The continued growth of online social networks and social media has resulted in an increase in regulation and guidelines by the SEC and Financial Industry Regulatory Authority (FINRA). Investment advisers and other financial services professionals are increasingly using social media in order to establish and maintain client relationships. However, such firms should be mindful that one single post or tweet may potentially amplify a firm's legal risks when interacting with customers.
Such posts, tweets, or other electronic media may be deemed advertising under the Investment Advisers Act of 1940 (Advisers Act) and sales literature under FINRA regulations and, as a result, require prior supervisory approval and retention. Further, while FINRA has provided certain guidance concerning online and social media, i.e., Regulatory Notice 10-06, registered investment advisers are governed by a more principles-driven approach under Rule 206(4)-1 of the Advisers Act. In light of the Advisers Act's broad definition of advertisements, investment advisory firms, out of an abundance of caution, should be judicious in any client communication and consider all online or social networking activity that expressly identifies the firms as investment advisers to be an advertisement, including bulk email, television or radio pieces, Web sites, Facebook pages, blogs, or Twitter feeds.
As a result, investment advisory and other financial services firms that conduct business through social media sites should carefully balance the various regulatory and legal obligations against any effort to engage customers or achieve business objectives.
This client update provides a brief overview of certain rules governing investment advisory firm communications and provides certain issues to consider while crafting firm policies governing the same.
Mitigating Social Media Risk. Since social media technology evolves at a pace faster than the law governing it, a useful standard for ensuring compliance and avoiding data breaches is that a social media communication should, generally, be treated as any other form of corporate communication, subject to the Advisers Act and FINRA rules. Prior to implementing any form of social media, firm policies should be tailored to reduce legal risks, seek to control what an organization publishes, and have an effective procedure for monitoring any third-party use. Although FINRA rules are not applicable to investment adviser firms (unless such firms also are registered as brokers or dealers), the regulations developed by FINRA on the use of social media can be used as a guide for investment advisers as they utilize various forms of social media.
FINRA Chairman and CEO Richard G. Ketchum, recently noted that FINRA's Social Networking Task Force had made further progress identifying and defining what constitutes social media and indicated that FINRA will most likely provide further guidance on social media issues later this year. (FINRA last issued guidance on this topic in Regulatory Notice 10-06.) The Social Networking Task Force, organized by FINRA in 2009 and composed of FINRA staff and industry representatives, discusses how firms and their registered representatives can use social media sites for legitimate business purposes in a manner consistent with investor protection.
Although at the time of its publication Regulatory Notice 10-06 provided comprehensive guidance relating to social media issues, the social media landscape is constantly changing, and new forms of social communication may not be adequately addressed in firm policies previously drafted in light of Regulatory Notice 10-06.
In addition, earlier this year the SEC sought information from firms requesting details on levels of involvement with, or usage of, sites such as Facebook, Twitter, LinkedIn, YouTube, Flickr, and so forth. The SEC sweep requested documentation on communications (messages, tweets, blog postings) made or received and details on advisers' policies and procedures relating to their use of social media sites, as well as the use of these sites by third parties acting on their behalf. The request also asked for details on policies relating to non-business related use of social media by staff, what training is provided, what disciplinary action firms have taken, and how companies treat record retention.
Recent FINRA enforcement actions concerning an organization's failure to retain business-related instant messages sharply illustrate how evolving forms of social media continue to pose compliance and enforcement concerns to financial services firms. Similarly, related technology, such as blogs and social media, is expected to receive further scrutiny by regulators as both become more prominent forms of communicating and sharing confidential and public data with clients.
In light of these risks, FINRA has provided guidance on appropriate communications rules for financial services firms when applying FINRA communications and recordkeeping rules to social media sites, such as blogs and social networking sites. In addition, a recent report titled, “Social Media Risks and Mitigation” (BITS Report) and published by BITS, a division of the Financial Services Roundtable, provides a framework for identifying and mitigating social media risks, and is intended to help financial firms successfully use emerging and existing social media services. However, there are still considerable gaps in the regulatory framework governing a financial firm's use of social media. For example, federal banking agencies have yet to provide guidance on social media compliance issues.
