is clear, the enforcement record is extensive, and the financial consequences of non-compliance are severe.

    The Core Regulatory Requirements

    • FINRA Rule 4511 — requires firms to make and preserve records in the format and media required by SEC rules, for a minimum period of six years. This explicitly encompasses electronic communications, including text messages, that relate to the firm’s business.
    • FINRA Rule 3110 — requires firms to supervise business communications, including text messages, consistently with how they supervise email. If a firm permits employees to text with clients about business matters, it must have a supervisory system in place to review those communications. This requires archiving as a prerequisite.
    • SEC Rule 17a-4 — requires broker-dealers to preserve electronic communications for a minimum of three years, with the first two years in an easily accessible location. The records must be stored either in a non-rewritable, non-erasable (WORM) format or, since the rule’s 2022 amendments, in a system with a complete audit trail that records every change to a record, and they must be retrievable within a reasonable time frame in response to regulatory requests.
    • Investment Advisers Act Rule 204-2 — requires registered investment advisers to maintain books and records of written business communications for five years. This applies to text discussing securities, client accounts, trades, investment recommendations, or client relationships.

    The regulatory standard is clear: if your employees text about business, those messages are business records, and they must be captured, retained, and supervisable. The channel, device, or carrier does not matter. 

    The regulatory obligation follows the content of the communication, not the platform through which it travels.

    The Enforcement Record: A Penalty Tracker

    The following table illustrates the major SMS and off-channel communications enforcement actions from 2021 through January 2025:

    Firm(s) and date                                                     | Penalty  | Violation
    JPMorgan Securities — December 2021                                  | $200M    | Employees texted clients on personal phones for three years; no records kept
    16 Wall Street firms — September 2022                                | $1.1B    | Firms let staff use personal messaging apps for business; nothing archived
    20+ broker-dealers and investment advisers — August 2023             | $400M    | Firms let staff use personal messaging apps for business; nothing archived
    16 firms (5 BDs, 7 dual-registered, 4 IAs) — February 2024           | $81M     | Employees used unapproved platforms for business
    26 investment advisers and broker-dealers — August 2024              | $392.75M | Senior executives and employees used texting, WhatsApp, and other apps for client communications without archiving
    12 firms (9 IAs, 3 BDs) — January 2025                               | $63M     | Failure to maintain and preserve electronic communications, including texts on personal devices


    Key Lessons from the Enforcement Record

    Five years of SEC enforcement reveals patterns every compliance officer should internalize:

    Size offers no protection. The sweep expanded beyond major Wall Street institutions to standalone RIAs, municipal advisors, and small broker-dealers. Regulators have made clear there is no firm too small to prosecute.

    Senior staff are the highest risk. In every major action, supervisors, managing directors, and compliance officials were texting off-channel themselves, not just junior employees. This is what converted isolated incidents into firm-wide failures and maximum penalties.

    Self-reporting cuts penalties by 95%. The January 2025 settlements made this stark: one firm that self-reported paid a fraction of what non-reporting firms paid for identical violations. Early disclosure is the most financially rational decision available.

    Fines are only part of the cost. Beyond penalties, firms faced mandatory third-party compliance audits, independent consultants, enhanced supervisory procedures, and multi-year regulatory monitoring. These costs exceed the fine itself.

    What Must Financial Firms Archive

    Any text or electronic message constituting a business communication is covered on any platform, on any device. In practice, this means:

    • Securities discussions, trade ideas, and client account matters, regardless of how casually phrased; an offhand text suggesting a stock is still an archivable investment recommendation
    • Client instructions received via text: order confirmations, allocation changes, withdrawal requests
    • Internal communications touching client matters, firm strategy, or market conditions
    • Messages on SMS, iMessage, WhatsApp, Signal, Telegram, or any other platform, firm-issued or personal

    HIPAA: SMS Archiving Requirements for Healthcare Organizations

    HIPAA (Health Insurance Portability and Accountability Act) does not prohibit text messaging but it imposes strict requirements on how protected health information (PHI) is transmitted and retained via any electronic medium, including SMS.

    How HIPAA Applies to Text Messages

    Standard SMS lacks the safeguards the HIPAA Security Rule expects for electronic PHI: encryption in transit, user authentication, audit logging, access controls, and controlled retention. Carrier SMS is relayed and stored in the clear, so a nurse texting a patient’s medication information to a colleague via standard SMS is likely committing a HIPAA violation because the channel is unsecured.

    Compliant transmission of PHI (Protected Health Information) via text requires a secure messaging platform with encryption in transit and at rest, role-based access control, MFA, immutable audit logs, and configurable retention aligned with HIPAA’s six-year requirement.

    HIPAA’s Six-Year Retention Requirement

    Every text message containing PHI must be retained for a minimum of six years, stored in a retrievable format, and available for production during an HHS Office for Civil Rights (OCR) audit. Treat six years as a floor: HIPAA’s six-year period (45 CFR 164.316) applies to required documentation, and state medical-record laws may require longer retention for the clinical content itself. Messages stored on a personal device or carrier infrastructure do not meet this standard. They can be overwritten, lost during device replacement, or inaccessible when an employee leaves.

    A purpose-built archiving solution captures messages at transmission, indexes them with full metadata, and stores them in a tamper-proof repository.

    HIPAA Penalty Structure

    HIPAA penalties follow a four-tier culpability structure, with 2025 inflation-adjusted maximums of roughly $2.2 million per violation category per year for willful neglect. Each affected patient can count as a separate violation. In 2025, OCR signaled a shift in emphasis by announcing 10 resolution agreements targeting gaps in basic HIPAA Security Rule compliance.

    Business Associate Agreements

    Any vendor handling PHI must have a signed Business Associate Agreement (BAA) before processing a single message. This applies directly to SMS archiving vendors.

    A compliant BAA must commit the vendor to using PHI only as permitted, maintaining appropriate safeguards, reporting breaches, and binding subcontractors to the same requirements.

    HIPAA SMS Violation Scenarios

    • Nurse texts patient diagnosis to wrong number: unauthorized PHI disclosure
    • Physician uses personal iPhone for patient care coordination: no BAA, archive, or audit trail
    • Hospital uses group SMS for shift coordination including patient names: unencrypted PHI
    • Home health agency uses WhatsApp for care coordination: no BAA, enterprise archiving, or audit log

    FOIA and State Sunshine Laws: SMS Archiving for Government Agencies

    Government agencies at every level (federal, state, and local) are required to preserve text messages that relate to the conduct of official business as public records.

    This obligation exists regardless of whether the message was sent from a government-issued device or a personal one.

    Business Text Message Archiving

    Government text messages are public records when their content relates to official business. Courts in California, Washington, and elsewhere have repeatedly affirmed this substance-over-device standard.

    FOIA (Freedom of Information Act) governs federal agencies, with NARA guidance requiring text messages be treated identically to other communications and scheduled for retention accordingly. Every state has a parallel sunshine law applying the same logic to state agencies, municipalities, school districts, and county governments.

    The BYOD Gap in Government Agencies

    The compliance gap in government SMS archiving is well-documented. The majority of government organizations that allow text messaging for official business are not retaining those messages.

    This means that most are generating public records they cannot produce in response to an open records request.

    This is not a hypothetical problem. Government agencies that fail to produce responsive text messages in response to FOIA or sunshine law requests face: civil penalties under state open records laws, court sanctions and adverse judgments in litigation, findings of contempt if records should have been preserved under a litigation hold, and reputational damage from the perception of hiding records.

    What Government Agencies Must Archive

    • Any text from agency-issued devices discussing official business
    • Work-related texts from personal devices used by government employees
    • Group texts coordinating official government activities
    • Texts that form part of the decision-making record for government actions

    Government agencies that fail to archive official text messages aren’t just creating an administrative gap. They’re exposing themselves to real legal and reputational consequences.

    SMS Archiving Requirements by Regulation:


    Regulation                  | Industry                                              | Retention period  | Maximum penalty
    FINRA Rule 4511             | Broker-dealers, FINRA members                         | 6 years           | $310,000 per violation
    SEC Rule 17a-4              | Broker-dealers                                        | 3 years           | $200M+ (JPMorgan precedent)
    IA Act Rule 204-2           | Registered investment advisers                        | 5 years           | $4M–$12M per firm (2025 actions)
    HIPAA                       | Covered entities and business associates (healthcare) | 6 years           | Up to $2.19M per violation category per year
    FOIA / state sunshine laws  | Federal and state/local government agencies           | Varies by state   | Civil penalties, court sanctions, litigation costs


    BYOD, COPE, and Capture Methods: How SMS Archiving Actually Works

    Modern archiving solutions support multiple device ownership models and capture methods, so organizations can achieve compliance without disrupting how employees actually work.

    Device Ownership Models

    • Bring Your Own Device (BYOD): The most compliance-complex model. App-level archiving captures business communications without touching personal messages. This is a legal and technical distinction regulators expect organizations to enforce.
    • Corporate-Owned, Personally Enabled (COPE): Organization-owned and personal use permitted. Device-level archiving captures all communications without the privacy boundary issues present in BYOD.
    • Corporate-Owned, Business Only (COBO): The simplest compliance scenario. Restricted to business use only. Comprehensive device-level archiving with no personal privacy considerations.
    • Choose Your Own Device (CYOD): Employees choose from organization-approved devices that are provisioned and controlled, functionally equivalent to COBO for archiving purposes.

    Capture Methods

    • Carrier-Level Capture: Intercepts and archives messages at the carrier before they reach the device. Comprehensive and invisible to the end user, but requires carrier cooperation and does not cover third-party messaging apps.
    • App-Level Archiving: A purpose-built app captures all business communications automatically with clean separation from personal channels. The most effective method for BYOD deployments.
    • Device-Level Archiving: Software installed directly on the device captures all SMS, MMS, and app-based messages. Most comprehensive for managed devices, but requires MDM integration.

    SMS Archiving Best Practices

    Step 1: Conduct a Mobile Communication Audit
    Map every messaging channel in use (SMS, iMessage, WhatsApp), every device ownership model, every employee category that communicates with clients or patients via text, and every type of information transmitted.

    This audit is the foundation of your archiving policy and technology selection. You cannot archive what you have not identified.

    Step 2: Establish a Written Mobile Communication Policy
    Define which channels are approved, what information may be transmitted via text, and the explicit prohibition on consumer apps like Signal, personal WhatsApp, and personal iMessage for business use. The policy must be signed by every employee, reviewed annually, and reflected in your supervisory procedures under FINRA Rule 3110.

    It must also include a clear process for employees to report archiving failures internally which enables the firm to self-disclose to regulators before an investigation begins.

    Step 3: Deploy a Purpose-Built SMS Archiving Solution
    Consumer-grade tools and manual exports are not compliant. A purpose-built solution must deliver:

    • 100% message capture with no manual steps or coverage gaps
    • WORM-compliant tamper-proof storage satisfying FINRA Rule 4511 and SEC Rule 17a-4
    • Complete metadata preservation: sender, recipient, timestamp, delivery status, and message threading
    • Full-text search across millions of messages using keyword, date range, sender/recipient, and proximity filters
    • Legal hold functionality to freeze specific messages or conversations pending litigation or investigation
    • Redaction tools for producing records in response to FOIA requests while protecting exempt information
    • A complete audit trail of every access, search, and export applied to archived messages
    • A signed Business Associate Agreement (BAA) for healthcare organizations handling PHI
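    As an added illustration (hypothetical code written for this article, not Intradyn’s product or any code from the original page), the following Python sketch shows what several of the properties above look like in practice: append-only storage whose entries are hash-chained so any edit to a message or its metadata is detectable, full sender/recipient/timestamp/delivery-status/thread metadata, legal hold, retention enforcement that refuses to dispose of records early or while on hold, keyword and date-range search, and an audit trail of every search and disposal. The class and function names, the 365-day retention arithmetic, and the sample messages are all assumptions constructed for the demo. Disposal after retention keeps the metadata and hashes and drops only the body, so the chain still verifies afterward; this generalizes the page’s WORM requirement to an archive that can honor a retention schedule without becoming unverifiable.

```python
"""Tamper-evident, retention-aware SMS archive. Hypothetical example code; not a product."""
from __future__ import annotations

import dataclasses
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Minimum retention per regime as stated in this article (days; 365-day years are an assumption).
RETENTION_DAYS = {"finra_4511": 6 * 365, "sec_17a4": 3 * 365, "ia_204_2": 5 * 365, "hipaa": 6 * 365}
GENESIS = "0" * 64
META_FIELDS = ("seq", "sender", "recipient", "sent_at", "delivery_status", "thread_id", "body_hash", "prev_hash")


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(meta: dict) -> str:
    # Canonical JSON so identical metadata always produces the same hash.
    return _sha256(json.dumps(meta, sort_keys=True).encode())


@dataclass(frozen=True)
class Entry:
    seq: int
    sender: str
    recipient: str
    sent_at: str           # ISO 8601 with timezone, e.g. 2024-03-01T14:05:00+00:00
    delivery_status: str
    thread_id: str
    body_hash: str         # SHA-256 of the body; survives disposal of the body
    prev_hash: str         # entry_hash of the previous entry (chain link)
    entry_hash: str        # SHA-256 over every metadata field above
    body: Optional[str]    # None once the body has been disposed of after retention


class WormArchive:
    """Append-only store: entries are never overwritten; bodies are dropped only after retention."""

    def __init__(self, regime: str):
        self.retention = timedelta(days=RETENTION_DAYS[regime])
        self._entries: list[Entry] = []
        self._holds: set[str] = set()   # thread_ids frozen by legal hold
        self.audit: list[dict] = []     # every append, search, hold, and disposal attempt

    def _log(self, actor: str, action: str, detail) -> None:
        self.audit.append({"actor": actor, "action": action, "detail": detail})

    def append(self, *, sender, recipient, sent_at, delivery_status, thread_id, body, actor="capture-agent") -> Entry:
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        meta = {"seq": len(self._entries), "sender": sender, "recipient": recipient, "sent_at": sent_at,
                "delivery_status": delivery_status, "thread_id": thread_id,
                "body_hash": _sha256(body.encode()), "prev_hash": prev}
        entry = Entry(**meta, entry_hash=_entry_hash(meta), body=body)
        self._entries.append(entry)
        self._log(actor, "append", entry.seq)
        return entry

    def entries(self) -> list[Entry]:
        return list(self._entries)

    def verify(self) -> list[int]:
        """Seq numbers whose metadata, body, or chain link no longer match; an empty list means intact."""
        bad, prev = [], GENESIS
        for i, e in enumerate(self._entries):
            meta = {k: getattr(e, k) for k in META_FIELDS}
            intact = (e.seq == i and e.prev_hash == prev and _entry_hash(meta) == e.entry_hash
                      and (e.body is None or _sha256(e.body.encode()) == e.body_hash))
            if not intact:
                bad.append(i)
            prev = e.entry_hash
        return bad

    def search(self, actor, keyword=None, sender=None, since=None) -> list[Entry]:
        since_dt = datetime.fromisoformat(since) if since else None
        hits = [e for e in self._entries if e.body is not None
                and (keyword is None or keyword.lower() in e.body.lower())
                and (sender is None or e.sender == sender)
                and (since_dt is None or datetime.fromisoformat(e.sent_at) >= since_dt)]
        self._log(actor, "search", {"keyword": keyword, "sender": sender, "since": since, "hits": len(hits)})
        return hits

    def place_hold(self, actor, thread_id) -> None:
        self._holds.add(thread_id)
        self._log(actor, "legal_hold", thread_id)

    def dispose(self, actor, seq, now: str) -> bool:
        """Drop a body only if retention has expired and no hold applies; metadata and hashes stay."""
        e = self._entries[seq]
        expired = datetime.fromisoformat(e.sent_at) + self.retention <= datetime.fromisoformat(now)
        if e.body is None or not expired or e.thread_id in self._holds:
            self._log(actor, "dispose_denied", seq)
            return False
        self._entries[seq] = dataclasses.replace(e, body=None)
        self._log(actor, "dispose", seq)
        return True


def build_sample_archive() -> WormArchive:
    """Constructed sample traffic for the demo (not real messages)."""
    a = WormArchive("sec_17a4")
    a.append(sender="+15550100", recipient="+15550199", sent_at="2019-06-03T13:20:00+00:00",
             delivery_status="delivered", thread_id="t-1", body="Client wants to add 200 shares of ACME.")
    a.append(sender="+15550199", recipient="+15550100", sent_at="2019-06-03T13:22:00+00:00",
             delivery_status="delivered", thread_id="t-1", body="Confirmed, placing the order now.")
    a.append(sender="+15550100", recipient="+15550150", sent_at="2024-02-12T09:00:00+00:00",
             delivery_status="delivered", thread_id="t-2", body="Lunch Thursday?")
    return a


if __name__ == "__main__":
    archive = build_sample_archive()
    now = "2025-01-15T00:00:00+00:00"
    print("chain intact:", archive.verify() == [])
    print("keyword hits:", [e.seq for e in archive.search("examiner", keyword="acme")])
    archive.place_hold("legal", "t-1")
    print("dispose seq 0 while on hold:", archive.dispose("retention-job", 0, now))
    print("dispose seq 2 inside retention:", archive.dispose("retention-job", 2, now))
    print("audit events:", len(archive.audit))
```

    Run it directly to see the hold and retention checks refuse disposal; the verify() method is what an examiner-facing export would call before producing records, since a single altered body or re-sequenced entry breaks the chain.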

    Step 4: Integrate SMS into Your Broader Compliance Infrastructure
    Text messages do not exist in isolation. When a regulator requests all communications between a specific advisor and client over a six-month period, your team needs to search email, SMS, and social media in a single query. Unified archiving across all channels is the only operationally viable compliance posture.

    Step 5: Train Employees Continuously
    Employees use personal devices because it is convenient and feels informal. Training must give concrete examples of what constitutes a business communication via text, why archiving is required, and the individual consequences of using unapproved channels. Repeat annually and reinforce every time a new messaging platform is deployed.

    Step 6: Conduct Regular Supervisory Audits
    Archiving technology without supervision does not satisfy FINRA Rule 3110. Firms must conduct documented supervisory reviews of archived messages, searching for off-channel activity patterns and coverage gaps.

    Documented audits also demonstrate good faith to regulators and directly influence enforcement outcomes if a violation is discovered.

    How Intradyn's SMS Archiving Solution Meets Regulatory Requirements

    Intradyn’s SMS archiving solution is purpose-built for the specific compliance demands of FINRA, SEC, HIPAA, and FOIA. This includes:

    Device and carrier flexibility. BYOD, COPE, COBO, and CYOD deployments are all supported, with both app-level and carrier-level capture so your compliance framework fits your workforce, not the other way around. App-level archiving also ensures personal messages are never captured, a non-negotiable for BYOD privacy.

    Tamper-proof, audit-ready storage. Every message is stored in WORM-compliant format, non-rewritable and non-erasable, satisfying SEC Rule 17a-4 and FINRA Rule 4511. Complete metadata including sender, recipient, timestamp, and delivery status is preserved automatically.

    The hard channels, solved. iMessage and WhatsApp, the two platforms at the center of most major enforcement actions, are fully supported with dedicated capture solutions.

    One search across all channels. SMS archiving integrates with Intradyn’s email and social media archiving into a single platform, with full-text fuzzy search and one-click legal hold automation.

    Key Takeaways

    • Text messages about business are records subject to recordkeeping rules across financial services, healthcare, and government. The device doesn’t matter, the content does.
    • The SEC and CFTC have imposed nearly $3.6 billion in penalties since 2021 for unarchived texts, and enforcement has expanded to small firms, not just Wall Street.
    • BYOD is the biggest compliance gap. Personal devices don’t exempt organizations from archiving obligations.
    • Consumer apps like WhatsApp and Signal make capture harder, and regulators treat their use for business as evidence of willful non-compliance.
    • Every major regulation (FINRA, SEC, HIPAA, FOIA) requires tamper-proof, searchable, retrievable storage; manual exports don’t cut it.
    • Self-reporting violations can reduce penalties by up to 95%.

    Frequently Asked Questions

    Do personal phone texts count as public or business records?
    Yes, if the content relates to official business or regulated activity. Courts and regulators have consistently ruled that the device doesn’t determine whether a message is a record, the content does.

    What happens if an employee texts a client from a personal app like WhatsApp?
    The firm is still liable. Using an app designed to avoid retention is treated as an aggravating factor, not a defense. Multiple SEC enforcement actions have explicitly cited WhatsApp as the mechanism of violation.

    How long do text messages need to be retained?
    It depends on the regulation: FINRA requires six years, SEC Rule 17a-4 requires three years (two easily accessible), the Investment Advisers Act requires five years, and HIPAA requires six years. Government agencies vary by state retention schedule.

    Does HIPAA ban texting with patients?
    No, but it requires that any text containing PHI be transmitted and stored on a compliant, encrypted platform with an audit trail and a signed Business Associate Agreement with the vendor.

    Can we just export texts from phones periodically to stay compliant?
    No. Manual exports create gaps, lack metadata, and don’t satisfy WORM storage requirements. Regulators expect automated, continuous, tamper-proof capture.


    Ready to Keep Your Business Texts Compliant and Captured?

    Don’t wait for an SEC sweep, HIPAA audit, or FOIA request to expose gaps in your SMS compliance. Our Intradyn team can help you find the right archiving solution for your industry and retention requirements.


    Azam is the president, chief technology officer and co-founder of Intradyn. He oversees global sales and marketing, new business development and is responsible for leading all aspects of the company’s product vision and technology department.

    FINRA Compliance Checklist Avoid Hefty Penalties With Our FINRA/SEC 17a-4 Compliance Checklist.