Is Your Compliance Process Stuck in the 1990s? FINRA agrees.
FINRA recently published a notice, Regulatory Notice 25-07, on modernizing its rules, guidance, and processes.
If you didn’t read the entirety of it (although I’m sure you did, right? It’s only a nice, dense, 8000+ words), here’s the short version:
“We get it. You're not working out of a 1997 branch office anymore."
-FINRA (not verbatim)
Remote work, AI, mobile apps, and a merciful lack of extreme shoulder pads are all standard now, compared to the 1990s. And, thankfully, FINRA isn’t issuing a rule change here. They’re inviting the industry into a conversation.
“Are the current rules still practical, fair, and effective in today’s fast-moving environment?”
In short, they’re asking what you see instead of telling you what to do.
Why section D of 25-07 matters
In today’s financial services industry, client-investor communication involves far fewer paper forms than it did thirty years ago. It's DMs, emails, and app alerts.
Even so, many compliance frameworks still rely on outdated manual review practices that no longer align with the way investors and firms operate.
Why?
Well, because they were told by FINRA to go by the book. But that book is as outdated as Myspace for Dummies.
Let’s zoom in on one of the more immediately actionable parts of the notice: Section D: Delivery of Information to Customers.
Don’t worry, there are only seven other sections of pure delight and no legalese at all. /s
Electronic Delivery: Welcome to the 21st Century (Finally)
TL;DR
FINRA and the SEC originally cooked up the E-Delivery rules in 1998 - the year my family got dial-up internet. Three decades later, electronic communication isn’t the future. It’s just Thursday.
The Rules?
- Obtain informed customer consent for electronic delivery
- Take reasonable steps to protect the confidentiality and integrity of customer information
These core principles still apply, but the expectations of clients have evolved.
Clients expect access via WhatsApp, iMessage, Slack, secure portals, and more. Sending a paper confirmation letter? That feels about as modern as asking them to fax back a response.
FINRA’s recent Regulatory Notice 25-07 highlights this shift.
Delivery of required documents, once heavily reliant on hardcopy mailing, is now governed by electronic delivery guidance aligned with longstanding SEC releases.
FINRA is asking for public feedback on whether its current rules around electronic delivery of information and negative consent letters are still appropriate in today’s digital and fast-changing business environment.
While FINRA isn’t mandating changes (yet), their invitation is clear: Help shape the future of electronic delivery and oversight.
That means now is the time to:
- Evaluate where your firm stands
- Identify what’s working (and what isn’t)
- Be part of the solution today rather than a subject of enforcement later
What Can Firms Do Right Now?
1. Review your E-Delivery process
- Are you collecting explicit and informed consent for digital delivery?
- This means you're directly asking clients if they want to receive required documents (like trade confirmations, statements, or disclosures) via email or another digital method.
- It’s not just a checkbox buried in a giant onboarding form. The client should understand what they’re agreeing to.
- Is that consent stored securely and updated as needed?
- You’re not just collecting consent; you’re keeping a record of it. This is critical if regulators ask for evidence that the customer opted into digital communications.
- Are your electronic delivery methods secure, especially for sensitive investor data?
- For example, is it encrypted, or are you emailing sensitive information in plain text?
- Seriously. Is it encrypted? The entire time? Okay, good. If recent breaches have taught us anything, it’s that marketing language isn’t the same as technical protection.
If you can’t confidently answer yes to all three, maybe it’s time for a checkup.
2. Audit your communications coverage
What platforms are employees actually using to communicate with clients?
If your answer relies on assumptions or informal conversations, it's time to verify. Modern messaging isn’t confined to email.
In 2009, WhatsApp barely existed.
By 2013, it had 200 million users.
By 2020? Two billion.
That’s one in four people alive using a messaging app that's just now old enough to get a driver’s license.
Communication today is informal, fragmented, and fast-moving. Conversations that once happened in memos now unfold via DMs, voice notes, disappearing messages, and shared links, often across multiple apps in a single client interaction.
Yet many compliance programs ignore these channels entirely or treat them like an afterthought.
That’s not just inefficient. It’s a huge regulatory gap. Ignoring off-channel communication doesn’t make it go away. It makes it risky.
This is exactly why FINRA is opening the conversation. They’re saying:
“We know your team is communicating differently. How do we work with you, not against you?”
How to run a real communications audit:
Survey your client-facing teams
A short, 3–5 question survey can reveal:
- What platforms employees actually use to message clients
- Which tools clients prefer or expect
- Which platforms are used “just for follow-ups” but still count as business communication
Tool tip: Most teams can build a quick internal survey using tools like Microsoft Forms, Google Forms, or Typeform. Even a simple SharePoint list or email-based poll can uncover meaningful data in under a week.
Rethink what to archive
As regulators increase pressure on firms to supervise digital communications, many vendors have responded with a blanket approach: archive everything, across every channel. Never mind if it's relevant!

But that kind of over-capture introduces a different kind of risk: eroding employee trust, invading personal privacy, and storing vast volumes of irrelevant content.
The smarter path forward? Targeted oversight. Compliance systems must not only detect risk, but also know what not to retain. That means distinguishing between personal-only and business-related communications and filtering accordingly.
Pull system logs and usage reports
Evaluate logs from messaging, conferencing, and email platforms.
👋 We’re really good at helping firms surface system usage reports and blind spots. Ask us how.
Smart compliance platforms that use natural language processing (ahem, like ours...) can monitor these platforms without drowning your team in irrelevant flags or forcing employees to change how they work.
