Best Practices for Mobile App Communication Compliance

September 28, 2023, by Smarsh

From the webinar: Mobile Apps are the New Email - Is Your Firm Compliant? by Steve Boyd, Director, Head of Miami, Optima Partners and Tiffany Magri, Senior Regulatory Advisor, Smarsh.

As more firms allow employees to communicate with clients over mobile channels, robust books-and-records and supervisory controls become essential. Firms increasingly recognize that these controls are what let them meet their recordkeeping obligations for mobile communications and reduce the risk of an enforcement action.

The Securities and Exchange Commission (SEC) has begun cracking down on off-channel communications and, between September 2022 and August 2023, the SEC brought 30 enforcement actions. The SEC also ordered more than $1.5 billion in combined penalties for what the SEC called “widespread and longstanding failures” by financial services firms and their employees to maintain and preserve electronic communications.

Enforcement sweeps like these force firms to pay more attention to their employees’ mobile communication activities. “They are thinking about this a little bit more,” said Steve Boyd, director and head of the Miami office for Optima, a consulting and regulatory services firm. “They’re asking the right questions and trying to be on the right side of it.”

In our recent webinar, “Mobile Apps are the New Email: Is Your Firm Compliant,” experts discussed best practices for implementing policies and procedures and supervisory practices that enable compliant mobile communication. Below is a summary of key points from that discussion.

Gather key stakeholders

Your stakeholders must be on board, and the earlier, the better. Tiffany Magri, a regulatory advisor at Smarsh, recommends that all key stakeholders, including the head of IT, have a seat at the table from the start when the firm structures its mobile communications compliance strategy. Some firms, for example, run a communications governance council so that key stakeholders stay aligned.

Firms must know which mobile apps they actually use, both for marketing and for communicating and engaging with clients. From there, put the proper guardrails in place by pinpointing the books-and-records and supervisory obligations that apply to each channel. “Always make sure that you are not using anything you can’t capture, retain, and supervise,” Magri said.

Implement policies and procedures

Policies and procedures are necessary to carry out the firm’s strategy and should address not only what is permitted but what is prohibited as well. “Regulators have been very clear that you must have some reasonable form of policies and procedures and supervision around off-channel communications,” Magri said.

Policies need to be structured in a way that’s achievable for the firm based on its size, culture, and business approach. “There is no blanket policy that’s going to work for [all firms],” Boyd said.

For example, when considering whether to implement a bring-your-own-device (BYOD) policy, cost savings will likely be the most important factor for a small firm just starting out. For firms with greater resources – enough to issue corporate-owned devices – security considerations will likely be at the top of their list, Boyd noted.

Policies and procedures should also address the one-off situations that arise when business-related communications are received over an unapproved channel. Specifically, employees should know whom to call and what steps to take to get the message back into a captured, supervised channel.

Boyd provided an example wherein a portfolio manager at a fund received text messages from a trader. “You want to make sure that there is a policy that allows you to then forward that to a specific email address or get it back onto an email or a messaging platform that will then archive that message,” he said.

Policies and procedures should also cover what disciplinary actions will be taken for non-compliance, such as disciplinary warnings, bonus or compensation clawbacks, or even suspensions or terminations in egregious cases. “Also, make sure to document that, as well as any remedial actions taken,” Magri said.

Define books and records

Firms should clearly understand and define what books and records to keep from a recordkeeping standpoint. Broadly, that includes “any client or investor communication; marketing communications to clients, investors, or prospects; communications regarding research or portfolio names; and then any communications surrounding investment recommendations,” Boyd said.

Many firms today choose to capture all communications because it’s often too difficult to delineate between which communications should be captured and which should not, Boyd said. “Therefore, by default, everything becomes a business record,” he said.

Train and educate

Education is key to getting people to adhere to policies and procedures for communicating over mobile apps, Boyd said. Employees should be trained on which channels they are allowed to use, “and, ultimately, reminding them of the policies that are in place,” he said.

“As compliance [officers], it’s your obligation to supervise, but it’s also your obligation to educate,” Boyd added. Reminding folks verbally during large team meetings or department gatherings is one way. Sending out periodic emails reminding employees about the firm’s mobile communication policy is another way.

In addition to training and education, employees also should have to attest, preferably on a quarterly basis, that they comply with the firm’s electronic communication policies and procedures, “so that you’re getting their word,” Boyd said. These check-ins also keep compliance top of mind for employees and remind them of the seriousness of only using approved communications channels.

Trust, but verify

In addition to collecting employee attestations, compliance should review the firm’s archives at least quarterly, looking for content that potentially points to a policy violation, so that problems are caught and corrected rather than left to accumulate. “You always want to trust your employees, but you also want to verify,” Boyd said.

From a supervisory standpoint, it’s critical to have the right set of lexicons in place and to update them at least annually, or more often as new apps appear. Meta’s new social network, Threads, is one example. “Have you included something about Threads in your lexicons in the last month or two to see if people are now moving over to Threads?” Magri said. Monitoring which channels are trending and getting a lay of the land will help firms stay on top of compliant communication practices.

Boyd noted that other language to watch for that could point to non-compliant behavior includes:

  • “Use this channel”
  • “Text me”
  • “Let’s take it offline”
  • “Call me”

“These are [key phrases] that give compliance officers pause,” Boyd said.
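The lexicon review described above can be run mechanically over an archive export. The following is an added illustration, not code from Smarsh, Optima Partners or the webinar: the channel-steering phrases are the ones quoted in the article, while the app names, the "txt" variant, the message format and the sample messages are constructed assumptions. It shows three things the article argues for: word-boundary matching so that ordinary words do not trip the lexicon, a "before" and "after" lexicon to see which messages only a freshly updated lexicon (here, one that adds Threads) would catch, and a per-sender roll-up so repeat senders surface first in a quarterly review.

```python
import re
from dataclasses import dataclass

# Lexicon as it might have stood before Threads launched. The channel-steering
# phrases are the ones quoted in the article; the app names and the "txt"
# variant are assumptions added for illustration.
LEXICON_BEFORE = {
    "channel_steering": [
        r"\buse this channel\b",
        r"\b(?:text|txt) me\b",
        r"\btake (?:it|this) offline\b",
        r"\bcall me\b",
    ],
    "app_name": [r"\bwhatsapp\b", r"\btelegram\b"],
}

# The same lexicon after the periodic review the article recommends: Threads added.
LEXICON_AFTER = {cat: list(pats) for cat, pats in LEXICON_BEFORE.items()}
LEXICON_AFTER["app_name"].append(r"\bthreads\b")

# Constructed sample of archived messages (not real data). m3 checks that
# "call memos" does not match "call me"; m5 is a legitimate compliance reminder
# that still hits the lexicon, which is why hits are leads for a reviewer, not findings.
SAMPLE_ARCHIVE = [
    {"id": "m1", "sender": "pm@fund.example", "body": "Can't go into the position here, text me."},
    {"id": "m2", "sender": "trader@fund.example", "body": "Let's take it offline. Call me at 4."},
    {"id": "m3", "sender": "analyst@fund.example", "body": "Reminder that call memos are due Friday."},
    {"id": "m4", "sender": "pm@fund.example", "body": "Are you on Threads yet? Easier to chat there."},
    {"id": "m5", "sender": "compliance@fund.example", "body": "Reminder: use this channel for all client communications."},
]


@dataclass(frozen=True)
class Hit:
    msg_id: str
    sender: str
    category: str
    term: str  # the matched text, lower-cased


def compile_lexicon(lexicon):
    """Compile every pattern once; matching is case-insensitive."""
    return {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in lexicon.items()}


def screen_archive(messages, lexicon):
    """Run every lexicon pattern over every message; one Hit per match."""
    compiled = compile_lexicon(lexicon)
    hits = []
    for msg in messages:
        for category, patterns in compiled.items():
            for pattern in patterns:
                for match in pattern.finditer(msg["body"]):
                    hits.append(Hit(msg["id"], msg["sender"], category, match.group(0).lower()))
    return hits


def new_hits_after_update(messages, old_lexicon, new_lexicon):
    """Hits the updated lexicon finds that the old one missed."""
    old = set(screen_archive(messages, old_lexicon))
    return [h for h in screen_archive(messages, new_lexicon) if h not in old]


def flagged_messages_by_sender(hits):
    """Number of distinct flagged messages per sender, most-flagged first."""
    per_sender = {}
    for h in hits:
        per_sender.setdefault(h.sender, set()).add(h.msg_id)
    return sorted(((s, len(ids)) for s, ids in per_sender.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for hit in screen_archive(SAMPLE_ARCHIVE, LEXICON_AFTER):
        print(hit)
    print("new since lexicon update:",
          new_hits_after_update(SAMPLE_ARCHIVE, LEXICON_BEFORE, LEXICON_AFTER))
    print("by sender:", flagged_messages_by_sender(screen_archive(SAMPLE_ARCHIVE, LEXICON_AFTER)))
```

Run against the constructed archive, the old lexicon produces four hits and misses the Threads message entirely; only the updated lexicon flags it, which is the gap Magri describes. The reminder from compliance in m5 also hits, a deliberate false positive: a lexicon screen narrows the quarterly review down to candidates, and a person still has to read each one in context before treating it as a violation.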

Lastly, Magri advised that firms make sure to conduct ongoing evaluations around the firm’s mobile application channels. “Particularly as new features are added to those applications, make sure those communications can still be captured,” Magri said.

For example, firms need to think about how to capture, and put supervisory controls around, emojis, GIFs and voice-to-text features, any of which can carry or signal off-channel business communications. Regulators have signaled they are paying more attention to these.

It’s not possible to stop every bad actor from engaging in off-channel communications, “and it’s going to be very hard for compliance to keep up when you have all this technology that’s rapidly evolving,” Boyd said. However, implementing robust policies and procedures, employee training and attestations, and continuously monitoring for noncompliance will significantly reduce the risk of getting on the wrong side of regulators.
