FINRA Rule 3110 Employee Monitoring: Supervision Requirements for Broker-Dealers in 2026

Why Does FINRA Supervision Enforcement Cost Firms So Much?

FINRA issued $56.8 million in fines specifically for supervision violations in 2023. The average fine for a supervision failure case exceeds $500,000 — before legal fees, remediation costs, and reputational damage. But the 2022-2023 off-channel communications enforcement action reshaped how compliance professionals think about employee monitoring: FINRA and the SEC together fined 16 broker-dealers a combined $1.1 billion for failing to capture and retain business communications on WhatsApp, Signal, and other personal messaging platforms that firm policies technically prohibited.

The enforcement message was unambiguous. A prohibition policy without active monitoring controls is not a supervisory system. If employees use prohibited channels and the firm has no way to detect or demonstrate detection, the firm is liable for the failure — regardless of the written policy. For compliance officers, this means employee monitoring is not a nice-to-have: it is the evidentiary backbone of every supervision program.

Which Employee Communications Must Broker-Dealers Monitor in 2026?

The scope of FINRA supervision has expanded dramatically with communication technology. In 2026, FINRA-regulated firms must supervise a communication landscape that would have been unrecognizable when the original supervision rules were written.

Email — The Established Standard

Company email has been subject to FINRA supervision since the earliest electronic communications guidance. All email on firm systems is subject to Rule 3110 supervision and Rule 4511 retention. This includes email sent from firm-provided accounts to external recipients, internal email between registered persons, and email involving customer account matters. Firms that allow business email on personal email accounts must supervise those communications if evidence shows they are being used for business purposes — the platform ownership is not a supervisiory escape hatch.

Text Messages — Explicitly Required

FINRA has issued explicit guidance that broker-dealers must supervise text message communications when registered persons use them for business purposes. This applies to SMS messages, iMessage, and any text-based medium. The 2022-2023 enforcement sweep demonstrated that "we have a no-text policy" is not a defense when examiners find evidence employees were texting clients regardless. Firms must either:

• Implement a capture and archive solution for business text communications, or
• Demonstrate through active monitoring controls that no business texts are being sent — not merely assert that policy prohibits them

Several firms now issue firm-managed mobile devices with compliant text archiving to registered persons with significant client contact, eliminating the personal device supervision problem for that communication channel.

WhatsApp, Signal, and Personal Messaging Applications

The 2022-2023 off-channel communications enforcement actions produced the largest supervision fines in FINRA and SEC history. Firms including J.P. Morgan Securities ($125 million to SEC and CFTC), Deutsche Bank ($75 million), and 14 others paid a combined $1.1 billion for failing to preserve business communications sent via WhatsApp and other personal messaging apps. The key findings:

• Firm employees — including senior personnel — routinely used WhatsApp to discuss client accounts, trading activity, and securities recommendations
• Firm policies prohibited such use, but the prohibition was not monitored or enforced
• When regulators requested records of certain communications, the firms could not produce them because the messages were never captured
• The failure to retain these communications itself constituted a separate Rule 4511 violation independent of the supervision failure

For compliance officers, the practical takeaway is that active monitoring of application usage — specifically detecting the presence and usage of off-channel communication apps during work hours — is now a standard expectation for registered broker-dealer environments. eMonitor's activity logging and screen monitoring capabilities provide the usage visibility that enables compliance teams to detect and document off-channel communication activity.

Social Media — LinkedIn, Twitter/X, and Others

FINRA Regulatory Notice 17-18 (Social Media and Digital Communications) and prior notices establish that social media communications must be supervised when used for business purposes. The framework distinguishes:

• Static content (blog posts, pre-approved LinkedIn articles, website content): subject to pre-approval requirements under FINRA Rule 2210
• Interactive content (real-time messages, LinkedIn InMail, Twitter/X direct messages, comment responses): subject to the same supervision as correspondence with customers

A registered representative who uses LinkedIn messaging to discuss a client's portfolio is generating a business record that must be retained under Rule 4511 and supervised under Rule 3110. FINRA examiners now routinely request social media archives during examinations of retail broker-dealer branches.

Video Calls — Zoom, Microsoft Teams, and Webinars

Video call communications involving customer account discussions, securities recommendations, or solicitation activity are business communications subject to supervision. FINRA regulatory guidance and enforcement precedent establish that firms must either record and retain these communications or implement documented alternative controls. Many firms now require that all client-facing video calls use firm-issued platforms with native recording and automatic retention features. Where employees use personal Zoom accounts for client meetings, the compliance exposure is equivalent to using personal email — the content cannot be supervised.

