Performing Electronic Communications Reviews: Beyond Key-Word Searches

The digitization of communication continues with fervor. For the financial industry, this is paralleled by the continued development of associated rules and requirements as regulators work to stay in lockstep with technological advancements. As new platforms and methods of communication emerge, firms must adapt their compliance practices and ensure their electronic communications policies and procedures align with current regulatory requirements.

Rule 204-2(a) under the Investment Advisers Act of 1940 (the “Advisers Act”) requires investment advisers to maintain records of business communications. Section 203(e)(6) of the Advisers Act requires advisers to reasonably supervise their associated persons. The combination of these two rules, along with the expectation that business communications should not violate applicable state and federal regulations or a firm’s policies, creates an implicit obligation for advisory firms to review their electronic business communications on a periodic basis. In practice, regulators expect firms to ensure these requirements are being met by performing periodic reviews of all types of electronic business communications (e.g., emails, texts, instant messaging, social media posting, off-channel communications and more) as part of a reasonable compliance program. These reviews should be performed and documented on a regular basis, with the frequency depending on, among other things, the number of personnel and types of electronic communications allowed for business use.

Reviewing business communications can help firms identify and correct any procedural or compliance violations that otherwise may not be detected.

In addition to regulatory considerations, there are also business considerations for reviewing electronic communications, such as:

  • Monitoring what firm personnel are saying to clients, vendors, and each other, as that can impact a firm’s reputation. Taking measures to keep things above board improves a firm’s credibility in the marketplace.
  • Catching communication issues allows for prompt correction before they metastasize into larger and/or costly issues.
  • Having a fully formed and effective communications review program mitigates the risks that can accompany fast growth that results in expanding operations and new staff members.

The sheer volume of electronic communication that takes place on a daily basis may make this obligation feel overwhelming. In this Risk Management Update, we provide guidance and compliance tips to help make your review process meaningful and effective by addressing:

  • WHO is responsible for communication reviews
  • WHAT to look for during reviews
  • WHEN reviews should take place
  • WHERE archived electronic communications should live

We conclude with a summary of what to keep in mind when conducting reviews of your electronic communications, and information on how to obtain assistance with your review program.

 

Who is Responsible for Communication Reviews

The CCO is typically the person responsible for overseeing a firm’s electronic communications retention and review program. This responsibility usually includes:

  • Developing the firm’s policies and procedures pertaining to the creation, retention, review, and disposal of electronic business communications.
  • Implementing internal controls to help ensure that no unauthorized electronic communication platforms are being used for sending/receiving business communications.
  • Confirming all business electronic communications are being archived.
  • Protecting archived communications from destruction or alteration.
  • Ensuring the firm has the ability to efficiently retrieve and review archived communications.
  • Conducting and documenting regular and timely reviews of retained business communications and/or monitoring the reviews delegated to and performed by third parties.

Having the right vendor is important, as there are certain functions that can be utilized to assist with reviews, such as setting up the software to flag a number of key words and phrases that could be problematic and having the ability to perform different types of reviews, such as by date, and/or by specific personnel. Documenting the reviews is also important, so having software that provides detailed reports of the reviews is necessary.

 

What to Look for During Reviews

1. Setting Up Your Search

Keyword lexicon, time period and sample size are just the starting point for your review. Be sure to review the landscape of your results – the total communications archived for that time period, how many messages were flagged, and how many you will be able to review.

Once your review sample is selected, the real work begins. If you are able to, sorting the sample by subject line is a good place to start. This allows you to skim over junk mail and group subject lines that start with “RE” and “FW”, which indicate back-and-forth communications.

Be sure to count how many of those communications are instant messages, website communications, or social media. If those communication types are minimal, it may be worth reviewing all of them. Individuals communicate differently across different platforms, so including messages from non-email platforms ensures your review is thorough.

