· Luke Faragher · Compliance · 8 min read
SEC Rule 17a-4 and mobile call recording: what to capture
SEC 17a-4 makes mobile calls and texts business records. After $2bn+ in off-channel fines, what the rule requires and where SIM-level capture fits.

Since December 2021, the SEC has charged more than 100 firms and collected over $2 billion in penalties for one compliance failure: business communications that happened on channels the firm didn’t capture. Mostly texts and WhatsApp messages on personal phones. Add the CFTC’s parallel actions and the total climbs well past $3 billion.
None of those firms were fined for saying anything wrong. They were fined because the records didn’t exist.
That’s what makes SEC Rule 17a-4 worth understanding properly if your staff do business on mobile phones. Here’s what the rule requires, why the enforcement wave happened, and why the capture method — app on the device versus recording in the network — turns out to be the whole game.
One thing up front: this is not legal advice. It’s product and market information from a mobile network that builds compliance recording. Your scope under 17a-4 depends on your registration and business lines — speak to your compliance counsel.
What Rule 17a-4 actually says about communications
Rule 17a-4 (17 CFR 240.17a-4) sets out which records broker-dealers must preserve and for how long. The provision that matters for mobile is 17a-4(b)(4): firms must preserve “originals of all communications received and copies of all communications sent” relating to the firm’s “business as such” — for at least three years, the first two in an easily accessible place.
Three things follow from that wording:
- It’s channel-neutral. The rule doesn’t say “email”. A voice call, an SMS, a WhatsApp message, a chat — if it relates to the firm’s business, it’s a record.
- It’s device-neutral. There is no personal-phone exemption. If a registered rep negotiates an allocation by text from their own iPhone, that text is a firm record the firm probably doesn’t have.
- It’s a preservation rule, not a recording mandate. 17a-4 doesn’t order you to tape calls the way CFTC Rule 1.35 does for certain commodity firms (more on that in our Dodd-Frank SMS piece). But you can’t preserve what you never captured — so in practice, allowing business on a channel means having a capture mechanism for that channel, or banning the channel and actually enforcing the ban.
Layered on top sits FINRA: Rule 4511 (books and records, six-year default where no period is specified) and Rule 3110 (supervision, including review of correspondence). We’ve covered the FINRA side separately in FINRA mobile compliance recording.
The 2022 amendments: WORM gets an alternative
For years, 17a-4 required electronic records to be stored in WORM format — write once, read many, physically non-rewriteable. In October 2022 the SEC adopted amendments adding an audit-trail alternative: an electronic recordkeeping system may instead preserve records in a manner that permits recreation of an original record if it’s modified or deleted, with a complete time-stamped audit trail of every change. The amendments became effective January 3, 2023, with a compliance date of May 3, 2023 for broker-dealers.
For mobile recording, the practical upshot is good: modern archive platforms with tamper-evident, versioned storage can now satisfy the rule without legacy WORM appliances — which is exactly the model where a recording provider feeds your archive (see “bring your own archive” below).
The off-channel enforcement wave, briefly
The sweep is worth recounting because it explains why mobile is now the channel regulators look at first.
- December 2021 — JPMorgan admits widespread recordkeeping failures and pays a $125 million SEC penalty, plus $75 million to the CFTC. Employees, including managing directors, had done business over personal-device texts and WhatsApp for years; none of it was preserved.
- September 2022 — the SEC charges 15 broker-dealers and one affiliated investment adviser — essentially the top of Wall Street — with combined penalties over $1.1 billion. The same day, the CFTC orders 11 institutions to pay over $710 million for the same conduct on the swaps and futures side.
- 2023–2024 — waves continue, sweeping in mid-size brokers, investment advisers and credit-rating agencies. In August 2024, 26 firms pay a combined $390+ million.
- January 2025 — twelve more firms (including Charles Schwab, Blackstone, KKR, Apollo and Carlyle entities) pay over $63 million, in what the SEC signalled might be the final wave.
