FOIA (Freedom of Information Act)

SEC Rule 17a-4 requires broker-dealers to preserve certain electronic records for specified periods in a non-rewriteable, non-erasable (WORM) format, with indexing and prompt retrievability. It is one of the most cited drivers of immutable email and communications archiving in financial services.

The Financial Industry Regulatory Authority (FINRA) oversees U.S. broker-dealers and sets rules for retaining and supervising business communications, including electronic messaging and social media. FINRA expects firms to capture, retain, and review communications and to produce them on request.

The Markets in Financial Instruments Directive II (MiFID II) is an EU regulation that, among other things, requires firms to record and retain communications — including phone calls and electronic messages — related to transactions, typically for at least five years.

The Health Insurance Portability and Accountability Act (HIPAA) sets U.S. standards for protecting health information. For archiving, HIPAA drives secure capture and retention of communications containing protected health information (PHI), with access controls, encryption, and audit logging.

The Criminal Justice Information Services (CJIS) Security Policy governs how criminal justice information is accessed, stored, and protected by law enforcement and their vendors. CJIS mandates strong encryption, strict access control, and audit readiness for systems that hold this data.

The General Data Protection Regulation (GDPR) is the EU privacy law governing personal data. It creates obligations such as data minimization and the right to erasure, which archives must reconcile with retention requirements through granular policy and defensible deletion.