2. Issues To Look For

When reviewing electronic communications within a firm’s selected archiving platform, supervisors should evaluate messages across several key risk areas. Common categories and examples of what to look for include:

  • Marketing and Advertising: Any misleading or exaggerated statements, including promissory language such as “guaranteed,” “no risk,” or “safe.” Watch for testimonials or endorsements lacking required disclosures, references to hypothetical performance that violate firm policy, or the distribution of marketing materials through unapproved channels.
  • Trading Practices: Indications of trade errors, along with confirmation that any identified issues were resolved appropriately. Unapproved personal securities transactions and any unauthorized disclosure of client holdings, trade confirmations, or other sensitive trading information.
  • Fees and Billing: Signs of potential fee miscalculations, billing discrepancies, or representations about fees that conflict with the firm’s Form ADV or advisory agreements.
  • Client Instructions and Advice: Individuals who are not registered investment adviser representatives (IARs) but are providing investment advice. Whether advisory guidance provided appears appropriate and client instructions are communicated through approved business channels.
  • Custody and Access to Client Assets: Any instance where employees request or accept client login credentials, or where communications imply unauthorized access to client funds. Whether communications related to funds and/or securities transfers follow firm policy and custody rules.
  • Client Servicing and Red Flags: Any client dissatisfaction or complaints that have not been reported. Reports of identity theft, signs of phishing or compromised accounts, concerns about unauthorized trading, or indicators of potential senior investor vulnerability, such as confusion or memory issues.
  • Code of Ethics (COE) Compliance: Any undisclosed outside business activities (OBAs), referral or solicitation arrangements, and/or gifts and entertainment.

 

When Reviews Should Take Place

How often electronic communications reviews are conducted will depend on the size and complexity of a firm, the number of firm personnel, the types of communications permitted, as well as the volume of communications taking place on a daily basis. Typically, reviews are most effective when they are completed regularly, such as on a weekly, monthly, or quarterly basis, as this can help firms more readily address any issues found.

In addition, there may be times when more frequent reviews are necessary for the communications of certain personnel who have been placed on heightened supervision.

 

Where Archived Business Communications Should Live

Researching options for where to store electronic communications is important, but the main takeaway is that a centralized system that pulls together the various forms of business communications from all of a firm’s different platforms is best. This not only ensures retention, but it also streamlines supervision through a review process, which helps with meeting regulatory obligations more effectively.

There are a number of vendors that provide retention services, which have the ability to pull and maintain electronic communications, including emails, texts, instant messaging, and social media posts from various platforms. They also offer review capabilities that can be performed by the firm, and in some cases performed by artificial intelligence (AI). These vendors include but are not limited to (listed in alphabetical order):

Global Relay – https://globalrelay.com
Hadrius – https://hadrius.com
Intradyn – https://intradyn.com
Smarsh – https://smarsh.com

The vendor you select should be subject to proper due diligence before being retained and at least annually thereafter. This should include, but not be limited to, a review of their privacy safeguarding controls and cybersecurity policies as well as their server and backup processes.

 

Conclusion

Further to what we have outlined at the beginning of this RMU, there are additional reasons why firms need to perform reviews. From a regulatory standpoint, Rule 206(4)-7 of the Advisers Act outlines that investment advisers must perform reviews of their policies, procedures, and internal controls at least annually to confirm they are designed to prevent violations of applicable federal securities laws. Performing ongoing reviews of electronic communications serves as a strong internal control that tests compliance with a number of important rules, which include:

  • Rule 204-1 of the Advisers Act – Books and Records to be Maintained by Investment Advisers
  • Rule 206(4)-1 of the Advisers Act – Investment Adviser Marketing
  • Rule 204A-1 of the Advisers Act – Investment Adviser Code of Ethics
  • Rule 10b5-1 of the Securities Exchange Act – Trading on Material Nonpublic Information
  • Regulation S-P – Privacy and Safeguarding Customer Information

From a business standpoint, performing these reviews often results in early detection of potential or actual violations, which in turn can help to avoid client harm, loss of revenue, and reputational damage.

Core Compliance consultants have extensive experience in both performing reviews and assisting advisory firms with developing and/or enhancing their electronic communication review programs. For more details and information on how we can help you, please contact Core Compliance at info@corecls.com or 619-278-0020.

Author: Geneva Roman, Compliance Consultant; Editor: Tina Mitchell, Managing Director, Consultation Services, Core Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, and private fund managers on regulatory compliance issues.

This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon regarding any particular facts or circumstances without first consulting with a lawyer and/or tax professional.