While the splashy headlines about the SEC’s enforcement of off-channel reporting rules may not be hitting our newsfeeds anymore, more subtle but no-less-impactful sanctions are being levied by FINRA, Jamie Hoyle of MirrorWeb writes. Firms that allowed their safeguards to drift during a quieter enforcement period are playing with fire.
Between 2021 and early 2025, the SEC and CFTC turned off-channel recordkeeping into one of the most heavily penalized compliance failures in recent memory — hundreds of millions in fines across dozens of firms for conduct as seemingly mundane as using WhatsApp to discuss client business.
Then the SEC stepped back. A new administration signaled less interest in technical recordkeeping violations, pivoting toward fraud and investor harm cases instead. No new off-channel enforcement actions followed in the first half of 2025. For many broker-dealers, the conclusion was straightforward: The pressure is off.
What that conclusion missed was that one regulator going quiet doesn’t mean the issue goes quiet with it. The rules haven’t changed. The obligation to capture, retain and supervise off-channel communications is exactly what it was in 2021. What changed was the enforcement spotlight, and firms that have mistaken a quieter SEC for a changed regulatory landscape are building an exposure that will surface eventually.
What FINRA was doing while everyone watched the SEC
The SEC’s headline fines dominated the off-channel conversation so completely that FINRA’s parallel enforcement activity barely registered. Operating independently, FINRA runs its own cycle examinations, issues fines under its own authority and sets its own enforcement priorities.
The two organizations share a rulebook but not a calendar. A firm that concluded the off-channel pressure had eased in mid-2025 was making a judgment about FINRA based entirely on SEC behavior, and 2025 showed exactly what that assumption costs.
While the compliance industry was processing the administration change and watching for signals from the new SEC, FINRA kept issuing fines. In June 2025, Velox Clearing received $1.3 million in FINRA sanctions — plus a further $500,000 from the SEC — for off-channel failures uncovered during a routine cycle examination. The firm’s CEO and senior staff had routinely conducted client business over WeChat. Over 10,000 messages went unretained. Compliance had flagged it, but nothing was done.
Enforcement continued. In October, a former Wells Fargo Advisors broker was fined and suspended for engaging in off-channel messaging and deleting the evidence. A $65,000 fine against a member firm followed in November. In 2026, FINRA barred an individual from associating with any member firm for off-channel communications use entirely. Where the SEC sweep largely targeted institutions, FINRA is increasingly holding individuals personally accountable. Personal devices can bring personal liability.
2026 & beyond
FINRA’s 2026 oversight report is the clearest available signal of where examiner attention is heading. Electronic communications capture failures, off-channel use and inadequate supervision procedures all feature explicitly as findings from recent examinations. More than 50 times across the report, FINRA flags recordkeeping lapses
The emphasis throughout is on supervision programs — whether firms have written procedures that reflect actual practice, whether those procedures are being enforced and whether senior management is genuinely accountable for outcomes. For broker-dealers planning their compliance priorities for 2026, this document deserves serious attention before the next cycle examination, not after.
For mid-market firms, the SEC’s billion-dollar enforcement wave was always a somewhat distant threat. Those headline actions mostly landed on major Wall Street institutions. The SEC broadly leaves broker-dealer examinations and discipline to FINRA, except at the top end of the market. The more immediate risk has always been the FINRA cycle examination.
An examiner finding off-channel failures in a routine exam doesn’t generate a headline, but it does generate findings, remediation requirements and heightened supervision plans, consequences that disproportionately hit a mid-market firm and linger well after the examination closes.
The Velox case is instructive precisely because compliance knew there was a problem. Knowing and acting are different things, and FINRA’s examiners are well aware of that gap. The absence of news is not the absence of risk.
Jamie Hoyle is vice president of product for MirrorWeb, a provider of communications archiving and surveillance software. 
