Website Archiving to Meet SEC & FINRA Regulations

Nearly all businesses in the modern age of technology must have an extensive online presence, starting with informative and robust websites. Financial investment firms, however, must recognize their websites as both essential marketing tools and vessels for highly regulated content.

The SEC (Securities and Exchange Commission) and FINRA (Financial Industry Regulatory Authority) impose stringent, detailed archiving requirements on retail communications with the public; the primary goal of these regulations is to protect investors and the integrity of the securities market. Much of the content on financial firms’ websites qualifies as retail communications, and thus must be preserved and archived in certain ways.

But which content, exactly, is subject to SEC website archiving rules? And what overlap, if any, is there between SEC and FINRA website requirements?

This guide will help those working in securities trading identify website content that must be archived and collect the right tools to ensure compliance.

Are Firm Websites Regulated Under SEC and FINRA Rules?

Yes, content on financial firms' websites is often considered regulated or retail communications—especially if it offers investment advice or advertises products or services.

Regardless of the firm’s intent with various marketing messages, the SEC and FINRA insist on specific recordkeeping and retention requirements when firms publish content that’s even slightly promotional in nature.

What Website Content Must Be Retained Under SEC Rules?

SEC Website Requirements Explained

The medium of communication between brokers and clients is essentially irrelevant when it comes to SEC and FINRA rules for websites. Over the years, amendments to the Securities Exchange Act have addressed technological advances, including social media, which, according to the SEC, is “an umbrella term that encompasses various activities that integrate technology, social interaction, and content creation.”

Accordingly, website content is now subject to the same retention requirements as written communications issued through emails and press releases.

SEC Rule 17a-3: Website Records That Must Be Archived

SEC Rules 17a-3 and 17a-4 govern the types of records that brokers must archive and the retention periods for those records. SEC Rule 17a-3 outlines the details of records related to general business operations that must be retained.

Records that firms often need to archive pursuant to SEC Rule 17a-3 include:

  • Product and service pages.
  • Performance claims.
  • Disclosures.
  • Educational blog posts.
  • All records of website updates, edits, and deletions.

The term "SEC website records" is generic and encompasses a wide range of content that may be considered public communications.

SEC Rule 17a-4: How Website Records Must Be Preserved

SEC Rule 17a-4 states the retention requirements for records mentioned in Rule 17a-3. Firms must retain records for 3–6 years and keep them in easily accessible locations for the first two years after creation.

Additionally, firms must:

  • Produce records within 24 hours after a request from SEC or FINRA regulators. This means that ad-hoc and manual storage procedures can leave firms vulnerable during audits.
  • Archive records in a “non-rewriteable, non-erasable” (aka “WORM”) format to prevent tampering.
  • Save data with respective timestamps and digital signatures.

Many Rules and regulations touch on the SEC website archiving requirements, but 17a-3 and 17a-4 are vital for investment firms’ compliance officers and marketing departments.

FINRA Website Compliance 

How FINRA Regulates Firm Websites

While the SEC regulates a wide swath of entities within the securities industry, FINRA focuses on broker-dealers. However, the general spirit of FINRA website compliance is not much different than that of the SEC. Among other aims, FINRA works to ensure that broker-dealers present investors with fair, balanced, and accurate communications backed by data.

FINRA focuses on public-facing communications because its primary goal is to help the SEC protect investors and the overall integrity of the securities market. Through various Rules, FINRA provides website archiving guidance for broker-dealers.

FINRA Rule 2210: Websites as Communications With the Public

Based on FINRA’s definition of “retail communications,” broker-dealers’ websites (or a significant portion of them) qualify as such and must adhere to certain rules. FINRA defines retail communications as “any written (including electronic) communication that is distributed or made available to more than 25 retail investors within any 30 calendar-day period.”

In addition to the requirement that communications be fair and balanced, firms must retain records showing how they ensure ongoing compliance with website content. Another requirement for Rule 2210 compliance is to run retail communications by a registered principal before publication.

FINRA Rule 4511: Website Record Retention

Rule 4511 makes clear that FINRA-regulated firms (broker-dealers) must retain “books and records” in accordance with SEC rules. In cases where neither FINRA nor the SEC specifies retention periods, broker-dealers must keep data for at least six years.

The Rule also requires broker-dealers to retain electronic data in the manner laid out by SEC Rule 17a-4.

FINRA Rule 3110: Supervising Website Content

FINRA Rule 3110 requires broker-dealers (sometimes called “member-dealers” or simply “members”) to create Written Supervisory Procedures (WSPs) for content approval and publication. The Rule applies to broker-dealers and their “associated persons.”

Simply, firms must develop their own systems for reviewing public communications and other regulated online activities. Systems should name the individuals responsible for reviews and issue escalations. Firms must document every step of the content approval process.

Adoption, Entanglement, and Hyperlinks on Firm Websites 

What Adoption and Entanglement Mean Under FINRA Rules 

Adoption and entanglement refer to situations in which an adviser has become involved in third-party content and, therefore, must retain that content pursuant to FINRA Rule 2210.

