For most of the past two decades, reviewing a fraction of firm communications was not a compliance shortcut. It was the only realistic option available.
FINRA and the SEC have always required firms to establish a reasonable supervision system. What "reasonable" looked like in practice was shaped by what was operationally possible. Examiners understood that a mid-sized broker-dealer, for example, could not read every email, message, and call record produced by its advisors. Sampling became the accepted methodology not because regulators decided it was sufficient, but because nobody could credibly argue the alternative.
The Constraint That Shaped the Standard
Supervision programs built around random sampling have never been designed to find everything. They are designed to find enough, with ‘enough’ defined by what the technology of the time could realistically surface. A 5-10% review rate gives examiners evidence that a firm is looking, and it gives firms a defensible methodology when questions arise. It is not, and has never been, a regulatory ceiling on what firms are expected to find.
The rules have not changed. FINRA Rule 3110 still requires firms to establish and maintain a supervisory system reasonably designed to achieve compliance. The SEC's books and records requirements still set out what must be captured and retained. But the conditions that made sampling reasonable are shifting, and the interpretation of "reasonably designed" will shift with them.
What AI Removes From the Equation
The argument for sampling was always volume-based. There is too much to review, too few reviewers to read it, and too much operational disruption in trying to close that gap. That argument held for a long time because it was accurate.
AI-powered supervision tools have changed the premise. Comprehensive review across email, mobile, and collaboration channels is now operationally viable without requiring a proportional increase in compliance headcount. Firms can review all communications, flag material issues, prioritize escalations, and do it within the same team structure that previously supported a sampling approach. The volume problem has not disappeared, but the tools available to manage it have fundamentally changed.
That change matters in the exam room. An examiner who is familiar with what current supervision technology can do will ask harder questions about a firm that is still sampling. Not because the rules require 100% review, but because the main justification for sampling is harder to make. "We can't review everything" is a weaker position when the tools to do exactly that are now widely available.
The Risk Firms May Not Have Priced In
Enforcement trends rarely shift overnight, and there is no formal regulatory announcement that sampling programs are under scrutiny. But the conditions that produced regulatory tolerance for sampling have changed, and enforcement patterns tend to follow the operational environment over time.
The more immediate risk is an exam finding that a firm's supervision program was not reasonably designed, in a period when comprehensive review was both available and affordable. That is a harder position to defend than it would have been five years ago. It is not hypothetical exposure. It is the kind of gap that shows up in deficiency letters when examiners can point to what firms in the same peer group were doing.
What Good Looks Like Going Forward
Firms that are still relying on random sampling are not necessarily non-compliant today, but they are carrying risk that is worth reassessing. A supervision program built for comprehensive review, with the tooling to manage volume intelligently rather than simply increasing reviewer workload, is where the industry is heading.
The firms that move early will be in a stronger position when examiner expectations catch up with what technology now makes possible. The ones that wait may find that the methodology they built their program around no longer reads as reasonable.
How MirrorWeb Can Help
MirrorWeb's supervision engine is built for the volume that modern communications produce. Sentinel AI comprehensively reviews communications across email, mobile, collaboration channels and more, surfacing genuine risk and reducing the false positives that make high-volume review feel unmanageable. Firms get full coverage without proportional increases in reviewer workload.
For firms that are reassessing their supervision methodology, or that want to understand what a comprehensive review program looks like in practice, we'd love to walk through how the platform works. Get in touch to arrange a demo.