
Website compliance requirements - answering what the FCA, SEC, FINRA and CMA all want

Marketing Team


Your website is the face of your firm, so it’s crucial that it meets all the rules and regulations that apply to it. However, there have never been more website compliance requirements to meet.

Therefore, we’ve designed this blog to be your one-stop shop for everything you need to meet your website compliance requirements. From website compliance in the UK to the challenges of ADA website compliance requirements in the US, we hope you find this resource useful.

To start, let’s look at website compliance in the UK…

The Financial Conduct Authority


What is FCA website compliance?


In the FCA’s Conduct of Business Sourcebook (COBS), the regulation of websites is covered in section 4.2. Here, websites are classified as financial promotions and therefore have to meet the requirement that they are “fair, clear and not misleading”. This is the key pillar of financial website compliance in the UK.

With this in mind, the products and services promoted on the website must be presented in a balanced way, so that any claims made are realistic and information on key risks is fairly and prominently displayed (for example, wherever investments are mentioned, any information on past performance needs to be representative and not overly prominent).

Essentially, when it comes to financial services website compliance in the UK, a website has to allow consumers to make an informed choice.

Therefore, avoid:

  • Unclear statements
  • Over-optimistic projections
  • Disclosures or disclaimers that are obscured or too small to read
  • Unsubstantiated claims (including any about the firm itself)

What else you need to include…

FOS Statement

A common misconception among financial services firms is that your website needs to carry a regulatory statement: “XX is authorised and regulated by the Financial Conduct Authority.”

However, websites do need to provide information about potential recourse options for visitors, so include wording and a link for the Financial Ombudsman Service. This doesn’t need to be complex, and the following would suffice:

“The Financial Ombudsman Service is available to sort out individual complaints that clients and financial services businesses aren’t able to resolve themselves. To contact the Financial Ombudsman Service please visit”


Legal requirements

When it comes to website legal requirements in the UK, these can be dictated by the type of firm involved. Make sure your website includes the following somewhere:

For Companies and Limited Liability Partnerships:

  • Company name and status
  • The registered office address (note this should be identifiable, not just a PO box number)
  • The correspondence address (if different to the registered office address)
  • The company or LLP registration number
  • The place of registration
  • Directors’ or members’ names – you do not have to name any of the directors or LLP members, but if you name one or more, you must name all of them

For Partnerships:

  • The main business address
  • Names of all partners, or where a list of partners may be inspected

For Sole traders:

  • Business name, if one is used
  • Name of the proprietor
  • The main business address


Client documentation

With a greater focus on transparency, regulators now require financial services firms to provide customers with more information about the products provided. This has a direct impact on financial website compliance in the UK.

For Packaged Retail and Insurance-based Invested Products (PRIIPs), this means firms have to have a key information document (KID) displayed on their website for each PRIIP. Therefore, when looking to satisfy FCA website compliance, it’s important to have these kinds of documents available for download on your website and easy to find.

Non-compliance with these rules can result in fines, bans for individuals and other sanctions against the firm involved. For instance, in December 2019 the FCA fined claims management firm Professional Personal Claims Ltd £70,000 for using the logos of five major banks on its website and thereby misleading customers into thinking they were doing business with those banks (and not PPC Ltd).


Meeting ASA/CAP requirements


Administered by the Advertising Standards Authority, and written and maintained by the Committee of Advertising Practice, all UK non-broadcast advertising, sales promotion and direct marketing has to abide by a specific code of rules. This goes wider than financial services and is a very important legal requirement for UK websites in all sectors.


However, these rules do not extend to the content of a website itself, or to any communications in foreign media, as website adverts come under the jurisdiction of wherever they originate from.

The code itself is extensive and there are a number of caveats for specific industries. However, here are some of the main points:

  1. Marketing communications should be legal, decent, honest and truthful.

  2. Marketing communications must reflect the spirit, not merely the letter, of the Code.

  3. Marketing communications must be prepared with a sense of responsibility to consumers and society.

  4. Marketers must comply with all general rules and with relevant sector-specific rules.

  5. No marketing communication should bring advertising into disrepute.

  6. Marketing communications must respect the principles of fair competition generally accepted in business.

  7. Any unreasonable delay in responding to the ASA's enquiries will normally be considered a breach of the Code.


What is required with FINRA website compliance?

Turning to website compliance in the US, for those in the financial services sector the requirements are quite similar and centre around FINRA Rule 2210.

FINRA Rule 2210

With FINRA website compliance, we need to look at rule 2210 which requires all communications: “To be based on principles of fair dealing and good faith, to be fair and balanced, and to provide a sound basis for evaluating the facts in regard to any particular security or type of security, industry or service.”


