At the recent 2018 Financial Industry Regulatory Authority (FINRA) Annual Conference, financial services compliance professionals explored how to embrace the future of communications while remaining compliant.
Amy Sochard, Senior Director in FINRA Advertising Regulation, moderated a panel of Evan Charkes, Managing Director and Associate General Counsel, Bank of America Merrill Lynch; Robert Salvador, Chief Compliance Officer, Motif Investing, Inc.; and Nubiaa Shabaka, Global Head of Cybersecurity Legal and North America Head of Privacy and Data Protection Legal, Morgan Stanley. Together, they recapped 9 key practices for compliant social media:
- According to a poll conducted at FINRA, firms have some concerns about social media. Unauthorized social media accounts that cannot be supervised (or monitored) and the inability to capture and retain content are both key issues for compliance professionals. Other worries include possible cyberattacks, inadvertent sharing of personal information, embarrassment through inappropriate sharing, and false or misleading content. Industry practice: Put processes and controls in place to monitor and supervise social media communications.
- When associated persons communicate through an electronic medium, U.S. Securities and Exchange Commission (SEC) record-keeping rules apply, noted Sochard. This includes social media, instant messaging, text messaging and messaging apps. Industry practice: Deploy technology to capture and retain approved business communications wherever they occur.
- Firms tend to prohibit the use of communications that cannot be seen or managed in some way. Therefore, they are at risk of being out of compliance when clients reach out to associated persons and want to do business on prohibited communications channels, said Shabaka. “We train our employees that any type of communication that relates to business, and needs to be captured, should be redirected to the appropriate device or firm system that is able to capture those communications.” Industry practice: Firms need to “create reasonably designed supervisory processes and procedures that are reinforced through training,” said Charkes.
- According to Sochard, there has been a “sea change” over the last few years from the concept of maintaining a “bright white line” between personal and business communications. Nowadays, there is a “real desire to allow associated persons to act as brand ambassadors and to let the world know about the firm’s brand without treading into an offer or a promotion of securities,” said Sochard. However, Charkes cautioned: “Think about how much risk your firm is willing to take in this area.” Industry practice: “According to FINRA Regulatory Notice 17-18, associated persons may use their personal social media to link to content on the firm’s websites or other digital properties, if the linked content is not related to the products or services of the firm,” explained Sochard.
- According to FINRA, firms have recordkeeping, content and supervisory responsibilities when they “adopt” or “become entangled” in third-party content. This includes the original digital communication and link as well as the specific content. FINRA draws the line at content accessed through secondary links, unless those links are a means to getting to that specific content. Industry practice: Many firms create a library of pre-approved third-party content for associated persons to share. However, due to copyright and branding issues, some more conservative firms avoid third-party content altogether and only allow their associated persons to share content that has been created in-house. (Contributor’s note: The concept of “adoption and entanglement” is based on an SEC theory around the level of involvement in the creation of the content.)
- Native advertising (communications that look and feel like news articles, but are really paid advertising) is permissible, according to Sochard. Industry practices: Firms need to adhere to FINRA’s Communications with the Public rules when using native advertising. These include certain content standards, not being misleading, and being upfront about paid advertisement, said Sochard. Charkes added that firms also should review guidance from the Federal Trade Commission (FTC) that states that native advertising needs to be clear, conspicuous and prominent.
- The use of testimonials on social media has long been a question in the financial industry. From FINRA’s point of view, broker-dealers may use customer testimonials in some specific circumstances and with proper disclosures. Due to space limitations, disclosures could be included via hyperlink, explained Sochard. FINRA has attempted to clear up industry confusion about regulatory requirements when a third party makes comments on a social media site, said Sochard. FINRA’s stance is that as long as the firm has neither “adopted nor become entangled” with the comment, then the firm would not be responsible for the advertising rules (such as supervision or the content of the comment) associated with it. However, if the firm “liked” or “shared” a comment, then the firm is considered to have “adopted” it, and hence is now responsible for it, and all rules would pertain. To make things more complex, testimonials are prohibited outright in the advisor space. Industry practices: Given industry complexities, and dually registered associates following two sets of rules, firms tend to prohibit testimonials by policy or use technology to either disable or supervise endorsements when possible.
- FINRA provides a regulatory distinction for the supervision of social media between “static” and “interactive” content, said Sochard. Static content, such as a profile on LinkedIn, Facebook or Twitter, is viewed as akin to an advertisement and requires approval by the principal of the firm before being used for business. Interactive content, such as real-time communications, is viewed as correspondence and may be supervised (or reviewed) after the fact, just as firms have been supervising correspondence for almost 19 years, explained Sochard. Industry practices: Supervisory approaches vary across the industry. Some firms prohibit the use of social media for business and only check for possible violations; others only allow their associated persons to use a library of pre-approved content. Still others support a library of pre-approved content and also allow their associated persons to customize their content in real time.
- “The intersectionality of privacy, cyber security and social media is very real,” said Shabaka. That’s because someone could gain access to your personal information based on what you post on social media. The repercussions can be financial loss, reputational risk, ID theft, and legal and regulatory consequences, said Shabaka. Industry practice: Manage your risk by bringing data privacy, protection and cybersecurity into your compliance processes, said Sochard. Education and training are key, concluded Shabaka.