Individuals and broker-dealers involved in the financial services industry have become accustomed to using social media and personal technology devices to assist in their business. Whether through Twitter, LinkedIn, electronic tablets, Facebook, smart phones, or instant messages, there is an advantage to being able to communicate quickly and with widespread distribution with the mere click of a mouse or a “Send” button. What are the regulatory consequences for users and firms of such technology? What limitations have been imposed on using these methods to communicate with customers, contra-side business, or even internally within a firm?
FINRA recently issued further guidance on this question. As a follow-up to its initial pronouncement on the topic set forth in Regulatory Notice 10-06, FINRA issued Regulatory Notice 11-39 in August 2011, which provides clarification on what obligations arise from the use of social media. Neither of these Regulatory Notices represent new rules; both are simply guidance in a question and answer format on how the regulator applies its preexisting retention, supervision, and advertising requirements to these new forms of communication.
Most notably, FINRA has reiterated that it is acceptable for individuals to use personal devices for business communication, and for firms to permit a variety of electronic methods for such communication. Nevertheless, firms are reminded that even the latest forms of communication must be retained, retrievable, and supervised.
The Communications Must Be Retained
Any doubt that emails had to be retained by broker-dealers pursuant to Rule 17a-4(b) of the Securities Exchange Act of 1934 was long ago answered by SEC guidance stating that the content of a communication, not the manner in which the communications was made, is determinative of whether it is a “business as such” communication that had to be retained.1 Regulatory Notice 10-06 and now Regulatory Notice 11-39 simply extend that principle to the latest methods of communication. In clarifying a broker-dealer’s retention obligation, FINRA has explained that a communication may be considered a business record, and thus subject to the three-year retention requirement regardless of whether it is sent on a personal device or a firm-issued one. For example, if a firm employee sends out a list of products or 1 SEC services offered by a firm, that contact would likely be viewed as a business communication that must be retained, even if it were sent from the employee’s personal computer or phone.
FINRA’s guidance in this regard serves as a reminder that, as the use of social media continues to expand, FINRA members should be mindful of their obligation to have systems in place that enable the firm to retain and monitor these communications, and provide training and education to associated persons on recognizing when their email and posts would be considered business communication.
In addition, in responding to questions regarding the technology available today for sending and posting messages, FINRA clarified that it would not be proper to use technology for business communications that automatically deletes messages because that would then not comply with the retention requirements of the Exchange Act and FINRA rules.
Some of the Communications Will Require Pre-Approval
The FINRA guidance explains that a static (unchanging) posting (as opposed to an interactive one) will be viewed as an “advertisement” under NASD Rule 2210. The significance of this is that it will require a registered principal to pre-approve the posting. The need for approval by a registered principal is also triggered when there is a material change to such a posting.2 Indeed, while silent on the ramifications of this, to the extent a static posting implicates the filing requirement of NASD Rule 2210(c)(4), there is nothing in this Regulatory Notice that differentiates these electronic advertisements from other advertisements that require filing with FINRA Advertising Regulation Department. Another element of pre-approval is the supervisory notion, embedded in NASD Rule 3010, that a registered principal review prior to use any social media site that an associated person plans to use for business communications.
The Risk-Based Approach to Supervision of Electronic Communications
It should come as no surprise that FINRA reiterates in this Regulatory Notice its guidance about supervision of email that had its origins in Regulatory Notice 07-59, entitled “FINRA Provides Guidance Regarding the Review and Supervision of Electronic Communications.” Not only does this mean ensuring that use of a social media website for business purposes will comply with federal securities laws and FINRA rules, but it further means that when an associated person posts to an interactive site, the post is deemed a "public appearance" and is subject to the NASD Rule 2210 prohibition against misleading statements and the requirement that content be fair and balanced.
Firms should consider using sampling, spot checking, or lexicon-based search methodologies to facilitate surveillance of these communications and of their associated persons’ use of social networking websites. Firms may also want to consider having associated persons certify periodically that they understand and are acting consistently with regulatory and firm policies.
Entanglement with Third-Party Websites or Posts
Often, firms link their websites to that of third parties (when they are offering the third party’s product, for example), and there is nothing improper about that connection. However, there are some limitations. Member firms cannot link to third-party sites if they know or have reason to know that the third-party site has false or misleading content. Further, if the firm is part of the development of the content of the third-party website, or approves it, it will be “entangled” with that site, and thus subject to the content requirements of NASD Rule 2210 which pertain to communications with the public, such as advertising and public appearances. The same holds true if the firm “co-brands” a website with its own logo.
The good news here is if the firm has a policy to block or delete offensive or inappropriate content, then any improper third-party messages that slip through and remain on the website will not be deemed to have been adopted by the firm. That avoids the need to apply content based standards and requirements on third-party postings. Nevertheless, even if the firm is not responsible for the content of such posted messages, the firm still has to retain those messages if they are deemed business communications.
Data Feeds Must be Scrutinized
One further clarifying point made by FINRA is in the area of third-party data feeds that are often utilized to populate firm websites. In order to minimize the chance that such information is inaccurate, firms must be familiar with the methodology vendors are using to gather and deliver that information, and be confident that the vendors are acting in a reasonable manner in this regard. If there are red flags as to the accuracy of such data, firms must either eliminate the feed or correct the data.