Firms and their representatives should be cautious when communicating through social media and ensure that records of those communications are retained consistent with the recordkeeping regulations under the Advisers Act and, to the extent the firm also is a FINRA member, with FINRA guidance. Specifically, such firms should, at a minimum, consider the following action items: (i) develop an automatic retention policy for interactive electronic communications and (ii) implement a system that "flags" and retains those interactive electronic communications that contain certain key words as determined by the firm.
Finally, investment advisers, in particular, should remain cognizant of the following general requirements governing adviser advertisements: (i) truthfulness and accuracy; (ii) retain copies of all advertisements for five years from last use; (iii) document how the advertisement was distributed and by whom; (iv) do not use any testimonials; (v) do not divulge private client information; and (vi) do not provide a specific investment recommendation or advice to clients via social media platforms.
Even with FINRA, SEC, and industry guidance, until technology exists that is beyond reproach in monitoring policies and supervisory structures, firms that utilize social media and capture customer data confront unique supervisory and compliance obstacles that might not always have a clear legal answer.
Communications, Protection of Customer Data, and Social Media. Investment advisory firms that use social media often access and disseminate a significant amount of customer data in their day-to-day operations. Generally, a firm will utilize social media to communicate with or service its customers through an internet portal; employees in their personal or professional capacities; or contractors outside the office. FINRA regulated firms are, generally, under Rule 2210, required to establish systems that retain all communications and supervise all electronic communications encompassing their business, including whether or not such communications are permitted and what procedures will be applicable. In addition, specific communications that recommend an investment product may trigger the FINRA suitability rule, thus creating possible substantive liability for the firm or a registered representative.
As a result, any electronic communication originating from a registered representative or firm to a customer or prospective customer concerning such firm's business is subject to FINRA and SEC rules regarding communications with the public, as well as the supervision and retention of such communication. These electronic communications also are often subject to archival and retention for a certain duration. There is no doubt that new forms of social media will continue to increase the overall amount of information that is subject to such retention requirements, and will lead financial services firms to questions of applicability and best practices.
Regulatory concerns associated with the use of email and instant messaging over firm-hosted networks continue to evolve and now include most forms of electronic communications, such as blogs, text messages, group forums, social networks, and Skype messaging, as well as static and interactive content. The BITS Report identifies certain issues (noted below) that should be addressed in a financial services or investment adviser firm's social media data protection policy:
- Social media policies should include relevant privacy issues
- Employees should be trained and updated on social media policies and the risks related to privacy
- A firm should consider whether the preferred platform is appropriate for the nature of the interaction or information being shared
- Customer verification procedures should be reviewed in light of common data shared via social media
In addition, the BITS Report identified key issues and questions these organizations should address when engaging or interacting with existing or potential customers:
- What information are customers requesting through social media? Such information passes through systems that may not match the data-protection measures used by financial institutions.
- Be aware of rights granted to social media sites, such as a perpetual license to posted information. While your use of collected information may align with your stated privacy practices, the social media provider's use may not.
- Do customers understand when their communications are operating under a social media site's privacy rules and not those of the institution? It is important that a company clearly state the applicable privacy rules on every site where it maintains a presence.
- As social media evolves, how will new services or features affect social media privacy practices? For example, the use of mobile or geo-location information may be considered an encroachment on a customer's privacy.
- Remain vigilant about changing privacy settings on any given social media site where you maintain a presence to avoid sharing information with an unintended audience.
- As social media providers undergo mergers and acquisitions, there is the additional concern about how customer data will be shared and/or protected by the new entity. In such cases, the aggregation of data could lead to further erosion of information privacy for both individuals and organizations.