In many ways, meeting FINRA website compliance is very similar to satisfying website compliance in the UK. Therefore, it’s best to avoid:

  • Unclear statements
  • Over-optimistic projections
  • Disclosures or disclaimers that are obscured or too small to read
  • Unsubstantiated claims (including about the firm itself)

However, there are a couple of particular requirements specific to FINRA website compliance:


Third party links

There are special requirements for whenever a financial services firm in the US links to a third-party website. Essentially, if a firm’s website includes a link to a section of an independent third-party website, the firm has adopted the content of that third-party website if the firm has any influence or control over the content of the third-party site or if the link is not ongoing.

The link is ongoing if: it is continuously available to investors who visit the firm’s site; investors have access to the linked site whether or not it contains favourable material about the firm; and investors can use the link even if the linked site is updated or changed by the independent third party.

BrokerCheck

BrokerCheck is a new part of financial services website compliance in the US and was introduced to provide the public with information on the professional background, business practices, and conduct of FINRA member firms and their associated persons.

Furthermore, Rule 2210 was recently amended to require member firms’ websites to include a readily apparent reference and hyperlink to BrokerCheck.


Specifically, to meet this website compliance requirement, every member firm’s website has to include a readily apparent reference and hyperlink to BrokerCheck on the initial webpage that the member firm intends to be viewed by retail investors, and on any other webpage that includes a professional profile of one or more registered persons who conduct business with retail investors.


SEC 17a-3 and 17a-4

Under Rules 17a-3 and 17a-4 (under the Securities Exchange Act of 1934), broker-dealers have to make and keep thorough records of all relevant documents, emails, fax messages, instant messages and other types of written and digital communications - including websites!

Not only do these records need to be easily accessible and absolute (as dictated by 17a-3), but they need to be retained for at least six years and time-stamped (with 17a-4 giving guidance on how these records need to be retained).

The latter regulation requires that data be stored in formats that can’t be rewritten or erased (write once, read many, or WORM), and that duplicate copies of messages be stored in separate locations.

While these rules don’t specifically govern the content and management of websites, it’s important to think about how you manage your firm’s websites with record-keeping requirements in mind.

Firms face non-compliance at their peril. For example, in September 2017, Virtu Financial Capital Markets LLC was fined $175,000 by the SEC for “failing to maintain electronic brokerage records related to approximately 46 million market-making transactions” in WORM format. Virtu also neglected to provide the requisite 90-day notice for its use of electronic storage media.


What are ADA website compliance requirements?

Looking at website legal requirements in the US, these aren’t confined to financial services firms, which brings us to ADA website compliance.

ADA stands for the Americans with Disabilities Act and, although it doesn’t explicitly mention websites, Title III of the Act has been interpreted by US courts to apply to websites.


Essentially, ADA website compliance requirements mean websites need to be accessible to everyone, including people with disabilities. These users need to be able to enjoy the “full and equal” use of your website, so that they can access content, navigate the website successfully and engage with its different elements.

For example, some of these requirements include:

  • Providing text alternatives for any non-text content so that it can be changed into other forms people need, such as large print, braille, speech, symbols or simpler language.

  • Providing alternatives for time-based media.

  • Creating content that can be presented in different ways (for example simpler layout) without losing information or structure.

  • Making it easier for users to see and hear content including separating foreground from background.

You can read all the requirements here. It’s important to keep these in mind as, aside from making your website accessible and enjoyable to everyone, a breach of the ADA can mean a fine of up to $75,000, making this an important legal website requirement in the US and one you shouldn’t ignore.


What are CMA website compliance requirements?


In the UK, the Competition and Markets Authority has introduced many legal website requirements to ensure businesses treat consumers as fairly as possible.

This has a big impact on what can and can’t be published on a website. Specifically, there are a number of requirements when it comes to the use of online reviews and endorsements.


Therefore, when satisfying CMA website compliance requirements, on your website you should:

  • Clearly and prominently disclose any commercial relationships you have with the businesses listed
  • Ensure all reviews on your website are authentic
  • Don’t offer any inducements on your website for positive reviews
  • Make it clear to site users how reviews have been collected and checked
  • Subject both negative and positive reviews to checks of the appropriate rigour, with procedures in place to remove fake reviews



This is all extremely important, as any website that misleads consumers could put the business in breach of the Consumer Protection from Unfair Trading Regulations 2008.


The role of record-keeping 


We've already touched upon this above (specifically with the requirements made under SEC rules 17a-3 and 17a-4), but an increasingly important part of website compliance is having the right record-keeping processes and systems in place.

Being able to prove compliance is almost as important as meeting the regulations in the first place, and businesses now need to have thorough and reliable records for their entire digital estate. This isn’t just a regulatory requirement; it has a lot to do with best practice too.

This is what has made web archiving so popular in regulated industries like financial services. As a leading provider in this space, at MirrorWeb we've created a comprehensive guide on everything to do with web archiving. It's completely free and you can grab your copy to learn:

- How web archiving satisfies regulatory requirements where other solutions fall short

- Why backups don't do the same job as web archives

- How web archiving works, using innovative and readily-automated crawl technology
