Regulators do not take your word for it. A firm can fail an examination for missing records even when the content itself met every standard, because compliance you cannot prove is treated as compliance you do not have. The evidence trail is part of the deliverable, not an administrative afterthought.
This article sets out what a complete approval record contains, why a screenshot fails for dynamic content, how long records have to survive in each regime, and why the trail has to show ongoing monitoring rather than just the original sign-off. The efficient way to carry all of that is to capture the evidence as a by-product of the workflow, so the trail builds itself rather than being reconstructed under pressure when a regulator asks.
What this article covers
- Why the record is the deliverable, and what its absence costs
- What a complete approval record has to contain across regimes
- Why dynamic content breaks naive capture, and how retention works
- Why the trail must show monitoring, and how to make it a by-product
Compliant content with no provable record still fails. That is the uncomfortable fact at the centre of regulated content, and it is the one most teams discover too late, when an examiner asks them to demonstrate something they actually did but never captured. The content was fine. The proof was not there. In a regulated industry those amount to the same outcome.
This sits within the wider system mapped in our guide to content marketing in regulated industries, and it deals with the layer underneath both the UK and US workflows: the evidence that proves what you did. A note carried throughout: this is educational, not legal or compliance advice, and Ridley Digital is not an authorised approver, a registered principal, or a provider of a compliant system of record.
Why the record is the deliverable, not an afterthought
The principle holds across regimes. If you cannot produce the approval and the content as it was published, you cannot prove the content was compliant, and unprovable compliance fails an examination. A regulator examining your marketing is not assessing whether your content was good; it is assessing whether you can demonstrate, with records, that the right person approved the right content against the right standard, and kept the proof. The demonstration is the test.
This reframes recordkeeping from a clerical chore into the actual output of the process. The content is what the public sees, but the record is what the regulator sees, and the regulator is the one who can shut you down. Treating the record as a tidy-up task to do later, or to reconstruct if asked, is how firms that were genuinely compliant still end up failing, because by the time the request comes the evidence has degraded or vanished. The record has to be created as the work happens, deliberately, as part of what “done” means.
What a complete approval record contains
Across UK and US practice, a complete record has a recognisable shape, even though the regimes differ in detail. It contains the content exactly as it was published, not a near-enough version. It identifies the approver and the date of approval. It records the dates of first and last use, so the window the content was live is provable. It captures the substantiation source for every claim, statistic and performance figure, so each claim can be traced to its evidence. And where content changed, it holds the version history, so you can show which version was live when.
Each element exists because its absence is a specific failure. Without the published version, you cannot prove what the public actually saw. Without the approver and date, you cannot prove the sign-off happened before use. Without the substantiation source, you cannot defend a claim that is later questioned. Without the dates of use, you cannot bound your exposure. Without version history, a later edit can make it look as though an unapproved version was live. FINRA’s own recordkeeping requirements under Rule 2210 name several of these contents explicitly, including the approving principal and the source of any statistics used.
Capturing content as it actually appeared
Here is where naive recordkeeping breaks. A static screenshot was adequate when content was a printed brochure. It is not adequate for the content firms actually publish now. Interactive features, linked pages, embedded media and content that changes by user behaviour are not captured by a flat image, so a screenshot can miss the very thing a regulator asks about. Social content is worse: posts get edited or deleted, comment threads change the meaning of the original, and what existed at publication may be gone by the time anyone looks.
The standard the capture has to meet is simple to state and harder to meet: it has to reflect what the public actually saw, in the form they saw it, at the time they saw it. That means capturing dynamic and interactive content in a way that preserves its behaviour, and capturing social content at the moment of publication rather than trusting it to still be there later. A record that does not reflect the real experience of the content is not a reliable record, however neatly it is filed.
Retention, format and accessibility
How long the record has to survive, and in what form, depends on the regime, and the two main ones differ. Under FINRA’s framework, tied to the SEC’s recordkeeping rules and Rule 4511, communications and approvals are generally kept for at least three years, with the first two readily accessible, in a non-alterable format. In the UK, financial-promotion approvers carry ongoing monitoring obligations and report to the FCA on a six-monthly basis, so the record has to support that continuing duty rather than just the moment of approval.