The fact pattern was identical everywhere: firms had approved, captured channels — recorded turrets, archived email, compliant chat. And staff routed around all of it, because the phone in their pocket was faster. The firms’ policies prohibited it. The prohibition didn’t survive contact with a personal device, and when the SEC asked for the records, there was nothing to produce.
The lesson isn’t “write a sterner policy.” It’s that any compliance architecture that depends on the user choosing the compliant channel will leak.
App-based capture vs SIM-level capture
Once a firm decides mobile voice and text must be captured, there are two architectures.
App-based capture puts software on the handset — a dialer app, a messaging app, or an MDM-wrapped container. Business calls and texts made through the app are captured. The problems are structural:
- The user can simply not use the app — the native dialer and native SMS still sit right there.
- Apps can be deleted, logged out of, or starved of permissions after an OS update — often silently.
- iOS in particular restricts call-audio access, so many “recording apps” are actually conference bridges with their own reliability and quality problems.
- Coverage is only as good as installation, version and login status across your whole fleet — which becomes an evidentiary problem when a regulator asks you to demonstrate completeness.
SIM-level (network-level) capture moves the recording off the device entirely. The business number lives on an ONSIM SIM or eSIM; every call and SMS on that number is recorded in the mobile network itself, before it ever reaches (or after it leaves) the handset. There is no app to forget, bypass or delete. If the device is lost, wiped or replaced, the record is unaffected because it never depended on the device.
That distinction is the core of the off-channel problem. An app asks the user to cooperate. The network doesn’t ask.
It’s the same approach we take for UK firms under FCA rules — the regulatory labels differ, the architecture doesn’t. Full product detail is on our Mobile Compliance Recording page, with the underlying capture service described at Mobile Call & SMS Recording.
Retention and supervision: the workflow after capture
Capture is step one of three. A defensible 17a-4 program on mobile looks like:
- Capture — every voice call and SMS on the business number, recorded at network level with metadata (calling/called numbers, timestamps, duration, user identity).
- Retain — in your archive, for your schedule: three years minimum under 17a-4(b)(4), first two easily accessible; six years where FINRA 4511’s default applies; longer if your counsel says so. Post-2022-amendments, tamper-evident audit-trail storage qualifies.
- Supervise — compliance reviews and surveillance run over the mobile channel exactly as they do over email: sampling, lexicon search, trade-reconstruction pulls. This only works if mobile lands in the same archive as everything else.
Which is why we built ONSIM as bring-your-own-archive. We’re a mobile network, not an archive vendor — recordings and messages export with full metadata into the platform you already use: Bloomberg Vault, Global Relay, Smarsh, SteelEye, Verint, ASC, NICE, Theta Lake, Soteria, or straight into AWS S3, Azure Blob or Google Cloud storage, delivered via API, SFTP push, SIP-REC or HTTPS POST. Your surveillance team’s tooling doesn’t change; mobile simply appears as another captured channel alongside email and chat.
For BYOD environments, dual-SIM and eSIM handsets let you put a captured business identity on a personal device — business number recorded, personal number untouched. That’s frequently the policy shape that actually sticks, and it’s the pattern we discuss in more depth in the FINRA post.
Where ONSIM fits (and honest limits)
ONSIM is a UK-headquartered mobile network that global banks and financial institutions already use for network-level compliance recording. We operate globally through partner Tier 1 networks, with centrally managed deployments across multiple geographies. US deployment is scoped case-by-case — speak to our solutions team about your specific footprint rather than assuming coverage, and bring your compliance counsel into the conversation early.
If your firm is working out how to close the mobile gap — whether that’s full voice-and-SMS capture or SMS-only for a specific desk — we’ll walk through the architecture, the archive integration and the rollout with you.
Request a quote at onsim.uk/quote or call +44 333 880 4008.
This article is general information, not legal or compliance advice. Rule scope, retention periods and supervisory obligations depend on your firm’s registrations and business lines — always confirm your position with your compliance counsel. Sources: 17 CFR 240.17a-4; SEC Release 34-96034 (electronic recordkeeping amendments, Oct 2022); SEC press releases 2021-262, 2022-174 and subsequent off-channel actions; CFTC press releases 8470-21 and 8599-22.



