Most compliance officers at broker-dealers know FINRA Rule 3110 exists. Fewer understand what it requires in practice for supervising communications. The gap between awareness and execution is where enforcement actions arise.

Here's what the rule requires, and where firms consistently fall short.

What Rule 3110 actually says

At its core, Rule 3110 requires firms to establish and maintain a system to supervise the activities of associated persons that is reasonably designed to achieve compliance with applicable securities laws and FINRA rules. That phrase — reasonably designed — does a lot of work. It means a policy document isn't enough. The system itself has to function.

On communications specifically, Rule 3110(b)(4) requires firms to have supervisory procedures for the review of incoming and outgoing written correspondence, including electronic communications, relating to the firm's investment banking or securities business.

And critically, merely opening a communication is not a sufficient review, according to FINRA. The rule requires evidence of review — who looked at it, when, and what action was taken.

Where firms get into trouble

Restricted list supervision often illustrates the problem. Firms maintain lists of issuers tied to live deals, research restrictions, or other information barriers. Those lists are supposed to connect to communication monitoring systems that can detect when the securities appear in employee messages.

In practice, that connection is often weaker than firms expect. If a restricted issuer trades under a ticker symbol that is also an ordinary word, traditional keyword surveillance can generate thousands of irrelevant alerts — or miss the reference entirely.

What This Looks Like in a Real Communication

The first and most common failure isn't ignoring the rule. It's underestimating the scope of what "written communications" now covers. Restricted list supervision illustrates the issue particularly well.

Example message:

“Let’s talk about shop once the client call ends.”

If Shopify is on the firm’s restricted list because of a live transaction or research restriction, the message using the ticker symbol for Shopify — shop — becomes a reference to a restricted issuer inside a firm’s communications.

Rule 3110 supervision requires firms to maintain systems capable of reviewing and supervising these communications in practice, not just capturing them for archival purposes.

Your team is texting on iPhones, closing deals on WhatsApp, and following up on LinkedIn. FINRA Rule 3110 requires business-related communication to be captured, reviewed, and archived. Off-channel communication remains one of the most active areas of FINRA and SEC enforcement. Fines in this area have run into billions of dollars industrywide over the past few years — not because firms didn't have policies, but because they couldn't demonstrate that those policies were being enforced.

The second failure point is false positives. Keyword-based surveillance systems generate enormous review queues that compliance teams can't meaningfully work through. When everything flags, nothing gets real attention. The result is a supervision system that exists on paper but doesn't function in practice, which is exactly what regulators look for when they examine a firm.

What "reasonably designed" looks like today

A supervisory system that meets the current standard needs to do three things well: catch risk in context, not just by keyword; produce documentation that demonstrates actual review, not just capture; and surface genuine patterns rather than burying reviewers in noise.

Rule 3110 requires firms to maintain evidence that supervision has occurred — review logs, inspection reports, records of escalations, and corrective measures taken. Regulators operate on the principle that if it isn't documented, it didn't happen.

The firms that pass examinations cleanly aren't the ones with the most elaborate policies. They're the ones that can show that their system actually worked. In practice, that means supervisory systems must be able to detect when employee communications reference restricted issuers — even when the ticker symbol is indistinguishable from ordinary language.

That's the standard. The question is whether your current stack can meet it.

Because at this point, supervision isn’t about having policies, or even about capturing communications. It’s about demonstrating — clearly and consistently — that risk is being identified, reviewed, and acted on in real time. And that’s where many firms are still falling short. Not because they don’t understand Rule 3110, but because the tools and systems they rely on weren’t built for how communication actually happens today.

In a world of fragmented channels, ambiguous language, and increasing regulatory scrutiny, “reasonably designed” is no longer a low bar. It’s an operational test — one that regulators are actively enforcing.

The firms that meet it won’t be the ones with the most documentation. They’ll be the ones whose systems can prove, communication by communication, that supervision is actually happening.

Book a free demo of HarmCheck today: http://harmcheck.ai/demo

By Alphy staff

HarmCheck by Alphy is an AI communication compliance solution that detects and flags language that is harmful, unlawful, and unethical in digital communication. Alphy was founded to reduce the risk of litigation from harmful and discriminatory communication.