The Financial Industry Regulatory Authority (FINRA) has issued a regulatory notice to address the many questions surrounding social media and personal device use in business communications by brokers and other financial services workers.
FINRA is an independent regulator for all U.S. securities firms. In January 2010 it issued Regulatory Notice 10-06, reminding firms of the record-keeping, suitability, supervision and content requirements for social media communications. FINRA Regulatory Notice 11-39, unveiled Aug. 18, is designed as an update to 10-06, to address concerns raised after its release.
"We put out guidance that doesn't encourage firms to use social media to engage in business communications, or discourage them," said Joseph E. Price, FINRA's senior vice president of advertising regulation and corporate financing. "It's just designed to say if you are going to do it, and it makes sense for your business model, here's how you can do it in compliance with SEC and FINRA rules."
One of the major issues that financial firms were concerned about was whether employees could access business applications through personal devices. The answer is yes -- as long as the firm is able to retain, retrieve and supervise business communications.
"You have to comply with the rules, but employees can access business applications through devices that they own, rather than those that the firm owns," Price said.
Regulatory Notice 11-39 mandate: Retain and supervise records -- all of them
FINRA Regulatory Notice 11-39 notes that the Securities Exchange Act requires firms to retain records of communications that relate to its business. Whether a communication is related to the business of the firm depends on the facts and circumstances, but it does not depend on the type of device used to transmit the communication, said Price.
Stephen Marsh, founder and CEO of Smarsh Inc., an electronic communications archiving provider, said the message of FINRA Regulatory Notice 11-39 notice is clear: It's the content that ultimately determines whether a message is a qualifying business communication.
"The medium is irrelevant," Marsh said. "If a message is business-related, it doesn't matter if it's a text message from your personal phone, an email from a company laptop or a tweet from your personal tablet -- you must retain, retrieve and supervise."
FINRA 11-39 adds more context and detail regarding social media communication, and clarifies some of the questions around mobile devices, Marsh said. With a significant focus on policy and training solutions that have emerged since Regulatory Notice 10-06, Marsh said firms should read Notice 11-39 and ensure that social media policies align to FINRA's recommendations.
"Despite the challenges that social media may present, firms must still extend their compliance policies to cover this form of communication and they must employ effective procedures to enforce them," Marsh said.
Todd Pack, president and chief operation officer of Financial Advisers of America LLC (FAA), noted that FINRA 11-39 suggests random reviews of social media use might be beneficial. He suggested that firms adopt a form of surveillance, such as Google searches or website reviews that are above and beyond normal review procedures.
In addition, firms should consider adopting an annual attestation that requires employees to disclose whether they use any form of social media, Pack said.
"The option would be to elect: 'I do not use social media,’ ‘I use social media for personal use only,’ or ‘I use social media for business,’" Pack said. "Based on the individual responses, searches can be conducted to identify potential discrepancies."
Business vs. personal communications guidelines in Regulatory Notice 11-39
Another area of concern addressed in Notice 11-39 was where firms should draw the line between what is considered a "personal" communication and a "business" communication. Many firms prohibit employees from using social media for business communications but are aware that employees provide biographical information such as place of employment and their responsibilities on sites such as LinkedIn.
If you are using the site to solicit business for the firm, then obviously it's a business communication.
Joseph E. Price, senior vice president of advertising regulation and corporate financing, FINRA
Notice 11-39 stipulates that firms should develop policies and procedures that include training regarding the difference between business and nonbusiness communication to enable appropriate compliance. The notice states that in certain contexts, such as sending a resumé to a potential employer, the communication could be viewed as not relevant to the business. In other contexts, such as posting a list of products or services offered by the firm, the communication likely will be viewed as a business communication.
"If you are using the site to solicit business for the firm, then obviously it's a business communication," Price said. "But if you are just talking about you and what you do, then it's more to the nature of autobiographical information."
In general, Notice 11-39 did not add much additional detail to what is expected of firms regarding social media regulation, but it does help provide a level of confirmation of those expectations, Pack said. To meet these expectations, firms must make a technological investment so that they can automate the review and supervision of social media forums such as LinkedIn and Facebook, he said.
Firms should also dedicate sufficient resources to training licensed persons on its social media risk management policy.
"Many firms do a tremendous amount of work to minimize compliance risk but often fail to clearly document that work,” Pack said.”Whether conducting surveillance, making approvals or monitoring social media lexicons, be sure to document and archive that information."
As social media continues to spread in the business world, firms should expect regulators to start scrutinizing its use more frequently, Marsh said. He noted that a recent Smarsh survey revealed that 22% of respondents who were audited in the last year received requests for social media data -- that’s a 65% increase from those audited before 2010.
"Organizations within the financial services industry that choose to turn a blind eye on social media compliance mandates are putting themselves at unnecessary risk, which could end up being extremely costly," Marsh said. "Aside from leaving firms open to fines for noncompliance, reputational damage, data loss and damaged investor trust are very real risks for firms."
Let us know what you think about the story; email Ben Cole, Associate Editor.