With the proliferation in recent years of social media, instant messaging, and mobile applications that facilitate communication, financial services firms must ensure their compliance programs are designed to address the risks inherent in these tools. According to the SEC, the failure to maintain business communications records is one of the most prevalent violations. While many firms have policies in place to supervise employees’ email correspondence, what’s often lacking is a plan to address social media compliance.
Social Media’s Impact on the Regulatory Landscape
Disparate regulatory requirements add more complexity to an already confusing issue. What one regulator allows under certain circumstances may be completely prohibited under another regulator’s rulebook. For compliance professionals, it is critical to understand which rules apply to the firm and how to operate within them.
- FCPA: The Department of Justice recently revised its FCPA Corporate Enforcement Policy to acknowledge the widespread use of messaging apps and other communication tools. In its revision, the DOJ charged companies with implementing “appropriate guidance and controls.” This essentially leaves decisions about whether to allow the use of instant messaging and similar tools, and how to supervise such use, up to individual companies. However, financial services firms regulated by the SEC and/or FINRA should not take solace in the DOJ’s relaxed stance. As you’ll see below, the financial regulators have not yet formally taken the same position.
- SEC: Under the Investment Advisers Act and the SEC’s interpretation and guidance of its rules, there is no exception for messaging apps: business communications sent through them are subject to the same books-and-records obligations as email. In a December 2018 Risk Alert, the SEC reminded advisers that certain technologies cannot be reconciled with those obligations. Specifically, technologies that allow for the automatic destruction of messages, anonymous communications, and those that do not allow for third-party review or backup may not be used for business communications by SEC registrants or their personnel.
- FINRA: FINRA Rule 2210 governs member firms’ communications with the public. Though the rule today does not specifically address instant messaging apps or similar tools, member firms must adhere to the regulator’s content, supervision, and recordkeeping requirements, which also extend to the use of social media. FINRA has indicated that AI-based tools and RegTech can be helpful for firms, giving compliance personnel the means to conduct automated reviews of social media profiles and posts and to flag issues for follow-up.
8 Best Practices for a Social Media Compliance Plan
Although the regulators may not provide the clear framework many compliance professionals would prefer, there are some best practices that can help firms manage social media and electronic messaging risk.
- Understand the risks. In addition to the concern about being able to police content and maintain records for social media posts and instant messages, the use of social media by financial services firms also expands the firm’s attack surface, for example through account takeover, impersonation of the firm or its employees, and phishing directed at employees or clients. Firms must weigh and evaluate the potential risks and rewards when creating policies.
- Only allow the use of tools that fit within the regulatory framework. Additionally, keep in mind that a tool which technically fits (for example, one whose messages can be archived) can still be misused, such as by moving a conversation to a personal account or an unapproved channel.
- Develop and implement policies, procedures, and controls to manage social media communications. This includes oversight of corporate-managed social media accounts. One solution is to create a workflow around the approval of corporate or employee specific social media posts to avoid violations.
- If your firm allows employees to use personal devices for business use, be sure your compliance and information security policies include mechanisms for the monitoring and retention of business messages sent/received on personal devices or through personal accounts. The policies you put in place should address the use of social media, personal email, and texting, providing employees with a roadmap to follow if they receive a business-related communication through personal channels.
- Reinforce your social media and communication policies and procedures through regular training and ongoing internal communications. Employees generally want to comply with their firm’s rules but will struggle to do so if the rules are unclear. Using periodic attestations can help ensure employees understand what’s acceptable and what falls outside the lines.
- Your firm’s social media policies and procedures should be all-encompassing and include the use of social media for business use, personal use, “native advertising” (paid advertising that looks like articles), third-party content, social selling, testimonials, and endorsements.
- Include regular reviews of social media sites in your supervision and compliance policies and procedures, looking for profiles or content that have not gone through established channels. Use automated alerts to help you identify mentions of the firm or its employees to identify potential compliance issues before they become major problems.
- Leverage technology tools to help you capture, supervise, and retain social content. Automated content supervision tools can help manage both static content, such as social media profiles, and dynamic content, including posts and messages. For example, a marketing team can set up a workflow that directs social media copy to compliance for approval before posting.
Is Your Firm Prepared to Supervise and Manage the Future of Communications?
In today’s digital world, social media and messaging tools have become the primary modes of communication. Rather than ignore this reality, compliance officers and their teams should proactively address it. It’s imperative to identify appropriate social media use policies, train personnel, and incorporate oversight and retention procedures designed to comply with all applicable regulatory requirements.