
Mobile Communication Compliance in Regulated Industries

June 15, 2026

8 minute read

When your team uses their phone for work, who is watching?

Regulators fined financial firms more than $2 billion for off-channel communication failures between 2022 and 2025. The problem was not that firms lacked compliance programs. It was that their compliance programs were built for a world where customer conversations happened at a desk. That world ended years ago.

In October 2023, the SEC and CFTC concluded their second major sweep of Wall Street firms for off-channel communication failures. The fines ran to hundreds of millions across ten firms. The violations were not complicated. Brokers, traders, and managers were using WhatsApp, Signal, and personal text messages to conduct business that should have been happening on monitored, recorded systems. The firms knew the rules. Their employees knew the rules. The conversations happened anyway — because the tools people actually use are faster, easier, and already in their pocket.

The $2.1 billion in total fines accumulated since 2022 is a large number. What it represents is larger still: a structural gap between where regulated conversations are required to happen and where they actually happen. That gap exists at almost every financial services firm, in almost every insurance operation, and in most healthcare organisations. The compliance programs built to govern customer conversations were designed for desk phones and formal communication channels. Somewhere in the years between 2015 and 2025, the conversations moved to mobile. The compliance programs did not follow.

This is not a technology problem. It is a governance problem with a technology solution. And the window for addressing it quietly — before a regulator asks for records that do not exist — is getting shorter.

How did the compliance gap open?

The gap did not open overnight. It opened conversation by conversation, over years, as staff reached for the tool that worked rather than the tool that was compliant.

A broker texts a client from her personal iPhone because the client responds faster to texts than to voicemails. A care coordinator follows up with a patient via WhatsApp because the patient is more comfortable on a platform they already use. An insurance adjuster calls a claimant from his personal mobile because he is in the field and the claim cannot wait. Each individual decision is understandable. At scale, across thousands of staff members and millions of conversations, each of those decisions creates a record that does not exist — or exists somewhere the compliance program cannot reach.

The data on how far mobile has spread is stark. A 2024 analysis of communication patterns at mid-sized US broker-dealers found that an estimated 40–60% of client-related conversations were happening on channels outside the firm's monitored infrastructure. For firms with field-based or mobile-first teams — insurance, healthcare, high-value retail — the proportion is higher. The desk phone, and the compliance infrastructure built around it, covers a shrinking share of the actual conversations the business depends on.

$2.1B — Total fines levied by SEC and CFTC against financial firms for off-channel communication failures, 2022–2025. The majority involved mobile and messaging app communications on personal devices. (Source: SEC and CFTC enforcement records, compiled 2025)

The regulatory framework never changed. The books-and-records obligation that SEC Rule 17a-4 and FINRA Rule 4511 (and its NASD predecessor) impose on broker-dealers predates smartphones. The SEC's position that it covers SMS, WhatsApp and personal device communications was not a surprise; it was a logical extension of a principle that was always there. The same logic applies across sectors. The technical safeguards of the HIPAA Security Rule (45 CFR 164.312) apply to any communication containing electronic protected health information, regardless of which device sent it. The FCA's Senior Managers and Certification Regime creates personal accountability for communication governance at UK firms. None of these frameworks created a desk-phone carve-out that expired when mobile became the dominant communication channel.

The rules did not change. The gap between the rules and how teams actually communicate grew large enough that regulators could no longer look past it.

What are the three distinct risks?

The compliance gap creates three categories of exposure that are related but distinct. Understanding them separately matters because they affect different parts of the organisation and require different responses.

1. Record keeping and supervision failure

The most direct risk is the inability to produce records when asked. A regulatory examination, a customer dispute, a litigation discovery request — all of these may require the firm to produce records of specific conversations that happened on personal devices, on WhatsApp, on channels the firm has no visibility into. When those records do not exist, no amount of retroactive policy repairs the gap. The conversation happened on a channel the firm could not see.

This is the risk that generated the $2.1 billion in fines. It is also the risk that firms most consistently underestimate because its consequences are not visible until a regulator or litigant asks a question the firm cannot answer.

2. Quality and performance invisibility

The second risk is less regulatory and more operational, but it costs firms money every quarter. When a significant proportion of customer conversations happen outside the firm's QA and coaching infrastructure, managers are making performance decisions based on partial information. The conversations they can review are desk calls and formal channel interactions — the minority of conversations for most modern regulated teams. The majority of interactions, and the majority of the risks and opportunities within them, are invisible.

A broker who handles client objections differently on WhatsApp than on a recorded call is not being caught by the coaching program. An insurance adjuster whose claims conversations on personal mobile are consistently creating customer dissatisfaction does not appear in the QA data. The performance management program is operating on a sample that is neither random nor representative.

"We had a sophisticated coaching and QA program. When we finally mapped where our conversations were actually happening, we realised the program covered about a third of them. We were coaching the visible third and hoping the invisible two-thirds were fine." — Chief Compliance Officer, US regional wealth management firm

3. Personal liability under conduct regimes

The third risk is personal rather than organisational. Under the FCA's Senior Managers and Certification Regime, and under equivalent personal accountability frameworks developing in other jurisdictions, senior individuals can be held personally responsible for governance failures in their area of accountability. A Chief Compliance Officer who was aware that mobile communication was happening outside supervised channels — or who should have been aware — faces a different kind of exposure than the firm's balance sheet fine.

The SEC's enforcement actions have increasingly named individuals alongside institutions. The direction of travel in both the US and UK is toward greater personal accountability for compliance failures. Communication governance is not a function that can be delegated and forgotten.

Spoke captures and retains every business conversation, desk and mobile, in a format that meets regulatory recordkeeping requirements across financial services, healthcare, and insurance.

What does the regulatory framework actually require?

The specific requirements vary by sector and jurisdiction, but the underlying principle is consistent: if a conversation happens in the course of regulated business, it must be captured, retained, and available for review.

In US financial services, SEC Rule 17a-4(b)(4), which FINRA Rule 4511 incorporates, requires broker-dealers to preserve originals of communications received and copies of communications sent relating to their business as such for at least three years, the first two in an easily accessible place; records with no specified retention period default to six years under Rule 4511(c). The SEC has stated, and its enforcement actions of 2022 through 2025 confirmed, that this applies to text messages, WhatsApp and other messaging platforms when used for business communication, whether the device is personal or corporate-issued.

In healthcare, the standard is different in form but similar in substance. The HIPAA Security Rule's transmission security standard (45 CFR 164.312(e)(1)) requires covered entities and business associates to implement technical security measures that guard against unauthorised access to electronic protected health information transmitted over an electronic communications network. A text message containing patient information sent from a staff member's personal iPhone is ePHI transmitted over such a network. Enforcement actions since 2023 have made clear that unmanaged personal device use is a recognised HIPAA exposure vector.

Sector                  | Primary framework                  | Key requirement                                  | Mobile application
------------------------|------------------------------------|--------------------------------------------------|-----------------------------------------------------
Financial Services (US) | FINRA Rule 4511 / SEC Rule 17a-4   | Preserve all business communications 3–6 years   | Explicitly includes SMS, WhatsApp, personal devices
Financial Services (UK) | FCA COBS 11.8 / SMCR               | Record and retain client communications          | Applies to all channels used for regulated activity
Healthcare (US)         | HIPAA Technical Safeguards         | Protect ePHI in transmission                     | Applies regardless of device ownership
Insurance (US)          | State-level laws + NAIC Model Laws | Document customer communications                 | Expanding to include digital channels in most states
High-Value Retail       | Consumer Duty (UK) / FTC Act (US)  | Evidence of customer outcomes and fair treatment | Increasingly scrutinised in high-value transaction contexts

The common thread is that regulatory expectations have not been written with a channel carve-out. The obligation follows the conversation, not the device or the platform. For firms operating across multiple jurisdictions, the compliance obligation is layered. The most restrictive applicable framework sets the floor.

What does a defensible mobile compliance program look like?

The compliance programs that have held up under regulatory scrutiny share three characteristics. They are worth examining not as a template to copy but as a framework for identifying where gaps exist in a current program.

Capture that follows the conversation, not the device

The firms that have navigated off-channel communication scrutiny most effectively are not the ones that banned personal devices most aggressively. They are the ones that made compliant communication the path of least resistance for staff who need to reach customers quickly, from wherever they are, on whatever device they carry.

This means infrastructure that sits at the communication layer rather than the device layer. A system that routes business calls and messages through monitored, recorded infrastructure — capturing and retaining the conversation regardless of whether it originated on a desk phone or a personal mobile — removes the choice between compliance and convenience. Staff use their own device. The compliance program captures the conversation.

The alternative — mobile device management, separate corporate phones, strict channel bans — tends to fail because it adds friction to communication that staff are already doing. When the compliant option is harder than the non-compliant option, the non-compliant option wins. The data from firms that implemented restrictive device policies without providing a compliant mobile alternative consistently shows this.

Supervision that scales with conversation volume

Capture without supervision is a filing system, not a compliance program. The conversations need to be reviewed — for compliance with disclosure requirements, for adherence to communication policies, for risk language that triggers escalation. Manual review at sample rates that made sense for desk phone call volumes does not scale to the full volume of mobile conversations.

The firms with the strongest mobile compliance programs have moved from manual sampling to automated review at full conversation coverage. Every captured conversation is scored against the firm's compliance requirements within a defined time window, and exceptions are surfaced for human review. Supervision rules such as FINRA Rule 3110(b)(4) do not demand that a human read every message; they demand a risk-based review whose design and operation the firm can evidence. A program that scores the whole captured population and documents how exceptions were handled can evidence that. A program that relies on a manual sample of desk calls, drawn from a channel that now carries a minority of conversations, usually cannot.

Records that are defensible, not just present

The final characteristic is the one that most often separates firms that survive regulatory examination from those that do not: the records are not just captured but defensible. They carry metadata that establishes authenticity: capture timestamp, device identifier, channel, and participant identity. They are retained in a format that is accessible and producible, and for US broker-dealers in a storage system that meets SEC Rule 17a-4(f), which requires either non-rewritable, non-erasable (WORM) media or, since the 2022 amendments, a complete time-stamped audit trail of any modification or deletion. They can be searched, filtered and exported in response to a specific regulatory or legal request without a multi-week internal project.

A conversation record that exists but cannot be produced efficiently under pressure has limited compliance value. The firms that have been fined include some that had significant volumes of mobile communication records — they simply could not produce them in the form and timeframe regulators required.
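
The supervision and record-integrity points in the two sections above, as an added worked example that is not code from the original article or from Spoke: a Python pass that scores a constructed set of captured conversations against an illustrative risk lexicon, reports which known conversations could not be supervised at all because they happened off-channel, flags records reviewed later than a review window, hash-chains the records so a later edit or deletion is detectable, and produces a filtered export for a records request. The channel names, the lexicon, the 24-hour window and every record are assumptions constructed for the example; nothing here is a regulator's rule set.

```python
"""Supervision and record-integrity pass over captured conversation records.

Added example, not code from the article or any vendor. The channel list, risk
lexicon, review window and sample records are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone

# Assumption: channels the firm's capture layer actually records.
MONITORED_CHANNELS = {"desk_phone", "managed_mobile", "managed_sms"}

# Assumption: phrases a review team might flag. Plain substring match keeps it simple.
RISK_PATTERNS = {
    "guarantee": "performance guarantee language",
    "off the record": "attempt to avoid recording",
    "text me on whatsapp": "steering to an unmonitored channel",
    "delete this": "record destruction",
}


@dataclass(frozen=True)
class Conversation:
    conv_id: str
    ts: str          # ISO-8601 capture timestamp with UTC offset
    channel: str
    device_id: str   # handset or desk set that produced the record
    staff: str
    counterparty: str
    text: str        # transcript or message body


def score(conv):
    """Labels of every rule the text trips; an empty list means it passes."""
    lowered = conv.text.lower()
    return [label for phrase, label in RISK_PATTERNS.items() if phrase in lowered]


def coverage(convs):
    """Share of known conversations that landed on a monitored channel. Off-channel
    ones are only known here because someone reported them (e.g. by attestation)."""
    on = sum(1 for c in convs if c.channel in MONITORED_CHANNELS)
    return on / len(convs) if convs else 0.0


def supervise(convs, now, window=timedelta(hours=24)):
    """Score the whole captured population. Returns (exceptions, overdue, unsupervisable):
    rule hits for human review, records scored later than `window` after capture,
    and conversations on channels the firm never captured."""
    exceptions, overdue, unsupervisable = [], [], []
    for c in convs:
        if c.channel not in MONITORED_CHANNELS:
            unsupervisable.append(c.conv_id)
            continue
        hits = score(c)
        if hits:
            exceptions.append((c.conv_id, hits))
        if now - datetime.fromisoformat(c.ts) > window:
            overdue.append(c.conv_id)
    return exceptions, overdue, unsupervisable


def chain(convs, seed=b"\x00" * 32):
    """Hash-chain records in capture order: editing or dropping one record changes
    every digest from that point on. Complements WORM or audit-trail storage."""
    digest, out = seed, []
    for c in sorted(convs, key=lambda c: c.ts):
        payload = json.dumps(asdict(c), sort_keys=True).encode()
        digest = hashlib.sha256(digest + payload).digest()
        out.append(digest.hex())
    return out


def verify_chain(convs, expected, seed=b"\x00" * 32):
    """True only if recomputing the chain reproduces the stored digests."""
    return chain(convs, seed) == expected


def produce(convs, staff=None, since=None, until=None):
    """Filter records for a request (e.g. one adviser, one date range) and return
    them as JSON lines with all metadata intact."""
    rows = []
    for c in sorted(convs, key=lambda c: c.ts):
        t = datetime.fromisoformat(c.ts)
        if (staff and c.staff != staff) or (since and t < since) or (until and t > until):
            continue
        rows.append(json.dumps(asdict(c), sort_keys=True))
    return "\n".join(rows)


# Constructed sample: three captured conversations and one reported but never captured.
NOW = datetime(2025, 3, 3, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Conversation("c1", "2025-03-03T09:15:00+00:00", "managed_mobile", "ios-7f3a", "broker.a",
                 "client.x", "Confirming the order for 500 shares at market. Disclosures sent this morning."),
    Conversation("c2", "2025-03-03T09:40:00+00:00", "managed_sms", "ios-7f3a", "broker.a",
                 "client.x", "Honestly this fund is a guarantee, you can't lose. Text me on WhatsApp and I'll explain."),
    Conversation("c3", "2025-03-01T16:05:00+00:00", "desk_phone", "desk-204", "adjuster.b",
                 "claimant.y", "Your claim is approved pending the inspection report."),
    Conversation("c4", "2025-03-02T18:30:00+00:00", "personal_whatsapp", "unknown", "broker.c",
                 "client.z", "[not captured; reported via quarterly attestation]"),
]

if __name__ == "__main__":
    print(f"coverage: {coverage(SAMPLE):.0%}")
    exc, late, blind = supervise(SAMPLE, NOW)
    print("exceptions:", exc, "| scored outside window:", late, "| unsupervisable:", blind)
    print("chain head:", chain(SAMPLE)[-1])
    print(produce(SAMPLE, staff="broker.a"))
```

Run as a script it reports 75% coverage, one exception (c2 trips both the guarantee and the channel-steering rules), c3 as scored outside the 24-hour window, and c4 as a conversation that cannot be supervised because it was never captured. The substring lexicon is a stand-in for whatever scoring a firm actually uses; the point is that it runs over every captured record and leaves a record of what it found. The hash chain makes tampering detectable but is not itself 17a-4(f) storage; it sits alongside the WORM or audit-trail system that holds the records.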

Mobile Compliance FAQs

Does FINRA Rule 4511 really apply to personal device communications?

Yes. The SEC's Division of Examinations has confirmed in multiple staff bulletins and through its enforcement actions that the recordkeeping rules apply to business communications regardless of device or platform. The enforcement actions of 2022–2025 fined firms specifically for failing to capture business communications conducted on personal iPhones and via WhatsApp. The device being personal does not exempt the communication from the recordkeeping obligation.

Can we solve this with a mobile device management policy?

MDM gives the firm control over the device — encryption, remote wipe, application restrictions. What it does not do is capture and retain the content of business communications in a regulatory-compliant format. MDM is a device governance tool. Communication compliance requires infrastructure that captures the content of conversations, not just the device they happen on. Some firms use both: MDM handles device security, the communication infrastructure handles content capture and retention.

What about staff who refuse to use a corporate communication tool on their personal phone?

This is the central practical challenge of mobile compliance and it is not solved by policy. Staff resistance to corporate tools on personal devices is consistent and well-documented. The most effective approaches share a common feature: the compliant option is not materially different from the non-compliant one in terms of user experience. A communication system that works like a normal phone app, from the device the staff member already carries, with no requirement to carry a second phone, achieves adoption rates that policy-based approaches do not.

How does mobile compliance work for field-based teams — healthcare, insurance, retail?

The compliance requirement is the same for field teams as for office-based ones — the infrastructure challenge is different. Field staff communicating from their car, from a patient's home, or from a dealership floor need a solution that works on the device they carry without requiring connectivity infrastructure that may not be available. Solutions designed for field deployment prioritise mobile-first operation, offline capability, and synchronisation when connectivity is restored. The compliance obligation does not pause when a staff member leaves the office.

What is the personal liability for a CCO if mobile conversations go unrecorded?

Personal liability under conduct regimes like the FCA's SMCR depends on whether the individual took reasonable steps to implement appropriate governance given the risks they were or should have been aware of. A CCO who identified mobile communication risk, escalated it to the board, and implemented a remediation program with demonstrable progress is in a materially different position than one who identified the risk and took no action. The enforcement trend toward personal accountability makes the documentation of the CCO's own awareness and response as important as the compliance program itself.

“Our brokers need to be mobile, but we couldn’t afford the compliance blind spots that came with that. Spoke gave us visibility into mobile calls and messages without slowing our teams down — and we’ve seen measurable improvements in both risk and performance.”

National Insurance Brokerage Firm

See how Spoke protects your company from fines

Book time with our sales and solutions engineers to talk about your mobile workforce and how Spoke can help you protect yourself from compliance risk and fines.