It started with JPMorgan in December 2021 - a $125 million fine for WhatsApp recordkeeping failures that seemed, at the time, like a high-profile warning shot. It wasn't. Over the next three years, the SEC and CFTC charged over 100 firms and imposed more than $3 billion in combined penalties for the same category of violation. The most recent wave came in January 2025 - $63 million across twelve firms. Every CCO in financial services was paying attention.
Then the SEC stepped back. A new administration signaled less interest in technical recordkeeping violations, pivoting toward fraud and investor harm cases instead. No new off-channel enforcement actions followed in the first half of 2025. For many firms, the conclusion was straightforward: the pressure was off.
What that conclusion missed was that one regulator going quiet doesn't mean the issue goes quiet with it. The rules haven't changed. The obligation to capture, retain, and supervise off-channel communications is exactly what it was in 2021. What changed was the enforcement spotlight - and firms that have mistaken a quieter SEC for a changed regulatory landscape are building an exposure that will surface eventually.
The SEC's headline fines dominated the off-channel conversation so completely that FINRA's parallel enforcement activity barely registered. For broker-dealers, that's a significant blind spot. FINRA operates independently - it runs its own cycle examinations, issues fines under its own authority, and sets its own enforcement priorities. The two organizations share a rulebook but not a calendar. A firm that concluded the off-channel pressure had eased in mid-2025 was making a judgement about FINRA based entirely on SEC behaviour, and 2025 showed exactly what that assumption costs.
While the compliance industry was processing the administration change and watching for signals from the new SEC, FINRA kept issuing fines. In June 2025, Velox Clearing received $1.3 million in FINRA sanctions - plus a further $500,000 from the SEC - for off-channel failures uncovered during a routine cycle examination. The firm's CEO and senior staff had routinely conducted client business over WeChat. Over 10,000 messages went unretained - compliance had flagged it, and nothing was done.
The enforcement continued. In October, a former Wells Fargo Advisors broker was fined and suspended for off-channel messaging - and then deleting the evidence. A $65,000 fine against a member firm followed in November. Into 2026, FINRA barred an individual from associating with any member firm for off-channel communications use entirely. Where the SEC sweep largely targeted institutions, FINRA is increasingly holding individuals personally accountable. Personal devices can bring personal liability.
The FINRA 2026 Annual Regulatory Oversight Report is the clearest available signal of where examiner attention is going. Electronic communications capture failures, off-channel use, and inadequate supervision procedures all feature explicitly as findings from recent examinations. FINRA flags recordkeeping lapses more than 50 times across the report and recommends firms simulate regulatory examinations, monitor for unapproved channel use, and regularly refresh communications surveillance keywords. For broker-dealers planning their compliance priorities for 2026, this document deserves serious attention.
For mid-market firms, the SEC's billion-dollar enforcement wave was always a somewhat distant threat - those headline actions mostly landed on major Wall Street institutions. The SEC broadly leaves broker-dealer examinations and discipline to FINRA, except at the top end of the market. The more immediate risk has always been the FINRA cycle examination. An examiner finding off-channel failures in a routine exam doesn't generate a headline, but it does generate findings, remediation requirements, and heightened supervision plans - consequences that hit a mid-market firm disproportionately hard and linger well after the examination closes.
The absence of news is not the absence of risk. The rules haven't changed, and firms that stopped paying attention during a quieter enforcement period will find that out the hard way. Gaps that opened in 2025 don't disappear - they show up in the next cycle exam, often at the worst possible time.
The baton didn't get dropped. It just changed hands.
Staying examination-ready on off-channel communications requires more than a policy - it requires infrastructure that captures, retains, and supervises everything advisors send.
MirrorWeb provides comprehensive mobile channel capture across WhatsApp, SMS, WeChat, Signal, and even iMessage - a significant blind spot for most other vendors. Trusted Contacts goes a step further by removing the reason advisors go off-channel in the first place: the concern that personal conversations will be captured alongside business ones. With Trusted Contacts, advisors can filter their personal contacts out of capture entirely, so there's no privacy concern and no excuse.
Firms that maintained their off-channel posture through 2025 are in a fundamentally stronger position than those that didn't. That distinction will matter in the next exam.