    SEC & FINRA SMS Archiving Compliance: A Guide for Financial Services (and GoHighLevel Users)

    If your firm is registered with the SEC or FINRA — broker-dealers, registered investment advisers (RIAs), insurance reps, or any financial services business communicating with clients by text — every business-related SMS must be captured, retained, and producible on demand. This guide covers what SEC Rule 17a-4 and FINRA Rules 4511 / 2210 require for text messages, how the audit trail and proof-of-consent obligations interact with TCPA/10DLC, and how to architect a compliant SMS workflow on GoHighLevel.

    What the SEC & FINRA require for SMS

    Text messages sent or received in the course of business by a registered firm are "business communications" under federal securities law. Three rules drive the requirements:

    • SEC Rule 17a-4(b)(4) — broker-dealers must preserve originals of all communications relating to their business for at least 3 years (first 2 years in an easily accessible place).
    • SEC Rule 17a-4(f) — electronic records (including SMS) must be stored in a non-rewriteable, non-erasable (WORM) format, time-stamped, indexed, and producible on demand.
    • FINRA Rule 4511 — extends the same recordkeeping standard to FINRA members, with a default 6-year retention for many record types.
    • FINRA Rule 2210 — content standards for retail communications, including SMS marketing.
    • Investment Advisers Act Rule 204-2 — RIAs must retain client communications for at least 5 years.

    In 2022–2024 the SEC fined more than 60 firms a combined $2.6 billion+ for off-channel communications failures, the bulk tied to unarchived text messages. Enforcement is active and trending up.

    Who is covered

    These requirements apply to:

    • SEC-registered broker-dealers and their representatives
    • FINRA member firms (associated persons included)
    • Registered investment advisers (RIAs) under the Advisers Act
    • Insurance and annuity representatives selling securities products
    • Bank-affiliated wealth and trust units handling securities business

    If a representative texts a client about an account, a trade, a product recommendation, or anything that "relates to the business of such member," the message is in scope — regardless of which phone or app sent it.

    Audit trail requirements

    An SEC/FINRA-grade SMS audit trail must capture, at minimum:

    • Full message content (inbound and outbound), including media
    • Sender and recipient identifiers — phone number, associated person, client account
    • Trusted, immutable timestamps synced to a reliable time source
    • Delivery/read status where available from the carrier
    • Tamper-evident storage — typically a cryptographic hash chain or WORM media, with an independent audit log of access events
    • Indexed, searchable retrieval so the firm can produce specific messages within the SEC's "promptly producible" window

    The record must survive a representative leaving the firm, switching devices, or deleting messages locally. That is why personal-device SMS without an enterprise archive is the failure mode regulators keep fining.

    Archiving GoHighLevel SMS for SEC/FINRA compliance

    GoHighLevel is the most common SMS platform among financial-services agencies and independent advisers, but GHL's native conversation history is not an SEC-grade archive. It is editable, deletable by sub-account users, and not stored in WORM format.

    To make GHL workflows defensible:

    1. Export SMS to a WORM archive in real time. Use GHL's outbound webhooks on `InboundMessage` and `OutboundMessage` events to stream every SMS to a compliant archive (Smarsh, Global Relay, Proofpoint, MirrorWeb, or a self-hosted S3 bucket with Object Lock).
    2. Capture proof-of-consent at opt-in. Replace GHL's default opt-in form with a court-admissible consent capture (OptInFix or equivalent) that records IP, user agent, the exact CTIA disclosure shown, and a SHA-256 hash of the submission. Store the hash and a downloadable certificate.
    3. Hash-chain the archive. Each archived message should reference the hash of the prior message, so any deletion or reordering is detectable.
    4. Restrict deletion permissions at the sub-account level — only a compliance role can purge records, and purges are logged.
    5. Document the workflow in your written supervisory procedures (WSPs) so an examiner can see how SMS flows from GHL to the archive.

    This pattern — GHL for sending, an external WORM archive for retention, and a dedicated consent platform for opt-in evidence — is what passes an SEC sweep.
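
    Steps 1 and 3 above, as an added example (not code from GoHighLevel or any archive vendor): each webhook event is sealed into a hash chain as it arrives, and a verifier reports edits, deletions, and reordering. The event field names and the in-memory list standing in for the archive are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first record


def _digest(record):
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    body = {k: v for k, v in record.items() if k != "hash"}
    blob = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def append(chain, event):
    """Seal one webhook event into the chain and return the stored record."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "prev_hash": prev, "event": event}
    record["hash"] = _digest(record)
    chain.append(record)
    return record


def verify(chain, anchored_head=None):
    """Return a list of findings; an empty list means the chain is intact."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(chain):
        if rec.get("seq") != i:
            findings.append(f"position {i}: sequence gap or reorder")
        if rec.get("prev_hash") != prev:
            findings.append(f"position {i}: prev_hash mismatch")
        if _digest(rec) != rec.get("hash"):
            findings.append(f"position {i}: content altered after sealing")
        prev = rec.get("hash")
    # Dropping the newest records leaves a valid shorter chain; only a head
    # hash stored outside the archive (e.g. under Object Lock) exposes that.
    if anchored_head is not None and prev != anchored_head:
        findings.append("head hash differs from anchored value")
    return findings


# Constructed sample events; field names are illustrative, not GHL's schema.
SAMPLE = [
    {"type": "OutboundMessage", "to": "+15550199", "ts": "2024-03-01T14:02:11Z", "body": "Statement ready."},
    {"type": "InboundMessage", "from": "+15550199", "ts": "2024-03-01T14:05:40Z", "body": "Call Friday?"},
    {"type": "OutboundMessage", "to": "+15550199", "ts": "2024-03-01T14:06:02Z", "body": "Yes, 10am."},
]
```

    The chain alone cannot show that the most recent messages were dropped, so the current head hash should be written somewhere the archive's own operators cannot rewrite and passed to `verify` as `anchored_head`.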

    Implementation checklist

    Use this as a starting checklist for SEC/FINRA-grade SMS on GoHighLevel:

    • 10DLC brand + campaign registered to the correct legal entity
    • Opt-in form captures IP, user agent, timestamp, disclosure version, and a tamper-evident hash
    • CTIA-compliant SMS disclosure shown at opt-in and on the first message
    • GHL webhooks streaming every inbound/outbound SMS to a WORM archive
    • Retention configured for at least 6 years (broker-dealer) or 5 years (RIA)
    • Hash-chain or WORM Object Lock protecting the archive
    • Suppression list synced when a recipient texts STOP
    • Quarterly compliance review documented in WSPs
    • Designated principal able to retrieve any message within the SEC's prompt-production window

    Frequently asked questions

    Can GoHighLevel texts be archived for SEC compliance?

    Not out of the box. GoHighLevel stores SMS in an editable conversation database, not a WORM archive. To meet SEC Rule 17a-4(f), stream GHL's inbound/outbound message webhooks to a compliant archive (Smarsh, Global Relay, MirrorWeb, or an S3 bucket with Object Lock) and pair it with court-admissible proof-of-consent records.

    How long must broker-dealers retain SMS under SEC Rule 17a-4?

    At least 3 years, with the first 2 years in an easily accessible place. FINRA Rule 4511 extends the practical retention to 6 years for most business records. RIAs fall under Advisers Act Rule 204-2 with a 5-year retention. Plan for 6 years to cover the strictest applicable rule.

    Do TCPA consent records satisfy SEC archiving?

    No. TCPA proof-of-consent and SEC message archiving are separate obligations. TCPA requires proof the recipient opted in; SEC Rule 17a-4 requires the verbatim content of every business message be preserved in WORM format. Compliant firms maintain both, linked by phone number.

    Are personal-device texts from financial reps in scope?

    Yes, if they relate to firm business. The 2022–2024 SEC off-channel sweeps targeted exactly this — reps using personal phones for client communications that the firm could not produce. Either prohibit personal-device business texting in writing, or route it through an archived enterprise channel.

    What format does the SEC accept for SMS archives?

    Non-rewriteable, non-erasable (WORM) electronic storage, time-stamped, indexed, and producible on demand under Rule 17a-4(f). Cloud storage with object-level immutability (e.g., S3 Object Lock in Compliance mode) and a designated third-party downloader meet the standard when configured correctly.

    What happens if a firm cannot produce archived texts during an SEC exam?

    Recent enforcement settlements have ranged from $1.5M to $125M+ per firm for off-channel communications failures, with individual reps separately fined and supervisors charged with failure-to-supervise. The SEC has signaled these sweeps will continue.