Collaboration Platforms — Teams, Slack, and Persistent Chat

The growth of persistent chat platforms in financial services has created a supervision challenge that many firms are still addressing. Microsoft Teams, Slack, and Bloomberg IB messaging between registered persons discussing client accounts, trading ideas, or securities recommendations generate records that must be captured and retained. Several major broker-dealers have implemented approved communication channel policies requiring all internal collaboration to use firm-managed platforms with native archiving — prohibiting consumer Slack workspaces for any business purpose.

What Does FINRA Rule 3120 Add to the Supervision Framework?

FINRA Rule 3120 requires broker-dealers to test and verify their supervisory control system on an annual basis and certify the results to senior management. Where Rule 3110 creates the supervision obligation, Rule 3120 creates the obligation to prove the supervision is working.

Annual Testing Cycle

Each year, the firm must designate one or more principals to test the written supervisory procedures. Testing must cover at least a sample of each category of supervisory procedure — including procedures for electronic communications monitoring, trading supervision, customer account review, and outside business activity oversight. Test results must be reported in writing to senior management, which must review and approve the findings.

What Examiners Look For in Rule 3120 Documentation

FINRA examiners specifically look for three failure patterns in Rule 3120 testing:

1. Superficial testing: Testing that confirms procedures exist rather than testing whether they actually work. A test that verifies the email monitoring policy is written, but does not verify that any email monitoring actually occurs, is a common finding.
2. Unresolved deficiencies: Test findings that identify supervision gaps but are not remediated before the following year's test. Repeated findings for the same deficiency are treated as aggravating factors in enforcement.
3. Senior management non-review: Documentation where the required senior principal signature is present but evidence suggests no substantive review occurred. Examiners interview senior principals on the content of certification reports to assess this.

For employee monitoring technology, the Rule 3120 annual test should include: a sample review of whether the monitoring system is actually capturing the communications it is supposed to capture; a test of whether exception alerts are being generated and reviewed within expected timeframes; and a verification that monitoring system audit logs and supervision records are being retained in compliant format.

How Do You Build a FINRA-Compliant Supervision Program From Scratch?

A supervision program that withstands FINRA examination is not a single document — it is an integrated system of written procedures, technology controls, trained personnel, and documented evidence. Here is the six-step framework that covers all Rule 3110 and Rule 3120 obligations.

Step 1: Map All Communication Channels Used by Registered Persons

Before procedures can be written, compliance must know every channel through which registered persons communicate with customers or conduct business. This mapping exercise should cover:

• All firm-issued communication platforms (email systems, internal chat, video conferencing)
• All customer-facing platforms used by registered persons (LinkedIn, firm website chat, client portals)
• All personal devices and personal accounts used for any business purpose, even occasionally
• All third-party platforms mandated by institutional clients (Bloomberg IB, specific trading platforms)

eMonitor's activity logging provides direct visibility into which applications registered persons are using during work hours — giving compliance a factual baseline rather than relying on self-reporting. A firm that discovers registered persons are using a collaboration platform never mentioned in the mapping exercise faces a supervision gap it can address proactively rather than during an examination.

Step 2: Implement Systematic Monitoring for Each Channel

For each identified channel, implement a monitoring control appropriate to the channel's risk level and technical capabilities:

• Email: Automated keyword scanning with human review of flagged communications; risk-based sampling of unflagged communications
• Text messages: Archive-and-review solution or firm-managed devices with native archiving
• Social media: Social media archiving platform capturing all business communications; pre-approval workflow for static content
• Video calls: Recording and retention for client-facing calls; meeting summary review as minimum for platforms without recording
• Off-channel detection: Application usage monitoring to detect the presence of prohibited communication apps during work hours on firm-issued devices

Step 3: Designate Supervisory Principals With Appropriate Scope

Each registered person must have a designated supervisory principal with responsibility for their activities and communications. Principal designations must be documented in writing and reviewed when personnel changes occur. Principals must have the practical capacity to perform their supervision — a principal responsible for 200 registered representatives who cannot practically review a representative sample of their communications is a documented supervision failure waiting for an examination.