- What personal information do customers disclose in their personal use of social media? While companies use such information to verify customer identity, customers should be cautioned against sharing private data through social media sites.
Social Media and Integrating Compliance With Existing Firm Policies. The vast majority of financial services firms have sufficient policies in place to govern employees' access and use of personal data as well as their behavior in social settings, both online and in the workplace. Many of these same organizations are quickly coming up to speed on social media policies as well. How does a firm design a social media policy that fosters compliance while not stifling the opportunity presented by social media and governing any out-of-office employee activity?
The simple answer is that, provided a firm's social media policy adequately addresses any regulatory requirements, the firm should not have to globally block or limit access to social media sites. Good policies that mitigate risks through training and technology are both key steps to a fundamental and sound practice. The following also are key issues to consider: all codes of conduct should address social networking; employees should be familiar with the benefits, risks, policies, and agency goals for using social media; certain individuals or registered agents should have company-produced profiles and scripted materials for social media; and the firm should adopt technical controls that address how social media should be used and content control methods.
Of particular concern to FINRA are communications that potentially rise to the level of a recommendation or endorsement. FINRA suitability requirements apply to any recommendation made through electronic communications. Firms should be particularly careful, as many Web sites make their content widely available, which could result in a much greater responsibility and undertaking by firms making the suitability determination. Specifically, member firms and registered representatives should, at a minimum, consider the following action items: (i) require pre-approval by a registered principal of the content of all interactive electronic communications that recommend a specific product; (ii) develop a database of previously approved communications and require all interactive electronic communications to conform to the templates in the database; and (iii) develop procedures governing all communications that promote specific investment products, regardless of whether the communications would constitute a "recommendation."
In addition, Rule 206(4)-7 under the Advisers Act requires registered investment advisers, and FINRA rules require its member firms, to establish and maintain systems to supervise the activities of their employees in a way that is reasonably designed to ensure compliance with securities laws and regulations. As a result of the spontaneous nature of social media, firms may be best suited to adopt supervisory policies requiring prior approval as opposed to a subsequent review. Specifically, firms and their employees should, at a minimum, consider the following action items: (i) develop policies and procedures for the review of certain internal electronic communications by employees (e.g., research reports, customer complaints, and account changes); (ii) supervise specific social media sites and prohibit persons from engaging in business communications on a social media site that is not supervised by the firm; (iii) require training on the firm's policies and procedures regarding interactive electronic communications; and (iv) monitor compliance with internal policies regarding use of social media sites and consider restricting or prohibiting usage for continual violators. The BITS Report also suggests that: (i) all firm policies should be reviewed, in light of the nuances social media presents, to ensure employees are compliant with any social media; (ii) be precise and expressly state when other firm policies are applicable or ought to be consulted; and (iii) clearly state the penalties and disciplinary action for failure to comply, and implement monitoring methods to detect breaches. Finally, as with any policy, firms should have a mandatory training program for all employees and continually provide updated training as social media trends evolve.
Investment advisers also may want to consider reviewing/amending the following policies, as applicable, in light of the nuances social media presents to ensure that the adviser and its employees are monitored for any of their social media activity:
- Code of conduct/ethics policies
- Sarbanes-Oxley policies
- Privacy notices
- Marketing, brand, and logo enforcement policies
- Trademark and intellectual property policies
- Legal risk policies
- Risk management policies
- Promotion, contest, and sweepstakes policies
- Employment verification/professional reference policies
- External communications policies
- Information security policies
- Securities law policies
- Solicitation and distribution policies
Summary. Since social media technology continues to evolve, the potential for reputational and financial loss from any employee or firm mistake is difficult to quantify. Prior to venturing into any form of social media, firm policies should: (1) be firmly established; (2) be precise; (3) clearly define the employees' responsibilities; and (4) explain how they are to be monitored on each electronic platform utilized by the firm. Until the law catches up with technology, a useful way to reduce and manage unforeseeable social media risk is to create a work environment that fosters a strong culture of compliance.