Adoption, in the eyes of the SEC and FINRA, occurs when a firm does something to imply that it endorses third-party content. That may occur when the firm’s social media accounts or website shares information from third-party sources. Entanglement refers to situations in which advisers have contributed to content creation featured on a third-party source.

Sometimes, adoption or entanglement can happen so subtly that firms don’t even notice it.

User-Generated Content on Firm Websites

The SEC has only recently relaxed its stance on user-generated content and its involvement in firm advertising materials. Testimonials, once forbidden, can now be included on websites if advisers make proper disclosures and have written agreements with compensated testimonial providers.

Comments and reviews may also become subject to FINRA and SEC recordkeeping requirements if firms take actions to endorse or adopt them. For instance, including positive comments on website home pages often triggers an investment firm's requirement to document the steps it took to approve the content. Abiding by the applicable retention periods is also important for regulated third-party content.

Hyperlinks and Third-Party Content

The SEC and FINRA do not require investment firms to always archive content contained under hyperlinks. Links to purely educational materials, such as FINRA’s website or unbiased news articles, usually don’t trigger retention rules under SEC Rules 17a-3 and 17a-4.

That isn’t the case if firms appear to endorse or adopt third-party content. Selectively linking to sources in retail communications and other marketing materials can indicate adoption.

Therefore, firms must archive:

  • Hyperlinked content for three years.
  • The decision-making process for content approval and publication.
  • The website pages on which the third-party hyperlinks appear.

What Counts as Communication With the Public on a Website?

Both the SEC and FINRA use the terms “communications” and “correspondence” in a wide array of contexts, which sometimes makes it unclear which retention and recordkeeping rules apply to particular content.

Communications with the public, in the context of FINRA, typically refer to “retail communications.” Retail communications are most communications (including website content) that can, in theory, reach at least 25 investors within a 30-day period.

Investment firms sometimes overlook the following when taking stock of their websites’ retail communications:

  • Archived blogs.
  • Chats involving both chatbots and real people.
  • Awards, recognition, and endorsements.
  • Discussion boards.
  • Embedded social media posts.
  • Temporary landing pages.

To err on the side of caution, investment firms should archive content that has even the slightest appearance of being promotional or advertorial. If your team has a reasonable belief that more than a handful of non-institutional investors have access to such content, you should be more confident that the SEC or FINRA wants to know about it.

Why Website Backups and Screenshots Are Not SEC & FINRA Compliant

The Limits of CMS Backups

Most users create websites under pre-built foundations offered by content management systems (CMS). Although CMS backups can be useful for quickly fixing minor errors on websites, they are not meant to serve as FINRA- or SEC-compliant data archives.

For one, CMS backups typically go back only a few weeks or months. Every so often, the CMS overwrites older versions to make way for newer ones. Rarely do CMS tools archive versions from three or more years prior, as required by FINRA.

Even if they did reach back that far, they wouldn’t pass muster with regulatory bodies. The SEC and FINRA require firms to archive data, including retail communications and website content, in the WORM (write-once, read-many) format, which CMS backups cannot guarantee. Another limit of CMS backups is the lack of supervisory or audit trails that firms must often provide.

Why Screenshots Fail Regulatory Requirements

Screenshotting digital content does not satisfy the SEC’s website archiving requirements. The primary deficiency is that screenshots are merely images, and images can easily be manipulated with basic editing tools. It can be difficult to prove to regulators that your team has not tampered with screenshots.

Additionally, screenshots, like CMS backups, do not have crucial metadata, digital signatures, or hash values—all of which are important in proving authenticity. Trying to take screenshots of every piece of content that needs to be archived can be nearly impossible for most firms. And that’s to say nothing of nested comments, embedded media, and other content that may not always appear on screen.

What a Compliant Website Archiving System Must Include 

Considering the multitude of rules the SEC and FINRA set forth on archiving regulated communications, investment firms need a comprehensive, third-party archiving solution. CMS backups and screenshotting content do not produce compliant records.

A FINRA- and SEC-compliant website archiving system should have:

  • A continually updated archive that does not require manual capture.
  • The complete history of edits, deletions, and approval verification.
  • Tamper-proof, immutable copies in the WORM format.
  • An indexed data repository for easily retrievable content.

How Automated Website Archiving Reduces Compliance and Supervision Risk

The proper website archiving tools give advisers something important: peace of mind. Reducing compliance and supervision risk allows marketing teams to post content with confidence and speed. It also allows employees to avoid cumbersome manual capture processes.

When the SEC or FINRA comes knocking, your team doesn’t have to scramble to find the requested materials. If matters escalate to a court of law, you don’t have to worry about whether the archives contain legally defensible records. The right archiving software also keeps records in line with applicable retention periods.

In the long run, the best archiving option is robust third-party software that continually archives retail communications and retains them in defensible formats. Trying to save records through screenshots or CMS backups can leave firms vulnerable to costly penalties and reputational damage.

Frequently Asked Questions About SEC & FINRA Website Archiving

Do SEC and FINRA rules apply to marketing websites?

