· Luke Faragher · Compliance  · 7 min read

FINRA mobile compliance: where call recording fits

FINRA doesn't tell you how to handle mobiles — it tells you to supervise and preserve. The three policy models firms use, and where recording fits.

FINRA doesn't tell you how to handle mobiles — it tells you to supervise and preserve. The three policy models firms use, and where recording fits.

Ask what FINRA requires for mobile phones and you’ll find something slightly uncomfortable: FINRA mostly doesn’t talk about phones. It talks about supervision and records. The rules are channel-neutral, which means the mobile phone in every rep’s pocket is covered by the same obligations as the recorded desk line and the archived email system — whether or not your compliance program has caught up with that fact.

More than 100 firms and $2 billion+ in SEC penalties (plus parallel CFTC and FINRA actions) say most programs hadn’t. This post lays out the FINRA framework as it applies to mobile, the three policy models firms actually use, and where network-level recording fits — including its honest limits.

This is not legal advice. It’s product and market information. Your obligations depend on your membership agreement, registrations and business lines — speak to your compliance counsel.

The FINRA framework for mobile communications

Three layers matter:

Rule 4511 — books and records. FINRA members must make and preserve books and records as required under FINRA rules and the Exchange Act. Retention follows SEC Rule 17a-4 — business communications for at least three years, first two easily accessible — and where no period is specified, 4511 applies a six-year default. We’ve unpacked the SEC layer, including the 2022 audit-trail amendments, in SEC Rule 17a-4 and mobile call recording.

Rule 3110 — supervision. Firms must establish and maintain a supervisory system reasonably designed to achieve compliance, including review of incoming and outgoing written correspondence — and FINRA’s supplementary material ties retention of that correspondence back to 17a-4(b). “Written correspondence” includes text messages: FINRA said plainly in Regulatory Notice 17-18 that if staff text about business, the firm must retain and supervise those texts. An unmonitored channel your reps actually use is, by definition, a supervisory gap.

Rule 3170 — the Taping Rule. The one place FINRA does mandate voice recording: firms that hire a defined proportion of registered persons from previously disciplined firms must tape all telephone conversations between registered persons and existing or potential customers, and supervise them. If 3170 catches your firm, mobile calls are squarely in scope — a rep’s mobile is a “telephone.”

So the honest summary of “FINRA call recording requirements”: recording is mandatory for taping firms, and for everyone else it’s the evidential backbone of duties you unambiguously have — preservation and supervision of business communications on whatever channel they occur.

The three policy models (and how they fail)

Every FINRA member with client-facing staff on mobiles ends up choosing between three models.

1. Prohibit

Ban business communication on mobile channels that aren’t captured. It’s the cheapest policy to write and the most expensive to believe. This is precisely the policy that the off-channel enforcement wave tested to destruction: the fined firms had prohibitions. Clients text anyway, reps reply anyway, and years later the firm is explaining to a regulator why records it was required to keep don’t exist. Prohibition can work for narrow, low-risk roles with real technical enforcement — for producing reps, it mostly generates undocumented conversations.

2. Corporate devices with capture

Issue firm-owned phones with recording and archiving on them. Control is strong, and for some desks it’s the right answer. The costs: a second handset in everyone’s pocket (which quietly encourages defection back to the personal phone), device fleet management, and — if capture is app-based — all the reliability problems apps bring (next section).

3. BYOD with a captured business identity

The model that increasingly wins because it matches how people behave. The rep keeps one handset — their own. A business number on a separate SIM or eSIM is added to it; modern iPhones and Androids run dual SIM natively. Everything on the business number — voice and SMS — is captured; the personal number is never touched. The rep gets one phone and a clean work/personal split. The firm gets a complete record of the business channel and a much more credible story that business traffic actually stays on it, because using the business line is no harder than using the personal one.

Most real programs mix these by role and risk. Whatever the mix, the capture layer underneath determines whether the policy is real.

Where network-level recording fits

There are two ways to capture the business identity’s traffic.

Apps put software on the handset. Their weaknesses are structural rather than fixable: the native dialer and Messages app are always one tap away; apps get deleted, logged out and broken by OS updates; iOS restricts call audio so many “recorder apps” are really conference bridges; and completeness is unprovable — you can show what the app captured, not what it missed.

Network-level (SIM-based) recording moves capture into the mobile network itself. Every call and SMS on the business number is recorded before it ever touches the handset’s software. Nothing to install, nothing to bypass, nothing to delete. The rep uses the phone’s native dialer and Messages app like a normal human, and the record is made anyway.

For supervision, that difference is the whole point. Rule 3110 asks whether your system is reasonably designed; a review process running over a channel that users can silently exit is hard to defend, while one running over a network-captured channel starts from completeness.

Recordings and messages then need to land where your compliance team already works. ONSIM is bring-your-own-archive: full-metadata export via API, SFTP, SIP-REC or HTTPS POST into platforms including Bloomberg Vault, Global Relay, Smarsh, SteelEye, Verint, ASC, NICE, Theta Lake and Soteria, or plain AWS S3 / Azure Blob / Google Cloud storage — so lexicon surveillance, sampling reviews and reconstruction requests treat mobile as just another channel. Retention is configurable to 17a-4 periods, 4511’s six-year default, or whatever schedule your counsel sets. Product detail: Mobile Compliance Recording and Mobile Call & SMS Recording.

One more capability worth knowing about for the texting side: because ONSIM operates the network, we can put your firm in the flow of SMS — messages can be validated before delivery, not just archived after. That, plus SMS-only deployments, is covered in Dodd-Frank text message recording — relevant to dual-registrants with CFTC obligations too.

Honest limits: availability and scope

Two things we’d rather say plainly than have you discover later.

Coverage. ONSIM is a UK-headquartered mobile network. Globally we operate through partner Tier 1 networks and run centrally managed compliance deployments across multiple geographies for international institutions. US deployment is scoped case-by-case — speak to our solutions team about US deployment for your specific user base and locations rather than assuming coverage. For a global firm with US, UK, EU and APAC staff, one recording architecture across regions is exactly the problem we exist to solve; for a purely domestic US firm, let’s have the conversation first.

Scope. Recording is infrastructure, not a compliance program. Written supervisory procedures, correspondence-review workflows, training, escalation and attestation remain your compliance function’s work — we give that work a complete record to run on, and we can introduce compliance partners where useful.

If mobile is the soft spot in your supervision and books-and-records story — and for most firms it still is — we’ll walk you and your compliance team through the architecture, the archive integration and a rollout plan.

Request a quote at onsim.uk/quote or call +44 333 880 4008.


This article is general information, not legal or compliance advice. Obligations under FINRA Rules 3110, 3170 and 4511 and SEC Rule 17a-4 depend on your firm’s circumstances — confirm your position with your compliance counsel. Sources: FINRA Rules 3110, 3170, 4511 (finra.org); FINRA Regulatory Notice 17-18; 17 CFR 240.17a-4; SEC and CFTC off-channel enforcement releases 2021–2025.

Back to Blog

Related Posts

View All Posts »
ONSIM Launch 3CX SIM

ONSIM Launch 3CX SIM

ONSIM launches a native mobile 3CX SIM service in the UK, simplifying PBX connectivity without apps or VoIP.