The point of innovative compliance software is to adapt to actual workflows, not complicate them.
Review and analyze the results.
If you’re using a tool like Microsoft Forms or Google Forms, responses are automatically recorded and exportable.
Use them to spot usage trends, off-channel surprises, and communication blind spots.
Consider mapping the data into a simple table:
Platform → Who's using it → Is it approved → Is it monitored?
Compare against your approved communication policy
What’s on the “official” list vs. what’s actually being used? The delta is your exposure.
This is where many teams realize the real issue isn’t rogue behavior. It’s tooling that relies on people to change their habits.
3. Assess your manual review costs
Manual review systems may seem manageable... right up until you model them at scale.
According to McKinsey & Company’s report The Social Economy, the average employee sends 5,000+ digital messages per month. If each takes 10 seconds to review, a 50-person team generates over 170 hours of review time monthly, costing upwards of $10,000 in labor.
Start with a quick exercise: pull time-tracking or payroll data to estimate the number of hours spent on message review each month. (Or even easier, use our slider here.) Chances are, you’ll uncover a quiet cost center hiding in plain sight.
Now add:
- Secondary reviews
- Inconsistent flags
- Training time
- Opportunity cost
Beyond cost, there's the issue of consistency.
Antiquated static keyword-based systems add to this load. It's like using AskJeeves instead of Google.
They’re brittle by design, easy to game, and prone to trigger alerts on harmless messages while overlooking the more nuanced ones. Messaging is often short-form, tone-dependent, and indirect, so false positives become the norm instead of the exception.
The True Cost of Decision Fatigue
When compliance teams spend hours sifting through irrelevant alerts that turn out to be nothing, it's easy to get desensitized. That’s when essential signals can get lost in the noise.
Automation is powerful, but it doesn’t replace human oversight. Its real value is in reducing the volume of noise, so teams can focus on high-risk activity. A well-designed compliance platform should enhance employee effectiveness, not sideline it. That means surfacing fewer, higher-quality alerts and giving professionals the context they need to make defensible decisions.
Before your next compliance or budget meeting, try asking a few questions:
- How much time are we really spending on review each week?
- What’s our current false positive rate?
- Are we confident we’re catching what matters most?
Manual inspection still has a role. But its efficiency and reliability depend heavily on the quality of the inputs, and the ability of your systems to adapt to modern communication styles.
Easy Win:
Block out 15 minutes this month to tally your team’s review hours week-over-week. Bring the data to your next leadership meeting to see where that time could be reduced.
Balancing Innovation with Investor Protection: Don’t Leave Seniors Behind
As firms embrace digital tools to streamline compliance and client communications, it's essential not to overlook the needs of senior investors and those less comfortable with technology. Modernizing doesn’t mean abandoning traditional investors: digital-first must not become digital-only.
Regulators like FINRA and the SEC continue to emphasize investor protection, especially for vulnerable populations. Firms are expected to:
- Offer secure alternative communication options, such as paper delivery or hybrid models that blend physical and digital formats.
- Pay special attention to senior investors and others with limited digital access.
- Maintain flexibility and respect client preferences when choosing communication methods.
- Obtain clear, informed consent before transitioning any customer to electronic-only communications.
Action you can take this week
- Run a quick analysis: What percentage of your clients currently receive only digital communications?
- Pull a list of all active client accounts from your CRM or client record system. Look at your communication preference field - email, paper, hybrid, or however you’ve chosen to categorize it.
Sort or filter the data to calculate:
- % receiving only digital
- % still using paper or hybrid
- % with no preference recorded (this is a compliance red flag to take action on)
Even a 30-minute sweep through your CRM or account data can reveal where your oversight gaps are.
Set up a hybrid pilot program (in 4 simple steps):
- Define a manageable test group (20–50 clients), ideally those over 60 or without clear delivery preferences
- Send both digital and physical communications for a 60-day period. Include a brief feedback option (e.g., a reply email, phone survey, or a note in a mailed letter) asking which format they prefer
- Track engagement and preferences through opens, feedback, or support requests, including any support requests related to delivery or accessibility
- Assess impact: Did the hybrid pilot increase engagement? What were the costs? What feedback surfaced?
By taking small, proactive steps, firms can modernize responsibly, staying aligned with evolving regulations while supporting clients of all ages and tech comfort levels.
A Smarter Path Forward
Regulatory clarity comes from dialogue.
FINRA’s Notice 25-07 is your invitation to help shape how the industry supervises communication in a digital-first world.
Now is the time to speak up.
If you see gaps, challenges, or opportunities in how current rules apply to your firm’s reality, choose to contribute. FINRA is listening. (We’re addressing one section of the notice here; there are seven others to consider further.)
At Tres Comma Compliance, we believe the firms that engage early and lead with insight will be best positioned for what’s next. That’s why our platform is built not just to meet today’s standards, but to evolve with them - and with you.
We help compliance teams:
- Capture and supervise off-channel communications
- Cut noise, not context, using smarter NLP-based review tools
- Respect personal boundaries while securing business-critical records
- Stay audit-ready without the cost and fatigue of manual review
We don’t believe in blanket surveillance.
We believe in clarity, context, and compliance management tools that work the way people actually communicate.
If you're thinking through what modernization means for your firm, we’d love to talk.
If you're ready to be part of the regulatory conversation, FINRA wants to hear from you. The comment period runs until July 14, 2025.
And if you're ready to modernize with confidence, we’re here to help. Ready to future-proof your compliance strategy? Contact TCC today and discover how we can help you modernize with clarity and confidence.