The detail that catches firms out is the non-alterable requirement. A record kept in a system where it could be edited after the fact is weaker than one held in a form that cannot be changed, because the point of the record is to be trustworthy evidence, and evidence you could have altered is evidence a regulator can discount. The format is part of the standard, not just the content of the record. Which exact retention applies to you depends on your regime and facts, so confirm it rather than assuming a single number transfers.
The monitoring trail, not just the approval trail
Most teams think of the evidence trail as proving a moment, the approval, when in fact it has to prove a continuing process. Approval is a point in time; the obligation continues for as long as the content is live. So the trail has to show ongoing review, not only the original sign-off. In the UK that follows directly from the approver’s monitoring duty: it is not enough to show you approved a promotion in March if you cannot show you were watching it through the year. Under FINRA, the firm’s continuing responsibility for content, including content on its behalf, means the same in practice.
The practical implication is that the record is not closed when the content goes live. It stays open, accruing evidence of monitoring, re-review, and any decision to withdraw or amend approval as circumstances change. A trail that stops at publication tells only half the story, and it is the wrong half if a regulator is asking what you did about a promotion that drifted out of line three months after it launched.
Building the trail into production, not bolting it on
All of this sounds like a heavy administrative burden, and it is, if you treat it as a separate compliance task running alongside the real work. The efficient move is the opposite: capture the evidence as a by-product of the workflow itself. When approval, dates, substantiation sources and the published version are recorded automatically as content moves through the production process, the trail builds itself, and nobody has to reconstruct it later under pressure.
That is the difference between a firm where recordkeeping is a dreaded periodic scramble and one where the evidence is simply always there, because the process produced it. Designing that into the content operation, rather than bolting it on, is the subject of our guide to building the sign-off model into your content operation. The record is most reliable, and least painful, when it is a natural output of how the work is done.
FAQs
What records do you keep for regulated marketing content?
A complete record generally includes the content exactly as published, the identity of the approver and the approval date, the dates of first and last use, the substantiation source for every claim and statistic, and the version history where content changed. Each element exists to prove a specific thing: what the public saw, that sign-off happened before use, how long the content was live, that claims were evidenced, and which version was live when. The exact requirements depend on your regime, so treat this as the common shape rather than a definitive list for your situation.
How long must marketing compliance records be kept?
It depends on the regime. Under FINRA’s framework, tied to the SEC’s recordkeeping rules and Rule 4511, communications and approvals are generally kept for at least three years, with the first two readily accessible and in a non-alterable format. In the UK, financial-promotion approvers carry ongoing monitoring obligations and report to the FCA every six months, so records have to support that continuing duty. Which retention applies to you depends on your regime and facts, so confirm it against the relevant rules rather than assuming a single figure applies everywhere.
Does a screenshot satisfy recordkeeping rules?
Often not, especially for modern content. A flat screenshot was adequate for a printed brochure but does not capture interactive features, linked pages, embedded media or content that changes by user behaviour, and it can miss exactly what a regulator asks about. Social content is harder still, because posts get edited or deleted and comment threads shift the meaning of the original. The capture has to reflect what the public actually saw, in the form they saw it, at the time they saw it, which usually means more than a static image.
What is an approval log?
An approval log is the record that ties each piece of content to its sign-off. At minimum it captures what was approved and by whom, the date of approval, and the standard it was approved against, alongside the published version and the substantiation for any claims. Done well, it is not a separate document maintained by hand but a by-product of the workflow, populated automatically as content moves through production. Its purpose is to let the firm demonstrate, on request, that the right person approved the right content before use and kept the proof, which is what an examination tests.
Can compliant content still fail an audit?
Yes, and this is the central risk of weak recordkeeping. A firm can produce content that met every content standard and still fail an examination because it cannot produce the records that prove it: the approval, the dates, the substantiation, the published version. Regulators assess whether you can demonstrate compliance, not just whether you achieved it, so unprovable compliance is treated as non-compliance. That is why the record is the deliverable, and why capturing it as the work happens matters as much as getting the content right in the first place.
Last reviewed: June 2026
This article is general information about recordkeeping for regulated content and is not legal, compliance or regulatory advice. Ridley Digital is not an authorised approver, a FINRA registered principal, or a provider of a system of record. Required record contents and retention depend on your regime and facts; confirm them against the relevant rules and take professional advice before relying on this.