Yes, SEC and FINRA regulations (including archiving obligations) apply to websites that investment firms primarily use for marketing purposes. The two agencies have an expansive view of what constitutes retail communications, so firms typically must archive significant portions of their websites. For broker-dealers and FINRA members, public website content used to promote products, services, or the firm itself is generally a written electronic communication subject to FINRA Rule 2210 and SEC/FINRA books-and-records rules. For SEC-registered investment advisers, website pages that offer advisory services can also qualify as “advertisements” under the SEC marketing rule and must be retained under Rule 204-2.

How long must website content be retained under SEC & FINRA Rules?

It depends on the firm type and the record category. For broker-dealers, many business communications must be kept at least three years, with the first two years in an easily accessible place; some records must be kept six years, and FINRA’s default retention period is six years where no shorter period is specified. For SEC-registered investment advisers, advertisements generally must be kept for five years, with the first two years in an appropriate office.

Are website backups enough for SEC & FINRA compliance?

Usually no. A backup may help restore a site after an outage, but SEC and FINRA compliance requires records that can be promptly located and produced, are preserved in WORM format or with a compliant audit trail, and include required recordkeeping details such as approval information and dates of use. A standard backup often does not meet all of those requirements on its own.

Do firms need to archive deleted webpages?

Yes, investment firms need to archive all versions of retail communications that have appeared on their websites within the specified retention periods—including deleted webpages. If a webpage was a required business or marketing communication, taking it down does not erase the retention obligation. Broker-dealers still must preserve records of business communications, and compliant electronic systems must either preserve records in non-rewriteable, non-erasable form or maintain an audit trail that allows the original record to be recreated if it is modified or deleted.

Does FINRA require supervision of website changes?

Yes. FINRA Rule 3110 requires supervisory procedures for written electronic communications, and Rule 2210 requires principal approval of most static public content before use. FINRA also says material changes to static content require renewed prior approval, which means website updates need supervision, not just the first version.

Does FINRA require firms to archive every version of a webpage?

Not in those exact words, but in practice firms need to preserve each materially different version that was used. That is because Rule 2210 requires a copy of the communication plus dates of first and last use, and FINRA expects prior approval for material changes to static content.

Are PDFs, disclosures, and downloadable files on a website considered records?

Yes, if they are business-related communications or part of a public-facing advertisement or disclosure set. The rules focus on the content and purpose of the communication, not whether it appears as HTML, a PDF, a brochure download, or another file type. This underscores the need for comprehensive archiving tools that capture all elements of webpages, including embedded media.

How do SEC and FINRA rules apply to microsites or campaign landing pages?

They apply the same way they do to main-site pages. If a microsite or landing page is used to communicate with the public about the firm’s business, products, or advisory services, it can be a regulated communication or advertisement and must be reviewed, retained, and producible for the applicable retention period. 

Do archived websites need to be searchable for audits and exams?

Yes. Compliant records must be organized so firms can locate and retrieve them quickly. SEC and FINRA rules require electronic systems to support ready download and transfer of records and the information needed to locate them, and the Advisers Act books-and-records rule requires records to be arranged and indexed for easy location, access, and retrieval.

Can regulators request historical website content during an examination?

Yes. Broker-dealers using electronic recordkeeping systems must be able to immediately produce requested records to the SEC, self-regulatory organizations, and state regulators. Investment advisers also must promptly provide legible copies of records and the means to access, view, and export them.

Are multilingual or regional versions of a website subject to the same SEC & FINRA requirements?

Any website content for investment firms that promotes products or services—even tangentially—is subject to SEC and FINRA requirements. Retail communications in different languages may require firms to create separate records of each version, and the same goes for regional versions that may have slight differences.

How often should website content be archived to remain compliant?

The SEC & FINRA rules do not set one universal crawl interval. The practical standard is that firms must preserve what was actually published, when it was used, and any required audit trail or approval record, so archiving needs to happen often enough to capture every material change—not just occasional snapshots. 

How do SEC and FINRA define “readily accessible” website records?

SEC Rule 17a-4 requires that investment firms keep archives of retail communications in a readily accessible format for at least two years after publication. Readily accessible, in this context, means that firms must be able to produce records promptly (within 24 hours is a good rule of thumb). The records must also be indexed, searchable, and organized.

How does website archiving support FINRA Rule 3110 supervision requirements?

Website archiving helps firms prove what was published, when it was published, who approved it, and what changed over time. That supports Rule 3110 by giving compliance teams a reviewable record of written electronic communications and evidence that supervisory procedures were actually carried out.

Is website archiving required for SEC & FINRA compliance, even if no performance claims are made?

Yes. Performance claims create extra substantiation obligations, especially for investment advisers, but ordinary website content can still be a regulated business communication, retail communication, or advertisement. In other words, the recordkeeping duty is not limited to pages with performance data.

Kyla Sims

Kyla Sims is the Content Marketing Manager at Pagefreezer, where she helps to demystify digital records compliance, ediscovery and online investigations. With a background in storytelling and a passion for educational research and content design, she's been leading content marketing initiatives for over a decade and was overusing em-dashes long before it was cool.
