Glossary

Regulatory Compliance Terms & Definitions

A plain-language glossary of key financial compliance terms, from FINRA and SEC rules to WORM storage, NLP, and off-channel communications.

A

AES-256 (Advanced Encryption Standard 256)

Established by the U.S. National Institute of Standards and Technology (NIST) in 2001, AES is a symmetric encryption algorithm. The 256-bit key length provides high security, which makes AES-256 suitable for protecting sensitive information across government, financial, and commercial systems worldwide.

AREF (Advertising Regulation Electronic Filing)

FINRA’s online portal used by broker-dealers to submit advertising and public communications materials for regulatory review under Rule 2210. Firms required to pre-file content — particularly those in their first year of operation — use AREF to upload materials in a variety of formats including PDF, video, HTML, and more. Submissions through AREF are reviewed by FINRA’s Advertising Regulation Department, which may request revisions before a firm is permitted to use the content publicly.

AWS KMS (Key Management Service)

An Amazon Web Services (AWS) managed service for creating, storing, and controlling the encryption keys used by other AWS services and applications, backed by hardware security modules validated to FIPS 140-3 Security Level 3.

Audit Trail

A chronological, tamper-evident log that records all actions, changes, and events within a system, including who performed them, when, and from where. Audit trails are essential for demonstrating accountability, reconstructing past activity during regulatory exams, and detecting unauthorized or suspicious behavior. Under regulations like SEC Rule 17a-4, maintaining complete and accurate audit trails is a core recordkeeping requirement for broker-dealers.

B

BCBS 239 (Principles for Effective Risk Data Aggregation and Risk Reporting)

A Basel Committee on Banking Supervision standard setting 14 principles for how global systemically important banks (G-SIBs) and domestic systemically important banks (D-SIBs) aggregate risk data and produce risk reports. Issued in 2013, BCBS 239 sets expectations for the governance, data architecture, accuracy, integrity, completeness, timeliness, and adaptability of risk-data pipelines, and for their supervisory review. Although written for risk reporting, global supervisors - including the ECB Single Supervisory Mechanism - increasingly apply BCBS 239 data-lineage and integrity principles as a benchmark for broader bank data governance, including AI activity records and communications surveillance pipelines.

BYOD (Bring Your Own Device)

A workplace policy allowing employees to use personal devices (phones, tablets, laptops) for business activities. Under SEC Rule 17a-4 and FINRA Rule 4511, firms remain responsible for capturing and retaining business communications on personal devices, regardless of device ownership. The compliance challenge: personal devices operate outside firm control, making message capture and recordkeeping complex. FINRA Rule 3110 requires documented Written Supervisory Procedures (WSPs) specifically addressing BYOD.

Backfill (Historical Capture)

Capturing communications that pre-date the day a platform is connected to the archive, so the record includes relevant history rather than only messages going forward. Complements ongoing real-time archiving.

BrokerCheck

A FINRA tool that provides public background information on brokers and firms, including registration history and disclosures. A link to BrokerCheck is required on web pages that carry registered representative profiles.

Business-as-such Record

A communication is a business record - and must be retained - when it relates to the firm's business, regardless of the app or device it was sent on. It is why a deal discussed over WhatsApp or a personal text message can still carry a recordkeeping obligation.

C

CRD#

Central Registration Depository Number — a unique FINRA ID assigned to registered reps and principals. Used when logging or approving content.

Chain-of-Custody Preservation

A documented process tracking who handled data, when, and why, from its origin to its final use. In practice you will more often hear the term "audit trail"; chain-of-custody preservation is largely the legal term for the same idea.

Compliance Testing

An auditing process that verifies adherence to internal policies, external regulations (e.g., SEC and FINRA rules), and legal requirements. This includes testing for compliance with standards such as the Sarbanes-Oxley Act (SOX).

Continuous Monitoring

The ongoing process that records the handling of evidence, from collection through safeguarding and analysis. It logs who handled the data or evidence, when it was collected or changed hands, and why, so that the integrity and traceability of the evidence can be demonstrated at any point.

Correspondence Communication

One-on-one or small group communications sent to 25 or fewer retail investors in any 30-day period. Example: a personal email to a prospect. Requires internal review, not pre-filing. View our in-depth regulation guide for FINRA 2210 here.

Cryptographic Hash Chain

A method of linking digital records so that a sequence of events, messages, or entries can be shown not to have changed. Each hash in the chain incorporates the previous hash, so every link depends on all the records before it; altering, removing, or inserting a record breaks every subsequent link. This makes integrity easy to verify and undetected forgery nearly impossible.

Custodian (Employee)

In a compliance or eDiscovery context, the custodian is the person whose records are being archived or reviewed - the employee whose emails, chats, and messages a firm is responsible for retaining and producing. Distinct from Secure Custodian below, which is the system or provider that holds the data.

D

DORA (Digital Operational Resilience Act)

An EU regulation that entered into force on 17 January 2025, applying to every EU financial entity (banks, insurers, investment firms, crypto-asset service providers) and the ICT third-party providers that serve them. DORA mandates ICT risk management, incident reporting, digital operational resilience testing, and oversight of critical third parties. AI systems and communications platforms used in regulated workflows fall within DORA's scope of operational resilience evidence.

Data Residency

Where data is physically stored - which country or region. Regulations such as the EU's GDPR (through its rules on transfers outside the EEA) and China's PIPL can restrict where regulated or personal data may be stored or transferred, which matters most for multinational firms. Comma can place a customer's archive in the region a firm's rules require.

Data Sovereignty

The principle that data is subject to the laws of the country where it's stored or collected - the legal reasoning behind data-residency requirements.

Disposition (Defensible Deletion)

The controlled, documented deletion of records once their retention period has expired and no legal hold applies. Defensible means the deletion follows a consistent, logged policy, so a firm can show a regulator it disposed of records by the book rather than arbitrarily.

E

EU AI Act

A European Union regulation classifying AI systems by risk tier and imposing obligations accordingly. Article 12 requires high-risk AI systems to keep automatically generated logs traceable to events relevant for risk identification and supervisory inspection. Article 14 requires effective human oversight. Annex III enumerates high-risk use cases including creditworthiness assessment, insurance pricing, employment decisions, and access to essential financial services. General-purpose AI obligations took effect August 2025; high-risk-system obligations are scheduled for 2 December 2027.

eDiscovery (Production)

The process of identifying, collecting, and producing electronic records in response to litigation, an investigation, or a regulatory request. The production is the deliverable - the set of records handed over - in a readable, reviewable form, with an audit trail showing they weren't altered.

F

FINRA

The Financial Industry Regulatory Authority (FINRA) is a non-profit organization that acts as a self-regulatory body for broker-dealers in the U.S. Its main mission is to promote fairness in the markets and protect investors. However, not every financial professional or firm involved in investing is required to register with FINRA — for example, registered investment advisors (RIAs) fall under a different regulatory framework.

Fixity (Fixity Check)

Proof that a stored record hasn't changed since the moment it was archived. A fixity check recomputes the record's cryptographic hash (see SHA 256) and compares it to the value captured at archiving; if they match, the record is intact. Regular fixity checks catch silent corruption or tampering and are a hallmark of a trustworthy archive.
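The hash-chain and fixity-check mechanism described under Cryptographic Hash Chain and Fixity above, as an added example that is not part of this glossary or of any archive vendor's product: each record's SHA-256 content hash is the fixity baseline captured at archiving, and each chain link commits to the previous link, so editing, deleting, or truncating a record is reported at the first broken entry. The record fields, the sample messages, and the genesis value are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample records standing in for archived messages (not real data).
SAMPLE_RECORDS = [
    {"id": "msg-0001", "custodian": "alice", "channel": "whatsapp",
     "ts": "2024-03-01T09:15:00Z", "body": "Can we move the pricing call to 3pm?"},
    {"id": "msg-0002", "custodian": "alice", "channel": "whatsapp",
     "ts": "2024-03-01T09:17:00Z", "body": "Sure, I will send the revised term sheet."},
    {"id": "msg-0003", "custodian": "bob", "channel": "sms",
     "ts": "2024-03-01T11:02:00Z", "body": "Client approved the allocation."},
]

GENESIS = "0" * 64  # constructed previous-link value for the first chain entry


def record_hash(record: dict) -> str:
    """Content hash captured at archiving time (the fixity baseline).

    Keys are sorted and whitespace removed so the same record always
    serializes to the same bytes regardless of dict ordering."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def link_hash(prev_link: str, content_hash: str) -> str:
    """Chain link: commits to the previous link and this record's hash,
    so it transitively depends on every earlier record in the archive."""
    return hashlib.sha256((prev_link + content_hash).encode("ascii")).hexdigest()


def build_chain(records: list[dict]) -> list[dict]:
    """Produce one chain entry per record, in archiving order."""
    chain = []
    prev = GENESIS
    for rec in records:
        h = record_hash(rec)
        entry = {"id": rec["id"], "content_hash": h, "prev": prev, "link": link_hash(prev, h)}
        chain.append(entry)
        prev = entry["link"]
    return chain


def fixity_check(record: dict, entry: dict) -> bool:
    """Recompute the record's hash and compare it to the value stored at archiving."""
    return hmac.compare_digest(record_hash(record), entry["content_hash"])


def verify_chain(records: list[dict], chain: list[dict]):
    """Walk the chain from genesis. Returns (True, None) if every record passes
    its fixity check and every link is consistent, otherwise (False, index) with
    the position of the first failing entry (covers edits, deletions, truncation)."""
    if len(records) != len(chain):
        return False, min(len(records), len(chain))
    prev = GENESIS
    for i, (rec, entry) in enumerate(zip(records, chain)):
        if not hmac.compare_digest(entry["prev"], prev):
            return False, i  # a record was removed or inserted before this point
        if not fixity_check(rec, entry):
            return False, i  # the record content no longer matches its archived hash
        if not hmac.compare_digest(entry["link"], link_hash(prev, entry["content_hash"])):
            return False, i  # the chain entry itself was rewritten
        prev = entry["link"]
    return True, None


if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    print("intact archive:", verify_chain(SAMPLE_RECORDS, chain))
    tampered = [dict(r) for r in SAMPLE_RECORDS]
    tampered[1]["body"] = "Sure, I will send the ORIGINAL term sheet."
    print("edited record:", verify_chain(tampered, chain))
```

A production archive would store the chain entries in WORM storage separately from the records and run `verify_chain` on a schedule, so that a mismatch surfaces as a fixity alert rather than during an exam.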

G

GDPR (General Data Protection Regulation)

European privacy law that gives individuals more control over their personal data. GDPR requires organizations to be transparent about how they collect, process, and store personal information and to respond quickly to data-access or deletion requests.

I

Immutable Archive

A type of data storage in which archived records cannot be deleted, edited, or altered after saving. Required for WORM-compliant record-keeping under SEC Rule 17a-4.

Institutional Communication

Communication intended exclusively for institutional investors (e.g., pension funds, hedge funds). Requires internal approval, but not filing with FINRA.

ISO/IEC 42001 (AI Management Systems)

An international standard published in December 2023 specifying requirements for establishing, implementing, maintaining, and continually improving an AI management system within an organization. ISO/IEC 42001 is to AI what ISO/IEC 27001 is to information security - a management-system framework covering governance, risk assessment, AI lifecycle controls, and continuous improvement. It is increasingly cited in enterprise procurement RFPs and is emerging as a third-party certification expectation for AI vendors.

J

Jurisdiction

The legal and geographic regime whose rules govern a set of records - for example the US, EU, or Hong Kong. A firm's jurisdiction (or jurisdictions) determines which retention periods, privacy laws, and residency requirements apply.

L

Legal Hold

A directive to preserve specific records - tied to litigation, an investigation, or a regulatory inquiry - beyond their normal retention period. While a hold is in place, the affected records can't be deleted or expired, even if their retention window would otherwise end. The hold lifts only when explicitly cleared.

M

MAR (Market Abuse Regulation)

An EU regulation targeting insider dealing, unlawful disclosure of inside information, and market manipulation. MAR requires firms operating in EU financial markets to maintain records of communications and orders related to financial instruments. Captured firm communications - including off-channel and AI-assisted messages - are routinely requested by national competent authorities investigating suspected market abuse.

MFA (Multi-Factor Authentication)

A security protocol that requires users to verify their identity through two or more independent factors before gaining access to a system or application. These factors typically fall into three categories: something you know (a password), something you have (a mobile device or security token), and something you are (a fingerprint or facial recognition). For compliance purposes, MFA is a widely mandated safeguard that significantly reduces the risk of unauthorized access to sensitive client data and archived communications.

Material Non-Public Information (MNPI)

Information about a company that has not been made available to the general public and, if disclosed, could reasonably influence an investor's decision to buy or sell a security. Acting on MNPI to trade securities is considered insider trading and is a serious violation of federal securities law, enforced by the SEC. Firms are required to maintain information barriers to prevent MNPI from flowing between departments and being misused.

Matter / Case

A scoped collection of records assembled for review or production - usually defined by a set of custodians, a date range, and selected sources. The container a compliance or legal reviewer works within during an investigation or eDiscovery request.

Metadata

The contextual “data about your data” that your system automatically captures. Think timestamps, user IDs, message channels, or device types. Metadata helps you reconstruct what happened when, who did it, and where it lived - and for how long.

MiFID II

The EU's Markets in Financial Instruments Directive II. Among its requirements, firms must record and retain communications relating to investment services and orders - including relevant telephone calls and electronic messages - generally for at least five years (up to seven if a regulator requires). The European counterpart to US recordkeeping rules like SEC Rule 17a-4.

N

NIST AI RMF (NIST AI Risk Management Framework)

A voluntary framework published by the US National Institute of Standards and Technology to help organizations manage risks associated with AI systems across their lifecycle. The NIST AI RMF is structured around four functions - Govern, Map, Measure, and Manage - and is widely cited by US federal AI policy and procurement guidance. Frequently paired with EU AI Act conformity to demonstrate cross-jurisdictional AI risk management.

Natural Language Processing (NLP) Analysis

AI that interprets human language to detect risks or automate review, beyond basic keyword matching. For example, in a compliance setting, machine learning could analyze audit trails or chain-of-custody logs to identify suspicious access patterns that might indicate insider threats or policy violations.

O

Object Lock / Immutable Storage

A storage-level control that prevents a record from being changed or deleted until its retention date passes - enforced by the storage system itself, not just by policy. In its strictest ("compliance") setting, not even an administrator can shorten the retention or delete the data early. Cloud providers offer this as S3 Object Lock (AWS) and immutable blob storage (Azure); it's what makes WORM-grade immutability enforceable rather than a policy promise.

Off-channel communications

Also referred to as shadow messaging, off-channel communications are side conversations that happen outside a firm's official, archived channels. From iMessages to LinkedIn DMs, these unofficial forms of communication are risks that need to be captured and monitored. Because new messaging apps keep appearing, off-channel communications are a persistent challenge for compliance teams.

Office of the Comptroller of the Currency (OCC)

The U.S. Treasury bureau that charters, regulates, and supervises all national banks and federal savings associations. If you’re a fintech or broker-dealer with a national bank partner, you’ll often need to align with OCC guidance.

P

PIPL (Personal Information Protection Law)

China's Personal Information Protection Law, a GDPR-style privacy regime. It can require certain operators to store the personal data of people in China within China (and to use approved mechanisms to transfer it abroad), which can affect where a multinational's archive lives. See Data Residency.

Performance Claim

Any statement—actual, hypothetical, or projected—about how an investment, strategy, or firm has performed or is expected to perform (e.g., past returns, back-tested or model performance, guarantees, targets, benchmarks). Under FINRA Rule 2210 a performance claim must be fair and balanced: it can’t omit material risks or fees, can’t promise results, and must disclose how the figure was calculated.

Point-of-Delivery Capture

A compliance archiving method that records business communications at the exact moment they are sent or received, before any device-level actions (deletion, backup, offline sync) can affect them. This captures messages at the source, ensuring they exist independent of device state or user action. Point-of-delivery capture is the compliant method for archiving messages on personal devices and is required to satisfy SEC Rule 17a-4 and FINRA Rule 4511 recordkeeping obligations.

Pre-filing

Submission of public-facing content to FINRA’s Advertising Regulation Department at least 10 business days before it is first used (mandatory during a firm's first year).

R

Regulation S-P

An SEC rule requiring broker-dealers, investment advisors, and investment companies to protect the privacy of customers' non-public personal information. Firms must provide customers with clear privacy notices, explain how their data is shared, and offer opt-out rights for certain disclosures to third parties. Reg S-P also mandates safeguards programs to protect customer data from unauthorized access or misuse.

Real-Time Archiving

Capturing and storing communications (chat, email, SMS, voice) when they occur. Real-time archiving keeps you exam-ready and helps compliance teams spot issues right away rather than weeks later.

Real-Time Flagging

Automatically scanning live conversations or posts for policy violations and alerting your compliance team the moment something risky appears, turning after-the-fact reaction into immediate intervention.

Redaction

Masking or removing privileged, irrelevant, or personal information from a copy of a record before it is produced - without altering the original archived record. The sealed original stays intact; only the produced copy is redacted.

Registered Investment Advisor (RIA)

An individual or firm registered with the SEC or state regulators to provide personalized investment advice for compensation. Unlike broker-dealers, RIAs operate under a fiduciary standard, meaning they are legally required to act in their clients' best interest at all times. RIAs managing over $110 million in assets register with the SEC, while smaller firms register at the state level.

Registered Principal

A FINRA-licensed supervisor (usually Series 24) who must review and approve communications, trading, operational, and sales activity; the person legally accountable for the firm’s compliance in those areas. The activities permitted for registered principals are listed on FINRA's site.

Registered representatives

FINRA-licensed individuals (often Series 7 or 63) who are authorized to solicit and sell securities to clients. Any communication they send, whether an email, a social post, or even a WhatsApp message, falls under FINRA’s review and archiving rules.

Regulatory exams

Formal audits or inspections conducted by regulators (FINRA, SEC, OCC, state authorities) to verify you’re following rules.

Retail Communication

Any content sent to more than 25 retail investors within a 30-day period. Examples: websites, Instagram ads, email newsletters, YouTube videos. Requires pre-filing with FINRA during your first year.

Retention Period (Retention Schedule)

How long a record must be kept before it can be deleted. Retention varies by record type - under SEC Rule 17a-4 and FINRA Rule 4511 many broker-dealer records must be kept for six years, while some communications have shorter periods - and firms often retain records longer based on their own policies or the jurisdictions they operate in. A retention schedule is the ruleset that decides how long each type of record is held.

Rule 2210 (FINRA)

FINRA rule that sets advertising and public-communication standards for broker-dealers (filing, content, record-keeping). For a look at rule 2210 for new firms, you can read through our in-depth guide.

Rule 3110 (FINRA)

FINRA’s rule requiring broker-dealers to establish and maintain written supervisory procedures, designate qualified supervisors, and conduct regular inspections of offices and activities. It’s the backbone of any compliant surveillance and review program. To learn more about details, you can read our article on rule 3110.

Rule 4511 (FINRA)

FINRA's general books-and-records rule. It requires broker-dealers to make and preserve the books and records that FINRA rules and the Securities Exchange Act require, in the formats and for the periods specified by SEC Rule 17a-4 - with a six-year default where no other period is set. Rule 4511 is the FINRA companion to the SEC's 17a-4.

Rule 4530

A FINRA rule requiring broker-dealers to promptly self-report certain internal and external events to FINRA, including regulatory actions, customer complaints, civil litigation, and findings of rule violations by the firm or its associated persons. Firms must file reports within 30 days of discovering a reportable event. Rule 4530 also requires quarterly statistical summaries of written customer complaints. The rule is designed to promote transparency and ensure regulators have timely visibility into potential misconduct or compliance failures across the industry.

S

SEC (Securities and Exchange Commission)

According to SEC.gov, the SEC was "founded to help our country respond to the Great Depression, we’re the agency that protects investors from misconduct, promotes fairness & efficiency in the securities markets, and facilitates capital formation for those looking to hire, innovate, and grow."

SEC Exchange Act Rule 17a-4

This U.S. Securities and Exchange Commission rule is the foundational records-retention rule for broker-dealers, specifying exactly how electronic books and records must be stored and preserved in WORM format. For more info, you can read our write-up here.

SHA 256

Secure Hash Algorithm 256 (SHA-256) is a cryptographic hash function that produces a fixed 256-bit digest of a file or message. Comparing a freshly computed digest with the one recorded when the record was stored or sent verifies that the data has not been altered or tampered with, whether at rest or in transit.

SOC 2 Type I & II

Independent audit reports that assess how well your service controls protect customer data. Type I covers the design of those controls at a point in time; Type II proves they work over a sustained period.

SR 11-7 (Federal Reserve Guidance on Model Risk Management)

A 2011 Federal Reserve supervisory letter setting expectations for model risk management at US banks - including model development, validation, governance, and inventory. SR 11-7 has become the de facto US standard for AI and machine learning risk management at supervised banks, with examiners increasingly applying its principles to generative AI and agentic deployments.

Secure Custodian (Archive Provider / System)

An independent party or system that securely holds and manages archived communications and data on behalf of a firm. A Secure Custodian ensures the integrity, confidentiality, and availability of records by using encryption, strict access controls, audit logs, and tamper-evident, WORM-enforced storage, all in line with regulatory requirements. Distinct from the compliance Custodian (Employee) above, which is the person whose records are being archived.

Single Sign-On (SSO)

An authentication method that allows users to log in once with a single set of credentials and gain access to multiple applications and platforms without needing to sign in separately to each one. SSO is widely adopted across enterprise software and SaaS platforms, making it a standard expectation for business tools today. For compliance teams managing multiple systems, SSO streamlines user access, reduces password fatigue, and strengthens security by centralizing authentication and making it easier to revoke access when an employee leaves the firm.

Smart Contact Filters

A feature of Comma Compliance that automatically distinguishes between business and personal contacts, archiving only messages from work-related contacts, while leaving private contacts untouched. Smart Contact Filters ensure your compliance archive captures the communications you need without compromising employee privacy.

T

Tamper-Evidence

The ability to prove a record has not been altered. A well-designed archive is tamper-evident rather than simply tamper-proof - any change would be detectable through cryptographic hashing, audit trails, and WORM storage. Detectability is the standard regulators actually look for.

W

WORM (Write-Once-Read-Many)

Write Once, Read Many is a type of secure storage that ensures archived data (like communications or social media posts) can’t be altered after saving. Required for compliance. You can find our in-depth look at Comma’s WORM Storage here.

Written Supervisory Procedures (WSPs)

Formal, documented policies that broker-dealers are required to maintain under FINRA Rule 3110, outlining how the firm supervises its registered representatives, business activities, and communications. WSPs must be tailored to the firm’s specific operations and updated regularly to reflect regulatory changes. They serve as the foundational blueprint for a firm’s compliance program and are among the first documents reviewed during a regulatory exam.