What does it mean to meet the compliance bar for social media use in financial services? While most now know about FINRA 10-06, there are often questions about what it takes to be compliant. It’s critical that the industry have plenty of conversations on the topic, whether among the regulators, across firms, or at industry events, to ensure they have the facts.
FINRA has shared that they will release additional clarification on social media in a few months. But we also know that social media is an ever-changing landscape, so it’s difficult to provide a black-and-white answer to the question… Where is the social media compliance bar?
We recently held a compliance forum with over 30 representatives from our customers. As part of that daylong session, we discussed many of the answers to the question above. This experience, plus our deployments with more than 100 financial services firms since 2009, has led to the following 6 points that will help you and your firm ensure you are fully compliant. And this is not just opinion: we’ve had multiple clients go through and pass social media regulator audits already this year.
- Policy- Compliance starts with policy. Regulators, like FINRA, require each firm to have a social media policy in place before opening access. Unlike other forms of electronic communication, social media requires a close look at the data and the activity that users can create and engage in. In addition, social networking sites are constantly changing, so firms should plan for updates and think through how policy will flow from a paper document to technology for automation purposes. For more information on setting social media policy, you can refer to the Guides we’ve published on the topic here. In addition, I’d encourage you to watch the recorded webinar on setting policy that was part of our joint LIMRA series titled the Social Media Adoption Lifecycle.
- Training- Just like having a policy, training is a requirement from the regulators. Training should cover everything from your policy and associated procedures to best practices on how to use social media for business purposes. The latter is not a regulatory requirement but does go hand-in-hand with opening up access to new mediums, like social networks. Before reinventing the wheel on training, be sure to check out solutions from organizations, such as LIMRA, who are experts at training the field on regulatory issues.
- Content- Archiving social media data is a fundamental requirement of all regulators. We know that social is treated the same as any other form of electronic communication in the eyes of the regulators. The challenge with social is getting all of the data you need to be compliant. You would never accept archiving 70% of your email, so why would that be acceptable with social? As you explore how you will archive social networking information, be sure to verify that all data is being captured.
- Context- To be compliant in social media you need more than just the data created on the sites themselves; you need the context as well. Yes, you must have the content that was posted, say a status update, but you also must have the fact that the data was a status update vs. a direct message. The reason is simple. Messages in social networks are not created equal. Depending on the context, you must apply different supervisory principles. Context also becomes critical when a post turns into a full-blown conversation. Supervising a post without the context of a conversation is useless. Another challenging aspect of social networks is the concept of personas. Are you operating in a personal mode or a professional one? This is another area where context will serve you well, ensuring you are scrutinizing the right content.
- Activity- Another area where social networks create unique compliance risk is around the activities of these sites. On LinkedIn, you can accept and display recommendations on your profile. Unfortunately, this is a violation of the Investment Advisers Act of 1940. That regulation states that you can’t have testimonials inside of advertisements. What about “liking” a comment? Does that create suitability or endorsement concerns? It can. Part of ensuring compliance will be to limit access to these activities that can create risk for the individual and the firm.
- Supervision- Supervision is fundamental when it comes to the communication of reps to consumers. With social media, certain content must be pre-reviewed, as it’s considered an advertisement, and certain content requires post-review, similar to email or IM. While there is lots of debate on what must be pre-reviewed vs. post-reviewed (we will save this for a later post), it is clear that supervision of social media can create a real burden if the processes and points of integration to existing systems are not managed or thought through. Furthermore, firms must address the real-time nature of this medium. How will you ensure that the field can use these platforms effectively if your processes don’t support timely review?
Evolving? Yes. Impossible to meet the bar? No, if you plan appropriately and base your decisions on industry best practices and expertise. And one last word of caution. Don’t just plan for the first 6 months of use. Be sure to consider the compliance challenges that are created as you expand your rollout, eventually approaching 100% utilization (check out this research from Morgan Stanley). It happened with email, and my prediction is that it will happen here as well. This puts a premium on getting it right the first time.