
The Compliance Defensibility Gap

June 24, 2026


Most firms believe their communication records are adequate, until they are asked to produce them.

A regulatory examination is not the moment to discover that your communication records are incomplete. A customer dispute is not the moment to discover that the call your advisor had with a client six months ago cannot be produced.

$2bn: total regulatory fines and settlements involving communication record failures in the US, 2020–2025.

Rising: regulators are focusing on communications as mobile use and off-channel communications increase.

The defensibility gap, the distance between the records a firm believes it has and the records it can actually evidence under scrutiny, is one of the most consistent and most avoidable sources of regulatory and legal exposure in regulated businesses today.

The pattern described below is a composite, drawn from multiple examination experiences across regulated industries, with customer identifying details changed.

The request arrived on a Tuesday morning. A regulatory examiner, fifteen minutes into a routine examination of a mid-sized wealth management firm, asked for the records of all communications between three named advisors and eleven named clients over a fourteen-month period.

The compliance team knew what the answer should be. They had a record-keeping policy. They had a call recording system. They had retention schedules and a compliance program that had passed its last internal audit.

What they did not have was a clean answer to the question that followed: could they produce those records, all of them, across all channels those advisors used, in a searchable and exportable format? And could they do it within five business days?

The answer was no. The call recording system captured desk calls. The advisors used personal mobile phones for over half their client conversations. There were WhatsApp messages that had never entered the firm's record-keeping infrastructure. There were emails in personal accounts. The records existed in fragments, across channels the firm had not monitored, in formats that could not be efficiently searched or produced.

The examination that had been routine quickly became something else.

This is not an unusual story. The details vary (the sector, the channel, the specific gap), but the structure repeats across financial services, insurance, and healthcare with stubborn regularity. Firms discover their communication records are inadequate not when they are building the compliance program, but when someone asks a question the program cannot answer.

What is the compliance defensibility gap and how does it form?

The defensibility gap is the distance between the communication records a regulated business believes it has and the records it can actually produce, in usable form, under regulatory or legal scrutiny.

It is not, in most cases, caused by negligence. Firms with a significant defensibility gap usually have a compliance program, a record-keeping policy, and people who take their obligations seriously. The gap forms because the communication channels the compliance program was built around and the communication channels the business actually uses have diverged. It happens gradually, without any single decision that created the problem.

Ten years ago, most regulated business communication happened on desk phones and formal email. The compliance infrastructure of most regulated businesses was built for this environment. Call recording systems captured desk calls. Email archiving retained business correspondence. The compliance program covered the channels that mattered.

Then communication changed. Advisors started calling clients from personal iPhones. Adjusters started texting claimants because it was faster. Care coordinators started following up with patients via WhatsApp because patients preferred it. Teams started using messaging apps that were never enrolled in the firm's archiving infrastructure. The communication moved. The compliance infrastructure did not follow.

$2B+ — Total regulatory fines and settlements involving communication record failures in US regulated industries from 2020–2025. The majority of cases involved records that existed on unmonitored channels rather than records that were deliberately destroyed. (Source: SEC and CFTC enforcement records, compiled 2025)

The result is a defensibility gap that most firms have not measured and many do not know they have. The gap has three dimensions worth understanding separately, because each creates a different kind of exposure.

The coverage gap — conversations that happened on channels the firm does not monitor and therefore has no record of. Personal mobile calls, WhatsApp, Signal, personal email. The conversation happened. The record does not exist.

The completeness gap — conversations that were partially captured but not completely. A desk call was recorded but the follow-up WhatsApp message that changed what was agreed was not. A meeting was documented in a CRM note but the phone call before it that established the context was not captured. The record exists but it does not tell the full story.

The producibility gap — conversations that were captured but cannot be efficiently produced in response to a specific request. Records held in legacy systems requiring manual extraction. Recordings in formats that cannot be searched by participant, date range, or topic. Archives that are technically compliant but practically inaccessible. The record exists, is theoretically retainable, but cannot be produced within a timeframe regulators or courts consider acceptable.

Each dimension creates a different kind of problem in a different kind of proceeding. Understanding which gap you have (and most firms have more than one) is the starting point for addressing it.

What happens when the gap is exposed?

The consequences of the defensibility gap surface in three contexts: regulatory examinations, customer disputes, and litigation. They operate on different timelines and involve different parts of the organization, but they share a common feature — the discovery that records are inadequate comes at the worst possible moment, when the firm is already under scrutiny.

Regulatory examinations

Regulatory examinations in financial services, healthcare, and insurance routinely include requests for communication records. The request may be targeted to specific advisors, specific clients, or specific time periods, or it may be broad, covering categories of communication over extended periods. In either case, the firm's ability to respond completely and quickly is itself being assessed, not just the content of the records.

A firm that cannot produce complete records within the requested timeframe faces compounding consequences. The incomplete production is itself a finding. It triggers requests for explanation, which raise questions about whether the gaps are systematic or isolated, and so on. What often begins as a simple, unrelated request becomes a full examination of the entire compliance and record-keeping program. Now the whole company is in scope for regulatory action, regardless of what the original examination was focused on.

"The examination that concerns me most is not the one where we have records of something bad. It is the one where we cannot produce records at all. The first problem is addressable. The second raises questions that are much harder to answer." — General Counsel, US regional broker-dealer

The SEC's enforcement actions involving off-channel communication failures are instructive. The fines were not imposed primarily because the conversations contained regulatory violations — some did, many did not. They were imposed because the conversations happened on channels the firms were not monitoring, creating records the firms could not produce. The absence of the record was the violation.

Customer disputes

Customer disputes in regulated industries frequently turn on "what was said" during a conversation. What was represented about a product's risk profile, what was disclosed about fees, what was promised about a claims process. When a dispute escalates to a formal complaint or regulatory referral, the communication record becomes the primary evidence.

A firm with complete, searchable communication records can review the relevant conversations, assess the merits of the dispute, and respond from a position of factual confidence. A firm with a defensibility gap responds to the same dispute without knowing what was actually said. The settlement calculus changes significantly when the firm cannot establish what happened.

Litigation

In litigation involving regulated businesses, communication records are a standard subject of discovery. The scope of discovery requests has expanded significantly in recent years, driven by parties who understand that the records on unmonitored channels are often the most revealing. A discovery request specifically asking for communications on personal mobile devices, WhatsApp, and messaging platforms is increasingly routine in this sector.

A firm that cannot produce these records faces sanctions for failure to produce. A firm that produces records selectively, because it only monitored some channels, faces questions about why other channels were not monitored and what those channels might contain. The defensibility gap that was a compliance problem before, becomes a litigation problem with a much different cost structure.

Spoke Phone captures, retains, and makes searchable every business conversation — desk and mobile — in a format built for enterprise regulatory requirements.

Which firms are most exposed and why?

The defensibility gap is not uniformly distributed across regulated businesses. Certain firm characteristics consistently correlate with larger gaps and higher exposure.

Mobile and field-based workforces

The single strongest predictor of a significant defensibility gap is the proportion of client-facing staff who operate primarily on mobile devices or in the field. Insurance adjusters, financial advisors who visit clients, healthcare teams across multiple sites, sales staff — these populations communicate with customers from wherever they are, on whatever device is most convenient. In most firms, that device is a personal mobile phone that was never enrolled in the record-keeping infrastructure.

The coverage gap for these workforces is not marginal. In firms with primarily field-based client-facing staff, a majority of regulated customer conversations may be happening on channels the compliance program has never reached.

Firms that have grown through acquisition

Mergers and acquisitions in regulated industries frequently produce defensibility gaps that neither party had individually. The acquiring firm's communication infrastructure and the acquired firm's were built independently: different systems, different channel policies, different retention schedules. Post-merger integration addresses technology, branding, and organizational structure. Communication compliance infrastructure sits lower on the priority list, so the gap between the two firms' records sits unaddressed for months or years after the transaction closes.

Regulators examining merged entities have become more attentive to this. A post-merger examination covering both the period before and after the transaction will look for records from both legacy environments. If one environment did not capture mobile communications and the other did, the combined entity's records are incomplete for the period before integration was complete.

| Firm characteristic                 | Coverage gap | Completeness gap | Producibility gap |
|-------------------------------------|--------------|------------------|-------------------|
| Primarily desk-based, single site   | Low          | Medium           | Low–Medium        |
| Mixed desk and mobile workforce     | High         | High             | Medium            |
| Primarily field-based or mobile     | Very High    | High             | High              |
| Grown through acquisition           | Medium       | Very High        | High              |
| Legacy communication systems        | Low–Medium   | Medium           | Very High         |
| Recent rapid headcount growth       | High         | Medium           | Low               |

Firms with legacy communication infrastructure

Firms that built their communication infrastructure before cloud-based solutions became standard often have the producibility gap in its most acute form. Records exist. They meet technical retention requirements. But they are held in systems not designed for rapid, targeted production: extraction is manual and slow, formats are not searchable, and archives require specialist access. When a request arrives for specific records within a tight regulatory timeframe, the system that was adequate for retention proves inadequate for production.

The strongest sign of a defensibility gap is how many customer-facing employees work on mobile devices or out in the field.

How do you close the defensibility gap?

Closing the defensibility gap is a program, not a project. It involves identifying which gaps a firm has, prioritising them by exposure, and implementing infrastructure and process changes in the right sequence. The firms that have done this most effectively share a common approach worth describing as a framework.

Start with a gap assessment, not an infrastructure purchase

The first move is understanding what the firm's actual communication record looks like, not what the policy says it should look like. This means mapping where regulated conversations actually happen, on which channels, which devices, and which staff populations. Then comparing that map to what the current infrastructure captures.

This exercise consistently produces surprises. Firms that believed their mobile gap was limited to a small number of field staff discover it extends much further. Firms that believed their email archiving was comprehensive often discover significant volumes of business communication in accounts that were never enrolled. The gap assessment is not comfortable, but it is necessary.

Close the coverage gap before addressing completeness and producibility

The coverage gap, conversations on channels the firm does not monitor, is the most serious exposure because it produces liability where no records exist. Records that are incomplete or difficult to produce are a problem. Records that do not exist at all are a different category of problem.

Closing the coverage gap means extending the firm's communication infrastructure to the channels and devices where regulated conversations are actually happening. For most firms this primarily means mobile. The full treatment of what this requires is covered in our piece on mobile communication compliance. The sequencing principle here is: coverage first, completeness second, producibility third.

Build for production, not just retention

Retaining records in a format that meets regulatory minimums is not the same as retaining records that can be efficiently searched and produced in response to a specific request. The practical requirements of defensible communication records go beyond storage. Records need metadata establishing authenticity, such as timestamps, device identifiers, and participant identities. They need to be searchable by participant, date range, channel, and keyword. They need to be exportable in formats regulators and courts can receive and process. And the retrieval process needs to work within days, not weeks.

A firm whose records meet retention requirements but cannot be efficiently produced has met the letter of the obligation, but failed in its purpose.
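As an added illustration that is not part of the original article, the following Python sketch models the three gap dimensions and the production check described above against a small constructed archive. The field names, channel labels, and sample records are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Metadata the article lists as establishing authenticity; the field names are assumed.
REQUIRED_METADATA = ("timestamp", "channel", "participants", "device_id")


@dataclass(frozen=True)
class Record:
    timestamp: datetime
    channel: str
    participants: frozenset
    device_id: str = ""  # empty when the capturing system recorded no device identity


def missing_metadata(rec: Record) -> list:
    """Authenticity fields a regulator would expect but which this record lacks."""
    return [f for f in REQUIRED_METADATA if not getattr(rec, f)]


def coverage_gap(channels_in_use: set, channels_captured: set) -> set:
    """Coverage gap: channels where regulated conversations happen but nothing is captured."""
    return channels_in_use - channels_captured


def select_for_production(records, staff, clients, start, end, channels=None):
    """Records where a named staff member spoke with a named client inside the window."""
    hits = []
    for r in records:
        if not (start <= r.timestamp <= end):
            continue
        if channels is not None and r.channel not in channels:
            continue
        if r.participants & staff and r.participants & clients:
            hits.append(r)
    return hits


def production_report(records, staff, clients, start, end) -> dict:
    """Producibility check: what matches the request, and what cannot be authenticated."""
    hits = select_for_production(records, staff, clients, start, end)
    return {
        "matched": len(hits),
        "by_channel": dict(Counter(r.channel for r in hits)),
        "not_producible": sum(1 for r in hits if missing_metadata(r)),
    }


# Constructed sample archive (not real data): one advisor and two named clients.
STAFF = {"advisor.a"}
CLIENTS = {"client.x", "client.y"}
WINDOW = (datetime(2025, 1, 1), datetime(2025, 12, 31))
ARCHIVE = [
    Record(datetime(2025, 3, 4, 10, 0), "desk_call", frozenset({"advisor.a", "client.x"}), "desk-0421"),
    Record(datetime(2025, 3, 4, 11, 30), "whatsapp", frozenset({"advisor.a", "client.x"})),  # no device id
    Record(datetime(2024, 11, 2, 9, 0), "email", frozenset({"advisor.a", "client.y"}), "mail-gw-1"),  # before window
    Record(datetime(2025, 6, 9, 14, 0), "mobile_call", frozenset({"advisor.a", "client.z"}), "sim-7781"),  # client not named
]
# Channels the gap assessment found staff actually using; "signal" has no capture at all.
CHANNELS_IN_USE = {"desk_call", "email", "mobile_call", "whatsapp", "signal"}

if __name__ == "__main__":
    print("coverage gap:", coverage_gap(CHANNELS_IN_USE, {r.channel for r in ARCHIVE}))
    print("production report:", production_report(ARCHIVE, STAFF, CLIENTS, *WINDOW))
```

The report separates records that match the request from those that match but lack authenticating metadata, which is the distinction between retention and production the section draws.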

Document the program itself

A documented gap assessment, a remediation plan with milestones, and evidence of progress change the regulatory conversation significantly. The gap still exists, but instead of a governance failure, regulators see an acknowledged risk under active management. Regulators examining communication compliance programs look for two things simultaneously: the records themselves and the program that was supposed to produce them. The organization that can demonstrate it identified its gaps, escalated them at the appropriate governance level, and is executing a systematic remediation has a defensible position even while the gaps remain.

FAQs - Regulatory defense questions we often get asked

How do we know if we have a defensibility gap?

The fastest diagnostic is one question: if a regulator requested all communications between three of our client-facing staff and ten named clients over the past eighteen months, across every channel those staff used, could we produce a complete record within five business days? If the honest answer is no, or if answering requires assumptions about channels you have not verified, you have a gap. The follow-up is where: which channels are not captured, which populations are not covered, and whether your production capability matches your retention capability.

Is this primarily a financial services issue?

No. The pattern repeats across every regulated sector. Healthcare organizations face it with patient communication — HIPAA applies to any channel used to communicate protected health information regardless of whether the organization built the system or not. Insurance firms face it with claims communication. High-value retail with regulated finance components faces it with sales conversations. The regulatory frameworks differ. The underlying problem is the same.

What is the personal exposure for a GC or CCO if a gap is discovered?

Personal exposure depends on what the individual knew, when they knew it, and what they did about it. Under the FCA's SMCR, and under the personal accountability frameworks developing in US financial services regulation, a senior individual who was aware of a communication compliance gap and took no steps to address it faces different scrutiny than one who identified the gap, escalated it appropriately, and was executing a remediation program. The documentation of awareness and response is as important as the remediation itself.

How quickly can the coverage gap be closed for a mobile workforce?

Most firms can extend compliant communication infrastructure to a mobile workforce within eight to twelve weeks of beginning implementation. The implementation does not require replacing existing devices or deploying separate corporate phones, as good compliant communication solutions operate as an application layer on existing devices. Staff use their phones normally. The infrastructure captures the conversation.

What do we do about conversations that have already happened on unmonitored channels?

Historical conversations on unmonitored channels are generally not recoverable without legal process. The appropriate posture is to treat them as legacy exposure rather than attempt reconstruction. Conduct a gap assessment to understand the scope of historical exposure, brief legal counsel, document the assessment and remediation plan, and implement compliant infrastructure from a defined date. Draw a clean line and make it defensible. Regulators understand that coverage was not always complete, and what they look for is that the organization has identified its gaps and is systematically closing them.

“Spoke provides our team with freedom of communication. They have access to the rich feature set of an enterprise telephone system right on their mobile phone. Our team members have conversations with each other and/or our customers from anywhere. We are no longer tied to our desk phone. Importantly, our team can also control when they are available for calls and easily access voicemail and call recordings.”

Martin Gamble
Gamcorp

See how Spoke Solves Your Defensibility Gap

Book time with experts. They can advise broadly and talk about real customer projects we've been part of.