Step 4: Implement Documented Review Procedures

Written supervisory procedures for electronic communications review should specify:

• Review frequency for different risk tiers of registered persons and communication types
• Keywords and patterns that trigger escalation for immediate principal review
• The review documentation format — how supervisors record their review and findings
• Escalation thresholds to compliance, senior management, and FINRA reporting
• Procedures for preserving evidence of potential rule violations for regulatory reporting

Step 5: Configure Keyword Alerting for Prohibited Topics

Automated keyword alerting is not a substitute for review, but it is an essential triage tool for high-volume communications environments. FINRA examiners expect to see keyword libraries that reflect the actual risk profile of the firm's registered persons. A retail branch with elderly clients should have keywords focused on suitability, guaranteed returns, and senior financial exploitation. A trading desk should have keywords focused on material non-public information, front-running, and spoofing. Common keyword categories include:

• Prohibited representations: "guaranteed," "can't lose," "risk-free," "sure thing," "[specific dollar amount] return"
• Outside business activities: personal securities discussions unrelated to firm business, references to other investment accounts
• Complaint indicators: "unhappy," "lost money," "want my money back," "call my attorney"
• Regulatory risk terms: "off the record," "delete this," "don't put this in writing," "personal email"

eMonitor's screen monitoring and activity logging capabilities allow compliance teams to configure detection for prohibited application usage alongside keyword-level communication review — providing a dual-layer supervision control.

Step 6: Conduct Annual Rule 3120 Testing and Document Results

The annual testing cycle should be structured to test whether the supervision system actually works, not merely whether it exists. Testing should include:

• Pull a random sample of electronic communications from each supervised channel and verify they were reviewed within the required timeframe
• Verify that keyword alert exceptions were generated for communications that should have triggered alerts
• Confirm that all required supervisory review records are retained in compliant format and are producible within the timeframe FINRA specifies
• Assess whether the supervision technology is capturing communications from all identified channels — not just the channels it was configured for when originally deployed
• Interview a sample of supervisory principals on the substance of their review procedures to confirm practice matches the written procedures

What Are the Supervision Obligations for Remote Registered Persons?

The COVID-19 pandemic accelerated remote work adoption in financial services, and FINRA has addressed the supervision implications through guidance and examination priorities. In 2026, remote registered representatives present persistent supervision challenges that compliance programs must address explicitly.

OSJ Structure and Remote Work

FINRA guidance confirms that a registered person's home office is not automatically an OSJ or branch office solely because they work from home. However, firms must ensure remote registered persons remain within the supervisory structure of a properly designated OSJ with an appropriately assigned supervisory principal. Remote work has not altered the obligation — it has changed only the logistics of delivering it.

Supervision Heightened by Home Work Environment

Remote work creates supervision challenges absent in the office environment:

• Registered persons have easier access to personal devices and personal communication accounts during work hours
• Physical separation from supervisors reduces the informal observation that office environments provide
• Personal and work activity can intermingle on a single device if firm-issued devices are not provided
• Client meetings via video call are harder to monitor in real time than in-office meetings

FINRA's 2023 and 2024 examination priorities specifically identified remote supervision as an area of elevated scrutiny. Firms with large remote registered representative populations should have explicitly addressed remote supervision in their WSPs, including how electronic communications monitoring applies to remote workers and whether any supplemental controls are in place.

Firm-Issued Devices for Remote Registered Persons

The most defensible approach to remote supervision for higher-risk registered persons is providing firm-issued devices configured with compliant communication archiving and monitoring software. When all business activity occurs on a firm-managed device with appropriate monitoring controls, the supervision exposure from off-channel communication on personal devices is substantially reduced. This is the approach several wirehouse firms have adopted following the 2022-2023 enforcement sweep.

Legal Disclaimer

The information on this page is provided for general informational purposes only and does not constitute legal advice. FINRA rules, SEC regulations, and related guidance are subject to amendment, and enforcement positions evolve through regulatory guidance letters, examination findings, and adjudicated proceedings. Broker-dealers should consult qualified securities counsel and a Chief Compliance Officer before implementing any supervision or employee monitoring program. This guide reflects publicly available regulatory information as of April 2026 and is not a substitute for professional legal and compliance advice specific to your firm's registration categories, business model, and existing supervisory structure. References to enforcement actions and fines are drawn from publicly available FINRA and SEC press releases and AWC documents.